Conditional Access MFA breaks Azure AD Connect synchronization
Azure AD Connect synchronization service hasn’t been working for over a week. When we run manual AD sync with PowerShell, it shows errors. Why is this happening, and why did this occur after implementing Azure AD Multi-Factor Authentication (MFA)? Most importantly, what is the solution to Azure AD Connect synchronization failing?
Check Azure AD Connect synchronization
Let’s look at how to verify that Azure AD Connect is not working.
Synchronization Service Manager
Sign in on the Azure AD Connect server. Start the application Synchronization Service Manager. Look at the start and end times.
In the below screenshot, the start time and end time are 4/11/2021. Today is 4/19/2021. It’s been more than a week since Azure AD Connect last synced.
Microsoft 365 admin center
Sign in to Microsoft 365 admin center. Check the User management card.
We can confirm that the Azure AD Connect last sync status was more than three days ago, and there is no recent password synchronization happening.
Azure AD Connect synchronization error
Run Windows PowerShell as administrator and force an Azure AD Connect sync with PowerShell. It shows the below error.
PS C:\> Import-Module ADSync
PS C:\> Start-ADSyncSyncCycle -PolicyType Delta
Start-ADSyncSyncCycle : System.Management.Automation.CmdletInvocationException: System.InvalidOperationException: Showing a modal dialog box or form when the application is
not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service
application.
The below screen shows how it looks after running the AD Sync command.
Event Viewer application events
Start Event Viewer. Go to Windows Logs > Application. The following Error events show up:
- Event 662, Directory Synchronization
- Event 6900, ADSync
- Event 655, Directory Synchronization
- Event 906, Directory Synchronization
Click on Event ID 906.
Event 906, Directory Synchronization
GetSecurityToken: unable to retrieve a security token for the provisioning web service (AWS). The ADSync service is not allowed to interact with the desktop to authenticate Sync_DC01-2016_588c77bd8651@exoip365.onmicrosoft.com. This error may occur if multifactor or other interactive authentication policies are accidentally enabled for the synchronization account.
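The checks above can be scripted on the Azure AD Connect server so that the failure and the affected account are picked up without clicking through the consoles. This is an added example, not code from the original article; it assumes the Azure AD connector is the Extensible2 connector type and that Event 906 is logged under the source Directory Synchronization as shown above.

```powershell
# Run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync

# 1. Scheduler state: a disabled or suspended cycle is a different problem than MFA.
$s = Get-ADSyncScheduler
[pscustomobject]@{
    SyncCycleEnabled    = $s.SyncCycleEnabled
    SyncCycleInProgress = $s.SyncCycleInProgress
    SchedulerSuspended  = $s.SchedulerSuspended
    NextSyncCycleUtc    = $s.NextSyncCycleStartTimeInUTC
    StagingMode         = $s.StagingModeEnabled
} | Format-List

# 2. Event 906 from source "Directory Synchronization" names the account that cannot
#    authenticate; pull the UPN out of the message text with a regex.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Id           = 906
    StartTime    = (Get-Date).AddDays(-14)
} -ErrorAction SilentlyContinue

$accounts = foreach ($e in $events) {
    if ($e.Message -match 'authenticate (\S+@\S+\.onmicrosoft\.com)') {
        [pscustomobject]@{ TimeCreated = $e.TimeCreated; SyncAccount = $Matches[1] }
    }
}
if ($accounts) {
    $accounts | Sort-Object TimeCreated -Descending | Select-Object -First 5
} else {
    Write-Host 'No Event 906 in the last 14 days; look at the other ADSync errors first.'
}

# 3. Cross-check against the UserName stored on the Azure AD connector
#    (assumed connector type Extensible2; confirm under Connectors in
#    Synchronization Service Manager if nothing is listed).
Get-ADSyncConnector |
    Where-Object ConnectorTypeName -eq 'Extensible2' |
    ForEach-Object {
        $name = $_.Name
        $_.ConnectivityParameters |
            Where-Object Name -eq 'UserName' |
            ForEach-Object { "$name : $($_.Value)" }
    }
```

If step 2 returns an account but step 3 lists a different one, the connector was re-registered and the policy exclusion must target the account from step 3.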
Solution for AD Connect synchronization failing
The solution for AD Connect synchronization breaking after implementing Azure AD MFA is to exclude the Azure AD Connect Sync Account from Azure AD MFA.
Service accounts, such as the Azure AD Connect Sync Account, are non-interactive accounts that are not tied to any particular user. They are usually used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can’t be completed programmatically.
Find Azure AD synchronization account
From the Event 906 error we looked at in the previous step, copy the account name that you need to exclude from Azure MFA.
If you want to check the account in Synchronization Service Manager, click on Connectors. Click the type Windows Azure Active Directory (Microsoft). Click Properties.
Click Connectivity and find the UserName.
Read more: Find Azure AD Connect accounts »
Exclude MFA for Azure AD Connect Sync Account
Sign in to Microsoft Azure. Open the menu and browse to Azure Active Directory > Security > Conditional Access. Edit the Conditional Access policy that’s enforcing MFA for the user accounts.
In this example, it’s the policy MFA all users.
Read more: Configure Azure AD Multi-Factor Authentication »
Under Assignments, click Users and groups and select Exclude. Check the checkbox Users and groups. Find the synchronization account that you copied in the previous step. Ensure that the policy is On and click on Save.
Verify Azure AD Connect sync status
You can wait for a maximum of 30 minutes, or if you don’t want to wait that long, force sync Azure AD Connect with PowerShell.
PS C:\> Import-Module ADSync
PS C:\> Start-ADSyncSyncCycle -PolicyType Delta
The start time and end time changed to 4/19/2021.
Green checks for Azure AD Connect sync in Microsoft 365 admin center.
Did this help you to fix the broken Azure AD Connect synchronization after configuring Conditional Access MFA?
Conclusion
You learned why the Azure AD Connect synchronization service stopped syncing after implementing Azure AD Multi-Factor Authentication. It’s happening because MFA is enforced on the Azure AD Connect Sync Account. Exclude the Azure AD Connect Sync Account from the Azure Conditional Access policy, and it will start syncing again.
A better way is to create a security group named Non-MFA and add the Azure AD Connect Sync Account as a member. This way, you will keep it organized if you need to add other service accounts in the future.
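The exclusion steps above and the Non-MFA group approach can be done together from Microsoft Graph PowerShell, which also catches the case where a tenant has several MFA policies and one of them is missing the exclusion. This is an added example, not code from the original article; the sync account UPN and the group name are placeholders, and it assumes that a PATCH of the users condition replaces the whole nested users set, so the full set is sent back.

```powershell
param(
    [string]$SyncAccountUpn = 'Sync_DC01-2016_588c77bd8651@exoip365.onmicrosoft.com',  # placeholder
    [string]$GroupName      = 'Non-MFA',
    [switch]$Apply          # without -Apply the script only reports what it would change
)
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups, Microsoft.Graph.Users
Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess',
                        'Group.ReadWrite.All','User.Read.All'

# Helper: turn a possibly-null property into a clean string array for the PATCH body.
function AsList($x) { @($x | Where-Object { $null -ne $_ }) }

# 1. Resolve the sync account and make sure the Non-MFA group exists and contains it.
$user = Get-MgUser -Filter "userPrincipalName eq '$SyncAccountUpn'"
if (-not $user) { throw "Sync account $SyncAccountUpn not found in the tenant" }
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName -MailEnabled:$false `
                         -MailNickname $GroupName -SecurityEnabled
}
$isMember = Get-MgGroupMember -GroupId $group.Id -All | Where-Object Id -eq $user.Id
if (-not $isMember) { New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id }

# 2. Walk every enabled policy that requires MFA and report (or fix) a missing exclusion.
#    A group exclusion also covers policies that target the account through a directory
#    role such as Directory synchronization accounts.
foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($p.State -ne 'enabled') { continue }
    if ($p.GrantControls.BuiltInControls -notcontains 'mfa') { continue }
    $u = $p.Conditions.Users
    $covered = ($u.ExcludeUsers -contains $user.Id) -or ($u.ExcludeGroups -contains $group.Id)
    if ($covered) { Write-Host "OK       $($p.DisplayName)"; continue }
    Write-Host "MISSING  $($p.DisplayName)"
    if (-not $Apply) { continue }
    $users = @{
        includeUsers  = AsList $u.IncludeUsers;  excludeUsers  = AsList $u.ExcludeUsers
        includeGroups = AsList $u.IncludeGroups; excludeGroups = (AsList $u.ExcludeGroups) + $group.Id
        includeRoles  = AsList $u.IncludeRoles;  excludeRoles  = AsList $u.ExcludeRoles
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id `
        -Conditions @{ users = $users }
    Write-Host "FIXED    $($p.DisplayName)"
}
```

Run it once without -Apply to see the report, then re-run with -Apply; the change takes effect at the next sign-in of the sync account, so force a delta sync afterwards to confirm.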
Really a great article, it killed a day to struggle to rid off the issue, finally your article helped me fix the issue, thanks a lot Ali 🙂
Thank you. Great article. You helped me very much.
Saved the day again, thanks so much for your articles and site!
Do you know if excluding the account takes any time to be reflected? We had several MFA policies and one of them was missing the exclusion (even though I had a security group with the account added as excluded in all the policies). I changed the password before and it is not letting me update it on the Synchronization Service Manager because it keeps telling me I need to enroll that account in MFA. I’m not sure how to proceed; I’m pretty sure this is the thing that’s causing the issue in our case.
Thank you! Exactly what I needed!
To tighten up the security further you can create a policy specifically for this account and set the action to block but exclude your known IP ranges as it should only be ever used from those locations.
I have 2 MFA rules. One which requires MFA from all admins (not using groups), and the other one which requires MFA from users in a group.
Can you explain perhaps why I have to exclude the AD Connect sync account from the rule which requires MFA from admins? The account has no admin roles whatsoever; I’m just lost as to why it’s being impacted by that rule.
I’ve encountered the same issue. It’s the AAD Built-in directory role “Directory synchronization accounts”. Just uncheck this role in your Conditional Access Policy which requires MFA for all admins.
Awesome. Many thanks for this.
Had me scratching my head after setting up an Azure lab with a single 2016 DC VM and MFA enabled.
Interestingly, I have had the MFA policy in place for a while, but only noticed this issue after updating to AAD Connect v2 on my DC, which does away with ADAL completely and uses MSAL instead.
Not sure if the two are connected, but either way, many thanks for the fix.
This happened to me and caused chaos. My IT support provider assured me that my creation of the CA policy was coincidental as to why my DC had stopped syncing with Azure. I then searched Google, found this article and it relates EXACTLY to my situation. I have since applied the correct account for ‘exclusion’ and whilst I’ve not yet tested it, I’m quite confident it will resolve the issue and allow MFA to be set domain-wide. I get fed up of fixing most of the issues I raise tickets to our support provider for. Thanks for the article.
Thanks, well done great article. Worked for me.
I had this problem and I am glad that I found your article. Thanks!!