Microsoft Identity Agent (MIA) is an agent that enables an on-premises Active Directory Domain Services (AD DS) deployment to leverage Azure AD for a variety of scenarios, including password hash synchronization and seamless single sign-on (SSO). MIA provides a lightweight method for extending AD DS to Azure AD, and it can be installed on domain controllers in various configurations. However, as with any software, issues can arise and troubleshooting may be required. This article explores common issues and troubleshooting steps for Microsoft Identity Agent on domain controllers, using a fictitious company called DiveCorp as the example.

  1. Verify that the MIA is installed correctly. Before troubleshooting anything else, confirm that the MIA is installed and its service is running. To do this, follow these steps:
  • Open Control Panel on the domain controller where the MIA is installed.
  • Navigate to Programs and Features and look for Microsoft Identity Agent in the list of installed programs.
  • If it is not installed, download and install the latest version of MIA from the Microsoft website.
  • Once installed, verify that the MIA service is running by opening the Services console and looking for the “Microsoft Identity Agent” service.
  2. Check the event logs for errors. The event logs are a great source of information when troubleshooting MIA issues. Some common event log IDs to check for include:
  • Event ID 301 – This event indicates that MIA has started successfully.
  • Event ID 302 – This event indicates that MIA has stopped successfully.
  • Event ID 4104 – This event indicates that there was an issue with MIA starting or running, and it provides a brief description of the issue.
  • Event ID 4105 – This event indicates that there was an issue with MIA stopping, and it provides a brief description of the issue.
  3. Check the MIA log files. MIA creates several log files that can be useful in troubleshooting issues. The log files are located in the following directory: C:\ProgramData\Microsoft\Identity Agent\Logs

Some of the log files to check include:

  • MSIDCRL.log – This log file contains information about authentication requests and responses.
  • MSIPC.log – This log file contains information about Azure Information Protection requests and responses.
  • MSIDBroker.log – This log file contains information about brokered authentication requests and responses.
  • MSIDDS.log – This log file contains information about domain synchronization requests and responses.
  • MSIDFED.log – This log file contains information about federation requests and responses.
  4. Check the firewall settings. MIA requires specific firewall settings to function correctly. To ensure that the firewall settings are correct, follow these steps:
  • Open Windows Firewall with Advanced Security on the domain controller where MIA is installed.
  • Navigate to Inbound Rules and look for the “Microsoft Identity Agent” rule.
  • If the rule is not present, create a new inbound rule with the following settings:
    • Protocol: TCP
    • Local Port: 6134
    • Remote Port: All Ports
    • Action: Allow
  5. Verify the network connectivity. MIA requires network connectivity to Azure AD for authentication and other functions. To verify the network connectivity, try the following:
  • Ping the Azure AD endpoints listed in the MIA log files.
  • Verify that the domain controller where MIA is installed has access to the internet and can communicate with Azure AD endpoints.
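The five checks above can be run in one pass from an elevated PowerShell session on the domain controller. The script below is an added example, not part of the original article or of the MIA product; it assumes the service display name is "Microsoft Identity Agent", that MIA writes its events to the Application log, and that the admin fills in the `$Endpoints` list from the Azure AD endpoints found in the MIA log files (the single default is a placeholder).

```powershell
# Added example (not from the original article): read-only health check that walks the five
# troubleshooting steps on the local domain controller. Assumptions: service display name is
# "Microsoft Identity Agent", events land in the Application log, endpoint list comes from the logs.
param(
    [string]  $LogDir    = 'C:\ProgramData\Microsoft\Identity Agent\Logs',
    [string[]]$LogFiles  = @('MSIDCRL.log','MSIPC.log','MSIDBroker.log','MSIDDS.log','MSIDFED.log'),
    [string[]]$Endpoints = @('login.microsoftonline.com'),   # assumption: replace with hosts from the MIA logs
    [int]     $HoursBack = 24
)

# 1. Installation / service state
$svc = Get-Service -DisplayName 'Microsoft Identity Agent' -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning 'MIA service not found: is the agent installed?' }
else          { "Service '$($svc.Name)' is $($svc.Status)" }

# 2. Event log: 301/302 = clean start/stop, 4104/4105 = start/stop problems
$filter = @{ LogName = 'Application'; Id = 301,302,4104,4105; StartTime = (Get-Date).AddHours(-$HoursBack) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, @{ n='Severity'; e={ if ($_.Id -ge 4104) { 'ERROR' } else { 'INFO' } } }, Message |
    Format-Table -AutoSize -Wrap

# 3. Log files: report which exist and when each was last written
foreach ($f in $LogFiles) {
    $p = Join-Path $LogDir $f
    if (Test-Path $p) { '{0,-16} last written {1}' -f $f, (Get-Item $p).LastWriteTime }
    else              { '{0,-16} missing' -f $f }
}

# 4. Firewall: the inbound rule should allow TCP local port 6134 from any remote port
$rule = Get-NetFirewallRule -DisplayName 'Microsoft Identity Agent' -Direction Inbound -ErrorAction SilentlyContinue
if (-not $rule) {
    Write-Warning 'Inbound rule "Microsoft Identity Agent" is missing (expected: TCP, local port 6134, remote port Any, Allow)'
} else {
    $port = $rule | Get-NetFirewallPortFilter
    'Rule enabled={0} action={1} proto={2} localport={3} remoteport={4}' -f `
        $rule.Enabled, $rule.Action, $port.Protocol, $port.LocalPort, $port.RemotePort
}

# 5. Connectivity to Azure AD endpoints: ICMP as in the article, plus TCP 443 since ping is often blocked
foreach ($h in $Endpoints) {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    '{0,-32} ping={1} tcp443={2}' -f $h, $r.PingSucceeded, $r.TcpTestSucceeded
}
```

A missing rule in step 4 is only reported, not created; add it deliberately with New-NetFirewallRule once you have confirmed the settings listed above for your environment.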

Conclusion: Troubleshooting Microsoft Identity Agent on domain controllers can be challenging. However, by following the steps outlined in this article, you can narrow down the issues and resolve them quickly. Always start by ensuring that the MIA is installed correctly, then check the event logs, review the log files, verify the firewall settings, and check the network

Thanks,

John O’Neill Sr. rMVP