7,023 questions
Hello, this looks like conditional access is enabled on your synchronization account.
You need to remove this account from CAP policies
You can mark it 'Accept Answer' and 'Upvote' if this helped you
Regards,
Abiola
Cannot upgrade Entra Connect Sync
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 85%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKT%3C/text%3E%3C/svg%3E)
Kiedroň Tomáš
0
Reputation points
have upgrade Entra Connect Sync. I am getting error during upgradinf configuration like this:
Configure AAD Sync
An error occurred executing Configure AAD Sync task: System.InvalidOperationException:
There was an issue obtaining cloud sync intervals --- >
Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50079: Due to a configuration
change made by your administrator, or because you moved to a new location, you must enroll
in multi-factor authentication to access '00000002-0000-0000-c000-000000000000'. Trace ID:
30899e49-84c1-43e1-9ad5-272f73b4e600 Correlation ID: 4db1d100-d056-40d5-
aaae-8572bfa3a79b Timestamp: 2024-11-11 16:02:18Z
at
Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AuthenticateMS
AL(AzureService azureService, String userName, SecureString password, Boolean
useCachedToken, String& access Token, String& errorCode, String& additionalDetails, Boolean
throwOnException, Boolean throwExceptionOnMFAError)
at
Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AcquireServiceTo
ken(AzureService azureService, String& serviceEndpoint, String& errorCode, String&
additionalDetail, AuthenticationStatus& status, Boolean throwOnException, Boolean
throwExceptionOnMFAError)
at
Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AcquireServiceTo
ken(AzureService azureService, String& serviceEndpoint, String& additionalDetail,
AuthenticationStatus& status, Boolean throwOnException)
at
Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AcquireServiceTo
ken(AzureService azureService, String& additionalDetail, Boolean throwOnException)
at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken()
at
Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.Provisioning
WebServiceAdapter.InitializeProvisionHelper()
at
Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.Provisioning
WebServiceAdapter.Initialize()
at
Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.Provisioning
WebServiceAdapter.GetCompanyConfiguration(Boolean includeLicenseInformation)
at
Microsoft.Azure.ActiveDirectory.Synchronization.AADConfig.get_CloudEnforcedSyncSchedulerl
nterval()
at
Microsoft.MetadirectoryServices.Scheduler.SchedulerSettingUtilities.get CurrentSchedulerSetti
ngs()
--- End of inner exception stack trace ---
at
Microsoft.MetadirectoryServices.Scheduler.SchedulerSettingUtilities.get_CurrentSchedulerSetti
ngs()
at SchedulerUtils.GetCurrentSchedulerSettings(SchedulerUtils* , ConfigAttrNode* pcanList,
Ulnt32 ccanltems, Char ** syncSettingsSerialized, Char ** errorString)
I have tried to set exception from MFA and Conditional Access for admin account used for setting Sync but the result is same.
Any proposition?
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Microsoft Security | Microsoft Entra | Microsoft Entra ID
25,130 questions
1 answer
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 24%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
Abiola Akinbade 29,490 Reputation points Volunteer Moderator2024-11-11T23:58:19.01+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 51%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator2024-11-14T15:37:18.1133333+00:00 Hi @Kiedroň Tomáš
Just checking in to see if above answer was helpful. If you have any further updates on this issue, please feel free to post back. -
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator
2024-11-15T10:45:56.54+00:00 Hi @Kiedroň Tomáš
Just checking in to see if above answer was helpful. If you have any further updates on this issue, please feel free to post back.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 67%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKK%3C/text%3E%3C/svg%3E)
Kelvin Kipkoech Ruttoh 5 Reputation points2025-03-24T09:02:52.7266667+00:00 Saved me big time, turns out the sync_<yourPDC name>******@yourdomain.onmicrosoft.com account needs to be exempted from the CAP for MFA
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 37%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDD%3C/text%3E%3C/svg%3E)
Dan Dwyer 0 Reputation points2025-04-02T11:12:37.1466667+00:00 Thank you! this one was driving me crazy! Saved me alot of wasted time!
Sign in to comment -