question

Check the security inheritance on the user.

If that isnt the issue did you enable writeback permission if you enabled SSPR?

https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback

Did you enable any other options?

Note that group filtering is not supported except for pilot testing.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering#group-based-filtering

So I checked the three users I am having the issue with and they already have enabled inheritance so that's not the issue.
I also do not have any other option besides password hash synching. I do not have write back enabled and I do not have SSPR in azure enabled. Understood on the group filtering, we are testing to make sure everything works perfectly before we synch everyone.

As a test I temporarily added the service account to the admin group and it added the ms-ds-consistencyguid to the users with previous errors. I then added 3 new users to synch, removed admin to the service account and it went back to giving me the permission issue. Is it possible I have to give write permission to the azure ad account for ms-ds-consistencyguid?

Yes:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts#using-ms-ds-consistencyguid-as-sourceanchor

For this feature to work, the AD DS account used to synchronize with on-premises Active Directory must be granted write permission to the ms-DS-ConsistencyGuid attribute in on-premises Active Directory.

Thanks for the article. I'm trying to give permission to the service account with the below powershell script:

$accountName = "domain\MSOL_nnnnnnn" $ForestDN = "DC=do,DC=domain,DC=local" $cmd = "dsacls '$ForestDN' /I:S /G '`"$accountName`":WP;ms-ds-consistencyGuid;user'" Invoke-Expression $cmd | Out-Null

however when I try to run it in powershell where I have azure ad connect it tells me At line:1 char:41 $accountName =domain\MSOL_nnnnn" etc etc unexpected token $ForestDN in expression or statement and same for Invoke-Expression.

I have only used powershell a few times so not sure if I am supposed to run it line by line or save it to a script file and then run it?

Any help would be appreciated.

I would use the built-in functionality in AADConnect Powershell:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account#configure-ms-ds-consistency-guid-permissions

 Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName <String> -ADConnectorAccountDomain <String> [-SkipAdminSdHolders] 
 [<CommonParameters>]

I did the command and unfortunately still having the permission issue. I'm not sure what else to try.

Yes I can see the security permissions it has on the forest.
I was also able to add the write permission using powershell successfully but still having the permission issue.
-I also reset the MSOL_ pw and reinstalled the client to match the new pw.
-The Microsoft Azure AD Sync service was changed to logon as the MSOL_ service account
-Added the MSOL_ account locally to administrators group and ADSyncAdmins where AD connect is installed.
-Temporarily turned off windows firewall to test
After all those changes I still keep getting the permission issue when its trying to export back to our AD and add the ms-ds-consistencyguid attribute.

Yes that account has Replicate directory changes and replicate directory changes all. I don't understand the part about "At the root of Password Hash Sync requirement"?

Yes if I add the service account to domain admin it will clear the permission errors.

Finally it is fixed! After I started checking the security permissions for the root domain I noticed the OU for our users didn't have the MSOL at all.

The users OU had inheritance disabled. After I enabled inheritance for that particular OU the problem is fixed.