Come Feb 29th 2020 Microsoft are turning off the baseline security policies. If you used these policies to require MFA for all admins (as that was an easy way to achieve this), then the replacement Conditional Access rule might cause errors with AADConnect.
The reason is that the obvious replacement is a Conditional Access rule that stops every administrative role from signing in unless it performs MFA. The AADConnect sync service account is created for you automatically in Azure AD by AADConnect and holds the built-in Directory Synchronization Accounts directory role, so a rule scoped to directory roles catches it. That account signs in non-interactively with a password only, so it can never satisfy an MFA prompt.
If your MFA Conditional Access rule (or an "admins only from compliant devices" or similar rule) does not exclude the sync account then expect sync to stop working. The Azure AD connector stops with management agent (MA) errors, and if you run Start-ADSyncSyncCycle you get the error message below about a modal dialog box or form when the application is not running in UserInteractive mode. The stack trace shows why: the password-only sign-in is told that further interaction (MFA) is required, ADAL falls back to its interactive handler (AcquireTokenInteractiveHandler) and tries to open a browser dialog, and a Windows service has no desktop on which to show it.
The fix is to exclude the sync account from those rules. The quick way is to add it to the group that contains your break glass accounts, so that it bypasses MFA along with them; a cleaner way is a dedicated exclusion group for non-interactive service accounts (or excluding the Directory Synchronization Accounts role itself), so the break glass exclusion stays as small as possible. If you do not have a break glass account then make one, and ensure it and the sync account bypass MFA or other limiting conditional access rules. An excluded sync account is protected by its password alone, so leave the long random password AADConnect generated in place and alert on any sign-in for that account that does not come from the AADConnect server. The sync account is called "On-Premises Directory Synchronization Service Account" and is named sync_computername_uniquestring@tenant_domain.
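The check and the fix described above, as an added example that is not code from the original post or from Microsoft: it uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) to list every enabled Conditional Access policy that would catch the sync account without an exclusion, and then to put the sync account into an exclusion group. It finds the sync account through its Directory Synchronization Accounts role rather than by guessing the sync_ name; the group name in the usage lines is a placeholder.

```powershell
# Added example: audit Conditional Access exposure of the AAD Connect sync account
# and add it to an exclusion group. Requires the Microsoft.Graph module and a
# Connect-MgGraph session (see usage at the bottom). Group name is a placeholder.

function Get-SyncAccount {
    # Conditional Access references roles by template Id, so resolve the template first.
    $template = Get-MgDirectoryRoleTemplate -All |
        Where-Object DisplayName -eq 'Directory Synchronization Accounts'
    $templateId = $template.Id
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$templateId'"
    if (-not $role) { throw 'Directory Synchronization Accounts role is not activated; no sync account exists.' }

    # The sync accounts are the user members of that role (sync_<host>_<id>@tenant).
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        Get-MgUser -UserId $_.Id -Property Id, UserPrincipalName |
            Select-Object Id, UserPrincipalName, @{ n = 'RoleTemplateId'; e = { $templateId } }
    }
}

function Get-SyncAccountCaExposure {
    # Emits one row per (sync account, enabled policy) pair where the policy applies
    # and nothing excludes the account. Report-only and disabled policies are skipped.
    $policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq 'enabled'

    foreach ($u in Get-SyncAccount) {
        # CA evaluates group scoping transitively, so use transitive membership.
        $groupIds = @((Get-MgUserTransitiveMemberOf -UserId $u.Id -All).Id)
        foreach ($p in $policies) {
            $scope = $p.Conditions.Users
            $included = ($scope.IncludeUsers -contains 'All') -or
                        ($scope.IncludeUsers -contains $u.Id) -or
                        ($scope.IncludeRoles -contains $u.RoleTemplateId) -or
                        (@($scope.IncludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)
            $excluded = ($scope.ExcludeUsers -contains $u.Id) -or
                        ($scope.ExcludeRoles -contains $u.RoleTemplateId) -or
                        (@($scope.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)
            if ($included -and -not $excluded) {
                [pscustomobject]@{
                    SyncAccount = $u.UserPrincipalName
                    Policy      = $p.DisplayName
                    Grant       = ($p.GrantControls.BuiltInControls -join ',')
                }
            }
        }
    }
}

function Add-SyncAccountToExclusionGroup {
    # Adds every sync account to the named security group; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$GroupDisplayName)

    # Escape single quotes so a group name cannot break out of the OData filter.
    $safeName = $GroupDisplayName.Replace("'", "''")
    $group = @(Get-MgGroup -Filter "displayName eq '$safeName'")
    if ($group.Count -ne 1) { throw "Expected exactly one group named '$GroupDisplayName', found $($group.Count)." }
    $existing = @((Get-MgGroupMember -GroupId $group[0].Id -All).Id)

    foreach ($u in Get-SyncAccount) {
        if ($existing -contains $u.Id) { continue }   # already excluded via this group
        if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Add to group '$GroupDisplayName'")) {
            New-MgGroupMember -GroupId $group[0].Id -DirectoryObjectId $u.Id
        }
    }
}

# Usage (placeholder group name; the scopes cover the audit and the group change):
#   Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All', 'GroupMember.ReadWrite.All'
#   Get-SyncAccountCaExposure | Format-Table -AutoSize
#   Add-SyncAccountToExclusionGroup -GroupDisplayName 'CA-Exclude-ServiceAccounts' -WhatIf
```

Run the audit before and after the group change: the sync account should appear in the first report against every admin MFA or compliant-device policy and in none afterwards. The group must be one that the relevant policies actually list under excluded groups; adding the account to a group no policy references changes nothing, which is exactly what the second run of Get-SyncAccountCaExposure would reveal.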
The full error message for a search engine to find and bring you here is:
Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.
PS C:\Users\administrator> Start-ADSyncSyncCycle
Start-ADSyncSyncCycle : System.Management.Automation.CmdletInvocationException: System.InvalidOperationException: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.WebUI.<AcquireAuthorizationAsync>d__12.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.<AcquireAuthorizationAsync>d__11.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.<PreTokenRequestAsync>d__10.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<RunAsync>d__57.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenCommonAsync>d__39.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenAsync>d__30.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AuthenticateADAL(String userName, SecureString password, AzureService azureService, Boolean useCachedToken, String& accessToken, String& adalErrorType, String& additionalDetails, Boolean throwOnException)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService azureService, String userName, SecureString password, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService adalResource, String& additionalDetails, Boolean throwOnException)
at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.InitializeProvisionHelper()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.Initialize()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.GetCompanyConfiguration(Boolean includeLicenseInformation)
at Microsoft.Azure.ActiveDirectory.Synchronization.AADConfig.get_CloudEnforcedSyncSchedulerInterval()
at Microsoft.MetadirectoryServices.Scheduler.SchedulerSettingUtilities.get_CurrentSchedulerSettings()
at SchedulerUtils.GetCurrentSchedulerSettings(SchedulerUtils* , _ConfigAttrNode* pcanList, UInt32 ccanItems, Char** syncSettingsSerialized, Char** errorString) —> System.InvalidOperationException: System.InvalidOperationException: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.WebUI.<AcquireAuthorizationAsync>d__12.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.<AcquireAuthorizationAsync>d__11.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.<PreTokenRequestAsync>d__10.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<RunAsync>d__57.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenCommonAsync>d__39.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenAsync>d__30.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AuthenticateADAL(String userName, SecureString password, AzureService azureService, Boolean useCachedToken, String& accessToken, String& adalErrorType, String& additionalDetails, Boolean throwOnException)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService azureService, String userName, SecureString password, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService adalResource, String& additionalDetails, Boolean throwOnException)
at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.InitializeProvisionHelper()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.Initialize()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.GetCompanyConfiguration(Boolean includeLicenseInformation)
at Microsoft.Azure.ActiveDirectory.Synchronization.AADConfig.get_CloudEnforcedSyncSchedulerInterval()
at Microsoft.MetadirectoryServices.Scheduler.SchedulerSettingUtilities.get_CurrentSchedulerSettings()
at SchedulerUtils.GetCurrentSchedulerSettings(SchedulerUtils* , _ConfigAttrNode* pcanList, UInt32 ccanItems, Char**syncSettingsSerialized, Char** errorString)
at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.GetSchedulerSettings(String& settingsDeserialized, String& errorString)
at Microsoft.IdentityManagement.PowerShell.Cmdlet.GetADSyncScheduler.ProcessRecord()
— End of inner exception stack trace —
at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
at Microsoft.Online.Deployment.PowerShell.LocalPowerShell.Invoke()
at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.TypeDependencies.InvokePowerShell(IPowerShell powerShell)
at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.InvokePowerShellCommand(String commandName, InitialSessionState initialSessionState, IDictionary`2 commandParameters, Boolean isScript)
at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.SchedulerPowerShellAdapter.GetCurrentSchedulerSettings()
at Microsoft.MetadirectoryServices.Scheduler.Scheduler.StartSyncCycle(String overridePolicy, Boolean interactiveMode)
at SchedulerUtils.StartSyncCycle(SchedulerUtils* , Char* policyType, Int32 interactiveMode, Char** errorString)
At line:1 char:1
+ Start-ADSyncSyncCycle
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (Microsoft.Ident…ADSyncSyncCycle:StartADSyncSyncCycle) [Start-ADSyncSyncCycle], InvalidOperationException
+ FullyQualifiedErrorId : System.Management.Automation.CmdletInvocationException: System.InvalidOperationException
: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.WebUI.<AcquireAuthorizationAsync>d__12.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.<AcquireAuthorizationAsync>d__11.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.<PreTokenRequestAsync>d__10.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<RunAsync>d__57.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenCommonAsync>d__39.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenAsync>d__30.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AuthenticateADAL(String userName, SecureString password, AzureService azureService, Boolean useCachedToken, String& accessToken, String& adalErrorType, String& additionalDetails, Boolean throwOnException)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService azureService, String userName, SecureString password, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService adalResource, String& additionalDetails, Boolean throwOnException)
at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.InitializeProvisionHelper()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.Initialize()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.GetCompanyConfiguration(Boolean includeLicenseInformation)
at Microsoft.Azure.ActiveDirectory.Synchronization.AADConfig.get_CloudEnforcedSyncSchedulerInterval()
at Microsoft.MetadirectoryServices.Scheduler.SchedulerSettingUtilities.get_CurrentSchedulerSettings()
at SchedulerUtils.GetCurrentSchedulerSettings(SchedulerUtils* , _ConfigAttrNode* pcanList, UInt32 ccanItems, Char** syncSettingsSerialized, Char** errorString) —> System.InvalidOperationException: System.InvalidOperationException: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.WebUI.<AcquireAuthorizationAsync>d__12.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.<AcquireAuthorizationAsync>d__11.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenInteractiveHandler.<PreTokenRequestAsync>d__10.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<RunAsync>d__57.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenCommonAsync>d__39.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenAsync>d__30.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AuthenticateADAL(String userName, SecureString password, AzureService azureService, Boolean useCachedToken, String& accessToken, String& adalErrorType, String& additionalDetails, Boolean throwOnException)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService azureService, String userName, SecureString password, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException)
at Microsoft.Online.Deployment.Client.Framework.AzureAuthenticationProvider.AcquireServiceToken(AzureService adalResource, String& additionalDetails, Boolean throwOnException)
at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.InitializeProvisionHelper()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.Initialize()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.GetCompanyConfiguration(Boolean includeLicenseInformation)
at Microsoft.Azure.ActiveDirectory.Synchronization.AADConfig.get_CloudEnforcedSyncSchedulerInterval()
at Microsoft.MetadirectoryServices.Scheduler.SchedulerSettingUtilities.get_CurrentSchedulerSettings()
at SchedulerUtils.GetCurrentSchedulerSettings(SchedulerUtils* , _ConfigAttrNode* pcanList, UInt32 ccanItems, Char** syncSettingsSerialized, Char** errorString)
at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.GetSchedulerSettings(String& settingsDeserialized, String& errorString)
at Microsoft.IdentityManagement.PowerShell.Cmdlet.GetADSyncScheduler.ProcessRecord()
— End of inner exception stack trace —
at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
at Microsoft.Online.Deployment.PowerShell.LocalPowerShell.Invoke()
at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.TypeDependencies.InvokePowerShell(IPowerShell powerShell)
at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.InvokePowerShellCommand(String commandName, InitialSessionState initialSessionState, IDictionary`2 commandParameters, Boolean isScript)
at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.SchedulerPowerShellAdapter.GetCurrentSchedulerSettings()
at Microsoft.MetadirectoryServices.Scheduler.Scheduler.StartSyncCycle(String overridePolicy, Boolean interactiveMode)
at SchedulerUtils.StartSyncCycle(SchedulerUtils* , Char* policyType, Int32 interactiveMode, Char** errorString)
,Microsoft.IdentityManagement.PowerShell.Cmdlet.StartADSyncSyncCycle