Windows logins failing after Azure AD Connect pass-through auth: a Perth firm back online in 2 days
A 15-user Perth firm hit business-wide Windows and Microsoft 365 login failures caused by unstable Azure AD Connect Pass-through Authentication with no redundancy. We migrated authentication to Password Hash Synchronization — improving security, reliability and availability — and closed the outage in two business days.
2 days
Outage to full resolution
15 users
Sign-in restored
0
Auth outages since
PTA → PHS
Cloud-resilient authentication
The challenge
A 15-user Perth professional services firm ran a hybrid Microsoft 365 and on-premises Windows Server environment, with staff signing into both Windows and Microsoft 365 using the same credentials via Azure AD Connect Pass-through Authentication (PTA). One Monday morning, staff began failing to log into their Windows PCs and cloud resources; within hours most of the 15-person team was locked out, halting billable work and client communication. Severity was high — all staff affected, with deadlines and reputation at risk.
What we did
Level 2 support traced the outage to unstable, intermittently failing PTA agents with no redundancy — a single point of failure, because PTA validates every sign-in against on-premises agents in real time. Escalated to Level 3, who confirmed the underlying design (PTA without high availability) was the root risk, not a simple restart or patch. The fix: migrate authentication from PTA to Password Hash Synchronization (PHS) in Azure AD Connect, so Azure AD authenticates users in the cloud without depending on on-prem agents for every login. Engineers enabled PHS alongside the existing configuration, let the initial hash-sync cycle complete, verified users, piloted with a small group, then cut over organisation-wide outside business-critical hours and decommissioned reliance on the PTA agents.
The outcome
Sign-in stability was confirmed for all 15 users and the ticket closed within two business days. With PHS, logins no longer depend on a single on-premises agent or office connectivity — Azure AD validates credentials in the cloud — so a small firm without redundant infrastructure gained materially better availability with fewer moving parts. Password hashes are synchronised one-way in a salted, hashed form (original passwords are never stored in Azure AD), aligning with Microsoft best practice and making it easier to adopt Conditional Access and sign-in risk analysis. The client had no further authentication outages after the change.
Could we do the same for you?
Book a free 30-minute IT assessment. We'll review your setup and tell you honestly where you stand.