To make sync and onboarding automation work, the sync service account zadd2exchange cannot have mfa – at least at this point 4/1/2025. 

Please remove the MFA requirement and exclude and set conditional access to only allow from your internal or machine’s IP. 

To be complete, and for even tighter security, the only other alternative is to make a change to your onboarding process and when adding users to our managed dist list, and your team runs the permissions powershell (not added in GUI) as your existing admin with exchange administration privileges.  That account could have mfa  - with mfa answered manually during your onboarding, and completely outside our system.  The sync service account could then just be administrator of the sync machine and normal system user with no special privileges other than delegation and no policies as applied to your domain users.  We would be a system account with no roaming profile, maps or shares recommended.

To continue and allow our system to be fully automated and self contained, to remove MFA you must do this you must do this as your global or tenant admin in https:\\Admin.microsoft.com

Processes tor remove MFA for full automation

For 365, you would log into Entra as your Global Admin to make the change
Manage users excluded from Conditional Access policies - Microsoft Entra | Microsoft Learn

  1. Go to Entra Active Directory and then select Conditional Access to open the Policies blade.
  2. Check if security defaults are turned on (which enforces MFA)
  3. Select the policy you want to exclude a user from or create a new one.
  4. Under Assignments, select Administrators require MFA, make the exception for the sync service account (zadd2exchange)
  5. If necessary, do also in Users and groups conditional access policy.
  6. On the Exclude tab, select the excluded user(s)
  7. Apply.
  8. In the Protection Tab, Authentications select your MFA technique and add an exception for this account.
  9. For those without Conditional Access Blade, use these screens to navigate to your Administrative account MFA


https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthMethodsSettings/fromNav/Identity

Processes to grant permissions with MFA on

Timing Note: If you are in Office 365, and have hybrid AD, in order for permissions to take effect, once you add the user to our managed distribution list, you may have to wait an hour or so for your AD sync from on premises to 365.  If you don't have local AD sync, adding to the Office 365 dist list should happen within a few minutes.  In this case, you can  run the permissions almost immediately.

After running the permissions scripts below, it usually takes15 additional minutes for those permissions given to members to propagate to the mailbox folder structures.  After running the permissions after this propagation delay, you can close the Add2Exchange Console and start the Add2Exchange Service and it will make the folders automatically if needed and then sync the contents to new users first, then remove any offboarded users,

Alternative Manual Options for Onboarding - These options are for those with MFA still on and each require a small change to your onboarding procedures:

To give permissions manually during onboarding, run the following commands or process to give permissions to the sync service account for any new user, which gives the sync service account permissions to sync to or from the new mailbox. Please incorporate into your onboarding Options 

Option 1: Office 365-Add Permissions to single user - log into O365 with Exchange powershell
            $Identity is the new onboarding user
            $User is the sync service account, usually zadd2exchange by default but yours may be different
                  Add-MailboxPermission -Identity $identity -User $User -AccessRights 'FullAccess' -InheritanceType all -AutoMapping:$false

Option 2: Use the powershell interface on the desktop of the Sync Service account.

Log into the Replication Server.  
          Locate from the Desktop the "Diditbetter Support Menu.ps1"  Run it by right clicking and select run as powershell
          Go to Auto Shell Permissions
          Select 1 for 365 or 3 for Exchange On premises.
          If you have MFA on, either the Modern Auth prompt will come up, and you can select the service account, or enter the credentials if prompted.
          Usually the sync service account is an Exchange Administrator, so you can use that account, or enter the creds for an account with that membership.
          Then you have options.  Most users select option 4, to give the permissions to the members of the distribution list.  IF that errors, some installations must select 1               to give permissions to all users.  

If you are granting granular permissions, you can select 12 or 13, to give permissions to all or to members of our managed distribution lists. 
Next, start the Add2Exchange Service and the new user will be included in the Sync.   

Hosted Clients who want automation: There are a couple of additional things to do once removing MFA for Conditional Access Security regarding MFA,
In your Conditional Access Protection Polices and tight security, make an exclusion for MFA on the admin account for our sync account something like "zadd2exchange@yourdomain,com". Your account will be different. 

Specify the ip we use is to sync from: 23.111.174.164
Less likely - check whether the account has a sign-in risk. If there is a sign-in risk policy that enforces MFA, then this could be an issue moving forward.  Set any exclusions necessary.

 

|

Website and materials copyright 2008-2014, all rights reserved DidItBetter.com Software. US: 800-837-8636 Intl: 001-813-977-5739

DidItBetter.com Software specializes in Exchange Sync and Hosting, Outlook Task Management and CRM solutions.