Forum Discussion
Azure AD Connect sync account MFA support
Yes, exclude it from MFA or any CA policies that require MFA. The account you use to configure AAD Connect can have MFA on, but that one is only used to create the actual sync account.
- Gurdev Singh, Jun 13, 2019, Iron Contributor
VasilMichev... Thanks. Do you know if this is documented somewhere that the AAD Connect Sync account must be excluded from MFA?
Also, do you know much about ADFS? https://techcommunity.microsoft.com/t5/Azure-Active-Directory/AAD-Connect-staging-mode-and-ADFS-configuration/m-p/689450#M2959
- VasilMichev, Jun 13, 2019, MVP
I'm not aware of any article explicitly mentioning the MFA requirement. However, this article describes how the account is provisioned and the type of credentials used: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#azure-ad-connector-account
- Raymond Rothengatter, Jul 30, 2019, Copper Contributor
Hi All,
From 1 August, MFA needs to be enabled on ALL Microsoft Partner Tenants:
https://docs.microsoft.com/nl-nl/partner-center/partner-security-requirements
When I read this, we cannot use conditional access anymore:
"Once these requirements are technically enforced every single authentication must have an MFA challenge. You will not be able to use any feature of conditional access to avoid authenticating using MFA when accessing Microsoft commercial cloud services."
How are we supposed to combine this???