To make sync and onboarding automation work, the sync service account zadd2exchange cannot have MFA, at least at this point (1/16/2025).
Please remove the MFA requirement and add the exclusion as soon as possible, and set Conditional Access so the account is only allowed to sign in from your internal network or the sync machine's IP.
To be complete, and for even tighter security, the only other alternative is to change your onboarding process: when you add users to our managed distribution list, your team runs the permissions PowerShell (it is not added in the GUI) as your existing admin with Exchange administration privileges. That admin account can keep MFA, with the MFA prompt answered manually during your onboarding, completely outside our system. The sync service account would then only need to be an administrator of the sync machine and a normal system user with no special privileges other than delegation, and none of the policies applied to your domain users. We recommend it be a plain system account with no roaming profile, mapped drives or shares.
To continue and allow our system to be fully contained, you must remove MFA for the service account, and you must do this as your Global or tenant admin.
Process
For Microsoft 365, you would log into Entra as your Global Admin to make the change.
Manage users excluded from Conditional Access policies - Microsoft Entra | Microsoft Learn
- Go to Microsoft Entra ID (formerly Azure Active Directory) and then select Conditional Access to open the Policies blade.
- Select the policy you want to exclude a user from or create a new one.
- Under Assignments, select the "Administrators require MFA" policy and make the exception for the sync service account (zadd2exchange).
- If necessary, do the same in the Users and groups Conditional Access policy.
- On the Exclude tab, select the excluded user(s)
- Apply.
For those without a Conditional Access blade, use the following screen to navigate to the MFA settings for your administrative account:
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthMethodsSettings/fromNav/Identity
There are a couple of additional things to check regarding MFA.
- Check whether security defaults are turned on (security defaults enforce MFA).
- For your Conditional Access policies and tight security, make an MFA exclusion for the admin account zadd2exchange@nicholscontracting.com.
- Restrict that exclusion to the IP address we sync from: 23.111.174.164
- Less likely: check whether the account has a sign-in risk. If there is a sign-in risk policy that enforces MFA, this could be an issue going forward. Set any exclusions necessary.
Alternative Option
Change your onboarding procedures: as another option, you could use a different account to run the permissions command as part of your onboarding procedure and answer any MFA prompts there.
To do this, run the following command against the new user's mailbox, giving the service account permission to sync to or from that mailbox.
# Option 6: Office 365 - add permissions for a single user
# $Identity is the new onboarding user (UPN or mailbox alias)
# $User is the sync service account, usually zadd2exchange by default, but yours may be different
# Run this from an Exchange Online session opened as your Exchange admin (Connect-ExchangeOnline); the MFA prompt is answered there.
$Identity = '<new-user@yourdomain.com>'   # placeholder, replace with the new user's address
$User = 'zadd2exchange'
Add-MailboxPermission -Identity $Identity -User $User -AccessRights 'FullAccess' -InheritanceType All -AutoMapping:$false
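As an added example (not part of the vendor's instructions above), the following script wraps that command into an onboarding step: the admin signs in interactively (answering MFA there), the script grants only FullAccess to the sync service account if it is not already present, and then reads the permission back so the result can be recorded. The ExchangeOnlineManagement module is assumed to be installed; $Identity and $User are placeholders for the new user and the sync service account.

```powershell
# Added example, not the vendor's code. Grants the sync service account FullAccess to
# one new mailbox from an MFA-capable Exchange admin session and verifies the grant.
# Assumes the ExchangeOnlineManagement module is installed.
param(
    [Parameter(Mandatory)] [string] $Identity,   # new onboarding user (placeholder UPN or alias)
    [string] $User = 'zadd2exchange'              # sync service account; yours may differ
)

Import-Module ExchangeOnlineManagement

# Interactive sign-in as the Exchange admin; the MFA prompt is answered here,
# completely outside the sync system, so the admin account keeps MFA.
Connect-ExchangeOnline -ShowBanner:$false

try {
    # Idempotent: only FullAccess is needed for mailbox sync, so skip the grant if it exists.
    $existing = Get-MailboxPermission -Identity $Identity |
        Where-Object { $_.User -like "*$User*" -and $_.AccessRights -contains 'FullAccess' -and -not $_.Deny }

    if ($existing) {
        Write-Host "FullAccess for $User on $Identity is already present; nothing to do."
    } else {
        # -AutoMapping:$false keeps the mailbox from appearing in the service account's Outlook profile.
        Add-MailboxPermission -Identity $Identity -User $User -AccessRights 'FullAccess' `
            -InheritanceType All -AutoMapping:$false | Out-Null
        Write-Host "Granted FullAccess on $Identity to $User (no automapping)."
    }

    # Read the permission back so the onboarding checklist can record exactly what was granted.
    Get-MailboxPermission -Identity $Identity |
        Where-Object { $_.User -like "*$User*" } |
        Select-Object Identity, User, AccessRights, IsInherited, Deny
}
finally {
    # Always close the session, even if the grant failed.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it as `.\Grant-SyncMailboxAccess.ps1 -Identity <new-user@yourdomain.com>` (script name is a placeholder) from the admin's workstation during onboarding.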