Resolve error AzureActiveDirectorySyncAccountMultiFactorAuthEnabled in AADC:CS
Azure Virtual Desktop (AVD) with a domain controller (DC) requires Azure Active Directory Connect Cloud Sync (AADC:CS) or plain AADC. MCIT (v3) AVD deployments use AADC:CS. One constraint is that the sync service account Microsoft creates does not support MFA/2FA, so it must not fall under any MFA or other interactive authentication policy.
The errors you may see in the Azure portal (at https://portal.azure.com/#blade/Microsoft_AAD_Connect_Provisioning/ProvisioningManagementBlade) are:
- AzureActiveDirectorySyncAccountMultiFactorAuthEnabled
- Multi-factor authentication is enabled for synchronization service account <your AAD account>. This error may occur if multi-factor or other interactive authentication policies are accidentally enabled for the synchronization account. Removing any interactive authentication policies for the account should resolve the issue.
The account name is usually ADToAADSyncServiceAccount or On-Premises Directory Synchronization Service Account.
You are required to exclude this account from MFA; scope the exclusion to this one account rather than relaxing MFA for a broader set of users.
You can do this under "Per-user MFA" at: https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/MsGraphUsers
If you use AAD Conditional Access, you will also need to edit your policies at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Overview and exclude the ADToAADSyncServiceAccount from every policy that requires MFA. See the example below.
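The Conditional Access part of this fix can be scripted. The following is an added example, not part of the original article or a Microsoft tool; it assumes the Microsoft.Graph PowerShell module is installed and that the sync account can be found by the display name from the error message (the default below is a guess and can be overridden). Run it without -Apply first to see which MFA policies would be changed.

```powershell
# Added example: exclude the AADC:CS sync service account from every
# Conditional Access policy that requires MFA. Not the article's own code.
param(
    # Display name from the portal error; adjust if your tenant differs.
    [string]$SyncAccountName = 'On-Premises Directory Synchronization Service Account',
    # Without -Apply the script only reports; with it, policies are updated.
    [switch]$Apply
)

Connect-MgGraph -Scopes 'User.Read.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' | Out-Null

# Resolve the sync account; refuse to continue unless exactly one match is found.
$sync = @(Get-MgUser -Filter "startsWith(displayName,'$SyncAccountName')" -Property Id, DisplayName, UserPrincipalName)
if ($sync.Count -ne 1) {
    throw "Expected exactly one sync account matching '$SyncAccountName', found $($sync.Count)."
}
$sync = $sync[0]
Write-Host "Sync account: $($sync.UserPrincipalName) ($($sync.Id))"

# Turn a possibly-null Graph collection into a clean string array for the PATCH body.
function Clean($items) { [string[]]@($items | Where-Object { $null -ne $_ }) }

foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    # Relevant policies are those granting access only with MFA (built-in control
    # or an authentication strength); anything else cannot cause this error.
    $requiresMfa = ($policy.GrantControls.BuiltInControls -contains 'mfa') -or
                   ($null -ne $policy.GrantControls.AuthenticationStrength.Id)
    if (-not $requiresMfa) { continue }

    $users = $policy.Conditions.Users
    if ($users.ExcludeUsers -contains $sync.Id) {
        Write-Host "[ok]   '$($policy.DisplayName)' already excludes the sync account"
        continue
    }
    Write-Host "[todo] '$($policy.DisplayName)' requires MFA and does not exclude the sync account"
    if (-not $Apply) { continue }

    # Send the complete users block back so existing include/exclude entries are preserved.
    $body = @{ conditions = @{ users = @{
        includeUsers  = Clean $users.IncludeUsers
        excludeUsers  = (Clean $users.ExcludeUsers) + $sync.Id   # only this one account
        includeGroups = Clean $users.IncludeGroups
        excludeGroups = Clean $users.ExcludeGroups
        includeRoles  = Clean $users.IncludeRoles
        excludeRoles  = Clean $users.ExcludeRoles
    } } }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body
    Write-Host "[done] excluded the sync account from '$($policy.DisplayName)'"
}
```

The per-user MFA setting mentioned above is not touched by this script; clear it in the portal as described, then re-check the provisioning blade for the error to disappear.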