Sometimes, the installation of Azure AD Connect can wreck your project deadlines in mere seconds. In this blog post, I want to share an error that kept the admins of an organization occupied for several days, even though it was easy to fix.
The situation
An organization uses Azure AD and Azure AD Connect.
After configuring the initial Azure AD Connect installation, the organization embraced Microsoft’s Azure identity & access security best practices.
An admin wants to configure an additional Azure AD Connect installation in Staging Mode. He downloads Azure AD Connect and runs it. The admin configures Azure AD Connect correctly and presses the Install button on the Ready to Configure screen.
The issue
During configuration, a modern authentication prompt appears:
The account and its password are unknown to the admin. However, the account name contains the name of the Windows Server installation on which Azure AD Connect is being configured.
The only option is to dismiss the authentication prompt. When the authentication prompt is dismissed, configuration fails.
In the trace file, located in the C:\ProgramData\AADConnect folder, the following lines can be found:
Caught exception while creating azure service account.
An error occurred while creating the synchronization service account in Azure AD. The error was: Unable to create the synchronization service account for Azure Active Directory. Retrying this operation may help resolve the issue.
In Event Viewer (eventvwr.exe), Event ID 906 is logged. This event provides information on the failure:
GetSecurityToken: unable to retrieve a security token for the provisioning web service (AWS).
Note:
The endpoint for Azure AD Connect is not hosted on Amazon AWS. AWS is the Microsoft internal abbreviation for its Azure AD Connect provisioning web service.
The cause
Azure AD Connect creates a new account in Azure AD. This account acts as the Azure AD service account for synchronization. The new account falls within the scope of an existing Conditional Access policy, and the configuration wizard cannot satisfy that policy’s grant requirement.
The solution
Do not cancel the Azure AD Connect configuration wizard. Instead, remedy the Conditional Access policy: when requiring multi-factor authentication or other grant requirements in Azure AD Conditional Access policies, exclude the Directory synchronization accounts role.
Wait a couple of minutes and press the Retry button. Azure AD Connect will then be configured without the need to rerun the entire wizard.
Concluding
My recommendation is to create a separate Conditional Access policy targeting the Directory synchronization accounts role and possible other service accounts that communicate with Azure (AD) endpoints.
Limit access by only allowing sign-ins from the egress/web proxy IP address(es) of the datacenter(s) in which your Azure AD Connect installations reside, and of any datacenter(s) in which you might want to set up Azure AD Connect installations in times of need. Block all other locations.
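As an added example (not part of the original post), the following Microsoft Graph PowerShell script does both of the things recommended above: it audits existing enabled policies for grant requirements that would hit the Directory synchronization accounts role without excluding it, and it creates a dedicated, location-restricted policy for that role. The named location name, the CIDR range and the policy name are placeholders you replace with your own values; the role template ID is resolved at runtime rather than hard-coded.

```powershell
# Added example, not the original post's code. Assumes the Microsoft.Graph PowerShell SDK
# is installed and the signed-in admin may read and write Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Resolve the built-in role's template ID by display name instead of hard-coding a GUID.
$syncRole   = Get-MgDirectoryRoleTemplate -Filter "displayName eq 'Directory Synchronization Accounts'"
$syncRoleId = $syncRole.Id

# 1. Audit: an enabled policy that targets all users (or this role explicitly), applies a
#    grant control such as MFA, and does not exclude the role will break a new
#    Azure AD Connect installation exactly as described in the post.
$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    if ($p.State -ne 'enabled') { continue }
    $users      = $p.Conditions.Users
    $targetsAll = ($users.IncludeUsers -contains 'All') -or ($users.IncludeRoles -contains $syncRoleId)
    $hasGrant   = ($null -ne $p.GrantControls) -and ($p.GrantControls.BuiltInControls.Count -gt 0)
    $excluded   = $users.ExcludeRoles -contains $syncRoleId
    if ($targetsAll -and $hasGrant -and -not $excluded) {
        Write-Warning "Policy '$($p.DisplayName)' applies grant controls to Directory synchronization accounts; add the role to its exclusions."
    }
}

# 2. Named location holding the egress/web proxy address(es) of the datacenter(s) that host
#    (or may one day host) Azure AD Connect. The CIDR below is a placeholder from the
#    TEST-NET-3 documentation range.
$egressLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'AADConnect egress (placeholder)'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.10/32' }
    )
}

# 3. Dedicated policy: block the Directory synchronization accounts role from every location
#    except the egress location. Created in report-only mode first, so the sign-in logs show
#    what would have been blocked before the policy is switched to 'enabled'.
$null = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CA - Directory synchronization accounts - block outside egress (placeholder)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeRoles = @($syncRoleId) }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($egressLocation.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
```

Run the audit part first on its own; only create the location and policy once you have confirmed the egress addresses, and review the report-only results in the Azure AD sign-in logs before enabling the block.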