A little while back I was asked to help troubleshoot an issue with Azure AD Connect. Everything had been working fine, but all of a sudden Azure AD Connect stopped syncing successfully. When looking at the event log on the server, I noticed an ADSync event 6900 that seemed to indicate an issue with MFA. It said "The ADSync service is not allowed to interact with the desktop to authenticate…", as shown below.
This event was accompanied by a few others, such as Events 904, 906 and 659.
After logging into Azure AD, I found that a Conditional Access policy had been enabled to enforce MFA on all administrator accounts, and this was tripping up the ADSync account. To solve the problem, simply add an exclusion to the policy. You can do this in two ways: either exclude the specific account or exclude the "Directory Synchronization Accounts" role. I chose the latter option.
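As an added example (not part of the original post), the following Microsoft Graph PowerShell script audits a tenant for the condition described above: enabled Conditional Access policies that require MFA and scope directory roles (or all users) without excluding the Directory Synchronization Accounts role. It assumes the Microsoft Graph PowerShell SDK is installed and the caller holds Policy.Read.All and RoleManagement.Read.Directory.

```powershell
# Added example, not code from the original post.
# Finds enabled MFA policies that would reach the Azure AD Connect sync account
# because the "Directory Synchronization Accounts" role is not excluded.
Connect-MgGraph -Scopes "Policy.Read.All", "RoleManagement.Read.Directory" | Out-Null

# Resolve the role template by display name rather than hard-coding its GUID.
$syncRole = Get-MgDirectoryRoleTemplate -All |
    Where-Object { $_.DisplayName -eq "Directory Synchronization Accounts" }
if (-not $syncRole) { throw "Role template 'Directory Synchronization Accounts' not found." }

$findings = foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    # Only enabled policies whose grant control requires MFA are relevant here.
    if ($policy.State -ne "enabled") { continue }
    if ($policy.GrantControls.BuiltInControls -notcontains "mfa") { continue }

    $users = $policy.Conditions.Users
    # The policy reaches the sync account when it targets directory roles
    # (or all users) and the sync role is not in the exclusion list.
    $targetsRoles = ($users.IncludeRoles.Count -gt 0) -or ($users.IncludeUsers -contains "All")
    $excludesSync = $users.ExcludeRoles -contains $syncRole.Id
    if ($targetsRoles -and -not $excludesSync) {
        [pscustomobject]@{
            PolicyName     = $policy.DisplayName
            PolicyId       = $policy.Id
            IncludedRoles  = $users.IncludeRoles.Count
            Recommendation = "Exclude role template $($syncRole.Id), or exclude the sync account itself."
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No enabled MFA policy reaches the Directory Synchronization Accounts role." }
```

The script does not detect the alternative fix of excluding the specific sync account by object ID, since that account's ID is not known in advance; a policy listing it under ExcludeUsers will still be reported.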