I was configuring a Microsoft 365 lab environment to write this blog post recently. As I needed some hybrid user identities, I needed to configure good old Azure AD Connect. When I entered all the needed information in the configuration wizard, I already saw that it took a very long time to set up the AAD Connect configuration and eventually I received an error:
Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue.
The log file, which is found in C:\ProgramData\AADConnect, showed a repeated error:
GetServiceAccount: service account authorization failed for Sync_xx@xx.onmicrosoft.com. Waiting for account to be provisioned. Details: AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access ‘00000002-0000-0000-c000-000000000000’.
00000002-0000-0000-c000-000000000000 looks like an ID of an Azure Enterprise application or Azure App registration to me. I guess this account is hitting one of my Conditional Access policies.
To verify this, we need to check the Azure portal. Browse to Enterprise applications and set the application type filter to All applications (because currently, the app type is unknown). Enter a part or the whole ID we found in the Application ID starts with filter.
And indeed, we see this is the ID of an application in Azure: Windows Azure Active Directory.
So, we need to make sure this application is excluded from the CA policy that is hit, or the sync account is excluded from the policy that requires Multi-factor Authentication (MFA).
In my case, I have simply targeted a CA policy at all users and all cloud apps, and that is the one being hit.
I’m unable to exclude the app Windows Azure Active Directory (at least via the Azure portal; I didn’t check MS Graph). So I excluded the directory role Directory Synchronization Accounts, of which the sync account is a member.
After configuring this exclusion, the Azure AD Connect configuration was successful.
For my lab tenant, this solution was fine, so I could move on with my setup. In a production environment, you need to make proper decisions on how to exclude the sync account from your CA MFA policy.
Another note: the error above is not specific to the Windows Azure Active Directory app. The same error can also appear for other apps that are protected by a CA policy that requires MFA.
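As an added example (not code from the original post), the following Microsoft Graph PowerShell script audits enabled Conditional Access policies for exactly the situation described above: an MFA grant control that still reaches the Directory Synchronization Accounts role for the application ID from the error, or for all cloud apps. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to Policy.Read.All and Directory.Read.All.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph SDK
# is installed and the signed-in account can consent to these read-only scopes.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All'

# Application ID quoted in the AADSTS50079 error (Windows Azure Active Directory).
$aadAppId = '00000002-0000-0000-c000-000000000000'

# Resolve the role template by display name rather than hard-coding its ID;
# CA policy role exclusions are stored as role template IDs.
$syncRole = Get-MgDirectoryRoleTemplate -All |
    Where-Object { $_.DisplayName -eq 'Directory Synchronization Accounts' }
if (-not $syncRole) { throw 'Directory Synchronization Accounts role template not found.' }

$findings = foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    # Report-only and disabled policies do not block the sync account.
    if ($policy.State -ne 'enabled') { continue }

    $users = $policy.Conditions.Users
    $apps  = $policy.Conditions.Applications
    $requiresMfa = $policy.GrantControls.BuiltInControls -contains 'mfa'

    # Scoped to all users and the sync role is not excluded (the fix from the post).
    $reachesSyncRole = ($users.IncludeUsers -contains 'All') -and
                       ($users.ExcludeRoles -notcontains $syncRole.Id)

    # Scoped to all cloud apps, or explicitly to the app named in the error.
    $reachesAadApp = ($apps.IncludeApplications -contains 'All') -or
                     ($apps.IncludeApplications -contains $aadAppId)

    if ($requiresMfa -and $reachesSyncRole -and $reachesAadApp) {
        [pscustomobject]@{
            PolicyName   = $policy.DisplayName
            PolicyId     = $policy.Id
            IncludeApps  = ($apps.IncludeApplications -join ',')
            ExcludeRoles = ($users.ExcludeRoles -join ',')
        }
    }
}

if ($findings) {
    Write-Host 'Enabled MFA policies that still apply to Directory Synchronization Accounts:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No enabled MFA policy reaches the Directory Synchronization Accounts role.'
}
```

The script only checks role-based exclusions; if you chose to exclude the individual Sync_ account instead, extend the check to compare Conditions.Users.ExcludeUsers against that account's object ID.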
Thanks for reading; I hope it saved you some troubleshooting time.