Thomas' Tech Talk

Just Can't Get Enough Of IT

Register Azure AD Pass-through agent manually

Filed under: Azure AD,PowerShell — Thomas Stensitzki at 1:26 pm on Monday, February 10, 2020

Azure AD Pass-through authentication (PTA) recommends that you run at least three authentication agents to provide high availability for authentication.

When you download and install the PTA agent, registering the PTA agent to Azure AD might fail. This happens most of the time when the network connectivity to Azure AD requires the use of a proxy server. In such a network setup you normally encounter configuration errors only, if the proxy server is misconfigured or the Internet Explorer zone configuration is missing required entries for trusted sites.

When you encounter an error during installation and registration of the dedicated PTA agent I recommend to separate these two steps. You need the credentials of an Azure AD account that is a member of the Global Administrator management group.

  1. Download the most current release of the PTA agent:
  2. Copy the downloaded file to the server that will serve as a PTA agent
  3. Open an administrative command prompt and install the PTA agent software in silent mode without registering the agent:
AADConnectAuthAgentSetup.exe REGISTERCONNECTOR="false" /q
  1. Open an administrative PowerShell session, navigate to the default installation location and register the PTA agent manually
# navigate to the default installation location
cd "C:\Program Files\Microsoft Azure AD Connect Authentication Agent"

# enter the global admin credentials
$cred = Get-Credential

# register the PTA agent using the RegisterConnector.ps1 script
# multiline example
.\RegisterConnector.ps1 `
-ModulePath "C:\Program Files\Microsoft Azure AD Connect Authentication Agent\Modules\" `
-ModuleName "PassthroughAuthPSModule" `
-AuthenticationMode Credentials ` 
-UserCredentials $cred `
-Feature PassthroughAuthentication

The Azure AD Pass-through agent Quickstart documentation has an example for automating the installation of the PTA agent as part of a server provisioning process. The current example references the wrong PowerShell module named AppProxyPSModule. The most recent release of the PTA agent does not contain a PowerShell module by that name. Use the PowerShell module PassthroughAuthPSModule, as shown in the PowerShell example shown above.


The automation example shown here, stores the account password in cleartext. This is not the best solution for running an IT-infrastructure with enhanced security. Do not use clear text passwords in PowerShell script. Never.

One example on how to use proper password encryption is shown in this blog post by Dennis Span:






No Comments »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>