
Conditional Access MFA breaks Azure AD Connect synchronization

The Azure AD Connect synchronization service hasn’t been working for more than a week. When we run a manual AD sync with PowerShell, it shows errors. Why is this happening, and why did it start after implementing Azure AD Multi-Factor Authentication (MFA)? Most importantly, what is the solution to Azure AD Connect synchronization failing?

Check Azure AD Connect synchronization

Let’s have a look at how to verify that Azure AD Connect is not working.

Synchronization Service Manager

Sign in to the server where Azure AD Connect is installed and configured. Start the application Synchronization Service Manager. Look at the start and end times. In the below screenshot, the start time and end time are 4/11/2021. Today is 4/19/2021. It’s been more than a week since Azure AD Connect last synced.

[Screenshot: Synchronization Service Manager before the fix]

Microsoft 365 admin center

Sign in to the Microsoft 365 admin center. It confirms that the last Azure AD Connect sync was more than three days ago, and that no recent password synchronization is happening.

[Screenshot: Microsoft 365 admin center, Azure AD Connect not syncing]

Force sync Azure AD Connect

Run Windows PowerShell as administrator and force an Azure AD Connect sync. It will show the below error.

PS C:\> Import-Module ADSync
PS C:\> Start-ADSyncSyncCycle -PolicyType Delta
Start-ADSyncSyncCycle : System.Management.Automation.CmdletInvocationException: System.InvalidOperationException: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.

The below screen shows how it looks after running the AD Sync command.

[Screenshot: Start-ADSyncSyncCycle errors in PowerShell]

Event Viewer application events

Start Event Viewer. Go to Windows Logs > Application. The following Error events show up:

  • Event 662, Directory Synchronization
  • Event 6900, ADSync
  • Event 655, Directory Synchronization
  • Event 906, Directory Synchronization

Click on Event ID 906.

[Screenshot: Event Viewer, Application log errors]

Event 906, Directory Synchronization
GetSecurityToken: unable to retrieve a security token for the provisioning web service (AWS). The ADSync service is not allowed to interact with the desktop to authenticate Sync_DC01-2016_588c77bd8651@exoip365.onmicrosoft.com. This error may occur if multifactor or other interactive authentication policies are accidentally enabled for the synchronization account.

Solution for AD Connect synchronization failing

The solution for AD Connect synchronization breaking after implementing Azure AD MFA is to exclude the Azure AD Connect Sync Account from Azure AD MFA.

Service accounts, such as the Azure AD Connect Sync Account, are non-interactive accounts that are not tied to any particular user. They are usually used by back-end services to get programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these must be excluded from the policy because an MFA prompt can’t be completed programmatically.

Find Azure AD synchronization account

In the event log error, which we looked at in the previous step, you can copy the account you need to exclude from Azure MFA.

If you want to check the account in Synchronization Service Manager, click on Connectors. Select the connector of type Windows Azure Active Directory (Microsoft) and click Properties.

[Screenshot: Synchronization Service Manager, Connectors]

Click Connectivity and find the UserName.

[Screenshot: Connector Connectivity page showing the Azure AD Connect Sync Account]

Exclude MFA for Azure AD Connect Sync Account

Sign in to Microsoft Azure. Open the menu and browse to Azure Active Directory > Security > Conditional Access. Edit the Conditional Access policy that’s enforcing MFA for the user accounts. In this example, it’s the policy MFA all users.

Read more: Configure Azure AD Multi-Factor Authentication »

[Screenshot: Conditional Access policy list]

Under Assignments, click Users and groups and select Exclude. Check the checkbox Users and groups. Find the synchronization account that you copied in the previous step. Ensure that the policy is On and click on Save.

[Screenshot: Conditional Access policy, excluded user]

Verify your work

You can wait for a maximum of 30 minutes, or if you don’t want to wait that long, force sync Azure AD Connect with PowerShell.

PS C:\> Import-Module ADSync
PS C:\> Start-ADSyncSyncCycle -PolicyType Delta

The start time and end time changed to 4/19/2021.

[Screenshot: Synchronization Service Manager after the fix]

The Microsoft 365 admin center shows green checks for Azure AD Connect.

[Screenshot: Microsoft 365 admin center, Azure AD Connect syncing]
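The troubleshooting steps above, run as one read-only check script, as an added example that is not part of the original article: it pulls the sync account out of Event 906 and then asks Microsoft Graph whether that account is excluded from the MFA policy, directly or through a group. It assumes the Microsoft Graph PowerShell SDK is installed and takes the article’s policy name MFA all users as a default that you will likely need to change.

```powershell
# Added example, not code from the original article: find the Azure AD Connect sync account
# named in Event 906 and check (read-only) whether it is excluded from the MFA policy.
# Assumes the Microsoft Graph PowerShell SDK is installed; 'MFA all users' is the policy name
# used in the article and is an assumption for your tenant.
param([string]$PolicyName = 'MFA all users')

Import-Module ADSync

# 1. Confirm the scheduler is supposed to be syncing at all.
if (-not (Get-ADSyncScheduler).SyncCycleEnabled) {
    Write-Warning 'Sync cycle is disabled on the scheduler; that is a different problem than MFA.'
}

# 2. Look for Event 906 (GetSecurityToken failure) from the last 7 days.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Directory Synchronization'; Id = 906; StartTime = $since
} -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No Event 906 since $since."; return }

# 3. Pull the sync account UPN out of the newest event. The message continues with
#    '. This error may occur...', so the UPN ends at the first '. '.
$match = [regex]::Match($events[0].Message, 'to authenticate (\S+?)\.\s')
if (-not $match.Success) { throw 'Could not parse the sync account from Event 906.' }
$syncUpn = $match.Groups[1].Value
Write-Host "Sync account from Event 906: $syncUpn"

# 4. Read-only check of the Conditional Access policy via Microsoft Graph.
Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'GroupMember.Read.All' -NoWelcome
$user   = Get-MgUser -Filter "userPrincipalName eq '$syncUpn'"
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyName'"
if (-not $user -or -not $policy) { throw "Sync account or policy '$PolicyName' not found." }

# Excluded directly, or through a group such as the Non-MFA group suggested in the conclusion.
$excludedDirectly = $user.Id -in $policy.Conditions.Users.ExcludeUsers
$groupIds         = @(Get-MgUserMemberOf -UserId $user.Id).Id
$excludedViaGroup = @($policy.Conditions.Users.ExcludeGroups | Where-Object { $_ -in $groupIds }).Count -gt 0

if ($excludedDirectly -or $excludedViaGroup) {
    Write-Host "$syncUpn is excluded from '$PolicyName'. Run Start-ADSyncSyncCycle -PolicyType Delta to confirm."
} else {
    Write-Warning "$syncUpn is still in scope of '$PolicyName'. Exclude it (or its Non-MFA group), then sync again."
}
```

Run it on the Azure AD Connect server; it changes nothing in the tenant, so it is safe to run before and after editing the policy.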

Did this help you to fix the broken Azure AD Connect synchronization after configuring Conditional Access MFA?

Keep reading: Add users to group with PowerShell »

Conclusion

In this article, you learned why the Azure AD Connect synchronization service stopped syncing after implementing Azure AD Multi-Factor Authentication. It’s happening because MFA is enforced on the Azure AD Connect Sync Account. Exclude the Azure AD Connect Sync Account from the Azure Conditional Access policy, and it will start syncing again.

A better way is to create a security group with the name Non-MFA and add the Azure AD Connect Sync Account as a member. This way, you will keep it organized if you need to add other service accounts in the future.

Did you enjoy this article? You may also like Connect to Azure AD with PowerShell. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 4 Comments

  1. Awesome. Many thanks for this.

    Had me scratching my head after setting up an Azure lab with a single 2016 DC VM and MFA enabled.

    Interestingly, I have had the MFA policy in place for a while, but only noticed this issue after updating to AAD Connect v2 on my DC, which does away with ADAL completely and uses MSAL instead.

    Not sure if the two are connected, but either way, many thanks for the fix.

  2. This happened to me and caused chaos. My IT support provider assured me that my creation of the CA policy was coincidental as to why my DC had stopped syncing with Azure. I then searched Google, found this article and it relates EXACTLY to my situation. I have since applied the correct account for ‘exclusion’ and whilst I’ve not yet tested it, I’m quite confident it will resolve the issue and allow MFA to be set domain-wide. I get fed up of fixing most of the issues I raise tickets to our support provider for. Thanks for the article.
