AzureAD Connect error while executing the command 'Get-MsolUserRole' Access Denied.

Question

We've been running AzureAD Connect for ages. No issues, syncing works. Haven't needed to make a config change for a while but after attempting to upgrade from 2.3.6.0 to the latest we're getting this error when it asks for the password to Connect to Azure AD. Same with an attempt using a different Global Admin. Rolled the version back using a vm restore and getting the same error when attempting to change the user sign-in.

Any suggestions for troubleshooting? CAP policies won't come into play because it's from whitelisted IP.

Answer 1

Hello @Brian Altman ,

Thank you for reaching out to QnA platform. The error you’re encountering "An error occurred while executing the ‘Get-MsoIUserRole’ command. Access Denied. You do not have permissions to call this cmdlet" in Azure AD Connect is typically due to insufficient permissions. Here are a few steps you can take to resolve this issue:

• Check the Account Permissions:
  • Ensure that the account you’re using to execute the command has Global Administrator permissions.
  • If you’re unsure, try creating another Global Administrator account using your initial domain and use that for troubleshooting.

You can also refer following thread with similar issue where using a different Global Admin account resolved the issue. https://learn.microsoft.com/en-us/answers/questions/1668447/azuread-connect-error-while-executing-the-command

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.