https://www.alitajran.com/conditional-access-mfa-breaks-azure-ad-connect-synchronization/
Synchronization Service Manager
Sign in on the Microsoft Entra Connect server. Start the application Synchronization Service Manager. Look at the start and end times.
In the screenshot below, the start time and end time are 4/11/2021. Today is 4/19/2021, so it has been more than a week since Azure AD Connect last synced.
Microsoft 365 admin center
Sign in to Microsoft 365 admin center. Check the User management card.
We can confirm that the Azure AD Connect last sync status was more than three days ago, and there is no recent password synchronization happening.
Azure AD Connect synchronization error
Run Windows PowerShell as administrator and force a Microsoft Entra Connect sync cycle with PowerShell. It will show the error below.
PS C:\> Import-Module ADSync
PS C:\> Start-ADSyncSyncCycle -PolicyType Delta
Start-ADSyncSyncCycle : System.Management.Automation.CmdletInvocationException: System.InvalidOperationException: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.
The screen below shows how it looks after running the AD Sync command.
Event Viewer application events
Start Event Viewer. Go to Windows Logs > Application. The following Error events show up:
Event 662, Directory Synchronization
Event 6900, ADSync
Event 655, Directory Synchronization
Event ID 906, Directory Synchronization
Click on Event ID 906.
Event 906, Directory Synchronization
GetSecurityToken: unable to retrieve a security token for the provisioning web service (AWS). The ADSync service is not allowed to interact with the desktop to authenticate [email protected]. This error may occur if multifactor or other interactive authentication policies are accidentally enabled for the synchronization account.
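The checks above can be scripted so the condition is spotted before a week of missed sync cycles goes by. The script below is an added example and not code from the original post: it reads the ADSync scheduler state and searches the Application log for Event 906 from the Directory Synchronization source, then pulls the account name out of the event message so you know which account the policy is blocking. It assumes the ADSync module is installed on the server (it is, on any Microsoft Entra Connect server) and that it is run from an elevated PowerShell session.

```powershell
# Added example (not from the original post): detect the "sync account blocked by
# interactive auth" condition on a Microsoft Entra Connect server.
# Run as administrator on the server itself.
Import-Module ADSync

# Scheduler state: is the scheduler enabled, and is it stuck mid-cycle?
$scheduler = Get-ADSyncScheduler
"Sync cycle enabled : $($scheduler.SyncCycleEnabled)"
"Cycle in progress  : $($scheduler.SyncCycleInProgress)"
"Next cycle (UTC)   : $($scheduler.NextSyncCycleStartTimeInUTC)"

# Event 906 from source 'Directory Synchronization' is the signature shown in the post.
$since = (Get-Date).AddDays(-7)
$authErrors = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Id           = 906
    StartTime    = $since
} -ErrorAction SilentlyContinue   # suppress the "no events found" error

if ($authErrors) {
    "Found $($authErrors.Count) Event 906 entries since $since. Most recent:"
    $latest = $authErrors | Select-Object -First 1   # Get-WinEvent returns newest first
    $latest | Select-Object TimeCreated, Message | Format-List

    # The message names the account the policy is blocking; that is the account
    # to exclude from the MFA Conditional Access policy. The UPN may be followed
    # by a period in the message text, so the match stops before it.
    if ($latest.Message -match 'to authenticate (?<upn>\S+?)\.?(?:\s|$)') {
        "Sync account named in the event: $($Matches['upn'])"
    }
} else {
    "No Event 906 entries in the last 7 days."
}
```

Scheduling this on the server, or shipping Event 906 to your SIEM and alerting on it, turns a silent sync outage into a ticket within one cycle instead of being noticed days later from stale objects in the tenant.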
Solution for AD Connect synchronization failing
The solution for AD Connect synchronization breaking after implementing Azure AD MFA is to exclude the Azure AD Connect Sync Account from Azure AD MFA.
Service accounts, such as the Azure AD Connect Sync Account, are non-interactive accounts that are not tied to any particular user. They are usually used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can’t be completed programmatically.
Find Azure AD synchronization account
In the event log error, which we looked at in the previous step, you can copy the account you need to exclude from Azure MFA.
If you want to check the account in Synchronization Service Manager, click on Connectors. Click the type Windows Azure Active Directory (Microsoft). Click Properties.
Click Connectivity and find the UserName.
Read more: Find Microsoft Entra Connect accounts »
Exclude MFA for Azure AD Connect Sync Account
Sign in to Microsoft Azure. Open the menu and browse to Azure Active Directory > Security > Conditional Access. Edit the Conditional Access policy that’s enforcing MFA for the user accounts.
In this example, it’s the policy MFA all users.
Read more: How to Configure Microsoft Entra Multi-Factor Authentication »
Under Assignments, click Users and groups and select Exclude. Check the checkbox Users and groups. Find the synchronization account that you copied in the previous step. Ensure that the policy is On and click on Save.
Verify Azure AD Connect sync status
You can wait for a maximum of 30 minutes, or if you don’t want to wait that long, force sync Microsoft Entra Connect with PowerShell.
PS C:\> Import-Module ADSync
PS C:\> Start-ADSyncSyncCycle -PolicyType Delta
The start time and end time changed to 4/19/2021.
Green checks for Azure AD Connect sync in Microsoft 365 admin center.
Did this help you to fix the broken Azure AD Connect synchronization after configuring Conditional Access MFA?
Keep reading: Add users to group with PowerShell »
Conclusion
You learned why the Azure AD Connect synchronization service stopped syncing after implementing Azure AD Multi-Factor Authentication. It happens because MFA is enforced on the Azure AD Connect Sync Account. Exclude the Azure AD Connect Sync Account from the Azure Conditional Access policy, and it will start syncing again.
A better way is to create a security group named Non-MFA and add the Azure AD Connect Sync Account as a member. This way, you will keep it organized if you need to add other service accounts in the future.
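The group-based exclusion just described, and the portal steps in the section before it, can be done from Microsoft Graph PowerShell, which also leaves a reviewable script rather than a one-off portal click. The script below is an added example and not code from the original post. It assumes the Microsoft Graph PowerShell SDK is installed, that the sync account UPN in $SyncAccountUpn is replaced with the value read from Event 906 or the connector properties (the one here is a placeholder), and that the policy is named MFA all users as in the post. It also assumes, as the comment in step 3 says, that a PATCH carrying only conditions.users replaces that object whole and leaves the rest of the policy alone, which is why the existing include and exclude lists are copied before the group is appended.

```powershell
# Added example (not from the original post): create a Non-MFA security group,
# add the Entra Connect sync account to it, and exclude the group from the MFA
# Conditional Access policy with Microsoft Graph PowerShell.
$SyncAccountUpn = 'Sync_SERVER_xxxx@tenant.onmicrosoft.com'   # PLACEHOLDER: take it from Event 906
$PolicyName     = 'MFA all users'                             # policy name used in the post
$GroupName      = 'Non-MFA'

Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess','Group.ReadWrite.All','User.Read.All'

# Drop nulls and always return an array, so empty lists serialize as [] rather than [null].
function ToList($x) { ,@($x | Where-Object { $_ }) }

# 1. Create the exclusion group if it does not exist (security-enabled, not mail-enabled).
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName -MailEnabled:$false -MailNickname 'NonMFA' -SecurityEnabled
}

# 2. Add the sync account as a member; skip if it is already there.
$syncUser = Get-MgUser -UserId $SyncAccountUpn
$members  = Get-MgGroupMember -GroupId $group.Id -All
if (@($members.Id) -notcontains $syncUser.Id) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $syncUser.Id
}

# 3. Exclude the group from the MFA policy. Assumption: PATCH replaces the whole
#    conditions.users object, so existing include/exclude lists are copied first.
$policy = Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.DisplayName -eq $PolicyName }
if (-not $policy) { throw "Policy '$PolicyName' not found" }
$users = $policy.Conditions.Users
$excludeGroups = @(ToList $users.ExcludeGroups) + $group.Id | Select-Object -Unique

$body = @{
    conditions = @{
        users = @{
            includeUsers  = ToList $users.IncludeUsers
            excludeUsers  = ToList $users.ExcludeUsers
            includeGroups = ToList $users.IncludeGroups
            excludeGroups = ToList $excludeGroups
            includeRoles  = ToList $users.IncludeRoles
            excludeRoles  = ToList $users.ExcludeRoles
        }
    }
}
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($policy.Id)" `
    -Body $body

# 4. Read the policy back: the group must be excluded and the policy still enabled.
$policy = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
"State          : $($policy.State)"
"Excluded groups: $($policy.Conditions.Users.ExcludeGroups -join ', ')"
```

Two things to check before running it against a production policy: if the policy also targets guest or external users, copy those settings (the includeGuestsOrExternalUsers and excludeGuestsOrExternalUsers parts of the users object) into the body as well, since they are not in the list above; and keep membership of the Non-MFA group reviewed, because every account in it is exempt from the MFA policy.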
Did you enjoy this article? You may also like How to Connect to Microsoft Entra with PowerShell. Don’t forget to follow us and share this article.