The Azure AD Connect synchronization service has not been working for more than a week. When we run a manual AD sync with PowerShell, it shows errors. Why is this happening, and why did it start after implementing Azure AD Multi-Factor Authentication (MFA)? Most importantly, what is the solution to Azure AD Connect synchronization failing?
Table of contents
- Check Azure AD Connect synchronization
- Solution for AD Connect synchronization failing
- Verify your work
Check Azure AD Connect synchronization
Let’s have a look at how to verify that Azure AD Connect is not working.
Synchronization Service Manager
Sign in to the machine on which Azure AD Connect is installed and configured. Start the application Synchronization Service Manager. Look at the start and end times. In the below screenshot, the start time and end time are 4/11/2021. Today is 4/19/2021. It’s been more than a week since Azure AD Connect last synced.
Microsoft 365 admin center
Sign in to Microsoft 365 admin center. We can confirm that the Azure AD Connect last sync status was more than three days ago, and there is no recent password synchronization happening.
Force sync Azure AD Connect
Run Windows PowerShell as administrator. Force a sync of Azure AD Connect with PowerShell. It will show the below error.
PS C:\> Import-Module ADSync
PS C:\> Start-ADSyncSyncCycle -PolicyType Delta
Start-ADSyncSyncCycle : System.Management.Automation.CmdletInvocationException: System.InvalidOperationException: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.
The below screen shows how it looks after running the AD Sync command.
Event Viewer application events
Start Event Viewer. Go to Windows Logs > Application. The following Error events show up:
- Event 662, Directory Synchronization
- Event 6900, ADSync
- Event 655, Directory Synchronization
- Event ID 906, Directory Synchronization
Click on Event ID 906.
Event 906, Directory Synchronization
GetSecurityToken: unable to retrieve a security token for the provisioning web service (AWS). The ADSync service is not allowed to interact with the desktop to authenticate Sync_DC01email@example.com. This error may occur if multifactor or other interactive authentication policies are accidentally enabled for the synchronization account.
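The manual checks above (scheduler state, Application log events 655/662/906, and the delta sync) can be collected in one script. The script below is an added example, not part of the original article; it assumes an elevated PowerShell session on the Azure AD Connect server and pulls the blocked account name out of the Event 906 message text.

```powershell
# Added diagnostic script (not from the original article). Run in an elevated
# PowerShell session on the Azure AD Connect server.
Import-Module ADSync

# Scheduler state: is the sync cycle enabled, suspended, or in staging mode?
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, SchedulerSuspended, StagingModeEnabled, NextSyncCycleStartTimeInUTC

# Look back 14 days for the Directory Synchronization error events shown in the
# article. Event 906 names the sync account that is being blocked.
$since  = (Get-Date).AddDays(-14)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Level        = 2            # Error
    Id           = 655, 662, 906
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Directory Synchronization error events since $since."
} else {
    $events | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize

    $e906 = $events | Where-Object Id -eq 906 | Sort-Object TimeCreated -Descending | Select-Object -First 1
    # Message reads "... to authenticate <account>. This error may occur ..."
    if ($e906 -and $e906.Message -match 'to authenticate\s+(\S+?)\.\s') {
        $syncAccount = $Matches[1]
        Write-Warning "Event 906 at $($e906.TimeCreated): an interactive auth policy (MFA) is blocking '$syncAccount'."
        Write-Warning 'Exclude this account from the Conditional Access policy that enforces MFA, then re-run the sync.'
    }
}

# Try a delta sync. A CmdletInvocationException mentioning UserInteractive mode is
# the symptom from the article: the service tried to show an MFA prompt.
try {
    Start-ADSyncSyncCycle -PolicyType Delta -ErrorAction Stop
    Write-Host 'Delta sync cycle started.'
} catch {
    if ($_.Exception.Message -match 'UserInteractive') {
        Write-Error 'Sync cycle refused: the sync account is still subject to interactive authentication. Fix the Conditional Access exclusion first.'
    } else {
        throw
    }
}
```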
Solution for AD Connect synchronization failing
The solution for AD Connect synchronization breaking after implementing Azure AD MFA is to exclude the Azure AD Connect Sync Account from Azure AD MFA.
Service accounts, such as the Azure AD Connect Sync Account, are non-interactive accounts that are not tied to any particular user. They are usually used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can’t be completed programmatically.
Find Azure AD synchronization account
In the event log error, which we looked at in the previous step, you can copy the account you need to exclude from Azure MFA.
If you want to check the account in Synchronization Service Manager, click on Connectors. Click the type Windows Azure Active Directory (Microsoft). Click Properties.
Click Connectivity and find the UserName.
Exclude MFA for Azure AD Connect Sync Account
Sign in to Microsoft Azure. Open the menu and browse to Azure Active Directory > Security > Conditional Access. Edit the Conditional Access policy that’s enforcing MFA for the user accounts. In this example, it’s the policy MFA all users.
Under Assignments, click Users and groups and select Exclude. Check the checkbox Users and groups. Find the synchronization account that you copied in the previous step. Ensure that the policy is On and click on Save.
Verify your work
You can wait for a maximum of 30 minutes, or if you don’t want to wait that long, force sync Azure AD Connect with PowerShell.
PS C:\> Import-Module ADSync
PS C:\> Start-ADSyncSyncCycle -PolicyType Delta
The start time and end time changed to 4/19/2021.
Green checks in Microsoft 365 admin center for Azure AD Connect.
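Besides the screenshots, the exclusion can be verified from the tenant side. The script below is an added example, not part of the original article; it uses the Microsoft Graph PowerShell SDK (which the article does not use) and assumes you have the Policy.Read.All, User.Read.All and GroupMember.Read.All permissions. It reports whether the sync account is still in scope of the MFA policy, whether it is excluded directly, and whether it is excluded through a group it belongs to.

```powershell
# Added verification script (not from the original article). Assumes the
# Microsoft.Graph PowerShell SDK is installed. Replace the two values below.
$syncAccountUpn = 'Sync_DC01email@example.com'   # value from Event 906 or the connector UserName
$policyName     = 'MFA all users'                # the Conditional Access policy edited above

Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'GroupMember.Read.All'

$user = Get-MgUser -Filter "userPrincipalName eq '$syncAccountUpn'" -Property Id, UserPrincipalName
if (-not $user) { throw "Sync account '$syncAccountUpn' not found in the tenant." }

$policy = Get-MgIdentityConditionalAccessPolicy -All | Where-Object DisplayName -eq $policyName
if (-not $policy) { throw "Conditional Access policy '$policyName' not found." }

$scope = $policy.Conditions.Users
# Group memberships of the sync account, so a group-based exclusion counts too.
$memberOf = @((Get-MgUserMemberOf -UserId $user.Id -All).Id)

$excludedDirectly = $scope.ExcludeUsers -contains $user.Id
$excludedViaGroup = @($scope.ExcludeGroups | Where-Object { $memberOf -contains $_ }).Count -gt 0
$inScope = ($scope.IncludeUsers -contains 'All') -or
           ($scope.IncludeUsers -contains $user.Id) -or
           (@($scope.IncludeGroups | Where-Object { $memberOf -contains $_ }).Count -gt 0)

[pscustomobject]@{
    Policy            = $policy.DisplayName
    State             = $policy.State          # expected: enabled
    SyncAccount       = $user.UserPrincipalName
    InPolicyScope     = $inScope
    ExcludedDirectly  = $excludedDirectly
    ExcludedViaGroup  = $excludedViaGroup
    StillSubjectToMfa = $inScope -and -not ($excludedDirectly -or $excludedViaGroup)
} | Format-List
```

StillSubjectToMfa should be False after the exclusion; if it is True while State is enabled, the next sync cycle will fail with the same Event 906.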
Did this help you to fix the broken Azure AD Connect synchronization after configuring Conditional Access MFA?
In this article, you learned why the Azure AD Connect synchronization service stopped syncing after implementing Azure AD Multi-Factor Authentication. It’s happening because MFA is enforced on the Azure AD Connect Sync Account. Exclude the Azure AD Connect Sync Account from the Azure Conditional Access policy, and it will start syncing again.
A better way is to create a security group with the name Non-MFA and add the Azure AD Connect Sync Account as a member. This way, you will keep it organized if you need to add other service accounts in the future.