Does the account that AAD Connect uses to connect to Azure AD requires MFA to be disabled? It's the account that AAD Connect creates itself during the installation process. Recently, we noticed that if MFA is enforced for this account then AAD Connect starts raising errors.

Gurdev Singh MFA is definately the issue here, I came across your post after experiencing similar issues. MFA was enfored to all accounts by Microsoft and disrupted our AD sync. The account i authenticated with in Azure AD was set to disabled for MFA but the issue remained. After much digging i then discovered that the account actually used for the sync was an account called sync_servername_tenant. Within the admin portal search for a user starting with Sync_ your server name should follow after the _. Once found visit the Multi-factor authentication menu and disabled multi-factor authentication for this sync_servername account. Its this account that is used by Azure AD Connect to sync on-prem AD to Azure. Once disabled you will find that your AD Connect sync resumes without issue.

AndyDotPhillips It looks like that https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication has been updated with clarification on the Azure AD Connect sync accounts (excerpt shown below for convenience):Question: Will phase 1 or phase 2 of mandatory MFA impact my ability to sync with Microsoft Entra Connect or Microsoft Entra Cloud Sync?Answer: No. The syncronization service account isn't affected by the mandatory MFA requirement. Only applications listed previously require MFA for sign in.

Hi All, from 1 august MFA needs to be enabled on ALL Microsoft Partner Tentants:https://docs.microsoft.com/nl-nl/partner-center/partner-security-requirements When I read this: We cannot use conditional access anymore:Once these requirements are technically enforced every single authentication must have an MFA challenge. You will not be able to use any feature of conditional access to avoid authenticating using MFA when access Microsoft commercial cloud services. How are we suppose to combine this???

Sol Birnbaum I currently have the baseline policy enabled, and the "user-level" MFA disabled for the account used by AD Connect and it works. ADConnect/DirSync still syncs successfully. The senior support engineer basically said that the "Policy level" one is somehow "application aware" and does not interfere with AD Connect, whereas the User-Level one is not and requires MFA on every type of login. It looks like they have indeed updated the documentation page they said they would update as part of my escalated support case. This page:https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq?branch=isaiah%2Fsecurity-requirements-update Heading: "What are the key actions I need to take to meet the requirements?" has now been updated to explicitly mention the baseline policies. They have also added this new section:Will the service account used by Azure AD Connect be impacted by the partner security requirements?No, the service account used by Azure AD Connect will not be impacted by the partner security requirements. If you experience an issue with Azure AD Connect as result of enforcing MFA, then open a technical support request with Microsoft support. Put differently, if you enable the Policy level one, it should have the effect of requiring MFA for a user trying to log into the portal to do admin work like manage your partner account, but it should not prevent logins used for other purposes. Since they are trying to secure the partner portal, they view the mission as accomplished via the Baseline Policy.

Based on the previous comments, unsure if the upcoming 15-Oct-2024 MFA requirement for Azure/Entra/Intune portals apply to this?https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication

Azure AD Connect sync account MFA support

18 Replies

AndyDotPhillips
Copper Contributor
Aug 16, 2024
Based on the previous comments, unsure if the upcoming 15-Oct-2024 MFA requirement for Azure/Entra/Intune portals apply to this?

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication
- hobdeyc
  Copper Contributor
  Oct 08, 2024
  AndyDotPhillips
  
  It looks like that https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication has been updated with clarification on the Azure AD Connect sync accounts (excerpt shown below for convenience):
  
  Question: Will phase 1 or phase 2 of mandatory MFA impact my ability to sync with Microsoft Entra Connect or Microsoft Entra Cloud Sync?
  
  Answer: No. The syncronization service account isn't affected by the mandatory MFA requirement. Only applications listed previously require MFA for sign in.
- KrazeyKami
  MCT
  Sep 16, 2024
  AndyDotPhillips
  Very good point indeed.
Adam__Brown__
Copper Contributor
Oct 23, 2019
Gurdev Singh

MFA is definately the issue here, I came across your post after experiencing similar issues. MFA was enfored to all accounts by Microsoft and disrupted our AD sync. The account i authenticated with in Azure AD was set to disabled for MFA but the issue remained. After much digging i then discovered that the account actually used for the sync was an account called sync_servername_tenant.

Within the admin portal search for a user starting with Sync_ your server name should follow after the _.

Once found visit the Multi-factor authentication menu and disabled multi-factor authentication for this sync_servername account.

Its this account that is used by Azure AD Connect to sync on-prem AD to Azure. Once disabled you will find that your AD Connect sync resumes without issue.
- dusting00
  Copper Contributor
  Jan 23, 2025
  This was my issue.
- austinwatling
  Copper Contributor
  Jul 29, 2024
  Just wanted to bump this answer as this was the issue we were having as well. Thank you thank you!
- Jdadule
  Copper Contributor
  Sep 21, 2022
  Adam__Brown__ Thank you. You're a life saver! 😄
VasilMichev
MVP
Jun 13, 2019
Yes, exclude it from MFA or any CA policies that require MFA. The account you use to configure AAD Connect can have MFA on, but that one is only used to create the actual sync account.
- Gurdev Singh
  Iron Contributor
  Jun 13, 2019
  VasilMichev...Thanks. Do you know if this is documented somewhere that AAD Connect Sync account must be excluded from MFA.
  
  Also, do you know much about ADFS https://techcommunity.microsoft.com/t5/Azure-Active-Directory/AAD-Connect-staging-mode-and-ADFS-configuration/m-p/689450#M2959
  - VasilMichev
    MVP
    Jun 13, 2019
    I'm not aware of any article explicitly mentioning the MFA requirement. However, this article describes how the account is provisioned and the type of credentials used: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#azure-ad-connector-account

Forum Discussion

Azure AD Connect sync account MFA support

18 Replies

Resources