Forum Discussion
Azure AD Connect sync account MFA support
Yes, exclude it from MFA or any CA policies that require MFA. The account you use to configure AAD Connect can have MFA on, but that one is only used to create the actual sync account.
VasilMichev...Thanks. Do you know if this is documented somewhere that AAD Connect Sync account must be excluded from MFA.
Also, do you know much about ADFS https://techcommunity.microsoft.com/t5/Azure-Active-Directory/AAD-Connect-staging-mode-and-ADFS-configuration/m-p/689450#M2959
I'm not aware of any article explicitly mentioning the MFA requirement. However, this article describes how the account is provisioned and the type of credentials used: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#azure-ad-connector-account
Hi All,
from 1 august MFA needs to be enabled on ALL Microsoft Partner Tentants:
https://docs.microsoft.com/nl-nl/partner-center/partner-security-requirements
When I read this: We cannot use conditional access anymore:
Once these requirements are technically enforced every single authentication must have an MFA challenge. You will not be able to use any feature of conditional access to avoid authenticating using MFA when access Microsoft commercial cloud services.
How are we suppose to combine this???
This is the exact issue I am facing. CSP partners are required to have MFA enabled on 100% of accounts, but Azure AD Connect does not seem to support the Azure AD Application Graph which would allow it to work with MFA Enabled?
With other applications (like Veeam for Office 365 for example) I would open:
Azure Active Directory
App Registrations
New Registration
Then as part of the registration give it the "App Permission" of "Microsoft Graph" and the sub-permissions that it needs.
I'm not finding any documentation from Microsoft for AD Connect to indicate that they support their own MFA-Compliant method of performing this.
I've opened a support case with the Partner Center, but hoping that someone has already figured out how to make this work. If they cannot come up with a way to make AD Connect work with MFA Enabled account, then I'm hoping that they will carve out an exception because they are telling partners that we will no longer be able to transaction with Microsoft if we are not 100% MFA enabled.
