Azure Conditional Access Rules break AAD Connect setup and configuration

Today I came across an interesting issue in my lab when trying to set up and configure Azure Active Directory Connect.

Error message:

[Screenshot: AAD Connect error message]

Checking the log is no help either; it just points me to the same error.

Error Message:

[ERROR] Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.
Exception Data (Raw): System.Management.Automation.CmdletInvocationException: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.

 

Hmm, what’s this about?

Let me google that for you – http://bfy.tw/BIv0

Not very helpful either.

After many painstaking searches I found reference to an issue where conditional access rules may be the root cause.

I started digging into the rule that was enabled.

[Screenshot: the Conditional Access rule in detail]

[Screenshot: the controls selected in the rule]

I disabled the rule and hit retry in AAD Connect to check if it was the cause.

[Screenshot: the AAD Connect wizard making progress]

Bingo.

 

Now that I had found part of the problem, I still needed to solve the other piece of the puzzle; after all, I wanted this rule in place even if it meant some compromise.

What is it inside my policy that is causing this error to appear?

Well, it looks like I didn’t exclude an important account from the conditional access policy:

[Screenshot: my On-Premises Directory Synchronization Service Account]

I added the account to the rule’s exclusions and we are through.
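To catch this gap before it breaks a sync server, the following audit script is an added example (not part of the original post). It assumes the AzureAD PowerShell module with Connect-AzureAD already run, the Get-AzureADMSConditionalAccessPolicy cmdlet, and that the sync account still carries the default display name prefix Azure AD Connect gives it. It lists enabled policies scoped to all users that do not exclude the directory sync account.

```powershell
# Added audit example; not the post's own code. Assumes the AzureAD module
# (Connect-AzureAD already run) and the default sync account display name.
function Get-PoliciesMissingSyncExclusion {
    param(
        # Display-name prefix Azure AD Connect assigns to its service account
        [string]$SyncAccountPrefix = 'On-Premises Directory Synchronization Service Account'
    )
    $syncAccounts = Get-AzureADUser -Filter "startswith(DisplayName,'$SyncAccountPrefix')"
    if (-not $syncAccounts) {
        throw "No directory sync account found with prefix '$SyncAccountPrefix'."
    }

    foreach ($policy in Get-AzureADMSConditionalAccessPolicy) {
        # Report-only and disabled policies do not block sign-ins
        if ($policy.State -ne 'enabled') { continue }
        $users = $policy.Conditions.Users
        # This check only covers policies that target every user; policies that
        # reach the sync account through a group are not detected here
        if ($users.IncludeUsers -notcontains 'All') { continue }
        foreach ($acct in $syncAccounts) {
            # ExcludeUsers holds object IDs, so compare against ObjectId
            if ($users.ExcludeUsers -notcontains $acct.ObjectId) {
                [pscustomobject]@{
                    Policy      = $policy.DisplayName
                    PolicyId    = $policy.Id
                    SyncAccount = $acct.UserPrincipalName
                }
            }
        }
    }
}

Get-PoliciesMissingSyncExclusion | Format-Table -AutoSize
```

Any row in the output is a policy that will prompt the sync account for a control it cannot satisfy from a service context, which is the symptom seen above. Policies that scope by group rather than "All users" need a separate check of group membership.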

 

Hope this helps someone save some time when encountering this issue.

 

Azure Replication Status Report – Email Notification

Recently I was given the task of monitoring the replication status of a large number of servers. I really didn’t want to go through the classic console and click inside every replication group just to make sure things were rolling smoothly, so I started thinking about how I could automate the task using Azure Automation runbooks.

I started digging around and came across a post where a gentleman had written a PowerShell script to deliver the daily backup jobs via email. It was not exactly what I wanted, so I took that script and modified it to deliver the information I required.

The first step is to create a runbook in Azure.

Give the runbook a useful name and choose the PowerShell option as the runbook type.

For the runbook to create a connection you will need to add the following code at the start of your script. If you have not set up an Azure Run As account, you can follow these instructions: Authenticate runbooks with an Azure Run As account.

Be sure to populate your Run As account name next to $connectionName.

Next, add the code below.

This is the workhorse that produces the report; you will need to populate your SMTP settings.
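The following runbook is an added example of the two pieces described above (the Run As authentication block and the report workhorse); it is not the script from the original post. It assumes the default Run As connection name AzureRunAsConnection, a credential asset named SmtpCredential for the SMTP server, and the AzureRM modules on the automation worker. The replication rows are constructed sample data so the report logic runs offline; the host names and addresses are placeholders.

```powershell
# Added example runbook; not the post's own script. Assumes an Automation Run As
# connection named "AzureRunAsConnection", a credential asset "SmtpCredential",
# and AzureRM modules on the worker. Addresses below are placeholders.
$connectionName = "AzureRunAsConnection"
try {
    # Connection assets resolve only when the runbook is executed by an Automation worker
    $spConnection = Get-AutomationConnection -Name $connectionName
    Add-AzureRmAccount -ServicePrincipal `
        -TenantId $spConnection.TenantId `
        -ApplicationId $spConnection.ApplicationId `
        -CertificateThumbprint $spConnection.CertificateThumbprint | Out-Null
}
catch {
    if (-not $spConnection) { throw "Connection '$connectionName' not found." }
    throw $_
}

# SMTP settings: populate for your environment (placeholders)
$smtpServer = "smtp.example.com"
$smtpPort   = 587
$smtpCred   = Get-AutomationPSCredential -Name "SmtpCredential"
$mailFrom   = "automation@example.com"
$mailTo     = "ops-team@example.com"

# Constructed sample rows so the report logic can be exercised offline.
# Replace this with the query that returns replication state for your servers.
$replicationItems = @(
    [pscustomobject]@{ Group = "Tier1"; Server = "APP01"; State = "Protected"; LastSync = (Get-Date).AddMinutes(-10) }
    [pscustomobject]@{ Group = "Tier1"; Server = "DB01";  State = "Critical";  LastSync = (Get-Date).AddHours(-6) }
    [pscustomobject]@{ Group = "Tier2"; Server = "WEB02"; State = "Protected"; LastSync = (Get-Date).AddHours(-3) }
)

function ConvertTo-ReplicationReport {
    param(
        [Parameter(Mandatory)][object[]]$Items,
        [int]$StaleMinutes = 60   # flag items whose last sync is older than this
    )
    $now = Get-Date
    # Encode server-supplied text before embedding it in HTML sent to a mailbox
    $enc = { param($s) [System.Net.WebUtility]::HtmlEncode([string]$s) }
    $unhealthy = 0
    $rows = foreach ($i in ($Items | Sort-Object Group, Server)) {
        $stale = ($now - $i.LastSync).TotalMinutes -gt $StaleMinutes
        $bad   = ($i.State -ne 'Protected') -or $stale
        if ($bad) { $unhealthy++ }
        $color = if ($bad) { '#f8d7da' } else { '#d4edda' }
        "<tr style='background:$color'><td>$(& $enc $i.Group)</td><td>$(& $enc $i.Server)</td>" +
        "<td>$(& $enc $i.State)</td><td>$($i.LastSync.ToString('u'))</td></tr>"
    }
    $html = @"
<html><body>
<h3>Replication status as of $($now.ToString('yyyy-MM-dd HH:mm'))</h3>
<p>$($Items.Count) items checked, $unhealthy unhealthy (error state or no sync in $StaleMinutes minutes)</p>
<table border='1' cellpadding='4'>
<tr><th>Group</th><th>Server</th><th>State</th><th>Last sync</th></tr>
$($rows -join "`n")
</table>
</body></html>
"@
    [pscustomobject]@{ Html = $html; UnhealthyCount = $unhealthy }
}

$report  = ConvertTo-ReplicationReport -Items $replicationItems
$subject = if ($report.UnhealthyCount -gt 0) {
    "Replication status: $($report.UnhealthyCount) item(s) need attention"
} else {
    "Replication status: all healthy"
}

# Send the HTML report; -UseSsl keeps the SMTP credential off the wire in clear text
Send-MailMessage -SmtpServer $smtpServer -Port $smtpPort -UseSsl -Credential $smtpCred `
    -From $mailFrom -To $mailTo -Subject $subject -Body $report.Html -BodyAsHtml
```

Putting the unhealthy count in the subject line means a scheduled hourly email can be triaged from the inbox list without opening every message, and the stale-sync threshold catches servers that report a healthy state but have silently stopped syncing.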

You are now ready to test that the runbook works.

Select the Test pane.

Select Edit and start the test; the runbook will be queued for an automation worker to pick it up.

Wait for the runbook to complete.

A new email should arrive with a table of results like the one below.

Now you just need to publish the runbook and add a schedule.

You can set the schedule for an hourly drop into your inbox or drop the results into a group inbox.