{"id":1578,"date":"2020-02-16T08:29:49","date_gmt":"2020-02-16T14:29:49","guid":{"rendered":"https:\/\/www.ciraltos.com\/?p=1578"},"modified":"2023-03-23T22:21:20","modified_gmt":"2023-03-24T03:21:20","slug":"mfa-conditional-access-policy-breaks-ad-connect-synchronization","status":"publish","type":"post","link":"https:\/\/www.ciraltos.com\/staging2\/mfa-conditional-access-policy-breaks-ad-connect-synchronization\/","title":{"rendered":"MFA Conditional Access Policy Breaks AD Connect Synchronization"},"content":{"rendered":"\n<figure class=\"wp-block-image alignleft size-thumbnail\"><img decoding=\"async\" loading=\"lazy\" width=\"150\" height=\"150\" src=\"https:\/\/www.ciraltos.com\/wp-content\/uploads\/2020\/02\/MFA-150x150.jpg\" alt=\"\" class=\"wp-image-1582\" srcset=\"https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2020\/02\/MFA-150x150.jpg 150w, https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2020\/02\/MFA.jpg 250w\" sizes=\"(max-width: 150px) 100vw, 150px\" \/><\/figure>\n\n\n\n<p>I ran into this issue today and am sharing it for anyone else who may run into the same problem. The scenario is fairly simple: Azure AD Connect synchronizing to Azure AD. All worked fine until MFA policies were enabled, and then sync stopped working. Running Start-ADSyncSyncCycle returns a lot of red, but the basics are:<\/p>\n\n\n\n<!--more-->\n\n\n\n<p class=\"has-vivid-cyan-blue-color has-text-color\">Start-ADSyncSyncCycle :\nSystem.Management.Automation.CmdletInvocationException:\nSystem.InvalidOperationException: Showing a modal dialog box or form when the\napplication is not running in UserInteractive mode is not a valid operation.\nSpecify the ServiceNotification or defaultDesktopOnly style to display a\nnotification from a service application.<\/p>\n\n\n\n<p>The Event Log reports Event ID: 906 with the following error message:<\/p>\n\n\n\n<p class=\"has-vivid-cyan-blue-color has-text-color\">GetSecurityToken: unable to retrieve a security 
token\nfor the provisioning web service (AWS). Showing a modal dialog box or form when\nthe application is not running in UserInteractive mode is not a valid\noperation. Specify the ServiceNotification or DefaultDesktopOnly style to\ndisplay a notification from a service application.<\/p>\n\n\n\n<p>The MFA Conditional Access Policy put in place included all users, with MFA Trusted IPs excluded from the policy. The computer with AD Connect installed ran in Azure and had a dynamic public IP assigned. The computer was shut off overnight (this was a lab), and the next day, after it received a new external IP address, AD Connect quit working.<\/p>\n\n\n\n<p>Once the public IP address changed on the AD Connect server, the AD Connect Sync account was in scope for the MFA policy. The sync service runs non-interactively and has no way to complete an MFA prompt, which is what the modal dialog errors above reflect. That prevented the account from logging in and caused the error.<\/p>\n\n\n\n<p>There are two ways to fix this. First, update the MFA Trusted IPs with the new external IP address. That will exclude the computer from MFA, and things should start working again, at least until that IP changes again.<\/p>\n\n\n\n<p>The better option is to exclude the sync account itself from the MFA policy, so the fix does not depend on the server\u2019s IP address. Find the account name by opening the AD Connect Synchronization Service Manager and going to Connectors. Find the connector of type <em>Windows Azure Active Directory<\/em> and go to <em>Properties<\/em>, <em>Connectivity<\/em>.<\/p>\n\n\n\n<p>Find the account to exclude in the UserName field.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"998\" height=\"549\" src=\"https:\/\/www.ciraltos.com\/wp-content\/uploads\/2020\/02\/AD-Connect-Sync-User-1.png\" alt=\"\" class=\"wp-image-1583\" srcset=\"https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2020\/02\/AD-Connect-Sync-User-1.png 998w, https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2020\/02\/AD-Connect-Sync-User-1-300x165.png 300w, 
https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2020\/02\/AD-Connect-Sync-User-1-768x422.png 768w\" sizes=\"(max-width: 998px) 100vw, 998px\" \/><figcaption class=\"wp-element-caption\">AD Connect Sync User<\/figcaption><\/figure>\n\n\n\n<p>Next, go to the Conditional Access Policy that\u2019s enforcing MFA for your tenant in Azure AD. Go to <em>Users and Groups<\/em> and open the <em>Exclude<\/em> tab. Under <em>Select users to Exclude<\/em>, find and add the Sync account used to sync the on-premises directory, then save the policy with that account in the MFA user exclusion.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"293\" height=\"464\" src=\"https:\/\/www.ciraltos.com\/wp-content\/uploads\/2020\/02\/MFA-Exclusion-List.png\" alt=\"\" class=\"wp-image-1580\" srcset=\"https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2020\/02\/MFA-Exclusion-List.png 293w, https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2020\/02\/MFA-Exclusion-List-189x300.png 189w\" sizes=\"(max-width: 293px) 100vw, 293px\" \/><figcaption class=\"wp-element-caption\">MFA Exclusion List<\/figcaption><\/figure>\n\n\n\n<p>Making one of these changes fixed the issue. So far, I have only had a problem with the sync account. I\u2019m sure there will be a need to add other automation accounts now that MFA enforcement is on by default.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I ran into this issue today and am sharing it for anyone else who may run into the same problem. The scenario is fairly simple: Azure AD Connect synchronizing to Azure AD. All worked fine until MFA policies were enabled, and then sync stopped working. Running Start-ADSyncSyncCycle returns a lot of red, but the basics 
