Warning "User in your organization will not be able to log in" while setting up AZure AD Connect

Stefan Tellenbach 21 Reputation points
2020-06-26T15:39:58.173+00:00

10765-ad-connect-warning.jpg

Dear community

I try to setup up AD Connect here. I created a test OU and a test User. I also created a service user that is used to sync the AD Data. This service user is a normal user, these rights should be enough says Microsoft in a document i found online.
At the final step of the setup i have this warning (screenshot)

What does the first sentence exactly mean? "Users in your organisation will not be able to log in" ; > where exactly to log in ? I hope this means the cloud / Azure Portal am i right here ? This will not change anything on my on prem Active Directory i hope.
The domain i want to sync "intranet.xxxxxx.ch" is already registered as a known domain in my tenant and its the only domain in this active directory so the "one or more domains" part in the second sentence of the warning is a bit confusing too.

Can someone please explain me what this warning means and what i have to do to solve this. I set up a testlab a week ago and there i did not get this error.
I found this command online "Invoke-ADSyncDiagnostics -PasswordSync" but that will only work after the setup is completed.

Thank you very much for your help.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,597 questions
0 comments No comments
{count} votes

Accepted answer
  1. Sander Berkouwer 86 Reputation points
    2020-06-27T17:14:18.46+00:00

    As documented here, the Azure AD Connect service account will need the following permissions for Password Hash Synchronization (PHS):

    • Replicate Directory Changes
    • Replicate Directory Changes All

    By default, 'normal' users in Active Directory do not have this permission. The permissions should be added manually, or you can specify an account with membership to the Enterprise Admins group in the Active Directory forest to set the delegated permissions for you.

    You receive the error 'Users in your organisation will not be able to log in', because with the current permissions on the service account, Azure AD Connect will not be able to synchronize the (hashes of the) hashes of the passwords for the users in scope. As you've specified this as the sign-in method to Azure AD, the users in scope will not be able to sign in to Azure AD and Azure AD-integrated services, like Microsoft 365 and Azure.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. T. Kujala 8,706 Reputation points
    2020-06-27T04:26:31.513+00:00
    0 comments No comments