
Conditional Access MFA breaks Azure AD Connect synchronization

The Azure AD Connect synchronization service hasn’t been working for over a week. When we run a manual AD sync with PowerShell, it shows errors. Why is this happening, and why did it start after implementing Azure AD Multi-Factor Authentication (MFA)? Most importantly, what is the solution to Azure AD Connect synchronization failing?

Check Azure AD Connect synchronization

Let’s look at how to verify that Azure AD Connect is not working.

Synchronization Service Manager

Sign in to the Azure AD Connect server and start the Synchronization Service Manager application. Look at the start and end times of the most recent runs.

In the screenshot below, the start time and end time are 4/11/2021. Today is 4/19/2021, so it has been more than a week since Azure AD Connect last synced.

[Screenshot: Synchronization Service Manager, before the fix]

Microsoft 365 admin center

Sign in to the Microsoft 365 admin center and check the User management card.

It confirms that the last Azure AD Connect sync was more than three days ago, and that no recent password synchronization has happened.

[Screenshot: Microsoft 365 admin center, not syncing]

Azure AD Connect synchronization error

Run Windows PowerShell as administrator and force an Azure AD Connect sync with PowerShell. It shows the error below.

PS C:\> Import-Module ADSync
PS C:\> Start-ADSyncSyncCycle -PolicyType Delta
Start-ADSyncSyncCycle : System.Management.Automation.CmdletInvocationException: System.InvalidOperationException: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.

The screen below shows how it looks after running the AD sync command.

[Screenshot: PowerShell errors after Start-ADSyncSyncCycle]

Event Viewer application events

Start Event Viewer and go to Windows Logs > Application. The following Error events show up:

  • Event ID 662, Directory Synchronization
  • Event ID 6900, ADSync
  • Event ID 655, Directory Synchronization
  • Event ID 906, Directory Synchronization

Click on Event ID 906.

[Screenshot: Event Viewer errors]

Event 906, Directory Synchronization
GetSecurityToken: unable to retrieve a security token for the provisioning web service (AWS). The ADSync service is not allowed to interact with the desktop to authenticate Sync_DC01-2016_588c77bd8651@exoip365.onmicrosoft.com. This error may occur if multifactor or other interactive authentication policies are accidentally enabled for the synchronization account.
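The checks above (scheduler state, the four Application log events, and the account named in Event 906) can be collected in one go from the ADSync module and Get-WinEvent. The script below is an added example and not part of the original article or of Microsoft's tooling; the function names and the regular expression that pulls the UPN out of the Event 906 message are my own, and the sample message is the one quoted from the article above so the parser can be exercised without a broken server.

```powershell
# Added example (not from the original article). Run in an elevated
# PowerShell session on the Azure AD Connect server.
Import-Module ADSync

# The Directory Synchronization / ADSync error events named in the article.
$eventIds = 662, 655, 906, 6900

function Get-SyncAccountFromMessage {
    # Extract the synchronization account UPN from an Event 906 message.
    # Pattern is an assumption based on the message text shown in the article.
    param([Parameter(Mandatory)][string]$Message)
    if ($Message -match 'authenticate\s+(\S+@\S+?)\.(\s|$)') { return $Matches[1] }
    return $null
}

function Get-AADConnectSyncHealth {
    # Summarize scheduler state and recent error events in one object.
    param([int]$Days = 7)

    $scheduler = Get-ADSyncScheduler
    $since     = (Get-Date).AddDays(-$Days)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Level     = 2            # Error
        Id        = $eventIds
        StartTime = $since
    } -ErrorAction SilentlyContinue

    # Newest Event 906 tells us which account is being blocked by an interactive policy.
    $event906    = $events | Where-Object Id -eq 906 | Select-Object -First 1
    $syncAccount = if ($event906) { Get-SyncAccountFromMessage $event906.Message } else { $null }

    [pscustomobject]@{
        SyncCycleEnabled      = $scheduler.SyncCycleEnabled
        SchedulerSuspended    = $scheduler.SchedulerSuspended
        NextSyncCycleStartUtc = $scheduler.NextSyncCycleStartTimeInUTC
        ErrorEventsLastDays   = @($events).Count
        # Non-null means Event 906 fired: MFA or another interactive policy hits the sync account.
        MfaBlockedSyncAccount = $syncAccount
    }
}

# Offline check of the parser with the Event 906 text quoted in the article.
$sampleMessage = 'GetSecurityToken: unable to retrieve a security token for the provisioning web service (AWS). ' +
    'The ADSync service is not allowed to interact with the desktop to authenticate ' +
    'Sync_DC01-2016_588c77bd8651@exoip365.onmicrosoft.com. This error may occur if multifactor ' +
    'or other interactive authentication policies are accidentally enabled for the synchronization account.'
Get-SyncAccountFromMessage $sampleMessage   # returns the UPN captured from the message

Get-AADConnectSyncHealth | Format-List
```

The returned account is the one to exclude in the next step; keeping the extraction in a function means the same value can be fed straight into a Conditional Access check instead of being copied by hand from Event Viewer.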

Solution for AD Connect synchronization failing

The solution for AD Connect synchronization breaking after implementing Azure AD MFA is to exclude the Azure AD Connect Sync Account from Azure AD MFA.

Service accounts, such as the Azure AD Connect Sync Account, are non-interactive accounts that are not tied to any particular user. They are usually used by back-end services for programmatic access to applications, but are also used to sign in to systems for administrative purposes. Such service accounts should be excluded because an MFA prompt can’t be completed programmatically. Since the exclusion removes a control, scope it as narrowly as possible: the sync account itself, not a broad group.

Find Azure AD synchronization account

The event log error from the previous step names the account you need to exclude from Azure MFA; copy it from there.

If you want to check the account in Synchronization Service Manager, click on Connectors. Click the type Windows Azure Active Directory (Microsoft). Click Properties.

[Screenshot: Synchronization Service Manager, Connectors]

Click Connectivity and find the UserName.

[Screenshot: Connector properties, Azure AD Connect Sync Account]

Read more: Find Azure AD Connect accounts »

Exclude MFA for Azure AD Connect Sync Account

Sign in to Microsoft Azure. Open the menu and browse to Azure Active Directory > Security > Conditional Access. Edit the Conditional Access policy that’s enforcing MFA for the user accounts.

In this example, it’s the policy MFA all users.

Read more: Configure Azure AD Multi-Factor Authentication »

[Screenshot: Conditional Access policy]

Under Assignments, click Users and groups and select Exclude. Check the checkbox Users and groups. Find the synchronization account that you copied in the previous step. Ensure that the policy is On and click on Save.

[Screenshot: Conditional Access policy, exclude user]

Verify Azure AD Connect sync status

You can wait up to 30 minutes for the next scheduled sync cycle, or, if you don’t want to wait that long, force an Azure AD Connect sync with PowerShell.

PS C:\> Import-Module ADSync
PS C:\> Start-ADSyncSyncCycle -PolicyType Delta

The start time and end time have changed to 4/19/2021.

[Screenshot: Synchronization Service Manager, after the fix]

The Microsoft 365 admin center now shows green checks for Azure AD Connect sync.

[Screenshot: Microsoft 365 admin center, syncing]

Did this help you to fix the broken Azure AD Connect synchronization after configuring Conditional Access MFA?

Keep reading: Add users to group with PowerShell »

Conclusion

You learned why the Azure AD Connect synchronization service stopped syncing after implementing Azure AD Multi-Factor Authentication. It’s happening because MFA is enforced on the Azure AD Connect Sync Account. Exclude the Azure AD Connect Sync Account from the Azure AD Conditional Access policy, and it will start syncing again.

A better way is to create a security group named Non-MFA and add the Azure AD Connect Sync Account as a member. This way, you will keep it organized if you need to add other service accounts in the future.
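With several Conditional Access policies it is easy to add the exclusion to one policy and miss another, or to overlook a policy that targets the sync account through the built-in Directory Synchronization Accounts role rather than by user. The script below is an added example, not code from the article or from Microsoft: it uses the Microsoft Graph PowerShell SDK to list every enabled MFA policy that would apply to a sync account without an exclusion covering it, whether the exclusion is the user itself or a group such as the Non-MFA group recommended above. The function name is mine, and the scopes are assumed to be sufficient for reading policies and role membership.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph
# PowerShell SDK. Scopes are an assumption: adjust if your tenant needs more.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All'

# Members of the built-in "Directory Synchronization Accounts" role are the
# Azure AD Connect sync accounts (Sync_<server>_<id>@<tenant>.onmicrosoft.com).
$role = Get-MgDirectoryRole -All | Where-Object DisplayName -eq 'Directory Synchronization Accounts'
$syncAccounts = @()
if ($role) {
    $syncAccounts = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        [pscustomobject]@{ Id = $_.Id; Upn = $_.AdditionalProperties['userPrincipalName'] }
    }
}

# Enabled policies whose grant control requires MFA.
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa'
}

function Get-MfaPolicyGapsForSyncAccounts {
    # One row per (sync account, policy) where the policy targets the account
    # and no user, group or role exclusion covers it.
    param(
        [Parameter(Mandatory)] $SyncAccounts,   # objects with Id and Upn
        [Parameter(Mandatory)] $Policies,
        [string] $RoleTemplateId                # template id of the sync accounts role
    )
    foreach ($acct in $SyncAccounts) {
        # Direct group memberships, so a Non-MFA group exclusion is honoured.
        $groupIds = @((Get-MgUserMemberOf -UserId $acct.Id -All).Id)
        foreach ($p in $Policies) {
            $u = $p.Conditions.Users
            $targeted = ($u.IncludeUsers -contains 'All') -or
                        ($u.IncludeUsers -contains $acct.Id) -or
                        ($RoleTemplateId -and ($u.IncludeRoles -contains $RoleTemplateId)) -or
                        (@($u.IncludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)
            $excluded = ($u.ExcludeUsers -contains $acct.Id) -or
                        ($RoleTemplateId -and ($u.ExcludeRoles -contains $RoleTemplateId)) -or
                        (@($u.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)
            if ($targeted -and -not $excluded) {
                [pscustomobject]@{
                    SyncAccount = $acct.Upn
                    Policy      = $p.DisplayName
                    PolicyId    = $p.Id
                }
            }
        }
    }
}

$roleTemplateId = if ($role) { $role.RoleTemplateId } else { '' }
Get-MfaPolicyGapsForSyncAccounts -SyncAccounts $syncAccounts -Policies $mfaPolicies -RoleTemplateId $roleTemplateId |
    Format-Table -AutoSize
```

An empty result means every enabled MFA policy that reaches a sync account also excludes it. A row naming an "all admins" style policy usually means the policy includes the Directory Synchronization Accounts role, which is the situation one of the commenters below describes; the fix is then to remove that role from the policy's included roles or to add the account (or its group) to the exclusions. Because the check only looks at direct group membership, put the sync account straight into the excluded group rather than relying on nested groups.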

Did you enjoy this article? You may also like How to Connect to Azure AD with PowerShell. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started in Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 12 Comments

  1. Really a great article. It killed a day struggling to get rid of the issue; finally your article helped me fix it. Thanks a lot, Ali 🙂

  2. Do you know if excluding the account takes any time to be reflected? we had several MFA policies and one of them was missing the exclusion (even though I had a security group with the account added as excluded in all the policies). I changed the password before and is not letting me update it on the Synchronization Service Manager because it keeps telling me I need to enroll that account to MFA. I’m not sure how to proceed, I’m pretty sure this is the thing that’s causing the issue in our case.

  3. To tighten up the security further you can create a policy specifically for this account and set the action to block but exclude your known IP ranges as it should only be ever used from those locations.

  4. I have 2 MFA rules. One which requires MFA from all admins (not using groups), and the other one which requires MFA from users in a group.
    Can you explain perhaps why I have to exclude the AD Connect sync account from the rule which requires MFA from admins? The account has no admin roles whatsoever; I’m just lost as to why it’s being impacted by that rule.

    1. I’ve encountered the same issue. It’s the AAD Built-in directory role “Directory synchronization accounts”. Just uncheck this role in your Conditional Access Policy which requires MFA for all admins.

  5. Awesome. Many thanks for this.

    Had me scratching my head after setting up an Azure lab with a single 2016 DC VM and MFA enabled.

    Interestingly, I have had the MFA policy in place for a while, but only noticed this issue after updating to AAD Connect v2 on my DC which does away with EDAL completely and uses MSAL instead.

    Not sure if the two are connected, but either way, many thanks for the fix.

  6. This happened to me and caused chaos. My IT support provider assured me that my creation of the CA policy was coincidental as to why my DC had stopped syncing with Azure. I then searched Google, found this article and it relates EXACTLY to my situation. I have since applied the correct account for ‘exclusion’ and whilst I’ve not yet tested it, I’m quite confident it will resolve the issue and allow MFA to be set domain-wide. I get fed up with fixing most of the issues I raise tickets to our support provider for. Thanks for the article.
