AzureAD Connect error while executing the command 'Get-MsolUserRole' Access Denied.

Brian Altman 30 Reputation points

We've been running AzureAD Connect for ages. No issues, syncing works. Haven't needed to make a config change for a while but after attempting to upgrade from to the latest we're getting this error when it asks for the password to Connect to Azure AD. Same with an attempt using a different Global Admin. Rolled the version back using a vm restore and getting the same error when attempting to change the user sign-in.

Any suggestions for troubleshooting? CAP policies won't come into play because it's from a whitelisted IP.

Microsoft Entra ID

1 answer

  1. Harpreet Singh Matharoo 7,581 Reputation points Microsoft Employee

    Hello @Brian Altman ,

    Thank you for reaching out to the QnA platform. The error you’re encountering, "An error occurred while executing the ‘Get-MsolUserRole’ command. Access Denied. You do not have permissions to call this cmdlet", in Azure AD Connect is typically due to insufficient permissions. Here are a few steps you can take to resolve this issue:

    • Check the Account Permissions:
      • Ensure that the account you’re using to execute the command has Global Administrator permissions.
      • If you’re unsure, try creating another Global Administrator account using your initial domain and use that for troubleshooting.

    You can also refer to the following thread with a similar issue, where using a different Global Admin account resolved the issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.