Background:
Today I ran into an issue after making some changes to a Conditional Access policy. More precisely, I changed the MFA settings.
Issue:
“Azure AD Connect” was unable to sync, and “Synchronization Service” showed no warnings or errors.
PowerShell gave the error message below, and the “Showing modal dialog box” text indicated that the issue was related to MFA.
Solution:
As I knew that I had recently made some changes to the Conditional Access policy, the first thing I did was to fetch the account used to run AAD Sync.
- Open “Synchronization Service” on the Azure AD Connect server
- Click “Connectors”.
- Double-click the cloud connector (the one with *onmicrosoft.com in the name).
- Click “Connectivity”.
- Copy the “UserName” (see the screenshot below).
- Add the user name from step 5 as an excluded account in the Conditional Access policy that forces MFA.
By excluding the sync account from the Conditional Access policy, the MFA challenge is no longer mandatory for this specific account (do not apply this exclusion to all accounts). 😉
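The same check and fix can be scripted, which is handy when more than one policy enforces MFA. The script below is an added example and is not code from the original post: it uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Get-MgUser`, `Get-MgIdentityConditionalAccessPolicy`, `Update-MgIdentityConditionalAccessPolicy`) to list every enabled policy that requires MFA, report whether the sync account is already excluded, and, only when `-Fix` is given, add that single account to each policy's exclusion list. The sync account UPN is the “UserName” copied in step 5; the parameter names, the `-Fix` switch and the example UPN format in the comments are assumptions of this example.

```powershell
<#
  Added example (not from the original post): audit which enabled Conditional
  Access policies that require MFA still apply to the Azure AD Connect sync
  account, and optionally add just that account to their exclusion lists.

  Assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph)
  and the signed-in admin can consent to Policy.ReadWrite.ConditionalAccess.
  Run without -Fix first to see the report; nothing is changed in that mode.
#>
param(
    # The "UserName" from the cloud connector's Connectivity tab,
    # e.g. Sync_<server>_<id>@<tenant>.onmicrosoft.com (placeholder format)
    [Parameter(Mandatory)] [string] $SyncAccountUpn,
    # Without -Fix the script only reports; with -Fix it adds the exclusion
    [switch] $Fix
)

# Graph omits empty arrays as $null; normalise so we never send a null element
function AsList($value) { @($value | Where-Object { $null -ne $_ }) }

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'User.Read.All' | Out-Null

# Conditional Access stores object ids, not UPNs, so resolve the account first
$syncUser = Get-MgUser -UserId $SyncAccountUpn -Property Id, UserPrincipalName -ErrorAction Stop

foreach ($policy in (Get-MgIdentityConditionalAccessPolicy -All)) {
    $requiresMfa = $policy.GrantControls.BuiltInControls -contains 'mfa'
    $enabled     = $policy.State -eq 'enabled'
    if (-not ($requiresMfa -and $enabled)) { continue }

    $users    = $policy.Conditions.Users
    $excluded = (AsList $users.ExcludeUsers) -contains $syncUser.Id
    $status   = if ($excluded) { 'excluded' } else { 'IN SCOPE' }
    Write-Host ('{0,-50} {1}' -f $policy.DisplayName, $status)

    if ($excluded -or -not $Fix) { continue }

    # The PATCH replaces the nested "users" object, so resend all of its
    # members unchanged and alter only excludeUsers; the rest of the policy
    # (apps, locations, grant controls) is not touched.
    $body = @{
        conditions = @{
            users = @{
                includeUsers  = AsList $users.IncludeUsers
                excludeUsers  = (AsList $users.ExcludeUsers) + $syncUser.Id
                includeGroups = AsList $users.IncludeGroups
                excludeGroups = AsList $users.ExcludeGroups
                includeRoles  = AsList $users.IncludeRoles
                excludeRoles  = AsList $users.ExcludeRoles
            }
        }
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body
    Write-Host "  -> added $($syncUser.UserPrincipalName) to the exclusions of '$($policy.DisplayName)'"
}
```

Save it as, for example, `Exclude-SyncAccount.ps1` and run `.\Exclude-SyncAccount.ps1 -SyncAccountUpn '<UserName from step 5>'` to get the report; rerun with `-Fix` once the list of affected policies looks right. Because the exclusion is keyed on the one object id, the rest of the tenant keeps the MFA requirement, which is the point of step 6.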