Recommended steps
- Try to sign in using the UPN format (for example, 'joeuser@contoso.com') instead of the SAMAccountName format ('CONTOSO\joeuser').
- Ensure that you have enabled password synchronization in accordance with the steps outlined in the Getting Started guide.
- Note: Ensure that the affected user account is not an external account in the Azure AD tenant. External users cannot sign in to the managed domain, since Azure AD Domain Services does not have credentials for such user accounts.
- If the affected user account is a cloud-only user account: Ensure that the user has changed their password after you enabled Azure AD Domain Services. This step causes the credential hashes required for Azure AD Domain Services to be generated.
- If the affected user accounts are synchronized from an on-premises directory: Verify that the recommended release of Azure AD Connect has been configured to perform a full synchronization.
- If issues persist after confirming step #4, execute the following commands from your sync machine:
  1. net stop 'Microsoft Azure AD Sync'
  2. net start 'Microsoft Azure AD Sync'
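
One way to sort affected accounts into the cases listed above, as an added PowerShell example (not code from the original article or from Microsoft). The property names follow Microsoft Graph user properties; the function name, the enablement date, the Guest/#EXT# test for external accounts and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example: classify accounts by which checklist item applies to them.
# Get-AaddsSignInTriage is a hypothetical helper, not part of any Microsoft module.
function Get-AaddsSignInTriage {
    param(
        [Parameter(Mandatory)] [object[]] $User,
        # Assumption: the date Azure AD Domain Services was enabled for the tenant.
        [Parameter(Mandatory)] [datetime] $DomainServicesEnabledOn
    )
    foreach ($u in $User) {
        # Assumption: external accounts show up as UserType 'Guest' or with '#EXT#' in the UPN.
        $finding = if ($u.UserType -eq 'Guest' -or $u.UserPrincipalName -like '*#EXT#*') {
            'External account: cannot sign in to the managed domain'
        }
        elseif ($u.OnPremisesSyncEnabled) {
            'Synchronized account: verify Azure AD Connect full synchronization'
        }
        elseif ($u.LastPasswordChangeDateTime -lt $DomainServicesEnabledOn) {
            'Cloud-only account: password must be changed to generate credential hashes'
        }
        else {
            'Cloud-only account: password changed after enablement'
        }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            Finding           = $finding
        }
    }
}

# Constructed sample data (not real accounts); OnPremisesSyncEnabled is $null for cloud-only users.
$enabledOn = [datetime]'2021-03-01'
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'joeuser@contoso.com'; UserType = 'Member'
                       OnPremisesSyncEnabled = $true;  LastPasswordChangeDateTime = [datetime]'2020-11-15' }
    [pscustomobject]@{ UserPrincipalName = 'clouduser@contoso.com'; UserType = 'Member'
                       OnPremisesSyncEnabled = $null;  LastPasswordChangeDateTime = [datetime]'2021-01-10' }
    [pscustomobject]@{ UserPrincipalName = 'newuser@contoso.com'; UserType = 'Member'
                       OnPremisesSyncEnabled = $null;  LastPasswordChangeDateTime = [datetime]'2021-04-02' }
    [pscustomobject]@{ UserPrincipalName = 'partner_fabrikam.com#EXT#@contoso.onmicrosoft.com'; UserType = 'Guest'
                       OnPremisesSyncEnabled = $null;  LastPasswordChangeDateTime = [datetime]'2021-05-20' }
)

Get-AaddsSignInTriage -User $sample -DomainServicesEnabledOn $enabledOn | Format-Table -AutoSize
```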
Recommended documents
Note: The following questions and answers are taken from the "Administration and operations" section of the article "Frequently asked questions about Azure AD Domain Services" (Microsoft Docs).
- Can I connect to the domain controller for my managed domain using Remote Desktop?
No. You don't have permissions to connect to domain controllers for the managed domain using Remote Desktop. Members of the AAD DC Administrators group can administer the managed domain using AD administration tools such as the Active Directory Administration Center (ADAC) or AD PowerShell. These tools are installed using the Remote Server Administration Tools feature on a Windows server joined to the managed domain. For more information, see Create a management VM to configure and administer an Azure AD Domain Services managed domain.
- I've enabled Azure AD Domain Services. What user account do I use to domain join machines to this domain?
Any user account that's part of the managed domain can join a VM. Members of the AAD DC Administrators group are granted remote desktop access to machines that have been joined to the managed domain.