All case studies
Professional Services·Perth·15 users

Windows logins failing after Azure AD Connect pass-through auth: a Perth firm back online in 2 days

A 15-user Perth firm hit business-wide Windows and Microsoft 365 login failures caused by unstable Azure AD Connect Pass-through Authentication with no redundancy. We migrated authentication to Password Hash Synchronization — improving security, reliability and availability — and closed the outage in two business days.

2 days

Outage to full resolution

15 users

Sign-in restored

0

Auth outages since

PTA → PHS

Cloud-resilient authentication

The challenge

A 15-user Perth professional services firm ran a hybrid Microsoft 365 and on-premises Windows Server environment, with staff signing into both Windows and Microsoft 365 using the same credentials via Azure AD Connect Pass-through Authentication (PTA). One Monday morning, staff began failing to log into their Windows PCs and cloud resources; within hours most of the 15-person team was locked out, halting billable work and client communication. Severity was high — all staff affected, with deadlines and reputation at risk.

What we did

Level 2 support traced the outage to unstable, intermittently failing PTA agents with no redundancy — a single point of failure, because PTA validates every sign-in against on-premises agents in real time. Escalated to Level 3, who confirmed the underlying design (PTA without high availability) was the root risk, not a simple restart or patch. The fix: migrate authentication from PTA to Password Hash Synchronization (PHS) in Azure AD Connect, so Azure AD authenticates users in the cloud without depending on on-prem agents for every login. Engineers enabled PHS alongside the existing configuration, let the initial hash-sync cycle complete, verified users, piloted with a small group, then cut over organisation-wide outside business-critical hours and decommissioned reliance on the PTA agents.

The outcome

Sign-in stability was confirmed for all 15 users and the ticket closed within two business days. With PHS, logins no longer depend on a single on-premises agent or office connectivity — Azure AD validates credentials in the cloud — so a small firm without redundant infrastructure gained materially better availability with fewer moving parts. Password hashes are synchronised one-way in a salted, hashed form (original passwords are never stored in Azure AD), aligning with Microsoft best practice and making it easier to adopt Conditional Access and sign-in risk analysis. The client had no further authentication outages after the change.

Services involved

Could we do the same for you?

Book a free 30-minute IT assessment. We'll review your setup and tell you honestly where you stand.