I have worked with Azure AD Connect for a long time, and recently I was installing another AAD Connect server in staging mode. The installation did not finish because of an error I received in the configuration phase.
The installation, or rather the configuration, failed because it was unable to create the synchronization service account for Azure AD.
The exact error was ‘Unable to create the synchronization service account for Azure Active Directory’.
Errors in AADC deployment log.
In the Azure AD ‘Non-InteractiveSigninLogs’ it can be seen that the ‘sync_FETADC04…’ account has multiple failed sign-ins.
The detailed sign-in information shows that this user must enroll authentication information in the multi-factor authentication service before it can proceed.
In the AAD Connect server’s event log I found event 906, which indicates that the AADC service has not been able to obtain a token.
The root cause was Azure AD Conditional Access policies. The environment I was working in has multiple policies from which this type of service account needs to be excluded, so that it is allowed to sign in only from specific IP address ranges instead.
After the service account was excluded from the relevant CA policies, I was able to finalize the Azure AD Connect installation.
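The quickest way to find out which policies still need the exclusion is to ask Azure AD directly rather than to guess from the failed sign-ins. The script below is an added example, not part of the original post: it uses the Microsoft Graph PowerShell SDK to list every enabled Conditional Access policy that still targets an AAD Connect sync account, either by ‘All users’, by user ID, or through a group the account is a member of, and that does not exclude it. The ‘sync_’ prefix for the account name, the Graph scopes and the output columns are my assumptions; the cmdlets and property names are those of the Microsoft.Graph module.

```powershell
# Added example (not from the original post): list enabled Conditional Access policies
# that still apply to the AAD Connect sync account(s), i.e. the ones missing an exclusion.
# Assumptions: sync accounts use the default 'sync_' UPN prefix; the caller has the scopes below.
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All", "GroupMember.Read.All"

$syncAccounts = Get-MgUser -Filter "startsWith(userPrincipalName,'sync_')" -Property Id,UserPrincipalName
$policies     = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq 'enabled' }

foreach ($acct in $syncAccounts) {
    # Transitive membership, so both directly assigned and nested group scopes are caught
    $groupIds = @((Get-MgUserTransitiveMemberOf -UserId $acct.Id -All).Id)

    foreach ($p in $policies) {
        $u = $p.Conditions.Users

        # Policy targets the account: 'All' users, the user itself, or one of its groups
        $targeted = ($u.IncludeUsers -contains 'All') -or
                    ($u.IncludeUsers -contains $acct.Id) -or
                    (@($u.IncludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)

        # Policy already excludes the account, directly or via a group
        $excluded = ($u.ExcludeUsers -contains $acct.Id) -or
                    (@($u.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)

        if ($targeted -and -not $excluded) {
            # Each row is a policy that will still evaluate the sync account's sign-in;
            # 'mfa' in Controls is the one that produces the enrollment-required failure.
            [pscustomobject]@{
                Account   = $acct.UserPrincipalName
                Policy    = $p.DisplayName
                Controls  = ($p.GrantControls.BuiltInControls -join ',')
                Locations = ($p.Conditions.Locations.IncludeLocations -join ',')
            }
        }
    }
}
```

Run it before and after editing the policies: once the exclusions are in place the script should return nothing for the sync account, and the non-interactive sign-in failures and event 906 on the AADC server should stop. If a policy is meant to restrict the account to the AADC server’s egress IP addresses instead of excluding it, the Locations column shows which named locations it already references.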
I hope this helps if you are facing the same issue. And, Happy New Year!