I faced error which I haven’t seen before during AAD Connect installation. I made a custom installation in one of my environments and saw this one on my screen.
In this particular tenant I have been implementing two Conditional Access Policies and Identity Protection and thought that those might be playing a role in here. Event viewer showed this error which more and more leads to either CA policies or Identity Protection.
I investigate all my policies and found that I had an Identity Protection MFA registration enforced to all users and the synchronization account was not in the exception list. Also found that one of my CA policies was configured to all users without sync account in the exception list.
After configuring Sync_<servername>_xxxx sync account to the exception list authentication started to work without any problems and I was able to proceed with AAD Connect installation. Summary Conditional Access and Identity Protection policies which are enforcing controls to identities are very powerful as we have seen. Keep service accounts in mind when planning and implementing the policies to avoid the situation that I faced.