Azure AD connector service account missing role, how do I get it back?

Favian Zendejas 21 Reputation points
2022-10-28T16:00:08.577+00:00

We have Azure AD Connect installed on a server. We recently stopped being able to sync due to this error: "Access policy does not allow token
issuance."

We do not have any conditional access policies in place. We noticed our On-Premises Directory Synchronization Service Account is missing the built-in role "Directory synchronization accounts" and it cannot be reassigned. Any ideas where I can go from here or how to get the role back in place?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,170 questions
0 comments No comments
{count} votes

Accepted answer
  1. Andy David - MVP 143.8K Reputation points MVP
    2022-10-31T13:00:00.677+00:00

    Can you exclude that service account from the those policies if they are enabled?

    As far as I know, its not supported to add that role outside of the AADConnect Wizard:
    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#azure-ad-connector-account

    However, you may be able to add it via powershell:
    https://github.com/MicrosoftDocs/azure-docs/issues/53899


2 additional answers

Sort by: Most helpful
  1. Andy David - MVP 143.8K Reputation points MVP
    2022-10-28T16:07:27.477+00:00

    Can you export the config out and reinstall AADConnect using the existing config?

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-import-export-config


  2. Andy David - MVP 143.8K Reputation points MVP
    2022-10-31T12:41:26.187+00:00

    The change in IP may have tripped a Identity Policy:

    Check here to see what is set:
    https://portal.azure.com/?feature.msaljs=false#view/Microsoft_AAD_IAM/IdentityProtectionMenuBlade/~/Overview

    255659-image.png