Probably a conditional access policy which asks for registration of your sync user.
Exclude your sync user from MFA/CA.
Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue.

Hi community,
I am trying to reinstall and configure Azure AD Connect on Windows Server 2019 Active Directory. I used 'Express Mode' and entered a 'Global Admin' user and an 'Enterprise Admin' user (to create the local user). The wizard got the user and password "******@msdx530006.onmicrosoft.com" (the user is visible in Azure AD as the On-Premises sync account), but I cancelled because I don't know the password that was created and I can't reset the password. Then the error message showed me "Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue", as in the log shared below.
Can someone help me? Thank you!
{
[19:32:05.334] [ 8] [ERROR] ExecuteADSyncConfiguration: configuration failed. Skipping export of synchronization policy. resultStatus=Failed
[19:32:05.378] [ 8] [ERROR] PerformConfigurationPageViewModel: An error occurred while creating the synchronization service account in Azure AD. The error was: Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.AzureADServiceAccountException: Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue. ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: User canceled authentication. On an Android device, this could be due to the lack of capabilities, such as custom tabs, for the system browser. See https://aka.ms/msal-net-system-browsers for more information.
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.VerifyAuthorizationResult()
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.<PreTokenRequestAsync>d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<RunAsync>d__60.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenCommonAsync>d__42.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenAsync>d__34.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AuthenticateADAL(String userName, SecureString password, AzureService azureService, Boolean useCachedToken, String& accessToken, String& adalErrorType, String& additionalDetails, Boolean throwOnException)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService azureService, String userName, SecureString password, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService adalResource, String& additionalDetails, Boolean throwOnException)
at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.InitializeProvisionHelper()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.Initialize()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.GetCompanyConfiguration(Boolean includeLicenseInformation)
at Microsoft.Online.Deployment.Types.Providers.ProvisioningWebServiceProvider.GetServiceAccount(String servicePrefix, String syncMachineIdentifier)
--- End of inner exception stack trace ---
at Microsoft.Online.Deployment.Types.Providers.ProvisioningWebServiceProvider.GetServiceAccount(String servicePrefix, String syncMachineIdentifier)
at Microsoft.Online.Deployment.Types.Providers.SyncDataProvider.UpdateAADConnectorCredentials(IAzureActiveDirectoryContext aadContext, IAadSyncContext aadSyncContext)
at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.ConfigureSyncEngineStage.StartADSyncConfigurationCore(Action`1 UpdateProgressText)
[19:32:05.378] [ 8] [ERROR] PerformConfigurationPageViewModel: Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue.
[19:47:47.088] [ 1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20201226-190545.log
}
Microsoft Security Microsoft Entra Microsoft Entra ID
3 answers
-
Rene Mulder 21 Reputation points
2022-03-11T13:41:52.01+00:00 -
Pavlo 6 Reputation points
2022-07-10T12:08:57.61+00:00 ReneMulder-9842 Thank you! I had the same error, and after adding the On-Premises Directory Synchronization Service Account to the excluded users of the Conditional Access policy, the configuration completed successfully.
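The exclusion described in the two answers above, as an added example that is not part of the original thread: it uses the Microsoft Graph PowerShell SDK to find the account the wizard creates (display name "On-Premises Directory Synchronization Service Account", UPN of the form Sync_<server>_<id>@<tenant>.onmicrosoft.com) and add it to the excludeUsers list of one Conditional Access policy. The policy name 'Require MFA for all users' is an assumption; replace it with the policy that blocked the wizard. The full users block is rebuilt from the policy's current values so that nothing else in the policy changes.

```powershell
# Added example, not code from the thread. Requires the Microsoft.Graph modules.
Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess','User.Read.All'

# Return a real array (never $null, never a bare scalar) so it serializes as a JSON array.
function ToList($items) { ,@($items | Where-Object { $null -ne $_ }) }

# The Azure AD Connect service account(s) created by the wizard.
$syncAccounts = Get-MgUser -Filter "startsWith(userPrincipalName,'Sync_')" -Property Id,UserPrincipalName,DisplayName |
    Where-Object { $_.DisplayName -eq 'On-Premises Directory Synchronization Service Account' }
if (-not $syncAccounts) { throw 'No sync service account found in the tenant yet.' }

# Hypothetical policy name; use the policy that requires MFA/registration for all users.
$policyName = 'Require MFA for all users'
$policy = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.DisplayName -eq $policyName }
if (-not $policy) { throw "Conditional Access policy '$policyName' not found." }

$users    = $policy.Conditions.Users
$existing = ToList $users.ExcludeUsers
$toAdd    = $syncAccounts.Id | Where-Object { $_ -notin $existing }

if ($toAdd) {
    # Rebuild the whole users block from current values, adding only the sync account(s).
    $body = @{
        conditions = @{
            users = @{
                includeUsers  = ToList $users.IncludeUsers
                includeGroups = ToList $users.IncludeGroups
                includeRoles  = ToList $users.IncludeRoles
                excludeUsers  = ToList ($existing + $toAdd)
                excludeGroups = ToList $users.ExcludeGroups
                excludeRoles  = ToList $users.ExcludeRoles
            }
        }
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body
}

# Verify: the sync account object IDs should now appear in the exclusion list.
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id).Conditions.Users.ExcludeUsers
```

Scope the exclusion to this one account object rather than to all users or to a broad group: the account holds the Directory Synchronization Accounts role and is a high-value target, so keep the exception documented and watch its sign-in logs for anything other than the Azure AD Connect server.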
-
mirba-msft 651 Reputation points Microsoft Employee Moderator
2020-12-28T11:18:38.44+00:00 Hello @Marcelo Fernandes de Freitas | @mfreitas365
Thank you for reaching out to us.
Please follow the steps below and let me know if this helps to resolve your issue.
- Make sure you have TLS 1.2 enabled, as from the logs you posted this looks to be an authentication issue failing to get the token. To enable TLS 1.2, run the PowerShell commands listed in the article and then restart the server.
- Please download and install the following six new certificates listed in this article and restart the Azure AD Connect server.
- Make sure you have all the endpoints open listed in the article.
- As you have mentioned you are reinstalling Azure AD Connect, please make sure to use a cloud-only Global Admin account.
- If following the steps listed above does not resolve the issue, then please elaborate on what you mean when you mention the AD Sync account "******@msdx530006.onmicrosoft.com".
Let me know if this helps to answer your question. If yes, then do accept it as an answer in the interest of community members with similar queries. If this does not answer it, please ask further in the comments and we will be happy to address your concerns. Thank you.
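The TLS 1.2 step from the answer above, as an added example that is not part of the original thread: it sets the registry values Microsoft documents for enabling TLS 1.2 on an Azure AD Connect server (.NET Framework strong crypto plus the SChannel TLS 1.2 client and server keys), then checks them and confirms that a connection to login.microsoftonline.com negotiates TLS 1.2. Run it in an elevated PowerShell session and reboot before re-running the wizard; the verification function is this example's own helper, not part of Azure AD Connect.

```powershell
# Added example, not code from the thread. Run elevated; reboot afterwards.
$netKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($key in $netKeys) {
    New-Item $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'SchUseStrongCrypto'       -Value 1 -PropertyType DWord -Force | Out-Null
}

$tls12 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
foreach ($side in 'Server','Client') {
    $key = Join-Path $tls12 $side
    New-Item $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled'           -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
}

# Helper for this example: $true only if every value above is in place.
function Test-Tls12Config {
    $ok = $true
    foreach ($key in $netKeys) {
        $p = Get-ItemProperty $key
        if ($p.SystemDefaultTlsVersions -ne 1 -or $p.SchUseStrongCrypto -ne 1) { $ok = $false }
    }
    foreach ($side in 'Server','Client') {
        $p = Get-ItemProperty (Join-Path $tls12 $side)
        if ($p.Enabled -ne 1 -or $p.DisabledByDefault -ne 0) { $ok = $false }
    }
    return $ok
}
"Registry configured for TLS 1.2: $(Test-Tls12Config)"

# Live check (after reboot): which protocol this host negotiates with the Azure AD login endpoint.
$client = [System.Net.Sockets.TcpClient]::new('login.microsoftonline.com', 443)
$ssl    = [System.Net.Security.SslStream]::new($client.GetStream())
$ssl.AuthenticateAsClient('login.microsoftonline.com')
"Negotiated protocol: $($ssl.SslProtocol)"
$ssl.Dispose(); $client.Dispose()
```

If the live check reports anything other than Tls12 (or Tls13 on newer builds) after the reboot, the wizard's token request is still being downgraded and the endpoint and certificate checks in the answer should be worked through next.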