are:<\/p>\n","protected":false},"author":1,"featured_media":3947,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"default","ast-global-header-display":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":""},"categories":[1],"tags":[],"yoast_head_json":{"title":"MFA Conditional Access Policy Breaks AD Connect Synchronization - ciraltos","description":"Azure AD Connect synchronizing to Azure AD. All works fine until MFA policies were enabled, and then sync stops working. Running a Sart-ADSyncSyncCycle returns a lot of red","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.ciraltos.com\/staging2\/mfa-conditional-access-policy-breaks-ad-connect-synchronization\/","og_locale":"en_US","og_type":"article","og_title":"MFA Conditional Access Policy Breaks AD Connect Synchronization - ciraltos","og_description":"Azure AD Connect synchronizing to Azure AD. All works fine until MFA policies were enabled, and then sync stops working. Running a Sart-ADSyncSyncCycle returns a lot of red","og_url":"https:\/\/www.ciraltos.com\/staging2\/mfa-conditional-access-policy-breaks-ad-connect-synchronization\/","og_site_name":"ciraltos","article_published_time":"2020-02-16T14:29:49+00:00","article_modified_time":"2023-03-24T03:21:20+00:00","og_image":[{"width":150,"height":150,"url":"https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2023\/03\/MFA-150x150-1.jpg","type":"image\/jpeg"}],"author":"Travis Roberts","twitter_card":"summary_large_image","twitter_creator":"@ciraltos","twitter_site":"@ciraltos","twitter_misc":{"Written by":"Travis Roberts","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.ciraltos.com\/staging2\/mfa-conditional-access-policy-breaks-ad-connect-synchronization\/#article","isPartOf":{"@id":"https:\/\/www.ciraltos.com\/staging2\/mfa-conditional-access-policy-breaks-ad-connect-synchronization\/"},"author":{"name":"Travis Roberts","@id":"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/25391996d6cddfecd4d257162b7e373a"},"headline":"MFA Conditional Access Policy Breaks AD Connect Synchronization","datePublished":"2020-02-16T14:29:49+00:00","dateModified":"2023-03-24T03:21:20+00:00","mainEntityOfPage":{"@id":"https:\/\/www.ciraltos.com\/staging2\/mfa-conditional-access-policy-breaks-ad-connect-synchronization\/"},"wordCount":466,"commentCount":15,"publisher":{"@id":"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/25391996d6cddfecd4d257162b7e373a"},"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.ciraltos.com\/staging2\/mfa-conditional-access-policy-breaks-ad-connect-synchronization\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.ciraltos.com\/staging2\/mfa-conditional-access-policy-breaks-ad-connect-synchronization\/","url":"https:\/\/www.ciraltos.com\/staging2\/mfa-conditional-access-policy-breaks-ad-connect-synchronization\/","name":"MFA Conditional Access Policy Breaks AD Connect Synchronization - ciraltos","isPartOf":{"@id":"http:\/\/www.ciraltos.com\/staging2\/#website"},"datePublished":"2020-02-16T14:29:49+00:00","dateModified":"2023-03-24T03:21:20+00:00","description":"Azure AD Connect synchronizing to Azure AD. All works fine until MFA policies were enabled, and then sync stops working. 
Running a Sart-ADSyncSyncCycle returns a lot of red","breadcrumb":{"@id":"https:\/\/www.ciraltos.com\/staging2\/mfa-conditional-access-policy-breaks-ad-connect-synchronization\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.ciraltos.com\/staging2\/mfa-conditional-access-policy-breaks-ad-connect-synchronization\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.ciraltos.com\/staging2\/mfa-conditional-access-policy-breaks-ad-connect-synchronization\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"http:\/\/www.ciraltos.com\/staging2\/"},{"@type":"ListItem","position":2,"name":"MFA Conditional Access Policy Breaks AD Connect Synchronization"}]},{"@type":"WebSite","@id":"http:\/\/www.ciraltos.com\/staging2\/#website","url":"http:\/\/www.ciraltos.com\/staging2\/","name":"ciraltos","description":"cloud, technology and trends","publisher":{"@id":"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/25391996d6cddfecd4d257162b7e373a"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/www.ciraltos.com\/staging2\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/25391996d6cddfecd4d257162b7e373a","name":"Travis Roberts","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/image\/","url":"https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2023\/03\/Logo-1.png","contentUrl":"https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2023\/03\/Logo-1.png","width":5657,"height":3563,"caption":"Travis 
Roberts"},"logo":{"@id":"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/image\/"},"sameAs":["http:\/\/www.ciraltos.com","https:\/\/twitter.com\/ciraltos"],"url":"https:\/\/www.ciraltos.com\/staging2\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/posts\/1578"}],"collection":[{"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/comments?post=1578"}],"version-history":[{"count":1,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/posts\/1578\/revisions"}],"predecessor-version":[{"id":3955,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/posts\/1578\/revisions\/3955"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/media\/3947"}],"wp:attachment":[{"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/media?parent=1578"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/categories?post=1578"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/tags?post=1578"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}