Azure AD Connect Sync Failure After 2FA Implementation

This is just a short post to outline an issue we encountered with a new client. We added additional licenses to this new client's Microsoft Tenant to enable us to better secure and manage the organisation from a technical standpoint.

Part of this included adding conditional access policies and also enforced 2FA for all users to add another security layer. Everything was rolled out and no adverse issues arose after implementation for the first 24 or so hours.

We suddenly started getting alerts from their Tenant that their on-premises Azure AD Connect instance hadn't successfully synced their Active Directory for over 24 hours. We thought, hmmm that's weird, we didn't make any changes to their on-prem AD or Azure AD Connect instance.

After checking the usual things, like ensuring that the service was running, we executed a sync from PowerShell using:

Start-ADSyncSyncCycle -PolicyType Initial

And we received the following error:

If you read through the error you can see that the culprit is that the account used by Azure AD Connect is being asked to set up 2FA. The relevant part of the error message reads:

Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access

Well, that explains the problem, but how do you rectify it? The issue is resolved by creating an exclusion in your 2FA Policy for the account called On-Premises Directory Synchronization Service Account.

Log into your Microsoft Tenant and navigate to Protection > Conditional Access > Policies. Edit your 2FA Policy and, in the Assignments section, ensure you add the On-Premises Directory Synchronization Service Account to the excluded users.

Give it a few minutes to propagate and then run the sync again through PowerShell; you should see the sync complete successfully.
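To confirm the exclusion is actually in place (and to catch the same problem before a new MFA policy goes live), here is an added PowerShell example that is not part of the original post: it uses the Microsoft Graph PowerShell module to list every enabled Conditional Access policy that requires MFA and reports whether each directory synchronization service account is excluded. It assumes the Microsoft.Graph module is installed and that the signed-in admin can consent to the listed scopes; policies that reach the account only through a group are not evaluated.

```powershell
# Added example, not from the original post. Audits enabled Conditional Access
# policies that require MFA and reports whether the Azure AD Connect sync
# account is excluded from each of them.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "User.Read.All", "Policy.Read.All"

# Azure AD Connect creates the cloud sync account with this display name
# (one per Azure AD Connect server, so more than one may exist).
$syncAccounts = @(Get-MgUser `
    -Filter "displayName eq 'On-Premises Directory Synchronization Service Account'" `
    -Property Id, UserPrincipalName)
if ($syncAccounts.Count -eq 0) {
    throw "No directory synchronization service account found in this tenant."
}

# Only enabled policies whose grant control includes MFA can break the sync;
# report-only and disabled policies are skipped.
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa'
}

$report = foreach ($policy in $mfaPolicies) {
    $users = $policy.Conditions.Users
    foreach ($acct in $syncAccounts) {
        # In scope if the policy targets all users or names the account directly
        # (group-based inclusion is not resolved here).
        $inScope  = ($users.IncludeUsers -contains 'All') -or ($users.IncludeUsers -contains $acct.Id)
        $excluded = $users.ExcludeUsers -contains $acct.Id
        if (-not $inScope) { $status = 'NotTargeted' }
        elseif ($excluded) { $status = 'Excluded' }
        else               { $status = 'AT RISK - sync account will be prompted for MFA' }
        [pscustomobject]@{
            Policy      = $policy.DisplayName
            SyncAccount = $acct.UserPrincipalName
            Status      = $status
        }
    }
}

$report | Format-Table -AutoSize
Disconnect-MgGraph
```

Any row marked AT RISK is a policy that still needs the exclusion added before the next sync cycle runs.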

That's it, your task is complete...
