Azure AD Sync Connect issue with permission error 8344

Jesse Sanchez 131 Reputation points
2020-10-01T21:01:11.907+00:00

Hello,

We currently installed Azure AD Sync Connect and everything seems to be syncing well except for an 8344 "Insufficient access rights to perform the operation". We did a custom install where it only syncs a specific OU / group.

-We are doing only PW Hash Synchronization
-Users are getting their pws synced for the few that we are doing; pw changes take effect too.
-During the AD Forest account step we selected "create a new AD account"
-We used "users are represented only once across all directories"
-"Let Azure manage the source anchor" was selected

Again, all the passwords are syncing fine, but when I open Synchronization Service Manager I get the above error. When I click on the user error I see it has a change under "ms-ds-consistencyGuid", which I believe is the change it is having trouble writing back to our Active Directory. Is there an easy way to fix this?

EDIT:
Finally it is fixed! After I started checking the security permissions for the root domain I noticed the OU for our users didn't have the security permissions for the MSOL service account at all.

The users OU had inheritance disabled. After I enabled inheritance for that particular OU, the permissions instantly appeared for the service account and the problem was fixed.


Accepted answer
  1. Andy David - MVP 140.8K Reputation points MVP
    2020-10-05T14:34:16.447+00:00

    Did you also give the AADConnect account:

    Replicate Directory Changes
    Replicate Directory Changes All

    at the root for the Password Hash Sync requirement?

    If you add the account to Domain Admins as a test, I assume it works yes?


11 additional answers

  1. Andy David - MVP 140.8K Reputation points MVP
    2020-10-01T21:06:46.137+00:00

    Check the security inheritance on the user.

    If that isn't the issue, did you enable the writeback permission if you enabled SSPR?

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback

    Did you enable any other options?

    Note that group filtering is not supported except for pilot testing.

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering#group-based-filtering

    7 people found this answer helpful.

  2. Jesse Sanchez 131 Reputation points
    2020-10-05T15:08:27.047+00:00

    Finally it is fixed! After I started checking the security permissions for the root domain I noticed the OU for our users didn't have the MSOL at all.

    The users OU had inheritance disabled. After I enabled inheritance for that particular OU, the problem was fixed.

    2 people found this answer helpful.

  3. Carmen Lazlo 10 Reputation points Microsoft Employee
    2023-06-21T13:25:40.1966667+00:00

    Dear all,

    We have created a new article in regards to this topic.

    For more details, please see below:

    https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/troubleshoot-permission-issue-sync-service-manager

    I hope you will find this useful.

    Kind regards,

    Carmen

    2 people found this answer helpful.

  4. Andy David - MVP 140.8K Reputation points MVP
    2020-10-02T15:00:43.18+00:00

    I would use the built-in functionality in AADConnect PowerShell:

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account#configure-ms-ds-consistency-guid-permissions

    Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-SkipAdminSdHolders] [<CommonParameters>]

    1 person found this answer helpful.
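The thread turns on three permission facts about the AD DS connector account: whether the synced OU blocks inheritance (the root cause the asker found), whether the account holds a write ACE for ms-DS-ConsistencyGuid that reaches that OU (what Set-ADSyncMsDsConsistencyGuidPermissions grants at the domain root), and whether it holds "Replicating Directory Changes" / "Replicating Directory Changes All" at the root (the Password Hash Sync requirement from the accepted answer). The read-only audit below checks all three before anyone touches ACLs or adds the account to Domain Admins as a test. It is an added example, not code from the thread and not part of Microsoft's ADSyncConfig module; it assumes the RSAT ActiveDirectory module is available, and the connector account name and OU path are placeholders to replace with your own.

```powershell
# Added example (not from the thread or from Microsoft): read-only audit of the permissions
# AADConnect's AD DS connector account (MSOL_* or a custom account) needs for the 8344
# "Insufficient access rights" export error on ms-DS-ConsistencyGuid.
# Assumption: RSAT ActiveDirectory module installed; run as a user allowed to read ACLs.
Import-Module ActiveDirectory

$ConnectorAccount = 'CONTOSO\MSOL_0123456789ab'          # placeholder: your connector account
$ScopedOU         = 'OU=SyncedUsers,DC=contoso,DC=com'   # placeholder: the OU you sync

$rootDse  = Get-ADRootDSE
$domainDN = (Get-ADDomain).DistinguishedName

# Resolve the attribute and extended-right GUIDs from the directory instead of hard-coding them.
$consistencyGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=ms-DS-ConsistencyGuid)' -Properties schemaIDGUID).schemaIDGUID

$extendedRights = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
$replRightGuid  = @{}
foreach ($name in 'Replicating Directory Changes', 'Replicating Directory Changes All') {
    $replRightGuid[$name] = [guid](Get-ADObject -SearchBase $extendedRights `
        -LDAPFilter "(displayName=$name)" -Properties rightsGuid).rightsGuid
}

# True when $Identity has an Allow ACE on $Path that carries $Right, scoped either to the
# given $ObjectType GUID or to everything (empty GUID). Inherited ACEs are included, which is
# exactly why an OU that blocks inheritance makes the ConsistencyGuid check return False.
function Test-ConnectorAce {
    param(
        [string]$Path,
        [string]$Identity,
        [guid]$ObjectType,
        [System.DirectoryServices.ActiveDirectoryRights]$Right
    )
    $acl   = Get-Acl -Path "AD:\$Path"
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        (($_.ActiveDirectoryRights -band $Right) -eq $Right) -and
        ($_.ObjectType -eq $ObjectType -or $_.ObjectType -eq [guid]::Empty)
    }
    return [bool]$match
}

# 1. Inheritance on the synced OU (the asker's root cause).
$ouAcl              = Get-Acl -Path "AD:\$ScopedOU"
$inheritanceBlocked = $ouAcl.AreAccessRulesProtected

# 2. Write-Property on ms-DS-ConsistencyGuid as seen from the OU.
$canWriteGuid = Test-ConnectorAce -Path $ScopedOU -Identity $ConnectorAccount `
    -ObjectType $consistencyGuid -Right WriteProperty

# 3. Replication rights at the domain root (Password Hash Sync requirement).
$hasReplChanges    = Test-ConnectorAce -Path $domainDN -Identity $ConnectorAccount `
    -ObjectType $replRightGuid['Replicating Directory Changes'] -Right ExtendedRight
$hasReplChangesAll = Test-ConnectorAce -Path $domainDN -Identity $ConnectorAccount `
    -ObjectType $replRightGuid['Replicating Directory Changes All'] -Right ExtendedRight

[pscustomobject]@{
    ScopedOU                         = $ScopedOU
    OUBlocksInheritance              = $inheritanceBlocked
    ConnectorCanWriteConsistencyGuid = $canWriteGuid
    ReplicatingDirectoryChanges      = $hasReplChanges
    ReplicatingDirectoryChangesAll   = $hasReplChangesAll
} | Format-List

if ($inheritanceBlocked -and -not $canWriteGuid) {
    Write-Warning "$ScopedOU blocks inheritance, so the ACE granted at the domain root never reaches it. Re-enable inheritance on the OU (the fix in this thread) or grant the permission on the OU itself."
}
if (-not ($hasReplChanges -and $hasReplChangesAll)) {
    Write-Warning "$ConnectorAccount is missing a replication right at $domainDN needed for Password Hash Sync."
}
```

The script only reads ACLs and prints a report, so it is safe to run during an incident; the warnings tell you which of the thread's two fixes applies (re-enable inheritance on the OU, or run Set-ADSyncMsDsConsistencyGuidPermissions / grant the replication rights at the root) without anyone having to widen the account to Domain Admins to find out.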