Conditional Access and Azure Role Groups

Just a quick post, I was investigating why Azure Sync had suddenly stopped working at a customer site. Nothing had changed with the configuration of the sync server, looking at the event log I found the following message:

Authenticate-ADAL: unexpected authentication failure [Unspecified-Authentication-Failure] – Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application..

I knew the customer had been looking at Conditional Access policies so I headed there to see if any changes were causing policies to apply to the synchronisation account. I found a rule had been created to apply to all Azure AD roles to ensure users assigned them are forced to use MFA.

Now, there is a role “Directory synchronization accounts” which all Azure AD Connect sync accounts are added to, and this account was included in the scope of the Conditional Access rule. Now despite MFA being configured to not apply at trusted locations, which included the location of the sync server, simply including the sync account in scope of the Conditional Access policy changed the authentication method to one not supported by the client.


TLDR: don’t include “Directory Synchronization accounts” role in conditional access policies and ensure Synchronisation accounts are excluded.

About the author