AAD Sync errors 8344 on export for a small number of accounts

Question

AAD Sync errors 8344 on export for a small number of accounts

Spencer Guest 21

Good morning hive mind!

I am struggling to find what is causing error 8344 on just 8 accounts on Export sync with AAD, getting error 8344 "Insufficient access rights to perform the operation"

we have enabled inheritance on the MSOL account, and have checked permissions are set for reset/change password. But still getting these errors.

Any ideas would be helpful please!

Michael Smith 2,931 Reputation points Microsoft Employee Moderator

2024-05-24T09:19:47.5266667+00:00

Hi @Spencer Guest ,

We received your feedback. so to clarify 6 accounts have Admincount =1 correct?

The other 2 accounts dont have any value set?

Can you tell me what values are being added or changed in the import or synchronization operations for those 2 accounts?

You can try also restore the permissions using the trouble-shooter from the ad connect tool.
Spencer Guest 21 Reputation points

2024-05-24T11:30:31.6033333+00:00

The other two accounts do not had any value set. and we've tried to restore the permissions.
Michael Smith 2,931 Reputation points Microsoft Employee Moderator

2024-05-24T12:01:38.8+00:00

Thanks for the update Spencer. for those 2 accounts what attribute is being imported thats failing with permission denied? you can see this in the import or synchronization operations.
Spencer Guest 21 Reputation points

2024-05-28T14:19:38.3066667+00:00

There is no attribute. Nothing. One of the accounts are no longer required so we can remove one, but the others are still required to be sync'd.

Any help on this would be useful! Cheers
Michael Smith 2,931 Reputation points Microsoft Employee Moderator

2024-05-28T15:06:31.1166667+00:00

Hi Spencer,

There must be something changing with the account otherwise sync wouldn't be failing with permissions for it.

What does the CS for the account show?

Link to this thread/post

We can connect offline and discuss further on this.

1 answer

Your answer

Michael Smith 2,931 Reputation points Microsoft Employee Moderator

2024-05-24T09:19:47.5266667+00:00

Hi @Spencer Guest ,

We received your feedback. so to clarify 6 accounts have Admincount =1 correct?

The other 2 accounts dont have any value set?

Can you tell me what values are being added or changed in the import or synchronization operations for those 2 accounts?

You can try also restore the permissions using the trouble-shooter from the ad connect tool.
Spencer Guest 21 Reputation points

2024-05-24T11:30:31.6033333+00:00

The other two accounts do not had any value set. and we've tried to restore the permissions.
Michael Smith 2,931 Reputation points Microsoft Employee Moderator

2024-05-24T12:01:38.8+00:00

Thanks for the update Spencer. for those 2 accounts what attribute is being imported thats failing with permission denied? you can see this in the import or synchronization operations.
Spencer Guest 21 Reputation points

2024-05-28T14:19:38.3066667+00:00

There is no attribute. Nothing. One of the accounts are no longer required so we can remove one, but the others are still required to be sync'd.

Any help on this would be useful! Cheers
Michael Smith 2,931 Reputation points Microsoft Employee Moderator

2024-05-28T15:06:31.1166667+00:00

Hi Spencer,

There must be something changing with the account otherwise sync wouldn't be failing with permissions for it.

What does the CS for the account show?

Link to this thread/post

We can connect offline and discuss further on this.

Answer 1

Hi @Spencer Guest ,

Thank you for reaching out to the Q&A community.

This permission error can happen when the syncing users with pre-existing administrative accounts.

Check if the users have admin count 1 in their attributes.

User's image

Its possible to configure the permission but its strongly recommended to Not sync users with on premises admin accounts.

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account

On-prem admins should be dedicated accounts for administration with no applications access. You want the Azure AD admins to be cloud only accounts: https://learn.microsoft.com/en-us/azure/active-directory/roles/security-planning#ensure-separate-user-accounts-and-mail-forwarding-for-global-administrator-accounts

I hope this helps to resolve your query. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Share via

AAD Sync errors 8344 on export for a small number of accounts

1 answer

Your answer