On March 19th, 2021, Microsoft introduced Azure AD Connect version 18.104.22.168, incorporating the lessons learned and distributing the fixes Microsoft had made to the wider public. In the version release history, Microsoft added the following line to the release notes for this version:
Azure AD Connect now supports the Hybrid Identity Administrator role for configuring the service.
Alas, this line applies to all but one implementation scenario.
The scenario: you implement Azure AD Connect with the Enable seamless single sign-on option enabled, or you implement an additional Azure AD Connect installation towards an Azure AD tenant that already has this option enabled.
On the Connect to Azure AD page of the Microsoft Azure Active Directory Connect wizard, you specify an account that has the Hybrid Identity administrator role assigned, but not the Global administrator role.
The Enable seamless single sign-on option enables the Desktop Single Sign-on (DSSO) feature.
On the Enable single sign-on page of the Microsoft Azure Active Directory Connect wizard, you encounter a "Cannot retrieve single sign-on status." error:
This error prevents you from continuing to configure Azure AD Connect.
In the Event Viewer (eventvwr.exe) you additionally encounter an error:
The error with EventID 0 and source Azure AD Connect Authentication Agent provides the following information:
Connector registration failed: Make sure you are a Global Administrator of your Active Directory to register the Connector. Error: "The registration request was denied. Details: User is unauthorized."
This error occurs because managing the Desktop SSO feature is not supported with the Hybrid Identity Administrator role.
The Desktop SSO feature can currently only be managed using an account with the Global Administrator role.
Press the Previous button in the Microsoft Azure Active Directory Connect wizard until you reach the Connect to Azure AD page again. Alternatively, click the Connect to Azure AD node in the left navigation menu.
On this page, enter the credentials of an account with the Global administrator role assigned. Continue the wizard; this time it completes successfully.
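Before committing to an account on the Connect to Azure AD page, it is worth checking which of the two roles it actually holds. The following pre-flight check is an added example, not part of the original post or of Azure AD Connect; it assumes the AzureAD PowerShell module is installed and that the account you sign in with can read directory role memberships. Role names are matched on display name (older tenants still report Global Administrator as "Company Administrator").

```powershell
# Added example: report whether a given account holds Global Administrator or
# Hybrid Identity Administrator before it is used in the Azure AD Connect wizard.
# Assumes the AzureAD module; $UserPrincipalName is the account you intend to use.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName
)

Import-Module AzureAD -ErrorAction Stop
Connect-AzureAD | Out-Null

$user = Get-AzureADUser -ObjectId $UserPrincipalName

# Only activated directory roles are returned, which is fine here: a role that
# has never been activated cannot have members.
$globalAdminNames = @('Global Administrator', 'Company Administrator')
$hybridAdminName  = 'Hybrid Identity Administrator'

$isGlobalAdmin = $false
$isHybridAdmin = $false

foreach ($role in Get-AzureADDirectoryRole) {
    if ($role.DisplayName -notin ($globalAdminNames + $hybridAdminName)) { continue }
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
    if ($members.ObjectId -contains $user.ObjectId) {
        if ($role.DisplayName -in $globalAdminNames) { $isGlobalAdmin = $true }
        if ($role.DisplayName -eq $hybridAdminName)  { $isHybridAdmin = $true }
    }
}

if ($isGlobalAdmin) {
    Write-Host "$UserPrincipalName is a Global Administrator: usable on every wizard page, including Enable single sign-on."
}
elseif ($isHybridAdmin) {
    Write-Warning "$UserPrincipalName is only a Hybrid Identity Administrator: the Enable single sign-on page will fail with 'Cannot retrieve single sign-on status.' Use a Global Administrator account when Seamless SSO is enabled."
}
else {
    Write-Warning "$UserPrincipalName holds neither role and cannot configure Azure AD Connect."
}
```

The check looks only at direct, active role membership; an assignment that is merely eligible in Privileged Identity Management, or granted through a role-assignable group, will not show up until it is activated.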
Following Microsoft’s recommended practices for using least privileged roles to accomplish administrative tasks proved troublesome yesterday.
In Azure Active Directory, Microsoft can fix things overnight. I’m sure this issue will be fixed in the coming months. In the meantime, please be advised to use an account with the Global administrator role assigned when managing Desktop SSO.
My SCCT colleague Rob Bethbeder brought this issue to my attention.