Azure AD Connect Staging Mode Install issue

Chris Newell 106 Reputation points
2020-05-13T20:12:31.053+00:00

I am trying to install AAD Connect on another server in staging mode. I have configured it in the past with no issues, so I am familiar with the process, and the issue I am seeing has never happened before.

My issue is:
During the setup wizard, after the last screen when I select "enable staging mode", one of the wizard's configuration tasks creates the Sync Service account in AD and Azure AD.
At this point I am getting a Microsoft sign-in prompt that is auto-populated with this Sync Service account. It is asking me to input the password. The password for this account is known to me as it is auto-created by the AD Connect wizard.

I tried to replicate this in my lab but I don't get the Microsoft Sign in. The account just gets created and the wizard finishes.

Could this be an MFA thing setup in the customers Tenant?

Thanks


Accepted answer
  1. Chris Newell 106 Reputation points
    2020-05-27T17:19:17.723+00:00

    Here is the solution.

    The customer had an MFA policy set up that included "All Users" instead of using a security group. Because of this, when the new Azure AD Sync account was created it got MFA enabled by default. Both myself and the MS support engineers thought the "Directory synchronization accounts" role, which the new account is a member of, was an admin role and would have its MFA controlled by the "MFA for Admins" policy. This was not correct.

    Once I excluded the Azure AD Sync account from the "All Users" policy, I could run the AD Connect install without being prompted for a login.

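The check that would have shortened this troubleshooting, as an added example that is not part of the thread: enumerate the members of the Directory Synchronization Accounts role (where the wizard puts each Sync_ account it creates) and list every enabled or report-only Conditional Access policy with an MFA grant control that still reaches them once user, group and role exclusions are taken into account. It uses the Microsoft Graph PowerShell SDK rather than the AzureAD cmdlets current when the thread was written; the scope names, cmdlets and property paths are the SDK's, the tenant contents are whatever you run it against. It is read-only and changes nothing.

```powershell
# Added example (not from the thread). Read-only report of Conditional Access
# policies requiring MFA that still apply to the Azure AD Connect sync accounts.
# Assumes the Microsoft.Graph PowerShell SDK is installed and you can consent to
# the three read-only scopes below.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All', 'Policy.Read.All'

# The wizard-created Sync_<server>_<id>@<tenant>.onmicrosoft.com account is a member
# of this role. Get-MgDirectoryRole lists only activated roles; this one is activated
# the first time a sync account is created, so a missing result means no sync account yet.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Directory Synchronization Accounts'"
if (-not $role) { throw 'Directory Synchronization Accounts role is not activated in this tenant.' }
$syncAccounts = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

# Policies that are enabled or report-only and whose grant control requires MFA.
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -ne 'disabled' -and $_.GrantControls.BuiltInControls -contains 'mfa' }

function Test-PolicyReachesUser {
    # Mirrors the users/groups/roles assignment logic: an include on the user, 'All',
    # one of the user's groups or one of the user's role templates puts the user in scope;
    # an exclude on any of the same three levels carves the user back out.
    param($Policy, [string]$UserId, [string[]]$UserRoleTemplateIds, [string[]]$UserGroupIds)
    $u = $Policy.Conditions.Users
    $included = ($u.IncludeUsers -contains 'All') -or
                ($u.IncludeUsers -contains $UserId) -or
                (@($u.IncludeRoles  | Where-Object { $UserRoleTemplateIds -contains $_ }).Count -gt 0) -or
                (@($u.IncludeGroups | Where-Object { $UserGroupIds -contains $_ }).Count -gt 0)
    $excluded = ($u.ExcludeUsers -contains $UserId) -or
                (@($u.ExcludeRoles  | Where-Object { $UserRoleTemplateIds -contains $_ }).Count -gt 0) -or
                (@($u.ExcludeGroups | Where-Object { $UserGroupIds -contains $_ }).Count -gt 0)
    return ($included -and -not $excluded)
}

foreach ($acct in $syncAccounts) {
    $upn = $acct.AdditionalProperties['userPrincipalName']

    # Transitive memberships decide whether group- and role-level includes/excludes apply.
    # Conditional Access references roles by role template id, not by the activated role's id.
    $memberOf = @(Get-MgUserTransitiveMemberOf -UserId $acct.Id -All)
    $groupIds = @($memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }).Id
    $roleTemplateIds = @($memberOf |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['roleTemplateId'] })

    foreach ($p in $mfaPolicies) {
        if (Test-PolicyReachesUser -Policy $p -UserId $acct.Id -UserRoleTemplateIds $roleTemplateIds -UserGroupIds $groupIds) {
            [pscustomobject]@{
                SyncAccount = $upn
                Policy      = $p.DisplayName
                State       = $p.State
                IncludesAll = ($p.Conditions.Users.IncludeUsers -contains 'All')
            }
        }
    }
}
```

One row per sync account and policy pair means the wizard's sign-in for that account will still be challenged for MFA; no rows means the exclusion described in the accepted answer is in place. Because each Azure AD Connect installation creates its own Sync_ account, a per-user exclusion has to be repeated for every new server (including a staging-mode one); excluding a security group that holds the sync accounts, and adding each new Sync_ account to it, is the usual way to keep the policy stable.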

3 additional answers

Sort by: Most helpful
  1. Thierry DEMAN-BARCELO 491 Reputation points MVP
    2020-05-13T20:31:09.933+00:00

    Hello,

    MFA could have been setup on this account by default.

    Another possibility is that the new ADConnect does not connect to Office 365 with the same public IP address (or subnet) as the ADConnect server in production. Conditional access could force MFA from unknown locations/IP.

    Regards,


  2. Chris Newell 106 Reputation points
    2020-05-14T17:11:03.84+00:00

    Update
    Still no luck with this. MFA has been turned off for all accounts related to this process, and Named Locations are set up and trusted for the IPs.

    Here are a few more things I tried

    1. I tried using a dedicated service account that has all the needed permissions set. This account is an AD account syncing to Azure. I ran the install and chose this account during the process. At the end I chose not to "sync after completed" and to "enable Staging mode".

    Result: the install auto created an Azure AD Sync account in Azure and gives me the Microsoft login, wanting the password (see image)

    2. I tried using a dedicated service account that has all the needed permissions set. This account is an AD account syncing to Azure. I ran the install and chose this account during the process. At the end I chose not to "sync after completed" and not to "enable Staging mode", thinking that I would do a manual export and import of the connection properties afterwards.

    Result:
    The same as result #1

    I tried the #1 process in my lab and had no issues. Everything installed as expected. I am thinking it has to be something in the customers tenant but can't figure out what.

    I can't figure out why:

    1. the wizard keeps creating an Azure AD Sync account even when I choose to use an existing account (see image)
    2. Why am I getting a Microsoft login when MFA is supposedly turned off

    (image: 8100-ms-login.jpg)


  3. Andy David 701 Reputation points
    2020-05-14T17:34:07.553+00:00

    Try using an Azure-managed GA account to install AADConnect, logged onto the local AADConnect server as the Microsoft Azure AD Sync service account.

