Azure AD connector service account missing role, how do I get it back?

Favian Zendejas 21 Reputation points

We have Azure AD Connect installed on a server. We recently stopped being able to sync due to this error: "Access policy does not allow token

We do not have any conditional access policies in place. We noticed our On-Premises Directory Synchronization Service Account is missing the built-in role "Directory synchronization accounts" and it cannot be reassigned. Any ideas where I can go from here or how to get the role back in place?


Accepted answer
  1. Andy David - MVP 143.8K Reputation points MVP

    Can you exclude that service account from those policies if they are enabled?

    As far as I know, it's not supported to add that role outside of the AADConnect Wizard:

    However, you may be able to add it via PowerShell:
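    Added example, not code from the thread or from the answer above: it checks whether the Entra Connect sync account still holds the "Directory Synchronization Accounts" built-in role and restores it with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the sync account keeps its default Sync_ prefix, and that the signed-in admin is allowed to assign directory roles.

```powershell
# Added example (not from the thread): verify whether the Entra Connect sync
# account holds the "Directory Synchronization Accounts" role and, if not,
# add it with Microsoft Graph PowerShell. Assumes the Microsoft.Graph module
# is installed and the caller holds a role that may assign directory roles.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$roleName = "Directory Synchronization Accounts"

# A built-in role only shows up in Get-MgDirectoryRole once it has been
# activated in the tenant; if it is absent, activate it from its template.
$role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# Entra Connect creates its cloud sync account with a Sync_<server>_<id> UPN
# (assumption: the account was not renamed; otherwise filter on its real UPN).
$syncAccounts = Get-MgUser -Filter "startsWith(userPrincipalName,'Sync_')" -Property Id,UserPrincipalName

# Current members of the role, compared against the sync account(s) found above.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
foreach ($acct in $syncAccounts) {
    if ($members.Id -contains $acct.Id) {
        Write-Host "$($acct.UserPrincipalName) already holds '$roleName'"
        continue
    }
    Write-Host "Adding $($acct.UserPrincipalName) to '$roleName'"
    $body = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($acct.Id)" }
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter $body
}
```

    The role grants directory write rights, so confirm that every Sync_ account the filter returns is one Entra Connect actually uses before the assignment runs; stale accounts from a previous server install should be removed rather than re-privileged.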

2 additional answers

  1. Andy David - MVP 143.8K Reputation points MVP

    Can you export the config out and reinstall AADConnect using the existing config?

  2. Andy David - MVP 143.8K Reputation points MVP

    The change in IP may have tripped an Identity Policy:

    Check here to see what is set: