We have recently started looking at the security state of our O365 tenant with the Secure Score tool (https://securescore.office.com). One of the suggestions to raise the score is to enable MFA for all Global Admin accounts. However, the Azure AD sync tool has a user/service account that requires the Global Admin role to be assigned to it (as noted in the first referenced link below). Additionally, other Office365 admin roles are not permitted the directory sync access (as noted in the second link below).
Seeing as how the sync is an automated process, there is no way that I know of to build approving a login with MFA.
I have been unable to locate any articles around the Azure AD sync tool, nor a way to add an exception to the Secure Score portal for this user account. Has anyone come across a solution for either adding MFA to a service account or creating an exception for a service account to the Secure Score?
The AAD Connect Global Admins account is only required when you run the wizard. AAD Connect creates a service account for itself that does not have Global Admins rights but rather is a member of the special role, "Directory Synchronization Accounts".
If you're still using AADSync with a Global Admins service account, time to upgrade!
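To verify the point made in the answer in your own tenant, the following added example (not from the original thread) lists who holds the Global Administrator role versus the Directory Synchronization Accounts role and whether each Global Admin has a non-password authentication method registered. It assumes the Microsoft Graph PowerShell SDK and a signed-in account allowed to read roles and authentication methods; the `Sync_` naming convention AAD Connect uses for the account it creates is not mentioned in the thread.

```powershell
# Added example: audit Global Administrator vs Directory Synchronization Accounts membership.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

function Get-RoleMemberUpns {
    param([string]$RoleDisplayName)
    # Built-in roles only appear here once activated; the sync role is activated by AAD Connect setup.
    # Filtering client-side because directoryRoles only supports server-side $filter on roleTemplateId.
    $role = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq $RoleDisplayName }
    if (-not $role) { return @() }
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
        Where-Object { $_ }
}

$globalAdmins = Get-RoleMemberUpns -RoleDisplayName 'Global Administrator'
$syncAccounts = Get-RoleMemberUpns -RoleDisplayName 'Directory Synchronization Accounts'

Write-Host "Directory Synchronization Accounts role members (expected home of the AAD Connect account):"
$syncAccounts | ForEach-Object { Write-Host "  $_" }

Write-Host "`nGlobal Administrator role members:"
foreach ($upn in $globalAdmins) {
    $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,DisplayName
    # Any registered method other than the password counts as a second factor.
    $methods = Get-MgUserAuthenticationMethod -UserId $user.Id
    $strong = $methods | Where-Object {
        $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
    }
    $status = if ($strong) { 'MFA method registered' } else { 'NO second factor registered' }
    # AAD Connect names its own account Sync_<server>_<id>; one of these still in Global Admin
    # is a leftover from an old AADSync/wizard install and should be moved off the role.
    $flag = if ($upn -like 'Sync_*') { '  <-- sync account still holding Global Admin' } else { '' }
    Write-Host ("  {0} ({1}): {2}{3}" -f $user.DisplayName, $upn, $status, $flag)
}
```

Global Admins without a registered second factor are the accounts Secure Score is flagging; a `Sync_` account appearing under Global Administrator rather than under Directory Synchronization Accounts is the upgrade situation the answer describes.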