While running the Azure AD Connect wizard, in the last step I repeatedly get an unexpected password prompt with the Azure AD sync account username prepopulated.
Then I get an error "unable to create the synchronization service account for azure active directory".
What could possible gone wrong that would trigger a logon prompt using the Sync account?
https://docs.microsoft.com/answers/storage/attachments/23487-azure-ad-connect-4.jpg
After approx. two weeks without much progress by Azure Support, I managed to escalate it to MS Premier.
The issue turned out to be improper handling of MFA global restrictions by the Az ADConnect install wizard.
The workaround (after the original failure, you cannot avoid that step) is an MFA exemption for the Service account and then uninstall/reinstall Az ADConnect.
Dear @bhanote - thank you for the follow-up but I was confused by your message, this thread doesn't have a single on-topic suggestion or comment about the issue, why do you press for a "solution"?
I was trying to find the solution of it as I was experiencing similar issues with my test set-up. That was the reason.
Thanks,
thank you! Ran into the same issue.
Disabled the sync account via MFA conditional access policy and re-ran the wizard. Passed no problem.
Please create an Azure support request to better address this issue.
Thanks Alfredo,
i have created an Azure support request; but the forums are for the benefit of the community, no?
That's correct but since a step might imply reviewing confidential information such as the one stored in AD Connect logs it would be better to do it trough a support request.
Thanks for the clarification.
Back to the issue at hand, any ideas would be appreciated!
Hi FrustratedAdm,
Can we know if the issue is resolved now, if yes, then if we can know the resolution. This will help the community.
Thanks,
Ravi
The issue turned out to be MFA for the Sync Account: There is a bug in the Azure AD Connect wizard where it doesn't properly detect when MFA is enabled on the Azure Environment, and will give out the wrong error message.
Disabling MFA for the account and restarting the wizard is a reasonable workaround.
7 people are following this question.
