MFA Conditional Access Policy Breaks AD Connect Synchronization

I ran into this issue today and am sharing it for anyone else who may run into the same problem.  The scenario is fairly simple: Azure AD Connect synchronizing to Azure AD.  All worked fine until MFA policies were enabled, and then sync stopped working.  Running Start-ADSyncSyncCycle returns a lot of red, but the basics are:

Start-ADSyncSyncCycle : System.Management.Automation.CmdletInvocationException: System.InvalidOperationException: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or defaultDesktopOnly style to display a notification from a service application.

The Event Log reports Event ID: 906 with the following error message:

GetSecurityToken: unable to retrieve a security token for the provisioning web service (AWS). Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.

The MFA Conditional Access Policy put in place included all users, with the MFA Trusted IPs excluded from the policy.  The computer with AD Connect installed ran in Azure and had a dynamic public IP assigned.  The computer was shut off overnight (this was a lab), and the next day, after it received a new external IP address, AD Connect quit working.

Once the public IP address changed on the AD Connect server, the AD Connect Sync account was in scope for the MFA policy. That prevented the account from logging in and caused the error.

There are two ways to fix this.  The first is to update the MFA Trusted IPs with the new external IP address.  That excludes the computer from MFA and things should start working again, at least until that IP changes again.

The better option is to exclude the sync account from the MFA policy.  To find the account name, open the AD Connect Synchronization Service Manager and go to Connectors.  Select the connector of type Windows Azure Active Directory, open Properties, and then Connectivity.

Find the account to exclude in the UserName field. 

[Screenshot: AD Connect Sync User]

Next, go to the Conditional Access Policy that’s enforcing MFA for your tenant in Azure AD.  Go to Users and Groups, then to the Exclude tab.  Under Select users to Exclude, find and add the Sync account used to sync the on-premises directory, then save the policy with that account in the MFA user exclusion.

[Screenshot: MFA Exclusion List]
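The same exclusion can be scripted so it survives re-creation of the policy or a rebuilt sync server. The following is an added example written for this post, not code from the original article or from Microsoft. It uses the Microsoft Graph PowerShell SDK and assumes: the Microsoft.Graph module is installed, the policy's display name is 'Require MFA for all users' (change to yours), the sync account's UPN starts with the default Sync_ prefix that Azure AD Connect uses, and the Event ID 906 described above is written to the Application log on the AD Connect server. The Test-SyncTokenFailure helper is meant to be run on the AD Connect server itself; the rest runs from any machine with Graph access.

```powershell
# Added example (not from the original post): exclude the Azure AD Connect
# sync account from an MFA Conditional Access policy, preserving all of the
# policy's existing include/exclude settings, then verify the result.
param(
    [string]$PolicyName = 'Require MFA for all users'   # assumption: your policy name
)

function Test-SyncTokenFailure {
    # Run on the AD Connect server: surface the Event ID 906 "GetSecurityToken"
    # failures quoted above. Assumption: the event lands in the Application log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 906 } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'GetSecurityToken' } |
        Select-Object TimeCreated, ProviderName, Message
}

# Scopes needed: read users, read and write Conditional Access policies.
Connect-MgGraph -Scopes 'User.Read.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Step 1: locate the sync account(s). Assumption: default naming of
# Sync_<servername>_<guid>@<tenant>.onmicrosoft.com; if your connector shows a
# different UserName in Synchronization Service Manager, filter on that instead.
$syncAccounts = @(Get-MgUser -Filter "startswith(userPrincipalName,'Sync_')" -Property Id,UserPrincipalName -All)
if ($syncAccounts.Count -eq 0) {
    throw 'No Sync_ accounts found; check the connector UserName in Synchronization Service Manager.'
}
$syncAccounts | ForEach-Object { Write-Host "Sync account: $($_.UserPrincipalName) ($($_.Id))" }

# Step 2: fetch the policy and its current user conditions.
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyName'"
if (-not $policy) { throw "Policy '$PolicyName' not found." }
$users = $policy.Conditions.Users

# Step 3: append the sync account ids to excludeUsers without dropping anything
# already excluded. The whole users object is sent back so that no include or
# exclude collection is accidentally cleared by the update.
$currentExcludes = @($users.ExcludeUsers)
$excludeUsers = $currentExcludes + @($syncAccounts.Id | Where-Object { $_ -notin $currentExcludes })

$body = @{
    conditions = @{
        users = @{
            includeUsers  = @($users.IncludeUsers)
            includeGroups = @($users.IncludeGroups)
            includeRoles  = @($users.IncludeRoles)
            excludeUsers  = $excludeUsers
            excludeGroups = @($users.ExcludeGroups)
            excludeRoles  = @($users.ExcludeRoles)
        }
    }
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body

# Step 4: read the policy back and confirm every sync account is now excluded.
$updated = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
$missing = @($syncAccounts.Id | Where-Object { $_ -notin @($updated.Conditions.Users.ExcludeUsers) })
if ($missing.Count -gt 0) { throw "Exclusion not applied for: $($missing -join ', ')" }
Write-Host "Excluded $($syncAccounts.Count) sync account(s) from '$PolicyName'."
```

Excluding by object id rather than by IP keeps the sync working across address changes, which is the failure described above. The script only handles the user, group and role collections of the policy; if your policy also targets guest or external users, carry that setting over in the same way before running it.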

Making one of these changes fixed the issue.  So far, I have only had a problem with the sync account.  I’m sure there will be a need to add other automation accounts now that MFA enforcement is on by default.
