An Error Occurred Executing Configure AAD Sync Task | Fix

The wizard message “An error occurred executing Configure AAD Sync task” usually means Microsoft Entra Connect could not complete a call to the cloud during setup, most often because TLS negotiation or outbound access is blocked.

You’ll see this message inside the Microsoft Entra Connect wizard, often near the end when it tries to connect to your tenant and stamp the sync configuration. The wizard shows one line, but several moving parts sit behind it: Windows TLS, certificate checks, proxy rules, and the local sync service.

This walkthrough keeps it practical. Start with the fast checks that clear most installs, then move to the log-driven checks that tell you exactly what failed. On a new VM, run it like a clean-room test, then confirm network, crypto, time, and service health.

What The Wizard Is Trying To Do

During configuration, Entra Connect runs a set of internal tasks. The “Configure AAD Sync” task is where it sets up cloud connectivity, validates tenant details, and lines up the first sync runs.

When this task fails, you’re usually in one of three buckets:

  • TLS negotiation fails — The server can’t complete a TLS 1.2 handshake the way the wizard expects.
  • Certificate validation stalls — The server can’t reach revocation list hosts or can’t build a trusted chain.
  • Outbound web calls are blocked — A proxy, firewall, or TLS inspection device breaks the sign-in flow.

That’s why the same top-level error can show up with different underlying messages in logs, like “while sending the request” or “underlying connection was closed.” Treat the wizard line as a pointer, not a diagnosis.

Symptom In The Wizard                          | Likely Layer                 | Best First Check
-----------------------------------------------|------------------------------|----------------------------------------------------
“An error occurred while sending the request”  | TLS defaults or proxy path   | Confirm TLS 1.2 settings, then test outbound HTTPS
Works on one server, fails on a new VM         | OS crypto and outbound rules | Compare TLS, time sync, and firewall rules
Fails only behind a proxy                      | .NET app proxy settings      | Set proxy at machine level, restart sync service

Fixing An Error Occurred Executing Configure AAD Sync Task On Entra Connect

Recent Microsoft guidance for this wizard failure points first to TLS 1.2. A Microsoft Q&A thread ties the error to TLS 1.2 not being selected by the Connect tooling on some servers. Microsoft also documents a TLS 1.2 enforcement step for specific Entra Connect builds and notes that newer builds no longer need that pre-step.

Step 1: Confirm The Entra Connect Build

Open Windows “Apps & features” and locate Microsoft Entra Connect. Note the full version number. Microsoft’s TLS enforcement doc applies to a defined range of builds, so knowing your version keeps you from chasing the wrong fix.

  • Record the version — Keep it in your change notes before you run upgrades.
  • Check for a newer build — If you’re on an older v2 release, upgrading first can save time.

Microsoft notes that some Entra Connect builds need explicit TLS 1.2 enforcement. On other builds, the same error can still appear when server hardening changes SCHANNEL or .NET defaults. The goal stays the same: successful TLS handshakes to Microsoft endpoints.

Step 2: Ensure TLS 1.2 Is Enabled For The Server

On Windows Server, “TLS 1.2 enabled” can mean different things depending on registry values and .NET defaults. Microsoft’s TLS enforcement page lists the exact registry values to set for 32-bit and 64-bit .NET 4.x, plus SCHANNEL client and server settings. It also provides a PowerShell script that sets those values.

  • Use Microsoft’s script — Run the official PowerShell from the Microsoft doc so you don’t miss a value.
  • Restart the server — The doc notes a reboot is needed for the registry change to take effect.
  • Rerun the wizard step — Go back to the failed page and run it again right away after the restart.
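The registry values behind Step 2, as an added example rather than Microsoft’s own script: it audits the .NET Framework 4.x and SCHANNEL values that the TLS enforcement doc lists (64-bit and WOW6432Node hives, TLS 1.2 Client and Server) and writes them only when you pass -Apply. The default is report-only so you can see the drift on a hardened server before changing anything. Run it as Administrator in Windows PowerShell 5.1 and reboot afterwards, as the doc requires.

```powershell
# Added example: audit, and optionally apply, the TLS 1.2 registry values that Microsoft's
# Entra Connect TLS enforcement doc lists. Report-only unless -Apply is given.
param(
    [switch]$Apply
)

# Desired state: .NET Framework 4.x (64-bit and 32-bit hives) plus SCHANNEL TLS 1.2 Client/Server.
$desired = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SystemDefaultTlsVersions'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SchUseStrongCrypto';       Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SystemDefaultTlsVersions'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto';       Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'; Name = 'Enabled';           Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'; Name = 'DisabledByDefault'; Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'Enabled';           Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'DisabledByDefault'; Value = 0 }
)

function Get-Tls12Drift {
    # One object per desired value: current value, expected value, and whether they match.
    foreach ($d in $desired) {
        $current = $null
        if (Test-Path $d.Path) {
            $current = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
        }
        $shown = if ($null -eq $current) { '<missing>' } else { $current }
        [pscustomobject]@{
            Ok       = ($current -eq $d.Value)
            Name     = $d.Name
            Expected = $d.Value
            Current  = $shown
            Path     = $d.Path
        }
    }
}

function Set-Tls12Values {
    # Creates missing keys and writes each value as a DWORD.
    foreach ($d in $desired) {
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        New-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -PropertyType DWord -Force | Out-Null
    }
}

$drift = Get-Tls12Drift
$drift | Format-Table Ok, Name, Expected, Current, Path -AutoSize
$bad = @($drift | Where-Object { -not $_.Ok })

if ($Apply) {
    if ($bad.Count -gt 0) {
        Set-Tls12Values
        Write-Host 'TLS 1.2 values written. Reboot, then rerun the failed wizard step.'
    } else {
        Write-Host 'All TLS 1.2 values already match; nothing changed.'
    }
} elseif ($bad.Count -gt 0) {
    Write-Host "$($bad.Count) value(s) drift from the documented state. Rerun with -Apply as Administrator, then reboot."
}
```

Save it as a .ps1 and run it once before and once after the reboot; the second run should show every row with Ok = True.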

Step 3: Check Time Sync And Root Certificates

If the clock is off, certificate validation can fail and look like a generic web request error. Sync the server time with your domain time source, then install pending Windows updates so the server has current root certificates.

  • Verify the time source — Confirm the server is not drifting minutes or hours.
  • Run Windows Update — Apply updates that include crypto and certificate store changes.

Network Checks That Stop Cloud Calls

If TLS is set and the wizard still fails, shift to the network path. Microsoft’s connectivity guidance notes that Entra Connect uses MSAL and relies on machine-level configuration for .NET apps. In proxy setups, this can be the whole story.

Confirm DNS Resolution From The Server

Some “request” errors are really name resolution problems. Test DNS from the sync server, not from your workstation.

  • Run a name lookup — Use nslookup login.microsoftonline.com and confirm you get valid results.
  • Check the server’s DNS servers — Confirm the NIC points to DNS that can resolve public names.
  • Test the same endpoints by name — If nslookup fails, times out, or returns an unexpected address such as a proxy or sinkhole IP, DNS is your first fix.

Test Outbound HTTPS From The Sync Server

Start by proving you can reach the sign-in and Graph endpoints from the server. This does not guarantee every wizard call will work, but it will catch the common “no route, proxy, TLS, certificate” problems fast.

  • Open a browser test — Sign in to the Microsoft sign-in page from the server and confirm it loads cleanly.
  • Run a PowerShell test — From Windows PowerShell 5.1, which uses the same .NET Framework HTTP stack and TLS defaults as the wizard (PowerShell 7 does not), run Invoke-WebRequest against a Microsoft endpoint and watch for TLS or certificate errors:
    Invoke-WebRequest -Uri "https://login.microsoftonline.com/" -UseBasicParsing
    Invoke-WebRequest -Uri "https://graph.microsoft.com/" -UseBasicParsing

Allow Certificate Revocation List Traffic

Certificate checks can require plain HTTP access to revocation list hosts. Microsoft’s connectivity doc calls out CRL endpoints like mscrl.microsoft.com and *.verisign.com as part of the minimum set used during initial connection.

  • Allow outbound HTTP/80 — Permit CRL retrieval so TLS handshakes can complete.
  • Allow outbound HTTPS/443 — Permit identity endpoints used by your tenant and the wizard.
  • Review TLS inspection — If a gateway rewrites TLS, confirm it doesn’t break trust chains.
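The outbound HTTPS and CRL checks above, as one added probe script (not from Microsoft’s docs). It resolves each host, opens TCP/443, forces a TLS 1.2 handshake with revocation checking through .NET’s SslStream, records the chain status instead of failing, reads the CRL Distribution Point URLs out of the server certificate it received, and then tests plain-HTTP reachability of those CRL hosts. That separates “TLS itself fails” from “TLS works but revocation cannot be checked,” which is the distinction the wizard line hides. Host lists are assumptions; extend them from Microsoft’s connectivity doc. Run it in Windows PowerShell 5.1 so the TLS stack matches the wizard.

```powershell
# Added example, not from Microsoft's docs: probe DNS, TCP/443, a TLS 1.2 handshake with
# revocation checking, and plain-HTTP reachability of CRL hosts, from the sync server itself.
# Host lists are assumptions; extend them from Microsoft's connectivity doc for your tenant.
$httpsHosts   = @('login.microsoftonline.com', 'graph.microsoft.com')
$fallbackCrls = @('http://mscrl.microsoft.com/')   # host named on this page; used if no CDP URL is found

function Test-Tls12Endpoint {
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $r = [ordered]@{ Host = $HostName; Dns = $false; Tcp = $false; Tls = $false
                     Protocol = ''; ChainErrors = ''; CrlUrls = @(); Error = '' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $r.Dns = ([System.Net.Dns]::GetHostAddresses($HostName)).Count -gt 0
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect to ${HostName}:$Port timed out" }
        $client.EndConnect($ar)
        $r.Tcp = $true

        # Diagnostic only: accept the certificate but record the policy and chain status so the
        # handshake completes and we can see *why* validation would have failed. Never ship this.
        $script:probeChainErrors = ''
        $script:probeCert = $null
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
            $script:probeChainErrors = (@($errors.ToString()) + $status) -join ';'
            $script:probeCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)   # $true = check revocation
        $r.Tls = $true
        $r.Protocol = $ssl.SslProtocol.ToString()
        $r.ChainErrors = $script:probeChainErrors
        # CRL Distribution Points (OID 2.5.29.31) of the leaf: the hosts that port 80 must reach.
        $cdp = $script:probeCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if ($cdp) {
            $r.CrlUrls = @([regex]::Matches($cdp.Format($true), 'URL=(http://[^\s,]+)') |
                ForEach-Object { $_.Groups[1].Value })
        }
        $ssl.Dispose()
    } catch {
        $r.Error = $_.Exception.GetBaseException().Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$r
}

function Test-HttpReachable {
    param([string]$Url)
    # Any HTTP status, even 404, proves the plain-HTTP path is open; only transport errors matter.
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        [pscustomobject]@{ Url = $Url; Reached = $true; Status = [int]$resp.StatusCode; Error = '' }
    } catch {
        $resp = $_.Exception.Response
        if ($resp) {
            [pscustomobject]@{ Url = $Url; Reached = $true; Status = [int]$resp.StatusCode; Error = '' }
        } else {
            [pscustomobject]@{ Url = $Url; Reached = $false; Status = ''; Error = $_.Exception.GetBaseException().Message }
        }
    }
}

$results = foreach ($h in $httpsHosts) { Test-Tls12Endpoint -HostName $h }
$results | Format-Table Host, Dns, Tcp, Tls, Protocol, ChainErrors, Error -AutoSize

# Tls = True with RevocationStatusUnknown/OfflineRevocation in ChainErrors points at blocked CRL
# traffic; Tcp = True with Tls = False points at TLS defaults or an inspecting gateway.
$crlUrls = @($results | ForEach-Object { $_.CrlUrls } | Where-Object { $_ } | Sort-Object -Unique)
if (-not $crlUrls) { $crlUrls = $fallbackCrls }
$crlUrls | ForEach-Object { Test-HttpReachable -Url $_ } | Format-Table Url, Reached, Status, Error -AutoSize
```

If a TLS-inspecting gateway sits in the path, the certificate the probe captures will chain to your gateway’s CA rather than Microsoft’s, and ChainErrors will show UntrustedRoot unless that CA is in the server’s trusted root store.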

Proxy Rules That Matter In Real Life

If your proxy requires authentication, the wizard can fail if proxy settings live only in a per-app file. Microsoft’s doc recommends configuring proxy settings in machine.config and notes that miiserver.exe.config can be overwritten during upgrades.

  • Check WinHTTP proxy — Run netsh winhttp show proxy and confirm it matches your corporate proxy.
  • Set proxy in machine.config — Apply the settings where .NET apps and the wizard can read them.
  • Restart the sync service — After changes, restart “Microsoft Entra ID Sync” (service name ADSync) so it picks them up.
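The three proxy bullets above as one added script, not Microsoft’s own tooling: it prints the WinHTTP proxy for comparison, backs up the 64-bit .NET 4.x machine.config, and adds (or updates, idempotently) the system.net/defaultProxy element that Microsoft’s prerequisites doc describes, with useDefaultCredentials so an authenticating proxy sees the service account. The proxy address is an assumption you pass in. Run as Administrator in Windows PowerShell 5.1.

```powershell
# Added example, not Microsoft's script: show the WinHTTP proxy, then write the
# <system.net><defaultProxy> block from Microsoft's Entra Connect prerequisites doc into
# the 64-bit .NET 4.x machine.config, idempotently and with a timestamped backup.
param(
    [Parameter(Mandatory)][string]$ProxyAddress,   # assumption, e.g. http://proxy.corp.example:8080
    [switch]$RestartService
)

# Machine-level WinHTTP proxy, for comparison with what the .NET config will say.
netsh winhttp show proxy

$machineConfig = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\Config\machine.config'
if (-not (Test-Path $machineConfig)) { throw "machine.config not found at $machineConfig" }

# Back up before touching a file every .NET Framework app on the box reads.
$backup = "$machineConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $machineConfig -Destination $backup

[xml]$xml = Get-Content -Path $machineConfig -Raw
$cfg = $xml.configuration

# Create missing elements; reuse existing ones so repeated runs do not duplicate the block.
$systemNet = $cfg.SelectSingleNode('system.net')
if (-not $systemNet) { $systemNet = $cfg.AppendChild($xml.CreateElement('system.net')) }

$defaultProxy = $systemNet.SelectSingleNode('defaultProxy')
if (-not $defaultProxy) { $defaultProxy = $systemNet.AppendChild($xml.CreateElement('defaultProxy')) }
$defaultProxy.SetAttribute('enabled', 'true')
$defaultProxy.SetAttribute('useDefaultCredentials', 'true')   # authenticating proxy sees the calling account

$proxy = $defaultProxy.SelectSingleNode('proxy')
if (-not $proxy) { $proxy = $defaultProxy.AppendChild($xml.CreateElement('proxy')) }
$proxy.SetAttribute('usesystemdefault', 'true')
$proxy.SetAttribute('proxyaddress', $ProxyAddress)
$proxy.SetAttribute('bypassonlocal', 'true')

$xml.Save($machineConfig)
Write-Host "defaultProxy written to $machineConfig (backup: $backup)"
$defaultProxy.OuterXml

if ($RestartService) {
    # Service name is ADSync; its display name is "Microsoft Entra ID Sync" on current builds.
    Restart-Service -Name ADSync -Force
    Get-Service -Name ADSync
}
```

Because the change lives in machine.config rather than miiserver.exe.config, it survives Entra Connect upgrades, which is the reason Microsoft’s doc prefers that location.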

Sync Service And Permission Checks

Once you trust the network path, check the local pieces. The wizard relies on the local sync engine service, and it needs a tenant admin sign-in that can complete from that server. A blocked sign-in policy can look like a network issue, and a broken service install can look like a cloud issue.

Confirm The Sync Service Is Running

  • Open Services — Look for “Microsoft Entra ID Sync” on v2 builds.
  • Start the service — If it is stopped, start it and watch for an instant stop or error.
  • Check Event Viewer — Review Windows Logs > Application for ADSync and .NET runtime errors.

Use The Right Tenant Role For Setup

Microsoft’s install docs point to a Hybrid Identity Administrator role for the tenant sign-in during setup. If your tenant uses conditional access, confirm the policy does not block sign-in from that server, and confirm your MFA method can complete inside the wizard.

  • Try a clean admin sign-in — Use an account in the default onmicrosoft.com domain if your org does that for setup.
  • Check conditional access — Look for blocks tied to legacy auth, location, device state, or sign-in risk.

Watch For Hardening And Security Tooling Blocks

Server hardening and endpoint security tools can block child processes, LocalDB, or crypto operations. If you run a hardened template, compare it to Microsoft’s published prerequisites and review recent GPO changes that touch crypto, services, and local rights.

  • Confirm “Log on as a service” — Ensure the sync service account can run as a service.
  • Review AV blocks — Check quarantine logs for Entra Connect binaries.
  • Confirm SQL access — If you used a remote SQL instance, confirm the account can create and read the sync database.

Logs That Turn The Wizard Line Into A Real Error

When the fix is not obvious, the logs are. Entra Connect writes wizard traces and Windows event logs that include the exception type, the failed URL, and the call stack. That’s what you want, since it tells you whether you’re fixing TLS, proxy, certificates, or tenant sign-in.

Where To Look

  • Wizard trace files — Look under C:\ProgramData\AADConnect for logs created at the time of the failure.
  • Windows event logs — Check Application for sources like ADSync and Directory Synchronization.
  • Sync engine UI — In Synchronization Service Manager, check the last run profile and its error details.

If the trace is still unclear, capture a short network trace while you run the failed step. Built-in netsh trace (for example netsh trace start scenario=InternetClient capture=yes, then netsh trace stop after the failure) can show DNS, TCP, and TLS failures.

How To Read Common Messages

These text fragments map cleanly to the layer that broke:

  • “The underlying connection was closed” — Often TLS mismatch, TLS inspection, or blocked CRL retrieval.
  • “An error occurred while sending the request” — Often proxy interference or .NET TLS default settings.
  • “Element ‘ma-run-data’ was not found” — Often a corrupted sync state; a repair or clean reinstall is usually faster than chasing it.

If the logs show a specific hostname or URL, test that exact endpoint from the server and fix the rule that blocks it. After that, rerun the wizard once, then check the logs again. Two tight loops beat ten blind retries.
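A triage script for the “Where To Look” and “How To Read Common Messages” sections, added here and not part of Entra Connect: it scans the trace files under C:\ProgramData\AADConnect and the Application event log for a recent window, pulls out exception lines and any URL they mention, and tags each finding with the layer the fragment table on this page maps it to. The 60-minute window and the two extra fragments marked as assumed mappings are mine; the first three mappings are the page’s.

```powershell
# Added example, not part of Entra Connect: collect recent wizard trace and event log errors,
# extract the failed URL where present, and map known exception fragments to a layer.
param([int]$Minutes = 60)   # window is an assumption; widen it if the failure was earlier

$since    = (Get-Date).AddMinutes(-$Minutes)
$traceDir = Join-Path $env:ProgramData 'AADConnect'

# First three rows come from this page; the last two are assumed mappings for common .NET messages.
$fragmentMap = @(
    @{ Pattern = 'underlying connection was closed';        Layer = 'TLS mismatch, TLS inspection, or blocked CRL retrieval' },
    @{ Pattern = 'error occurred while sending the request'; Layer = 'Proxy interference or .NET TLS defaults' },
    @{ Pattern = "Element 'ma-run-data' was not found";     Layer = 'Corrupted sync state; repair or clean reinstall' },
    @{ Pattern = 'remote certificate is invalid';           Layer = 'Trust chain or TLS inspection (assumed mapping)' },
    @{ Pattern = '407';                                      Layer = 'Proxy authentication required (assumed mapping)' }
)
$urlPattern = 'https?://[^\s"''<>)]+'

function Get-LayerHint {
    param([string]$Text)
    foreach ($m in $fragmentMap) {
        if ($Text -match [regex]::Escape($m.Pattern)) { return $m.Layer }
    }
    return 'Unmapped; read the full exception and failed URL'
}

function Get-TraceFindings {
    # Exception lines and URLs from trace files modified inside the window.
    if (-not (Test-Path $traceDir)) { return }
    Get-ChildItem -Path $traceDir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $file = $_
            Select-String -Path $file.FullName -Pattern "Exception|$urlPattern" -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{
                        Time   = $file.LastWriteTime
                        Source = $file.Name
                        Layer  = Get-LayerHint $_.Line
                        Url    = [regex]::Match($_.Line, $urlPattern).Value
                        Line   = $_.Line.Trim()
                    }
                }
        }
}

function Get-EventFindings {
    # Critical/Error entries from the sync engine, wizard, and .NET runtime sources.
    $filter = @{ LogName = 'Application'; StartTime = $since; Level = 1, 2 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'ADSync|Directory Synchronization|\.NET Runtime' } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Source = $_.ProviderName
                Layer  = Get-LayerHint $_.Message
                Url    = [regex]::Match($_.Message, $urlPattern).Value
                Line   = ($_.Message -split "`r?`n")[0]
            }
        }
}

$findings = @(Get-TraceFindings) + @(Get-EventFindings) | Sort-Object Time -Descending
if (-not $findings) {
    Write-Host "No errors since $since in $traceDir or the Application log."
    return
}

# Which layer dominates, then the most recent findings with the exact URL to retest.
$findings | Group-Object Layer | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$findings | Select-Object -First 20 | Format-List Time, Source, Layer, Url, Line
```

Take the Url column of the newest finding straight into the outbound test from the server, fix the rule that blocks it, rerun the wizard once, and run this script again: that is the two-loop approach the section above describes.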

Keep The Next Install Clean

After you get a working sync, take five minutes to lock in what you learned. Most repeats happen after a server rebuild, a proxy change, or a security hardening push that resets crypto defaults.

Pre-Install Checklist You Can Reuse

  • Confirm TLS 1.2 settings — Use the Microsoft TLS enforcement doc if your build needs it.
  • Confirm outbound rules — HTTPS to Microsoft identity endpoints, plus HTTP to CRL hosts.
  • Confirm proxy settings — If you use an authenticating proxy, set it at machine level.
  • Confirm time sync — Fix drift before you start the wizard.
  • Confirm admin sign-in path — Tenant role ready and conditional access checked.

Once this list is green, the wizard usually runs straight through. If the message still shows up, grab the exception from the logs and work that layer. That’s how you clear “An error occurred executing Configure AAD Sync task” without turning setup day into a guessing game.

Official Microsoft Pages Worth Bookmarking
