---
title: 'Azure Active Directory Domain Services: Troubleshooting Service Principal configuration | Microsoft Docs'
description: Troubleshooting Service Principal configuration for Azure AD Domain Services
services: active-directory-ds
author: eringreenlee
ms.assetid: f168870c-b43a-4dd6-a13f-5cfadc5edf2c
ms.service: active-directory
ms.component: domain-services
ms.workload: identity
ms.tgt_pltfrm: na
ms.devlang: na
ms.topic: conceptual
ms.date: 03/12/2018
ms.author: ergreenl
---
This article helps you troubleshoot and resolve service principal-related configuration errors that result in the following alert message:
Alert message: A Service Principal required for Azure AD Domain Services to function properly has been deleted from your Azure AD directory. This configuration impacts Microsoft's ability to monitor, manage, patch, and synchronize your managed domain.
Service principals are the identities in your directory for the applications that Microsoft uses to manage, update, and maintain your managed domain. If they are deleted, Microsoft can no longer service your domain.
Use the following steps to determine which service principals need to be recreated:

- Navigate to the Enterprise Applications - All Applications page in the Azure portal.
- In the Show dropdown, select All Applications and click Apply.
- Using the following table, search for each application ID by pasting the ID into the search box and pressing Enter. If the search results are empty, you must recreate the service principal by following the steps in the Resolution column.

| Application ID | Resolution |
| :--- | :--- |
| 2565bd9d-da50-47d4-8b85-4c97f669dc36 | Recreate a missing service principal with PowerShell |
| 443155a6-77f3-45e3-882b-22b3a8d431fb | Re-register to the Microsoft.AAD namespace |
| abba844e-bc0e-44b0-947a-dc74e5d09022 | Re-register to the Microsoft.AAD namespace |
| d87dcbc6-a371-462e-88e3-28ad15ec4e64 | Re-register to the Microsoft.AAD namespace |
Follow these steps if a service principal with the ID `2565bd9d-da50-47d4-8b85-4c97f669dc36` is missing from your Azure AD directory.

Resolution: You need Azure AD PowerShell to complete these steps. For installation instructions, see the Azure AD PowerShell documentation.

To address this issue, run the following commands in a PowerShell window:

- Install the Azure AD PowerShell module and import it:

  ```powershell
  Install-Module AzureAD
  Import-Module AzureAD
  ```

- Sign in to your directory with `Connect-AzureAD`, using an account that is allowed to create service principals.

- Check whether the service principal required for Azure AD Domain Services is missing from your directory. An empty result confirms that it is missing:

  ```powershell
  Get-AzureADServicePrincipal -Filter "AppId eq '2565bd9d-da50-47d4-8b85-4c97f669dc36'"
  ```

- Create the service principal:

  ```powershell
  New-AzureADServicePrincipal -AppId "2565bd9d-da50-47d4-8b85-4c97f669dc36"
  ```

- After you have created the missing service principal, wait two hours and check your managed domain's health.
Follow these steps if a service principal with the ID `443155a6-77f3-45e3-882b-22b3a8d431fb`, `abba844e-bc0e-44b0-947a-dc74e5d09022`, or `d87dcbc6-a371-462e-88e3-28ad15ec4e64` is missing from your Azure AD directory.

Resolution: Use the following steps to restore Domain Services on your directory:

- Navigate to the Subscriptions page in the Azure portal.
- Choose the subscription that is associated with your managed domain.
- In the left-hand navigation, choose Resource providers.
- Search for "Microsoft.AAD" in the table and click Re-register.
- To confirm that the alert is resolved, view the health page for your managed domain after two hours.
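Checking the four application IDs one at a time in the portal is error-prone. The following script is added here as an example and is not part of the original article: it performs the check from the table above for all four IDs and applies the matching resolution. For the first ID it recreates the service principal with `New-AzureADServicePrincipal`; for the other three it re-registers the Microsoft.AAD resource provider with `Register-AzResourceProvider`, which is the PowerShell equivalent of the portal Re-register button described above. It assumes the AzureAD and Az.Resources modules are installed, that `Connect-AzureAD` and `Connect-AzAccount` have already been run by an account that can create service principals and register resource providers, and that the current Az context is the subscription that hosts the managed domain.

```powershell
# Added example, not part of the original article.
# Assumes: AzureAD and Az.Resources modules installed; Connect-AzureAD and
# Connect-AzAccount already run; current Az context = the subscription that
# hosts the managed domain.

# Application IDs from the table above, mapped to the article's resolution.
$required = [ordered]@{
    '2565bd9d-da50-47d4-8b85-4c97f669dc36' = 'Recreate'
    '443155a6-77f3-45e3-882b-22b3a8d431fb' = 'ReRegister'
    'abba844e-bc0e-44b0-947a-dc74e5d09022' = 'ReRegister'
    'd87dcbc6-a371-462e-88e3-28ad15ec4e64' = 'ReRegister'
}

$needsReRegister = $false

foreach ($appId in $required.Keys) {
    # Same check as the portal search: an empty result means the principal is gone.
    $sp = Get-AzureADServicePrincipal -Filter "AppId eq '$appId'"
    if ($sp) {
        Write-Host ("OK       {0}  ({1})" -f $appId, $sp.DisplayName)
        continue
    }

    Write-Warning ("MISSING  {0}  resolution: {1}" -f $appId, $required[$appId])
    switch ($required[$appId]) {
        'Recreate' {
            # First resolution from the article: recreate the service principal
            # for the first-party application from its AppId.
            $new = New-AzureADServicePrincipal -AppId $appId
            Write-Host ("Created service principal ObjectId {0}" -f $new.ObjectId)
        }
        'ReRegister' {
            # One provider re-registration covers all three of these IDs,
            # so defer it until the loop has finished.
            $needsReRegister = $true
        }
    }
}

if ($needsReRegister) {
    # Second resolution from the article, done from PowerShell instead of the
    # portal: re-register the Microsoft.AAD resource provider on the subscription.
    $sub = (Get-AzContext).Subscription.Id
    Write-Host "Re-registering Microsoft.AAD on subscription $sub"
    Register-AzResourceProvider -ProviderNamespace 'Microsoft.AAD' | Out-Null

    # Registration is asynchronous; poll (bounded) until it reports Registered.
    for ($i = 0; $i -lt 30; $i++) {
        Start-Sleep -Seconds 10
        $state = (Get-AzResourceProvider -ProviderNamespace 'Microsoft.AAD' |
            Select-Object -First 1).RegistrationState
        Write-Host "Microsoft.AAD registration state: $state"
        if ($state -eq 'Registered') { break }
    }
}

Write-Host 'Done. Allow about two hours, then re-check the managed domain health page.'
```

Run it once, note which IDs were reported as missing, and keep the output: if the alert persists after two hours, that record tells support which resolution was applied and when.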
Alert message: The service principal with the application ID “d87dcbc6-a371-462e-88e3-28ad15ec4e64” was deleted and then recreated. The recreation leaves behind inconsistent permissions on Azure AD Domain Services resources needed to service your managed domain. Synchronization of passwords on your managed domain could be affected.
Resolution: You need Azure AD PowerShell to complete these steps. For installation instructions, see the Azure AD PowerShell documentation.

To address this issue, run the following commands in a PowerShell window:

- Install the Azure AD PowerShell module and import it:

  ```powershell
  Install-Module AzureAD
  Import-Module AzureAD
  ```

- Sign in to your directory with `Connect-AzureAD`, using an account that is allowed to delete applications and service principals.

- Delete the old application and its service principal:

  ```powershell
  $app = Get-AzureADApplication -Filter "IdentifierUris eq 'https://sync.aaddc.activedirectory.windowsazure.com'"
  Remove-AzureADApplication -ObjectId $app.ObjectId
  $spObject = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Azure AD Domain Services Sync'"
  # Pass the service principal's own object ID here, not $app.ObjectId.
  Remove-AzureADServicePrincipal -ObjectId $spObject.ObjectId
  ```

- After you have deleted both objects, the service remediates itself and recreates the applications needed for password synchronization. To confirm that the alert is resolved, wait two hours and check your domain's health.
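The cleanup above selects the service principal by display name and deletes whatever it finds. The following function is added here as an example and is not part of the original article: it performs the same cleanup with the checks a practitioner would want before deleting directory objects. It stops if the identifier URI matches more than one application, selects the service principal by the application's own AppId instead of by display name (so an unrelated object that happens to be named "Azure AD Domain Services Sync" is never touched), removes the service principal before the application so the second step cannot fail if the directory has already cascaded the deletion, and supports `-WhatIf` so you can preview what would be removed. It assumes the AzureAD module is loaded and that `Connect-AzureAD` has been run with rights to delete applications and service principals; the function name is an assumption of this example.

```powershell
# Added example, not part of the original article.
# Assumes: AzureAD module loaded; Connect-AzureAD already run with rights to
# delete applications and service principals.

function Remove-StaleAaddsSyncApp {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        # Identifier URI of the sync application, as given in the article.
        [string]$IdentifierUri = 'https://sync.aaddc.activedirectory.windowsazure.com'
    )

    $app = Get-AzureADApplication -Filter "IdentifierUris eq '$IdentifierUri'"
    if (-not $app) {
        Write-Warning "No application with identifier URI $IdentifierUri; nothing to remove."
        return
    }
    if (@($app).Count -gt 1) {
        throw "Expected one application for $IdentifierUri but found $(@($app).Count); inspect manually."
    }

    # Select the service principal by the application's AppId rather than by
    # display name, so a similarly named but unrelated object is never deleted.
    $sp = Get-AzureADServicePrincipal -Filter "AppId eq '$($app.AppId)'"

    Write-Host ("Application       : {0}  ObjectId={1}  AppId={2}" -f $app.DisplayName, $app.ObjectId, $app.AppId)
    if ($sp) {
        Write-Host ("Service principal : {0}  ObjectId={1}" -f $sp.DisplayName, $sp.ObjectId)
    } else {
        Write-Warning "No service principal found for AppId $($app.AppId); only the application will be removed."
    }

    # Remove the service principal first: deleting the application can cascade
    # to its service principal, which would make a later SP removal fail.
    if ($sp -and $PSCmdlet.ShouldProcess("service principal $($sp.ObjectId)", 'Remove-AzureADServicePrincipal')) {
        Remove-AzureADServicePrincipal -ObjectId $sp.ObjectId
    }
    if ($PSCmdlet.ShouldProcess("application $($app.ObjectId)", 'Remove-AzureADApplication')) {
        Remove-AzureADApplication -ObjectId $app.ObjectId
    }
}

# Preview first; run without -WhatIf once the listed objects look right.
Remove-StaleAaddsSyncApp -WhatIf
# Remove-StaleAaddsSyncApp
```

Run the preview, confirm that the object IDs printed are the ones you expect, and only then run the function without `-WhatIf`. After the deletion, the two-hour wait from the resolution above still applies before the health page reflects the change.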
Contact the Azure Active Directory Domain Services product team to share feedback or for support.