Client Certificate Renewal for the Azure AD Passthrough Authentication Agent

We recently came across an issue where the client certificate for the Azure AD Passthrough Authentication Agent wasn’t being renewed automatically. I understand that it should be renewed about 30 days out, however this hadn’t happened and we were fast approaching expiry.

A simple way to renew the certificate manually is to jump onto the server where the passthrough agent is installed and run the following PowerShell commands to re-register the agent with Azure AD. The agent status in Azure AD will momentarily change to Inactive, but will then become Active again. You'll need to run the .ps1 script from the directory where the Passthrough Agent is installed; typically this is under C:\Program Files\.

You can probably achieve the same result by uninstalling and reinstalling the agent also, but I haven’t tried that method.

PS C:\Program Files\Microsoft Azure AD Connect Authentication Agent>

# Global Administrator account used to re-register the agent with Azure AD.
$User = '<Insert Global Administrator Username Here>'
$PlainPassword = '<Insert Global Administrator Password Here>'

# Build a PSCredential from the plain-text password. (Running $cred = Get-Credential
# instead avoids leaving the password in the script or console history.)
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $SecurePassword

# Re-register the agent; this issues a fresh client certificate for the PassthroughAuthentication feature.
.\RegisterConnector.ps1 -modulePath "C:\Program Files\Microsoft Azure AD Connect Authentication Agent\Modules\" -moduleName "PassthroughAuthPSModule" -Authenticationmode Credentials -Usercredentials $cred -Feature PassthroughAuthentication
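Because the trigger for this was noticing the certificate close to expiry, it helps to have a check that flags it earlier. The following is an added example, not code from the original post or from Microsoft: it lists certificates in the local machine Personal store that have expired or expire within a window. It assumes the agent's client certificate is in Cert:\LocalMachine\My (an assumption, not something the post states) and that you supply a -SubjectFilter wildcard matching that certificate's subject on your server.

```powershell
# Added example: report certificates in the machine Personal store that are expired
# or expiring within $WithinDays. Assumptions: the agent certificate is stored in
# Cert:\LocalMachine\My and $SubjectFilter is a wildcard you choose to narrow the list.
function Get-ExpiringCertificate {
    param(
        [int]    $WithinDays    = 30,
        [string] $SubjectFilter = '*',
        [string] $StorePath     = 'Cert:\LocalMachine\My'
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like $SubjectFilter } |
        ForEach-Object {
            $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
            if ($daysLeft -lt 0)                { $status = 'EXPIRED'  }
            elseif ($daysLeft -le $WithinDays)  { $status = 'EXPIRING' }
            else                                { $status = 'OK'       }
            [pscustomobject]@{
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = $daysLeft
                Status     = $status
            }
        } |
        Where-Object { $_.Status -ne 'OK' } |
        Sort-Object NotAfter
}

# Usage: flag anything expiring in the next 30 days; narrow with -SubjectFilter
# once you know the subject of the agent certificate on your server.
$expiring = Get-ExpiringCertificate -WithinDays 30
if ($expiring) {
    $expiring | Format-Table Subject, NotAfter, DaysLeft, Status -AutoSize
    Write-Warning ("{0} certificate(s) expired or expiring within 30 days" -f @($expiring).Count)
} else {
    Write-Host 'No certificates expired or expiring within 30 days.'
}
```

Run it from a scheduled task on the agent server, or from a monitoring job, so that an un-renewed certificate is raised well before the 30-day renewal window has passed rather than discovered by hand.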

Azure Conditional Access Named Locations IPv6 Support

Named Locations in Azure Conditional Access only support locations based on IPv4 address ranges. For sign-ins coming from IPv6 addresses where you want to enforce a geo-policy, you'll need to manually add the IPv6 address ranges for the countries you wish to exclude or include as appropriate.

Whilst looking into this, a colleague of mine discovered the following resource that details the IPv6 address ranges for multiple countries. Not sure how often it is updated, but it is a good starting point to reduce any sign-in issues for those users using IPv6 addresses:

Regional Internet Registries Statistics – RIR Delegations – New Zealand (NZ) – IPv6 address delegations (imtbs-tsp.eu)

It’s quite easy to copy the table from there into a CSV file and then import the list into Azure to create a new location based on IPv6 addresses.
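Copying the table by hand works, but the same data is published by the RIRs in their delegated statistics files, which can be filtered by country and address family and written out as one CIDR per line. The following is an added example, not code from the original post: it parses records in the RIR "delegated" format (registry|cc|type|start|value|date|status, where value is the prefix length for ipv6 rows and an address count for ipv4 rows) and emits the ranges for one country. The sample records are constructed from documentation prefixes, not real delegations, and the output file name and the one-range-per-line layout are assumptions to check against the named location upload format in your portal.

```powershell
# Added example: turn RIR delegation records into a CIDR list for a Named Location.
# Format assumed (RIR delegated statistics): registry|cc|type|start|value|date|status
# Sample records are constructed for illustration only (documentation prefixes).
$SampleDelegations = @'
apnic|NZ|ipv6|2001:db8::|32|20050101|allocated
apnic|NZ|ipv6|2001:db8:1000::|48|20100101|assigned
apnic|AU|ipv6|2001:db8:2000::|32|20050101|allocated
apnic|NZ|ipv4|203.0.113.0|256|20000101|allocated
apnic|NZ|ipv4|198.51.100.0|1024|20000101|allocated
apnic|NZ|asn|64496|1|20000101|allocated
'@

function ConvertTo-CidrList {
    param(
        [Parameter(Mandatory)] [string[]] $Records,
        [Parameter(Mandatory)] [string]   $CountryCode,
        [ValidateSet('ipv4', 'ipv6')] [string] $AddressFamily = 'ipv6'
    )
    foreach ($line in $Records) {
        # Skip blank lines, comments and the summary/version header rows.
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line.Split('|')
        if ($f.Count -lt 5) { continue }
        if ($f[1] -ne $CountryCode -or $f[2] -ne $AddressFamily) { continue }

        # Reject anything that is not a parseable address before it reaches the policy.
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($f[3], [ref]$parsed)) {
            Write-Warning "Skipping unparseable start address: $($f[3])"
            continue
        }

        if ($AddressFamily -eq 'ipv6') {
            # IPv6 rows carry the prefix length directly.
            '{0}/{1}' -f $f[3], $f[4]
        } else {
            # IPv4 rows carry an address count. Allocations are normally powers of
            # two, so prefix length = 32 - log2(count); skip anything that is not.
            $count = [int64]$f[4]
            if ($count -le 0 -or ($count -band ($count - 1)) -ne 0) {
                Write-Warning "Skipping non-CIDR block $($f[3]) ($count addresses)"
                continue
            }
            $bits = 0; $n = $count
            while ($n -gt 1) { $n = $n -shr 1; $bits++ }
            '{0}/{1}' -f $f[3], (32 - $bits)
        }
    }
}

# Usage: NZ IPv6 ranges, one per line, ready to upload as a named location.
$records = $SampleDelegations -split "`r?`n"
$cidrs   = ConvertTo-CidrList -Records $records -CountryCode 'NZ' -AddressFamily 'ipv6'
$cidrs | Set-Content -Path '.\nz-ipv6-ranges.txt'   # assumed output file name
$cidrs   # 2001:db8::/32 and 2001:db8:1000::/48 for the sample above
```

Pointing -Records at the current delegated-extended file from the relevant RIR (via Get-Content) gives the live list; re-running it on a schedule and diffing the output against the ranges already in the named location is the easiest way to keep up with new IPv6 allocations, which is the gap the post notes about how often the linked resource is updated.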