In case it helps, our solution was this:
1) Add Azure IP subnet range (just our subnet) as an IP range location in Named locations in Conditional Access
2) In Conditional Access, under "enforce MFA for all cloud apps," excluded service accounts and the account used to enable the process in Azure directory sync from this Conditional Access policy.
2a) the account used to enable the process was subsequently removed from the exclusion after the configuration successfully completed.
I'm not sure what our problem was, but that was our solution and now it's working fine.
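The same three steps scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the post above and not the poster's own configuration. It assumes the Microsoft.Graph modules are installed, that the subnet, policy names and user principal names are placeholders to replace with your own, and that the named location from step 1 is used as a location exclusion on the policy (the post creates the location but does not say how it was attached to the policy, so that part is an assumption).

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users). All names below are placeholders.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

$subnet      = "203.0.113.0/24"                               # placeholder: just your Azure subnet
$syncAccount = "Sync_SERVER_abc123@contoso.onmicrosoft.com"   # placeholder: the directory sync service account
$setupAdmin  = "setup.admin@contoso.onmicrosoft.com"          # placeholder: account used to enable sync

# 1) Named location that covers only the subnet (IPv4 CIDR range, not marked trusted)
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Azure sync subnet"
    isTrusted     = $false
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $subnet }
    )
}

# Conditional Access policies reference users by object ID, not UPN
$syncAccountId = (Get-MgUser -UserId $syncAccount -Property Id).Id
$setupAdminId  = (Get-MgUser -UserId $setupAdmin  -Property Id).Id

# 2) Require MFA for all cloud apps, excluding the sync account, the setup account
#    and (assumption) sign-ins from the named location created in step 1
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require MFA for all cloud apps"
    state       = "enabled"   # use "enabledForReportingButNotEnforced" first to check sign-in logs for lockouts
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($syncAccountId, $setupAdminId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 2a) Once the sync configuration has completed successfully, drop the setup account
#     from the exclusion. The full conditions block is re-sent so nothing else is cleared.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{
    conditions = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($syncAccountId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
}
```

The accounts left in the exclusion list sign in with a password only, so keep that list to the sync service account, and check the sign-in logs for it after the policy is enabled to confirm the sync no longer fails on an MFA prompt.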