Forced MFA on Oct 15 vs "On-Premises Directory Synchronization Service Account"

Ziad ALSAMAD 46 Reputation points
2024-09-10T13:09:11.36+00:00

I just want to get a hold of the whole forced MFA that's going to be applied on all user accounts. I understand that all user-based service accounts will be forced to use MFA.

The question is about the "On-Premises Directory Synchronization Service Account" used by Entra Connect. I have found no info that mentions if we can replace this account with a service principal, especially since it uses the “Directory Synchronization Accounts” role, which is a hidden role that cannot be assigned to any other accounts/service principals.

How can we replace this account used by Entra Connect with a service principal?

Accepted answer
  1. Raja Pothuraju 7,365 Reputation points Microsoft Vendor
    2024-09-11T09:58:41.7333333+00:00

    Hello @Ziad ALSAMAD,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I believe you're referring to the recent announcement about MFA enforcement, specifically the mandatory multifactor authentication for Azure and other administration portals starting on October 15, 2024. Since MFA will be enforced for all users, you were concerned about the "On-Premises Directory Synchronization Service Account" used by Entra Connect.

    The new MFA enforcement will only be mandatory for sign-ins to the Azure Portal, Entra Portal, and Intune Portal. The sync account, which is the "On-Premises Directory Synchronization Service Account" used by Entra Connect, does not sign into the Azure Portal. The sync process will occur silently without any interaction. Therefore, there will be no issues with the new MFA enforcement, and the account will continue to function as expected.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.

    2 people found this answer helpful.
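
One way to check the answer's point against your own tenant before the enforcement date, as an added example that is not part of the original question or answer: the script reads a sign-in log export and lists which accounts sign in interactively to the three portals the answer names. Assumptions: records are shaped like Microsoft Graph `signIn` objects (`userPrincipalName`, `appDisplayName`, `isInteractive`), the portal display names in `ENFORCED_PORTALS` match what your logs show, and the sample records and account names are constructed.

```python
import json
from collections import defaultdict

# Assumption: appDisplayName values as they appear in your tenant's sign-in
# export for the three portals named in the answer; adjust to match your logs.
ENFORCED_PORTALS = {"Azure Portal", "Microsoft Entra admin center",
                    "Microsoft Intune admin center"}

# Constructed sample records (not real log data), shaped like Graph signIn objects.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "Sync_dc01_0a1b2c3d4e5f@contoso.onmicrosoft.com",
     "appDisplayName": "Microsoft Azure Active Directory Connect", "isInteractive": False},
    {"userPrincipalName": "svc-backup@contoso.example",
     "appDisplayName": "Azure Portal", "isInteractive": True},
    {"userPrincipalName": "admin@contoso.example",
     "appDisplayName": "Microsoft Entra admin center", "isInteractive": True},
    {"userPrincipalName": "admin@contoso.example",
     "appDisplayName": "Azure Portal", "isInteractive": True},
    {"userPrincipalName": "svc-report@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "isInteractive": True},
])


def accounts_hit_by_portal_mfa(export_json, portals=ENFORCED_PORTALS):
    """Map each account to the enforced portals it signs in to interactively."""
    hits = defaultdict(set)
    for rec in json.loads(export_json):
        upn = (rec.get("userPrincipalName") or "").lower()
        if not upn:
            continue  # skip records with no user (e.g. malformed rows)
        if rec.get("isInteractive") is True and rec.get("appDisplayName") in portals:
            hits[upn].add(rec["appDisplayName"])
    return {upn: sorted(apps) for upn, apps in hits.items()}


def summarize(export_json, portals=ENFORCED_PORTALS):
    """Give a per-account verdict for every account seen in the export."""
    affected = accounts_hit_by_portal_mfa(export_json, portals)
    seen = {(r.get("userPrincipalName") or "").lower() for r in json.loads(export_json)}
    seen.discard("")
    return {upn: ("needs MFA: " + ", ".join(affected[upn])
                  if upn in affected else "no portal sign-ins")
            for upn in sorted(seen)}


if __name__ == "__main__":
    for upn, verdict in summarize(SAMPLE_EXPORT).items():
        print(f"{upn}: {verdict}")
```

Any user-based service account that appears with a "needs MFA" verdict is one to review before the enforcement date; an account that only appears with non-interactive, non-portal sign-ins matches the behaviour the answer describes for the sync account.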
