I have worked with Azure AD Connect for a long time, and recently I was installing another AAD Connect server in staging mode. The installation did not finish because of an error I received in the configuration phase.

Error

The installation, or configuration, failed because it was unable to create a synchronization service account for Azure AD.

The exact error – ‘Unable to create the synchronization service account for Azure Active Directory’.

Errors in AADC deployment log.

In the Azure AD ‘Non-interactive sign-in logs’ it can be seen that the ‘sync_FETADC04…’ account has multiple failed sign-ins.

The detailed sign-in information shows that this user must register authentication information with the multi-factor authentication service before it can proceed.

In the AAD Connect server’s event logs I found event 906, which indicates that the AADC service has not been able to obtain a token.

Root Cause

The root cause is Azure AD Conditional Access policies. The environment I was working in has multiple policies that allow sign-ins only from specific IP address ranges, and service accounts of this type need to be excluded from them.

After the service account was excluded from the relevant CA policies, I was able to finish the Azure AD Connect installation.
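The two checks described above (event 906 on the AADC server, and whether the sync account is still in scope of a location-based CA policy) can be scripted. The following PowerShell is an added example written for this post, not code from Microsoft or from the original article. It assumes the Microsoft.Graph PowerShell SDK is installed, that you can consent to the Policy.Read.All and User.Read.All scopes, and that the sync account UPN is a placeholder you replace with your own; the ‘Directory Synchronization’ event provider name is an assumption about where AADC writes its Application-log events.

```powershell
# Added example: verify the symptoms and the fix for the CA-policy root cause.
# Run part 1 on the AAD Connect server; part 2 can run from any admin workstation.
param(
    # Placeholder value; replace with the real synchronization account UPN.
    [string]$SyncAccountUpn = 'sync_PLACEHOLDER@contoso.onmicrosoft.com'
)

# --- Part 1: look for event 906 (AADC could not get a token) in the last 24 hours.
$tokenErrors = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'   # assumption: AADC's event source name
    Id           = 906
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

if ($tokenErrors) {
    Write-Host "Found $($tokenErrors.Count) event(s) 906 in the last 24h. Most recent:"
    Write-Host $tokenErrors[0].Message
}
else {
    Write-Host 'No event 906 found in the last 24 hours.'
}

# --- Part 2: list enabled CA policies that scope by location and do NOT exclude the sync account.
Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All'

$syncUser = Get-MgUser -Filter "userPrincipalName eq '$SyncAccountUpn'" -Property Id, UserPrincipalName
if (-not $syncUser) { throw "Sync account $SyncAccountUpn was not found in Azure AD." }

$policies = Get-MgIdentityConditionalAccessPolicy -All

$policies |
    Where-Object { $_.State -eq 'enabled' } |
    # Only policies that actually use a location condition are relevant here.
    Where-Object { $_.Conditions.Locations -and $_.Conditions.Locations.IncludeLocations } |
    # The account is still in scope if its object id is not in the policy's user exclusions.
    Where-Object { $_.Conditions.Users.ExcludeUsers -notcontains $syncUser.Id } |
    ForEach-Object {
        [pscustomobject]@{
            Policy           = $_.DisplayName
            IncludeLocations = ($_.Conditions.Locations.IncludeLocations -join ',')
            ExcludeLocations = ($_.Conditions.Locations.ExcludeLocations -join ',')
            GrantControls    = ($_.GrantControls.BuiltInControls -join ',')
        }
    } |
    Format-Table -AutoSize
```

An empty table from part 2 means every enabled location-based policy already excludes the sync account directly. The script only checks direct user exclusions; if your tenant excludes service accounts through a group, extend the last filter to also compare `ExcludeGroups` against the account's group memberships, otherwise a correctly configured policy will still show up in the list.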

Hope this helps if you are facing the same issue. And, Happy New Year!