Azure Conditional Access Rules break AAD Connect setup and configuration

Today I came across an interesting issue in my lab when trying to setup and configure Azure Active Directory Connect.

Errors Message:

AAD Connect Error Message

Checking the log is no help either, it just points me to the same error

Error Message:

[ERROR] Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.
Exception Data (Raw): System.Management.Automation.CmdletInvocationException: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.

 

Hmm what’s this about?

Let me google that for you – http://bfy.tw/BIv0

Not very helpful either.

After many painstaking searches I found reference to an issue where conditional access rules may be the root cause.

Started digging into the rule enabled.

 

In detail

 

Controls selected

 

I disabled the rule and hit retry in AAD Connect to check if it was the cause.

 

Progress!

Bingo

 

Now I’ve found part of the problem, I still needed to solve the other piece of the puzzle, after all I wanted this rule in place even it if means some compromise.

What is it inside my policy that is causing this error to appear?

Well it looks like I didn’t exclude an important account from the conditional access policy

My On-Premises Directory Sync account

 

Added the account to the rule and we are through

 

Hope this helps someone save some time when encountering this issue.

 

9 Replies to “Azure Conditional Access Rules break AAD Connect setup and configuration”

Leave a Reply