The error usually appears when the account being used doesn’t have the required domain/enterprise admin rights or when the service can’t authenticate to a domain controller, even if the username and password are correct.
Use these checks and fixes:
- Verify the account has the right permissions
  For the provisioning agent and gMSA creation, the account must be a Domain Admin (often Enterprise Admin in multi‑domain forests).
  - On a domain controller, open Active Directory Users and Computers (`dsa.msc`).
  - Right‑click the domain → Find → in Name, type `Enterprise Admins` → Find Now.
  - Open Enterprise Admins → Members tab and confirm the account is listed.
  - If it is not listed, have an existing Enterprise Admin add the account, or use an account that is already a member.
- Confirm the credentials themselves
  - Log on to a domain‑joined server or DC using the same `DOMAIN\username` and password.
  - If logon fails or the password is expired, change/reset the password and then rerun the provisioning agent configuration.
- Check connectivity from the agent server to domain controllers
  The wizard must be able to contact a DC to validate the credentials.
  - From the server where the Microsoft Entra Provisioning Agent is being installed, ensure it can resolve and reach domain controllers (DNS, network, firewall).
  - If the server cannot authenticate to AD, the wizard will report the credentials as invalid.
- Ensure sufficient local/service privileges for the agent
  During installation the service account `NT SERVICE\AADConnectProvisioningAgent` is created and must have Log on as a service rights. If a Group Policy strips these rights, the agent and gMSA setup can fail with misleading credential errors.
  - Open `secpol.msc` → Local Policies → User Rights Assignment → Log on as a service.
  - Confirm `NT SERVICE\ALL SERVICES` is present. If not, add it and rerun the wizard.
- If gMSA creation/logon is failing
  When the wizard tries to switch the service to a gMSA and that account is not recognized as managed, you can see errors like “The user name or password is incorrect” even though the domain admin credentials are valid.
  - Check System event log for EventID 7038 or 7041 related to `AADConnectProvisioningAgent`.
  - If the account is not marked as managed, run on the server:
    `sc.exe qmanagedaccount aadconnectprovisioningagent`
    If `Account is managed: False`, set it to managed:
    `sc.exe managedaccount aadconnectprovisioningagent true`
  - Rerun the provisioning agent configuration.
- Run the wizard with a domain/enterprise admin context
Make sure the user running the installer itself has Domain Admin or Enterprise Admin rights and that UAC elevation is accepted when prompted.
If these steps are followed—ensuring correct group membership, working AD authentication from the server, proper “Log on as a service” rights, and a managed gMSA—the “Invalid credentials provided” error during provisioning agent installation is typically resolved.
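
The checks above can be collected into one read-only pass. The following PowerShell is an added example, not part of the original answer or Microsoft's tooling; it assumes an elevated session on the agent server, the RSAT ActiveDirectory module, and a hypothetical `-Account` parameter holding the sAMAccountName entered in the wizard.

```powershell
# Added example: read-only diagnostics for the checks listed above. Changes nothing.
# Assumptions: elevated session, RSAT ActiveDirectory module, -Account = sAMAccountName.
param([Parameter(Mandatory)][string]$Account)

Import-Module ActiveDirectory -ErrorAction Stop
$svc = 'aadconnectprovisioningagent'

# 1. Group membership, resolved recursively so nested groups count.
#    Enterprise Admins lives in the forest root domain, so the lookup can fail
#    from a child domain; that case is reported rather than treated as "not a member".
foreach ($group in 'Domain Admins', 'Enterprise Admins') {
    try {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        '{0,-18}: member = {1}' -f $group, ($members.SamAccountName -contains $Account)
    } catch {
        '{0,-18}: lookup failed ({1})' -f $group, $_.Exception.Message
    }
}

# 2. Can this server locate a DC and reach Kerberos, LDAP and SMB on it?
[string]$dc = (Get-ADDomainController -Discover -ErrorAction Stop).HostName |
    Select-Object -First 1
foreach ($port in 88, 389, 445) {
    $ok = Test-NetConnection -ComputerName $dc -Port $port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    'DC {0} tcp/{1}: reachable = {2}' -f $dc, $port, $ok
}

# 3. Effective "Log on as a service" right (SeServiceLogonRight).
#    S-1-5-80-0 is the well-known SID of NT SERVICE\ALL SERVICES.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' |
    Select-Object -First 1
'Log on as a service includes ALL SERVICES = {0}' -f `
    ($right.Line -match 'S-1-5-80-0\b')
Remove-Item $cfg -ErrorAction SilentlyContinue

# 4. Service Control Manager logon failures (7038 / 7041) for the agent service.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7038, 7041 } `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object Message -match 'AADConnectProvisioningAgent' |
    Select-Object -First 5 TimeCreated, Id, Message | Format-List

# 5. Is the service account flagged as managed (gMSA)? Query only.
sc.exe qmanagedaccount $svc
```

The script only reports; adding an account to Enterprise Admins or flipping the managed-account flag stays a deliberate manual step, and any temporary privileged group membership granted for the install should be removed afterwards.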