Recently I was asked to help with an Office 365 deployment where Azure AD Connect could not be installed: the wizard kept asking for credentials for the sync account.
Because that account is created by Azure AD Connect itself during installation, its password is unknown, so you can’t continue the installation, and resetting the password in Azure AD is not possible either. Eventually you get stuck in a loop where the password prompt keeps reappearing and the only way out is to click the cross to end the install. That produces an installation error, which might look similar to this one:
After restarting Azure AD Connect you keep getting the page above, saying that there is an error and you need to uninstall the software.
The reason for the password prompt is that MFA is blocking the sign-in of the sync_** account. There are two ways to solve this. If you are using Azure AD with Conditional Access (as part of, e.g., Microsoft Endpoint Management licensing), you need to exclude the sync account from triggering MFA, explained below. If you are using the Office 365 per-user MFA enforcement, you can disable it on the account via the Office 365 portal (also explained below).
So first things first: uninstall the Azure AD Connect software but keep the supporting components installed; this will speed up the reinstallation later on.
After uninstalling you can start tackling the MFA issue. There are two ways to do this.
Disable Office 365 MFA
If you are not using Conditional Access in Azure AD, log in to the Office 365 portal (https://portal.office.com) with administrative credentials and go to the admin portal (https://admin.microsoft.com/Adminportal/Home?source=applauncher#/users). If the wizard ran, there will already be a user named sync_servername_asciistring. You can check this by typing sync next to the filter icon. In my case a sync user was already created, so you know what account to look for. Once you know the account, select the Multi-factor authentication button on the top bar.
In the next screen, click the search button.
The sync user will become visible; check whether the MFA status for this user is Disabled, as in the screenshot below.
If this is not the case, select the user and, from the quick steps on the right, click Disable.
Then proceed to the reinstallation of Azure AD Connect as described below.
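The same check and change can be scripted, which is handy when several Sync_ accounts from earlier failed installs exist. The following is an added example, not code from the original post; it uses the legacy MSOnline module (the per-user MFA state is only exposed there), and it assumes the module is installed, that you sign in with a Global Administrator, and that $ServerName matches the server the wizard was run on.

```powershell
# Added example (not from the original post): locate the Azure AD Connect sync
# account and inspect / clear its per-user (legacy Office 365) MFA requirement.
# Assumes: Install-Module MSOnline has been run, and the interactive sign-in
# below is done with a Global Administrator account (expect an MFA prompt there).
Import-Module MSOnline
Connect-MsolService

# Assumption: the wizard names the account Sync_<server>_<random>; adjust if needed.
$ServerName = $env:COMPUTERNAME

function Get-PerUserMfaState {
    param([Parameter(Mandatory)] $User)
    # StrongAuthenticationRequirements is empty when per-user MFA is disabled;
    # otherwise its State is 'Enabled' or 'Enforced'.
    $req = $User.StrongAuthenticationRequirements
    if (-not $req -or $req.Count -eq 0) { return 'Disabled' }
    return $req[0].State
}

# List every Sync_ account so stale ones from earlier installs are visible too.
$syncUsers = @(Get-MsolUser -SearchString 'Sync_')
foreach ($u in $syncUsers) {
    '{0} : per-user MFA = {1}' -f $u.UserPrincipalName, (Get-PerUserMfaState $u)
}

# Clear the requirement only on the sync account for this server, never on admin accounts.
$target = $syncUsers | Where-Object { $_.UserPrincipalName -like "Sync_${ServerName}_*" } |
          Select-Object -First 1
if (-not $target) {
    "No Sync_${ServerName}_* account found; run the wizard once so it gets created."
} elseif ((Get-PerUserMfaState $target) -eq 'Disabled') {
    "$($target.UserPrincipalName) already has per-user MFA disabled."
} else {
    # An empty requirements list is how per-user MFA is switched off for an account.
    Set-MsolUser -UserPrincipalName $target.UserPrincipalName -StrongAuthenticationRequirements @()
    "Cleared per-user MFA for $($target.UserPrincipalName)"
}
```

The listing step is deliberate: an old Sync_ account left behind by a failed install is an unused privileged identity, and this output makes it easy to spot and remove.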
Configure Azure AD Conditional access
If you are using Conditional Access in Azure AD there are different ways to solve the issue. The reason MFA is popping up in the first place is mostly that Conditional Access was not configured as per Microsoft’s best practices; you can read up about this here (Plan an Azure Active Directory Conditional Access Deployment | Microsoft Docs). It comes down to scoping Conditional Access policies to groups rather than to all users with some exclusions. If for some reason you cannot change that, the best solution is to exclude the sync user from Conditional Access. The alternative is to exclude the WAN IP from which the Azure AD Connect server connects to the internet, but that’s less secure because no traffic coming from that IP will trigger the Conditional Access policies. Please think before you enable that setting.
For this solution we’ll go for the safe option and exclude the sync user from Conditional Access. To fix this, log on to the Azure administrative portal and go to the Conditional Access blade (Conditional Access – Microsoft Azure).
The screenshot in this case shows only one policy, Enable MFA Always. I should say this screenshot is self-explanatory :-). To add the exclusion to the policy, open the policy by clicking on it.
Click on Users and groups.
Click on the Exclude tab. You can see in the screenshot that there are already some users/accounts configured to be excluded from Conditional Access. Click on the 8 users under Select excluded users. This can be named differently in your environment!
Select the sync account from the list and click Add. After that click Select. The user should then be added to the list. Finally click Save, and your sync user should appear in the list, making the excluded users count 9 (in this case).
After this, start reinstalling the Azure AD Connect software following the installation guide below.
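The portal steps above can also be done with the Microsoft Graph PowerShell SDK, which additionally lets you confirm from the sign-in log that the policy no longer blocks the sync account. This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph modules are installed, that the signing-in admin can consent to the listed scopes, and that the policy is named Enable MFA Always as in the screenshot ($PolicyName is an assumption to adjust).

```powershell
# Added example (not from the original post): exclude the Azure AD Connect sync
# account from one Conditional Access policy via Microsoft Graph, then read the
# account's recent sign-ins to verify the exclusion took effect.
# Assumes: Install-Module Microsoft.Graph has been run.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess',
                        'User.Read.All', 'AuditLog.Read.All'

$PolicyName = 'Enable MFA Always'   # assumption: the policy name from the screenshot

# Graph rejects a list containing null, so normalise possibly-empty lists to @().
function AsList($items) { return @($items | Where-Object { $_ -ne $null }) }

# 1. Find the sync account (the wizard names it Sync_<server>_<id>).
$syncUser = Get-MgUser -Filter "startsWith(userPrincipalName,'Sync_')" `
                       -Property Id, UserPrincipalName | Select-Object -First 1
if (-not $syncUser) { throw 'No Sync_ account found; run the wizard once so it gets created.' }

# 2. Load the policy and its current user scope.
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyName'"
if (-not $policy) { throw "Policy '$PolicyName' not found." }
$users = $policy.Conditions.Users

# 3. Add the account to excludeUsers while re-sending every other include/exclude list
#    unchanged, so the update cannot silently widen or narrow the policy's scope.
#    (If the policy also targets guests/external users, copy those settings as well.)
$exclude = AsList $users.ExcludeUsers
if ($exclude -contains $syncUser.Id) {
    "$($syncUser.UserPrincipalName) is already excluded from '$PolicyName'."
} else {
    $body = @{
        conditions = @{
            users = @{
                includeUsers  = AsList $users.IncludeUsers
                excludeUsers  = $exclude + $syncUser.Id
                includeGroups = AsList $users.IncludeGroups
                excludeGroups = AsList $users.ExcludeGroups
                includeRoles  = AsList $users.IncludeRoles
                excludeRoles  = AsList $users.ExcludeRoles
            }
        }
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body
    "Excluded $($syncUser.UserPrincipalName) from '$PolicyName'."
}

# 4. Verify: once the wizard has signed in again, its entries should show
#    ConditionalAccessStatus 'notApplied' (or 'success') and ErrorCode 0.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$($syncUser.UserPrincipalName)'" -Top 5 |
    Select-Object CreatedDateTime, AppDisplayName, ConditionalAccessStatus,
                  @{ n = 'ErrorCode';     e = { $_.Status.ErrorCode } },
                  @{ n = 'FailureReason'; e = { $_.Status.FailureReason } }
```

Step 4 is the part worth keeping around: the same query, run against the sync account on a schedule, tells you if someone later tightens the policy and the account starts failing Conditional Access again, before the directory falls out of sync.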
Reinstallation Of Azure AD Connect
Start the installer and choose Express settings (if you want the easy way :-)).
You need to fill in global administrator credentials, and if you are smart about security these accounts have MFA enabled, so you’ll need to fill in user name and password and then acknowledge the MFA prompt on your phone or whatever option you use.
Next, type in the enterprise administrator credentials for connecting to the local Active Directory.
After that, the next screen will appear confirming the settings.
The installation should go without a hitch because MFA is disabled for the sync user.
Disclaimer: please, please, please configure Conditional Access as per Microsoft’s best practices. You can run into all sorts of issues (like the one we’re facing now) when you don’t follow procedure. Hope this helps someone!
Pro tip: to check if the sync works, start the Synchronization Service on the server you installed Azure AD Connect on.
You need to run this tool as an administrator or else it won’t start.
The sync logging appears, and here you can check if the sync works or whether there are issues with accounts or with the logging itself.
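The same check can be done without the GUI from an elevated PowerShell session on the Azure AD Connect server. This is an added example, not part of the original post; it uses the ADSync module that the installer places on the server, and the 10-second poll interval and 10-minute cap are assumptions.

```powershell
# Added example (not from the original post): trigger a delta sync from PowerShell
# and wait for the scheduler to report that the cycle has finished.
# Assumes: run on the Azure AD Connect server in an elevated session.
Import-Module ADSync

$before = Get-ADSyncScheduler
'Scheduler enabled: {0}; next cycle: {1} at {2} UTC' -f `
    $before.SyncCycleEnabled, $before.NextSyncCyclePolicyType, $before.NextSyncCycleStartTimeInUTC

if ($before.SyncCycleInProgress) {
    'A sync cycle is already running; not starting another one.'
} else {
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

    # Poll the scheduler (assumed 10 s interval, 10 min cap) until the cycle completes.
    $deadline = (Get-Date).AddMinutes(10)
    do {
        Start-Sleep -Seconds 10
        $state = Get-ADSyncScheduler
    } while ($state.SyncCycleInProgress -and (Get-Date) -lt $deadline)

    if ($state.SyncCycleInProgress) {
        'Sync cycle still running after 10 minutes; inspect it in the Synchronization Service Manager.'
    } else {
        'Delta sync cycle finished; check the Synchronization Service Manager operations view for per-connector results.'
    }
}
```

If the cycle never starts at all, the first thing to look at is still the sync account’s sign-in: a Conditional Access or per-user MFA block shows up there long before it shows up in the scheduler output.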