All Conditional Access policies are configured to exclude directory synchronization accounts or do not scope them
Why This Matters
Service accounts like the Microsoft Entra Connect Sync Account are critical for directory synchronization but should never be subject to Conditional Access policies that require user interaction, such as multi-factor authentication. If these accounts are blocked by Conditional Access rules, synchronization can fail, leading to identity inconsistencies and potential outages across your tenant.
What Aether365 Checks
This check verifies that all Conditional Access policies either explicitly exclude directory synchronization service accounts or do not scope them at all. It appears in the Aether365 dashboard under the microsoft-365 category as check AE.1020.
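The pass/fail logic described above can be sketched as follows. This is an added example, not Aether365's implementation. It assumes policies exported in the Microsoft Graph conditionalAccessPolicy JSON shape, and the account, group and admin-role IDs are constructed placeholders.

```python
# Template ID of the built-in "Directory Synchronization Accounts" Entra role.
SYNC_ROLE_ID = "d29b2b05-8046-44ba-8758-1e26182fcf32"

def _ids(users, key):
    # Graph may return null instead of an empty list.
    return set(users.get(key) or [])

def sync_account_status(policy, account_id, account_groups=()):
    """Classify one policy as 'not_scoped', 'excluded' or 'in_scope'."""
    users = (policy.get("conditions") or {}).get("users") or {}
    groups = set(account_groups)
    included = (
        bool({"All", account_id} & _ids(users, "includeUsers"))
        or SYNC_ROLE_ID in _ids(users, "includeRoles")
        or bool(groups & _ids(users, "includeGroups"))
    )
    if not included:
        return "not_scoped"
    excluded = (
        account_id in _ids(users, "excludeUsers")
        or SYNC_ROLE_ID in _ids(users, "excludeRoles")
        or bool(groups & _ids(users, "excludeGroups"))
    )
    return "excluded" if excluded else "in_scope"

def failing_policies(policies, account_id, account_groups=()):
    """Names of policies that apply to the sync account without excluding it."""
    return [p["displayName"] for p in policies
            if sync_account_status(p, account_id, account_groups) == "in_scope"]

# Constructed sample data: IDs below are placeholders, not real tenant objects.
SYNC_ACCOUNT_ID = "00000000-0000-0000-0000-0000000000aa"
SYNC_GROUPS = ["00000000-0000-0000-0000-0000000000b1"]
ADMIN_ROLE_ID = "00000000-0000-0000-0000-0000000000c1"
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "conditions": {"users": {
        "includeUsers": ["All"], "excludeRoles": [SYNC_ROLE_ID]}}},
    {"displayName": "Require MFA for admins", "conditions": {"users": {
        "includeUsers": [], "includeRoles": [ADMIN_ROLE_ID]}}},
    {"displayName": "Block legacy authentication", "conditions": {"users": {
        "includeUsers": ["All"], "excludeUsers": None}}},
    {"displayName": "Require compliant device", "conditions": {"users": {
        "includeGroups": SYNC_GROUPS, "excludeUsers": [SYNC_ACCOUNT_ID]}}},
]

if __name__ == "__main__":
    for name in failing_policies(SAMPLE_POLICIES, SYNC_ACCOUNT_ID, SYNC_GROUPS):
        print("FAIL:", name)
```

The example evaluates every policy regardless of its state, matching the "all Conditional Access policies" wording of the check.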