Issue with Entra Connect wizard setup and MFA requirements/conditional access

Taio Ray 20 Reputation points
2025-01-06T20:36:40.05+00:00

Hi all,

Our company is moving from an on-prem AD to a hybrid AAD setup and we want to utilize intune to manage a few policies. The issue I am having is with the initial Entra connect setup, the installation wizard fails each time with this error.

[screenshot: wizard error dialog]

and in the Entra failed logs [screenshot: failed sign-in entry]

I have researched this and it seems to be a conditional access issue. What is the best way around this? Do I have to create a policy for the service account associated? We have assigned the hybrid administrator role to myself and the service account. Any help is greatly appreciated,

Thanks


Accepted answer
  1. Akhilesh Vallamkonda 11,355 Reputation points Microsoft Vendor
    2025-01-08T17:49:57.66+00:00

    Hi @Taio Ray

    Thank you for reaching Microsoft Q&A Forum!

    If you are seeing the error "Unable to create the synchronization service account", the most common root cause would be a Conditional Access/MFA policy which requests registration of your connector account user. To resolve this, you can exclude this user from Conditional Access/MFA policies.
    Also, ensure that TLS 1.2 is enabled to allow successful authentication.

    Reference: https://learn.microsoft.com/en-us/answers/questions/1840734/unable-to-create-the-synchronization-service-accou
    https://learn.microsoft.com/en-us/answers/questions/622694/unable-to-create-the-synchronization-service-accou
    Hope this helps. Do let us know if you have any further queries by responding in the comments section.

    Thanks,

    Akhilesh V.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    1 person found this answer helpful.
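The accepted answer's second point, that TLS 1.2 must be enabled for the wizard's authentication to succeed, can be checked on the Entra Connect server before re-running the setup. The script below is an added example, not part of the thread or of Microsoft's tooling; it reads the .NET and SCHANNEL registry values that Microsoft's Entra Connect documentation lists for enforcing TLS 1.2 and reports any that are missing or set to an unexpected value. Run it in an elevated PowerShell session on the server; the key paths and expected values are those from the public guidance, so verify them against the current documentation for your OS build.

```powershell
# Added example (not from the thread): audit the registry settings Microsoft documents
# for forcing .NET and SCHANNEL onto TLS 1.2 on an Entra Connect server.
function Test-Tls12Configuration {
    $net32 = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    $net64 = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    $tlsSrv = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
    $tlsCli = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'

    # Each entry: registry path, value name, value expected for a TLS 1.2-only configuration
    $checks = @(
        @{ Path = $net32;  Name = 'SystemDefaultTlsVersions'; Expected = 1 }
        @{ Path = $net32;  Name = 'SchUseStrongCrypto';       Expected = 1 }
        @{ Path = $net64;  Name = 'SystemDefaultTlsVersions'; Expected = 1 }
        @{ Path = $net64;  Name = 'SchUseStrongCrypto';       Expected = 1 }
        @{ Path = $tlsSrv; Name = 'Enabled';                  Expected = 1 }
        @{ Path = $tlsSrv; Name = 'DisabledByDefault';        Expected = 0 }
        @{ Path = $tlsCli; Name = 'Enabled';                  Expected = 1 }
        @{ Path = $tlsCli; Name = 'DisabledByDefault';        Expected = 0 }
    )

    foreach ($c in $checks) {
        # A missing key or value is reported as '<missing>' rather than throwing
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = $null
        if ($null -ne $item) { $actual = $item.($c.Name) }
        $shown = '<missing>'
        if ($null -ne $actual) { $shown = $actual }

        [pscustomobject]@{
            Key      = "$($c.Path)\$($c.Name)"
            Expected = $c.Expected
            Actual   = $shown
            Ok       = ($actual -eq $c.Expected)
        }
    }
}

# Print the table; rows with Ok = False are the ones to fix before re-running the wizard
Test-Tls12Configuration | Format-Table -AutoSize
```

Setting these values requires a reboot of the server before .NET picks them up, so re-run the check after restarting rather than immediately after editing the registry.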

1 additional answer

Sort by: Most helpful
  1. Marcin Policht 32,660 Reputation points MVP
    2025-01-06T20:42:13.89+00:00

    Try excluding the Entra Connect sync account from the CA policy that apparently applies in this case.

    More at https://www.alitajran.com/conditional-access-mfa-breaks-azure-ad-connect-synchronization/


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    1 person found this answer helpful.
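Both answers give the same fix: exclude the Entra Connect synchronization account from the Conditional Access (MFA) policy that is catching it. The script below is an added example, not code from the thread, from Microsoft, or from the linked articles. It uses the Microsoft Graph PowerShell SDK (assumed installed, with an account that can read and write Conditional Access policies) to find the cloud sync account by its `Sync_` user principal name prefix (the naming convention Entra Connect uses), list every enabled policy scoped to all users that does not already exclude it, and, only when run with `-Apply`, add the exclusion. Because Graph replaces the nested `users` object on update, the full object is sent back rather than only `excludeUsers`. If the wizard failed before the account was created, the script finds nothing; the comment in the code names the role-based alternative (excluding the Directory Synchronization Accounts role) as an assumption to verify in your tenant.

```powershell
# Added example (not from the thread): find Conditional Access policies that apply to the
# Entra Connect sync account and, with -Apply, exclude that account from them.
# Assumes the Microsoft.Graph PowerShell SDK and a role such as Conditional Access Administrator.
param([switch]$Apply)

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'User.Read.All' | Out-Null

# Entra Connect names the cloud account Sync_<server>_<id>@<tenant>.onmicrosoft.com
$syncAccounts = Get-MgUser -Filter "startsWith(userPrincipalName,'Sync_')" `
                           -Property Id, UserPrincipalName, DisplayName -All
if (-not $syncAccounts) {
    Write-Warning 'No Sync_ account exists yet. Either re-run the wizard, or exclude the'
    Write-Warning 'Directory Synchronization Accounts role instead (assumed template ID'
    Write-Warning 'd29b2b05-8046-44ba-8758-1e26182fcf32; verify it with Get-MgDirectoryRoleTemplate).'
    return
}

foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    $u = $policy.Conditions.Users
    # Only enforced policies that target every user can block a freshly created sync account
    if ($policy.State -ne 'enabled' -or ($u.IncludeUsers -notcontains 'All')) { continue }

    foreach ($acct in $syncAccounts) {
        if ($u.ExcludeUsers -contains $acct.Id) { continue }   # already excluded
        Write-Host ("Policy '{0}' applies to {1}" -f $policy.DisplayName, $acct.UserPrincipalName)

        if ($Apply) {
            # Send the whole users block: Graph replaces the nested object, so omitting
            # includeUsers etc. would silently drop them from the policy.
            $body = @{
                conditions = @{
                    users = @{
                        includeUsers  = @($u.IncludeUsers)
                        excludeUsers  = @($u.ExcludeUsers) + $acct.Id
                        includeGroups = @($u.IncludeGroups)
                        excludeGroups = @($u.ExcludeGroups)
                        includeRoles  = @($u.IncludeRoles)
                        excludeRoles  = @($u.ExcludeRoles)
                    }
                }
            }
            Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body
            Write-Host ("  excluded {0} from '{1}'" -f $acct.UserPrincipalName, $policy.DisplayName)
        }
    }
}
```

Run it once without `-Apply` to see which policies are in scope; the list should match the policy named in the failed sign-in entry for the sync account in the Entra sign-in logs. Keep the exclusion narrow: the sync account is a high-privilege service identity, so exclude it from the MFA-registration or MFA-enforcement policy only, not from every policy in the tenant.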
