Unable to create the synchronization service account for Azure Active Directory

Simon Fanning 116 Reputation points
Nov 10, 2021, 7:52 PM

When trying to set up a secondary Azure AD Connect (Staging) for High Availability, the process fails at the end with the error, 'Unable to create the synchronization account for Azure Active Directory'. Could it be related to a Conditional Access feature?

[14:41:54.080] [ 30] [ERROR] GetServiceAccount: the retry time limit for service account authorization has been exceeded. Exception Data (Raw): Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.AzureADServiceAccountException: Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue. --- Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '00000002-0000-0000-c000-000000000000'.

Customer answers to additional questions for Azure Active Directory User Provisioning and Synchronization: Which user is experiencing this problem? - ******@reco.on.ca; Which Resource ID is experiencing this problem? - ; When did the problem start? - 2021-11-10T15:00:00.000Z; Description - When trying to set up a secondary Azure AD Connect (Staging) for High Availability, the process fails at the end with the error, 'Unable to create the synchronization account for Azure Active Directory'. Could it be related to a Conditional Access feature?

Huge thanks for any help,
Simon


Accepted answer
  1. Marilee Turscak-MSFT 37,161 Reputation points Microsoft Employee
    Nov 10, 2021, 8:22 PM

    Yes, this appears to be related to conditional access.

    "Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue. --- Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '00000002-0000-0000-c000-000000000000'"

    The account you are using as the Azure AD admin account when going through the wizard, despite being able to authenticate earlier in the session, is getting blocked by Conditional Access. These policies are requiring extra conditions to be met before granting authorization. You'll need to make sure that the Azure AD admin account you use is able to authenticate and authorize fully into Azure AD.

    There is a related thread with an identical error message here: Unable to create synchronization service account


2 additional answers

  1. Musa ALICAN 5 Reputation points
    Mar 13, 2023, 4:01 PM

    Hello,

    When this error is received, it is said that the users covered by Conditional Access in Azure have made an error. Azure sync uses two accounts. The first is the global admin account we created. Another is the synchronization account that AD Sync creates in Azure. It usually starts with "Sync..." and ends with our tenant. These two accounts must be excluded from conditional access.

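As an added example (not code from this thread or from Microsoft), the following Microsoft Graph PowerShell check lists the enabled Conditional Access policies that apply directly to the admin account used in the wizard and to the "Sync_" accounts the answers describe, so you can see which policies still need an exclusion. The admin UPN is a placeholder, and policies that include the accounts only via groups or directory roles are not evaluated here.

```powershell
# Added example: audit Conditional Access coverage of the two Azure AD Connect
# identities (the admin account and the Sync_ service account).
# Requires the Microsoft.Graph module; read-only scopes are enough.
Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All'

$adminUpn = 'admin@contoso.example'   # placeholder: the Azure AD admin used in the wizard

# The sync account created by Azure AD Connect starts with "Sync_" (see the answer above).
$syncAccounts = Get-MgUser -Filter "startswith(userPrincipalName,'Sync_')" `
                           -Property Id, UserPrincipalName
$admin = Get-MgUser -UserId $adminUpn -Property Id, UserPrincipalName
$targets = @($admin) + @($syncAccounts)

# Only enforced policies can block the wizard; report-only ones are skipped.
$policies = Get-MgIdentityConditionalAccessPolicy |
            Where-Object { $_.State -eq 'enabled' }

foreach ($t in $targets) {
    foreach ($p in $policies) {
        $u = $p.Conditions.Users
        # Direct inclusion: the policy targets "All" users or this user's object id.
        # Note: inclusion through IncludeGroups / IncludeRoles is NOT resolved here.
        $included = ($u.IncludeUsers -contains 'All') -or ($u.IncludeUsers -contains $t.Id)
        $excluded = $u.ExcludeUsers -contains $t.Id
        $requiresMfa = $p.GrantControls.BuiltInControls -contains 'mfa'

        if ($included -and -not $excluded) {
            [pscustomobject]@{
                Account     = $t.UserPrincipalName
                Policy      = $p.DisplayName
                RequiresMfa = $requiresMfa   # an MFA grant here matches AADSTS50079
            }
        }
    }
}
```

Any row with RequiresMfa set to True is a policy that will interrupt the non-interactive sign-in the wizard performs for that account; add the account to that policy's ExcludeUsers, or use a narrower policy, and re-run the check.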

  2. Simon Fanning 116 Reputation points
    Nov 10, 2021, 8:29 PM

    Hi Marilee,
    Many thanks for your response!
    May I just clarify that you mean the Azure AD Global Administrator account?

    Cheers!
