Microsoft Tech Community

Azure AD Connect sync account MFA support


Does the account that AAD Connect uses to connect to Azure AD require MFA to be disabled? It's the account that AAD Connect creates itself during the installation process.

Recently, we noticed that if MFA is enforced for this account then AAD Connect starts raising errors.


Yes, exclude it from MFA or any CA policies that require MFA. The account you use to configure AAD Connect can have MFA on, but that one is only used to create the actual sync account.

@Vasil Michev... Thanks. Do you know if this is documented somewhere, that the AAD Connect sync account must be excluded from MFA?

Also, do you know much about ADFS https://techcommunity.microsoft.com/t5/Azure-Active-Directory/AAD-Connect-staging-mode-and-ADFS-conf...

I'm not aware of any article explicitly mentioning the MFA requirement. However, this article describes how the account is provisioned and the type of credentials used: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permission...

Hi All,

From 1 August, MFA needs to be enabled on ALL Microsoft Partner tenants:

https://docs.microsoft.com/nl-nl/partner-center/partner-security-requirements

When I read this, we cannot use conditional access anymore:

Once these requirements are technically enforced every single authentication must have an MFA challenge. You will not be able to use any feature of conditional access to avoid authenticating using MFA when accessing Microsoft commercial cloud services.

How are we supposed to combine this???

@Raymond Rothengatter 

This is the exact issue I am facing. CSP partners are required to have MFA enabled on 100% of accounts, but Azure AD Connect does not seem to support the Azure AD Application Graph which would allow it to work with MFA enabled?

With other applications (like Veeam for Office 365, for example) I would open:

  • Azure Active Directory
  • App Registrations
  • New Registration

Then as part of the registration give it the "App Permission" of "Microsoft Graph" and the sub-permissions that it needs.

I'm not finding any documentation from Microsoft for AD Connect to indicate that they support their own MFA-Compliant method of performing this.

I've opened a support case with the Partner Center, but I'm hoping that someone has already figured out how to make this work. If they cannot come up with a way to make AD Connect work with an MFA-enabled account, then I'm hoping that they will carve out an exception, because they are telling partners that we will no longer be able to transact with Microsoft if we are not 100% MFA enabled.

OK, Here's what I found out from my support case.

As of August 2019, there are now two forms of MFA policy:

1. User-specific MFA 

Enabled through the account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx page.

2. Azure Active Directory Conditional Access - Policies

Accessed via URL: https://aad.portal.azure.com

Click "Azure Active Directory"

Click Conditional Access

Then enable these policies:

  • Baseline policy: Require MFA for admins (Preview)
  • Baseline policy: Require MFA for Service Management (Preview)

The techs on the call are saying that if #2 is enabled, then you do not need to enable MFA at the end user level, because the policy will be enforced for the things that they care about.

The techs all agreed that the documentation on the partner site (https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq?branch=isaiah%2Fse...) was inadequate to make this distinction and they included a documentation person on the call to make notes and take screen shots of the changes required to clarify the policy.

We also confirmed for the tech (and took Fiddler traces of) the Azure AD Connect logs when #1 user-level MFA is enabled on the account used by ADConnect, proving without a doubt that the user-level setting being enabled will break ADConnect and that disabling it fixes ADConnect.

Finally, we also reviewed the fact that the Microsoft Security Score site is not paying attention to the Baseline Policy settings when calculating your security score.  They plan to reach out to the Security Score team to have them update the score settings when the policy is configured.
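The distinction the support engineers drew above, per-user ("legacy") MFA from the multifactorverification.aspx page versus Conditional Access policies, can be checked from a shell rather than by clicking through the old portal. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads the per-user MFA state on each Azure AD Connect sync account and clears it when set, which is the state the Fiddler traces described above showed breaking the sync. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph) is installed; the per-user MFA endpoint it calls is in the Graph beta surface, and the scope names are the ones documented for that endpoint (verify them for your tenant). The baseline policies named in the post were retired in 2020; the per-user setting checked here is independent of whatever Conditional Access policies or security defaults the tenant has now.

```powershell
# Added example, not from the thread or from Microsoft.
# Reads (and optionally clears) the per-user "legacy" MFA state on the Sync_ account(s)
# created by the Azure AD Connect installer. Conditional Access policies are a separate control.
# Assumptions: Microsoft.Graph SDK installed; beta Graph endpoint; scope names as documented for it.
Connect-MgGraph -Scopes "User.Read.All","UserAuthenticationMethod.Read.All","Policy.ReadWrite.AuthenticationMethod"

function Get-PerUserMfaState {
    param([Parameter(Mandatory)] [string]$UserId)
    # Returns 'disabled', 'enabled' or 'enforced' (beta endpoint at the time of writing)
    $uri = "https://graph.microsoft.com/beta/users/$UserId/authentication/requirements"
    (Invoke-MgGraphRequest -Method GET -Uri $uri).perUserMfaState
}

function Set-PerUserMfaState {
    param([Parameter(Mandatory)] [string]$UserId,
          [ValidateSet('disabled','enabled','enforced')] [string]$State = 'disabled')
    $uri = "https://graph.microsoft.com/beta/users/$UserId/authentication/requirements"
    # Invoke-MgGraphRequest serialises the hashtable body to JSON for us
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType 'application/json' -Body @{ perUserMfaState = $State }
}

# The connector account's UPN starts with "Sync_"; a tenant with several sync servers has several.
$syncAccounts = Get-MgUser -Filter "startsWith(userPrincipalName,'Sync_')" -Property Id,UserPrincipalName -All
if (-not $syncAccounts) { throw "No Sync_ account found; confirm you are connected to the right tenant." }

foreach ($sync in $syncAccounts) {
    $state = Get-PerUserMfaState -UserId $sync.Id
    "{0}: perUserMfaState = {1}" -f $sync.UserPrincipalName, $state
    if ($state -in 'enabled','enforced') {
        # 'enabled' turns into 'enforced' after the account's next interactive sign-in; the post
        # above reports the setting breaking the connector, so clear it in either state.
        Set-PerUserMfaState -UserId $sync.Id -State 'disabled'
        "Cleared per-user MFA on $($sync.UserPrincipalName); re-run a sync cycle and check Synchronization Service Manager."
    }
}
```

Two caveats worth knowing before relying on this: security defaults, which replaced the baseline policies, exclude the Azure AD Connect sync account by design according to Microsoft's documentation, so a tenant on security defaults should only ever hit this problem through the per-user setting or a custom Conditional Access policy; and clearing the per-user flag does nothing about a Conditional Access policy that targets "All users" without an exclusion, which is the case several later replies in this thread describe.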

@Darren_BL I'm not sure I understand how that resolves the issue. If MFA is required on 100% of Azure AD accounts - regardless of whether it's enforced via the old portal, baseline CA policy, or custom CA policy - it is not compatible with Azure AD Connect.

@Sol Birnbaum I currently have the baseline policy enabled, and the "user-level" MFA disabled for the account used by AD Connect, and it works; ADConnect/DirSync still syncs successfully.

The senior support engineer basically said that the "Policy level" one is somehow "application aware" and does not interfere with AD Connect, whereas the User-Level one is not and requires MFA on every type of login.

It looks like they have indeed updated the documentation page they said they would update as part of my escalated support case.  This page: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq?branch=isaiah%2Fs... 

Heading: "What are the key actions I need to take to meet the requirements?" has now been updated to explicitly mention the baseline policies.  

They have also added this new section:

Will the service account used by Azure AD Connect be impacted by the partner security requirements?

No, the service account used by Azure AD Connect will not be impacted by the partner security requirements. If you experience an issue with Azure AD Connect as result of enforcing MFA, then open a technical support request with Microsoft support.

Put differently, if you enable the Policy level one, it should have the effect of requiring MFA for a user trying to log into the portal to do admin work like manage your partner account, but it should not prevent logins used for other purposes.  Since they are trying to secure the partner portal, they view the mission as accomplished via the Baseline Policy.

@Darren_BL Interesting because our custom conditional access MFA policy was definitely blocking the Azure AD Connect service account, but at this point I don't see a reason not to use the baseline protection policy anyway.

@Gurdev Singh 

MFA is definitely the issue here; I came across your post after experiencing similar issues. MFA was enforced on all accounts by Microsoft and disrupted our AD sync. The account I authenticated with in Azure AD was set to disabled for MFA, but the issue remained. After much digging I then discovered that the account actually used for the sync was an account called sync_servername_tenant.

Within the admin portal, search for a user starting with Sync_; your server name should follow after the _.

Once found, visit the Multi-factor authentication menu and disable multi-factor authentication for this sync_servername account.

It's this account that is used by Azure AD Connect to sync on-prem AD to Azure. Once disabled, you will find that your AD Connect sync resumes without issue.
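Adam's post above and Vasil's first reply describe the fix by hand: find the Sync_ account and keep it out of MFA, and Sol's reply notes that a custom Conditional Access policy was the thing blocking it. The following PowerShell is an added example, not code from the thread or from Microsoft, that does the same audit in one pass: it locates every Sync_ account, pulls its recent sign-in failures to confirm they are MFA challenges (error codes 50076 "MFA required" and 50079 "MFA registration required"), lists every Conditional Access policy that requires MFA without excluding the account, and offers a function to add the exclusion. It assumes the Microsoft Graph PowerShell SDK is installed and the listed scopes are granted; the function names are this example's own.

```powershell
# Added example, not from the thread or from Microsoft.
# Audit: which Conditional Access policies challenge the Azure AD Connect sync account for MFA?
# Assumptions: Microsoft.Graph SDK installed; scopes below consented; direct user scoping only.
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","Policy.Read.All","Policy.ReadWrite.ConditionalAccess"

function Get-AadConnectSyncAccount {
    # The installer names the connector account Sync_<server>_<random>@<tenant>.onmicrosoft.com
    Get-MgUser -Filter "startsWith(userPrincipalName,'Sync_')" -Property Id,UserPrincipalName -All
}

function Get-SyncAccountMfaFailures {
    param([Parameter(Mandatory)] $User)
    # 50076 = MFA required by policy, 50079 = account must register for MFA.
    # Either on a service account means a policy is challenging the connector.
    # Note: this cmdlet returns the interactive sign-in log; if nothing shows up here,
    # check the non-interactive sign-in log in the portal for the same account.
    $since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    Get-MgAuditLogSignIn -Filter "userId eq '$($User.Id)' and createdDateTime ge $since" -All |
        Where-Object { $_.Status.ErrorCode -in 50076, 50079 } |
        Select-Object CreatedDateTime, AppDisplayName,
                      @{n='ErrorCode'; e={ $_.Status.ErrorCode }},
                      @{n='Reason';    e={ $_.Status.FailureReason }}
}

function Find-PoliciesChallengingSyncAccount {
    param([Parameter(Mandatory)] $User)
    foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
        # A policy requires MFA through the built-in "mfa" control or an authentication strength
        $requiresMfa = ($p.GrantControls.BuiltInControls -contains "mfa") -or
                       ($null -ne $p.GrantControls.AuthenticationStrength.Id)
        if (-not $requiresMfa) { continue }
        $u = $p.Conditions.Users
        # Direct user scope only; membership of included groups/roles is not resolved here
        $inScope  = ($u.IncludeUsers -contains "All") -or ($u.IncludeUsers -contains $User.Id)
        $excluded = $u.ExcludeUsers -contains $User.Id
        if ($inScope -and -not $excluded) {
            [pscustomobject]@{ PolicyId = $p.Id; Policy = $p.DisplayName; State = $p.State }
        }
    }
}

function Add-SyncAccountExclusion {
    param([Parameter(Mandatory)] [string]$PolicyId, [Parameter(Mandatory)] $User)
    $p = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
    $exclude = @($p.Conditions.Users.ExcludeUsers) + $User.Id | Select-Object -Unique
    # The full users block is resent on the assumption that a partial PATCH of this complex
    # property would replace the include/exclude lists wholesale; verify the result in the portal.
    $body = @{ conditions = @{ users = @{
        includeUsers  = @($p.Conditions.Users.IncludeUsers)
        includeGroups = @($p.Conditions.Users.IncludeGroups)
        includeRoles  = @($p.Conditions.Users.IncludeRoles)
        excludeUsers  = @($exclude)
        excludeGroups = @($p.Conditions.Users.ExcludeGroups)
        excludeRoles  = @($p.Conditions.Users.ExcludeRoles)
    } } }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -BodyParameter $body
}

# Report first; uncomment the last line inside the loop to apply the exclusion to each hit.
foreach ($sync in Get-AadConnectSyncAccount) {
    "== $($sync.UserPrincipalName)"
    Get-SyncAccountMfaFailures -User $sync | Format-Table -AutoSize
    $hits = Find-PoliciesChallengingSyncAccount -User $sync
    $hits | Format-Table -AutoSize
    # $hits | ForEach-Object { Add-SyncAccountExclusion -PolicyId $_.PolicyId -User $sync }
}
```

Because the audit only resolves direct user scoping, a policy that reaches the sync account through a group (for example an "All users" dynamic group used in place of the built-in "All") will not be reported; the sign-in failure check is the backstop for that case, since a 50076 against the sync account tells you some policy is in play regardless of how it is scoped. Excluding the account from MFA is the supported shape here, so treat the excluded account as a high-value credential: it is a cloud-only account with directory write permissions, and it should not be used for anything other than the connector.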

@Adam__Brown__ 

Thanks, this worked for me.

@Adam__Brown__ 

Thanks Adam. This worked for me, pointing me in the right direction for the fix. I excluded the sync account from my MFA conditional access policies I have set up for users and admins. I saw recently that two of the pre-configured conditional access policies I had enabled to enforce MFA had been disabled by Microsoft. The two that had been disabled were "Baseline policy: Require MFA for admins (Preview)" and "Baseline policy: End user protection (Preview)". I then created two policies identical to these two baseline policies. There were links in the baseline policies to help me create my own. After I created the two policies, that is when AD Sync broke to my on-prem AD. Your solution helped me to fix the issue. Thanks again.

@Adam__Brown__ Thank you. You're a life saver! :D