You may see this error (No connection could be made because the target machine actively refused it. (login.microsoftonline.com:443))  when trying to add an an Entra ID Directory to your PowerSyncPro Server configuration:

You would see this screenshot when saving your directory:

and in the C:\PowerSyncProLogs directory in the file that is PSP-YYYYMMDD.txt something like:

ERROR 2025-10-26 20:47:54,716 [er #3] A.c3646c4a75d486a06138c57d6f1ac0b16      - Unhandled exception
System.AggregateException: One or more errors occurred. (ClientSecretCredential authentication failed: Retry failed after 4 tries. Retry settings can be adjusted in ClientOptions.Retry or by configuring a custom retry policy in ClientOptions.RetryPolicy. (No connection could be made because the target machine actively refused it. (login.microsoftonline.com:443)) (No connection could be made because the target machine actively refused it. (login.microsoftonline.com:443)) (No connection could be made because the target machine actively refused it. (login.microsoftonline.com:443)) (No connection could be made because the target machine actively refused it. (login.microsoftonline.com:443)))
---> Azure.Identity.AuthenticationFailedException: ClientSecretCredential authentication failed: Retry failed after 4 tries. Retry settings can be adjusted in ClientOptions.Retry or by configuring a custom retry policy in ClientOptions.RetryPolicy. (No connection could be made because the target machine actively refused it. (login.microsoftonline.com:443)) (No connection could be made because the target machine actively refused it. (login.microsoftonline.com:443)) (No connection could be made because the target machine actively refused it. (login.microsoftonline.com:443)) (No connection could be made because the target machine actively refused it. (login.microsoftonline.com:443))
---> System.AggregateException: Retry failed after 4 tries. Retry settings can be adjusted in ClientOptions.Retry or by configuring a custom retry policy in ClientOptions.RetryPolicy. (No connection could be made because the target machine actively refused it. (login.microsoftonline.com:443)) (No connection could be made because the target machine actively refused it. (login.microsoftonline.com:443)) (No connection could be made because the target machine actively refused it. (login.microsoftonline.com:443)) (No connection could be made because the target machine actively refused it. (login.microsoftonline.com:443))
---> Azure.RequestFailedException: No connection could be made because the target machine actively refused it. (login.microsoftonline.com:443)
---> System.Net.Http.HttpRequestException: No connection could be made because the target machine actively refused it. (login.microsoftonline.com:443)
---> System.Net.Sockets.SocketException (10061): No connection could be made because the target machine actively refused it.
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.ThrowException(SocketError error, CancellationToken cancellationToken)
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.System.Threading.Tasks.Sources.IValueTaskSource.GetResult(Int16 token)
   at System.Net.Sockets.Socket.<ConnectAsync>g__WaitForConnectWithCancellation|285_0(AwaitableSocketAsyncEventArgs saea, ValueTask connectTask, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectToTcpHostAsync(String host, Int32 port, HttpRequestMessage initialRequest, Boolean async, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---

However, you may be able to log in successfully to https://login.microsoftonline.com so you might be confused.

In this particular case to access the Internet on this server you must go via a reverse proxy.  These could be seen in the Control Panel Internet Options, which worked fine for the logged in user, however the PowerSyncPro Service was not running as the logged in user but rather a service account.  A local service account in this instance.

To resolve this we ran the PowerSyncPro service as the logged in users and then in the background worked with the clients Server Admin and Network teams to ensure that the service account being used to run the service was able to reach all of the Microsoft 3565 and Entra endpoints.

*** NOTE *** 

However, IF you create Directories and Certificates and some other configurations, and then change the service account that will run PowerSyncPro you will run into encryption issues in the SQL Tables and you will almost certainly need to unpick some of your configuration.  It would be advisable to resolve the underlying connectivity issue first before proceeding too far.