Conditional Access MFA breaks Azure AD Connect synchronization

Precaution when activating Conditional Access MFA

When activating Microsoft 365 Conditional Access, a great feature of 365, we need to take extra precautions if we are using Azure AD Connect.

Because Azure AD Connect creates an Entra ID user account with a name like “Sync_server@domain”, enabling MFA on this account will break the Azure AD Connect sync scheduler. (However, the sync will still work when run manually.)

This Entra ID user account needs to be excluded from the MFA Conditional Access policy.

You can find the exact name of the user account in question in the Synchronization Service Manager by clicking Connections, Properties and then “Connectivity”.

Even though we are able to run the sync manually in the Synchronization Service Manager, it won’t run according to schedule.

We check the scheduler state by issuing the following PowerShell command:

    Get-ADSyncScheduler

If you get something nasty like this, then the scheduler is down because of MFA:

So remove the MFA Conditional Access requirement for the Sync user, and this will resolve itself in a couple of minutes.
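The steps above (check the scheduler, find the Sync user, confirm it is excluded from the MFA policy) can be combined into one read-only check. The following script is an added example, not code from the original post: it runs on the Azure AD Connect server with the ADSync module, reads the sync account name from the Azure AD connector (the 'UserName' connectivity parameter and the 'Extensible2' connector type are assumptions about the connector properties), and then uses the Microsoft Graph PowerShell SDK to list every enabled Conditional Access policy that requires MFA and still applies to that account. It changes nothing; fixing the policy is still done in the Entra admin center.

```powershell
# Added example (not from the original post). Requires:
#  - the ADSync module (installed with Azure AD Connect), run on the Connect server
#  - the Microsoft Graph PowerShell SDK: Install-Module Microsoft.Graph
# Assumptions: the Azure AD connector has Type 'Extensible2' and exposes the
# service account in a connectivity parameter named 'UserName'.

Import-Module ADSync

# 1. Scheduler state. A healthy scheduler has SyncCycleEnabled = True,
#    SchedulerSuspended = False and a NextSyncCycleStartTimeInUTC in the future.
$scheduler = Get-ADSyncScheduler
[PSCustomObject]@{
    SyncCycleEnabled            = $scheduler.SyncCycleEnabled
    SchedulerSuspended          = $scheduler.SchedulerSuspended
    SyncCycleInProgress         = $scheduler.SyncCycleInProgress
    NextSyncCycleStartTimeInUTC = $scheduler.NextSyncCycleStartTimeInUTC
} | Format-List

# 2. The Sync_... account is the credential stored on the Azure AD connector
#    (the same value the GUI shows under Connectors > Properties > Connectivity).
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Type -eq 'Extensible2' }
$syncUpn = ($aadConnector.ConnectivityParameters |
            Where-Object { $_.Name -eq 'UserName' }).Value
if (-not $syncUpn) { throw 'Could not read the sync account name from the Azure AD connector.' }
Write-Host "Azure AD Connect sync account: $syncUpn"

# 3. Compare the account against Conditional Access policies (read-only scopes).
Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'GroupMember.Read.All' | Out-Null
$syncUser = Get-MgUser -Filter "userPrincipalName eq '$syncUpn'"
if (-not $syncUser) { throw "User $syncUpn not found in Entra ID." }

# Group memberships matter because policies can include/exclude by group.
$groupIds = @((Get-MgUserMemberOf -UserId $syncUser.Id -All).Id)

$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    # Only enforced policies that grant with MFA can stop the scheduler.
    if ($p.State -ne 'enabled') { continue }
    if ($p.GrantControls.BuiltInControls -notcontains 'mfa') { continue }

    $u = $p.Conditions.Users
    $included = ($u.IncludeUsers -contains 'All') -or
                ($u.IncludeUsers -contains $syncUser.Id) -or
                (@($u.IncludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)
    $excluded = ($u.ExcludeUsers -contains $syncUser.Id) -or
                (@($u.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)

    [PSCustomObject]@{
        Policy   = $p.DisplayName
        Excluded = $excluded
        InScope  = $included -and -not $excluded   # True = this policy will break the sync
    }
}

$findings | Format-Table -AutoSize

$breaking = @($findings | Where-Object InScope)
if ($breaking.Count -gt 0) {
    Write-Warning ("MFA still applies to {0} through: {1}. Add the account to the " +
                   "policy's excluded users and re-check Get-ADSyncScheduler." -f
                   $syncUpn, ($breaking.Policy -join ', '))
} else {
    Write-Host "The sync account is excluded from every enabled MFA policy."
}
```

Run it before and after editing the policy: the first run should list the offending policy with InScope = True, and a few minutes after the exclusion is saved Get-ADSyncScheduler should again show SyncCycleEnabled = True with a future NextSyncCycleStartTimeInUTC. Policies in report-only state are skipped on purpose, since they do not enforce MFA and will not stop the scheduler.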
