Which sync account did you exclude from MFA policies? If it can't create it, then the new one using the name of the new server shouldn't be in Azure.
Entra ID Connect failing to create synchronization account
A customer of ours had AAD Connect set up and working fine until one day it didn't. Not sure what happened, but probably a password change without following the correct process of destroying the encryption keys.

I am now trying to install and configure AAD Connect on a different server and keep running into the "Unable to create the synchronization service account for Microsoft Entra ID..." error. I have made sure that the cloud AD Connect account is not in any conditional access policies, removed from legacy MFA policies, removed from the registration group, and I have the permissions assigned to the service account.

Here is the error in the logs:

"Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.AzureADServiceAccountException: Unable to create the synchronization service account for Microsoft Entra ID. Retrying this operation may help resolve the issue. ---> Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '00000002-0000-0000-c000-000000000000'. Trace ID: 2794fdcd-2b1e-4bb2-af55-555267e53800 Correlation ID: dfb9f1ed-8ed6-4368-9c44-ce63e673513e Timestamp: 2024-11-15 19:38:26Z"

And Azure support is not responding to my inquiry. Any help would be appreciated.