Event 659 – Error while retrieving password policy sync configuration. System.InvalidOperationException: The ADSync service is not allowed to interact with the desktop to authenticate. This error may occur if multifactor or other interactive authentication policies are accidentally enabled for the synchronization account.


If you have recently implemented MFA in Enforced mode in your tenant, you will find that there is very little information about what happens to the directory sync (DirSync) account. As of now, if you enforce MFA on that account, the account is affected like any other user and the sync breaks with the Event 659 error shown above.

In order to resolve:

You will have to exclude the directory synchronization service account from the MFA policy. The account to exclude is the one named in the Event 659 message (on the last screen; for security reasons mine is obscured).

Then run the sync again and verify that the synchronization services are healthy.

Once the exclusion is in place, the following commands force a delta sync cycle; it should now complete without errors.

# Run on the Azure AD Connect server in an elevated PowerShell session
Import-Module ADSync
# Delta cycle: only changes since the last sync are processed
Start-ADSyncSyncCycle -PolicyType Delta
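The procedure above (find the Event 659 entries, remove the MFA requirement from the sync account, rerun the sync and confirm it is healthy) can be scripted end to end. The following is an added example written for this post, not the author's own script. It assumes it runs on the Azure AD Connect server as an administrator, that the MSOnline module is installed and that the MFA requirement is the legacy per-user "Enforced" state; `$SyncAccountUpn` is the account named in the Event 659 message, and the event source name `Directory Synchronization` is an assumption to adjust if your build logs under a different provider. If MFA is instead applied by a Conditional Access policy, the exclusion has to be made in that policy in the portal and step 1 below does not apply.

```powershell
# Added example: verify Event 659, clear per-user MFA on the sync account,
# force a delta sync and re-check for the error afterwards.
param(
    # Assumption: the account named in the Event 659 message,
    # e.g. Sync_<server>_<id>@<tenant>.onmicrosoft.com
    [Parameter(Mandatory)] [string]$SyncAccountUpn
)

Import-Module ADSync
Import-Module MSOnline

function Get-Event659 {
    param([datetime]$Since)
    # Azure AD Connect writes to the Application log; the provider name is an
    # assumption, check Event Viewer if no events are returned.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Directory Synchronization'
        Id           = 659
        StartTime    = $Since
    } -ErrorAction SilentlyContinue
}

$start  = Get-Date
$before = @(Get-Event659 -Since (Get-Date).AddDays(-1))
Write-Host "Event 659 entries in the last 24h: $($before.Count)"

# 1. Remove the per-user MFA requirement from the sync account. Setting
#    StrongAuthenticationRequirements to an empty array disables it.
Connect-MsolService
$user  = Get-MsolUser -UserPrincipalName $SyncAccountUpn
$state = if ($user.StrongAuthenticationRequirements.Count) {
    $user.StrongAuthenticationRequirements[0].State
} else { 'Disabled' }
Write-Host "Current per-user MFA state for ${SyncAccountUpn}: $state"
if ($state -ne 'Disabled') {
    Set-MsolUser -UserPrincipalName $SyncAccountUpn -StrongAuthenticationRequirements @()
    Write-Host "Per-user MFA requirement removed."
}

# 2. Force a delta sync; wait for any cycle already in progress first,
#    then wait for ours to finish.
while ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Host "Waiting for the running sync cycle to finish..."
    Start-Sleep -Seconds 10
}
Start-ADSyncSyncCycle -PolicyType Delta
Start-Sleep -Seconds 5
while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 10 }

# 3. Health check: no new Event 659 since this script started and no
#    connector still stuck in a run.
$after   = @(Get-Event659 -Since $start)
$running = @(Get-ADSyncConnectorRunStatus)
if ($after.Count -eq 0 -and $running.Count -eq 0) {
    Write-Host "Delta sync completed with no new Event 659; sync looks healthy."
} else {
    Write-Warning ("Still seeing Event 659 ($($after.Count) new) or a connector run " +
                   "in progress; re-check the MFA / Conditional Access exclusion " +
                   "and the Synchronization Service Manager.")
}
```

Run it as `.\Fix-SyncMfa.ps1 -SyncAccountUpn <account from the event>`. The 24-hour count at the top gives you a baseline; the only result that matters is the second check, which must come back with zero Event 659 entries after the cycle the script started.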

