Upgraded Azure AD Connect - now getting 8344 errors on Export of local directory

  • Question

  • Performed an in-place upgrade of Azure AD Connect to 1.1.561.0.

    Export stage of synchronization is throwing an error on 400+ user objects.

    Status: Completed - export errors

    Permission Issue - Export tab shows error 8344 - Insufficient access rights to perform the operation.

    Monday, September 4, 2017 7:41 PM

Answers

  • This is 2 years later, but hopefully this helps someone. Before you go running crazy scripts from a blog and weird tutorials, the situation I've seen is the very common "you need to enable inherited rights on the user". The second situation is the sync user needs proper permissions. I had my sync user use a service account with Domain Admin permissions, but nothing worked until I added Administrators.

    Hope this helps someone down the line (before you run scripts to set crazy permissions in AD).

    For those who are wondering how and where...

    1) On ADUC, open user properties. Go to the Security tab and click Advanced.

    2) Click Enable Inheritance. The error should go away next time you sync.

    Monday, April 15, 2019 6:57 PM
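The two causes named in this answer (inheritance disabled on the user object, and the AD DS Connector account lacking write rights) can both be checked read-only before touching any ACLs. The script below is an added example, not code from this thread or from Microsoft; it assumes the RSAT ActiveDirectory module and an assumed connector account name of MSOL_svc, and it only expands attribute-specific and all-property ACEs, not property-set ACEs or Deny entries.

```powershell
# Added example, not from this thread. Read-only audit with the RSAT ActiveDirectory module:
# flags users whose ACL has inheritance disabled, and users where the AD DS Connector
# account has no Allow ACE granting WriteProperty on mS-DS-ConsistencyGuid.
# Assumptions: sync account is MSOL_svc; property-set and Deny ACEs are not evaluated.
Import-Module ActiveDirectory

$SyncSam = 'MSOL_svc'   # assumption: sAMAccountName of the AD DS Connector account

# schemaIDGUID of the attribute, so attribute-specific ACEs can be matched by GUID
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrObj  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=mS-DS-ConsistencyGuid)' -Properties schemaIDGUID
$AttrGuid = [guid]$attrObj.schemaIDGUID

# SIDs of the sync account plus every group it belongs to (tokenGroups is transitive,
# so rights granted to Administrators or Domain Admins are seen)
$syncUser = Get-ADUser -Identity $SyncSam -Properties tokenGroups
$SyncSids = @($syncUser.SID.Value) + @($syncUser.tokenGroups | ForEach-Object {
    ([System.Security.Principal.SecurityIdentifier]$_).Value })

$WriteMask = [int]([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)

function Test-CanWriteConsistencyGuid {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    # Walk explicit and inherited ACEs with identities resolved to SIDs
    foreach ($ace in $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($SyncSids -notcontains $ace.IdentityReference.Value) { continue }
        $grantsWrite = ([int]$ace.ActiveDirectoryRights -band $WriteMask) -ne 0
        # ObjectType empty GUID = right applies to all properties
        $coversAttr  = ($ace.ObjectType -eq $AttrGuid) -or ($ace.ObjectType -eq [guid]::Empty)
        if ($grantsWrite -and $coversAttr) { return $true }
    }
    return $false
}

Get-ADUser -Filter * -Properties nTSecurityDescriptor | ForEach-Object {
    $acl = $_.nTSecurityDescriptor
    [pscustomobject]@{
        SamAccountName     = $_.SamAccountName
        InheritanceBlocked = $acl.AreAccessRulesProtected   # the "Enable Inheritance" case
        SyncCanWriteGuid   = Test-CanWriteConsistencyGuid -Acl $acl
    }
} | Where-Object { $_.InheritanceBlocked -or -not $_.SyncCanWriteGuid } | Format-Table -AutoSize
```

Users listed with InheritanceBlocked are typically members (past or present) of protected groups whose ACL is reset by AdminSDHolder, so re-enabling inheritance on them may be undone on the next SDProp cycle; the SyncCanWriteGuid column shows whether the connector account would still be able to write the attribute regardless.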

All replies

  • You could possibly check on the solution steps mentioned in the following blogs:

    1. Connected data source error code: 8344: Insufficient access rights to perform the operation
    2. Azure AD Sync Permissions Error: Error Code 8344


    Tuesday, September 5, 2017 5:29 AM
  • I have run this down a bit more.

    First - sync from local AD to Azure/O365 is working fine.

    The connector from Azure to the local domain is where the errors are occurring.

    When I upgraded, I switched over from objectGUID to mS-DS-ConsistencyGuid for user objects in Azure AD Connect version 1.1.553.0, and up.

    The 8344 errors appear to be related to the ConsistencyGuid, as that is the only new field being written down to AD.

    Found this blog that explains what is needed to set the rights: ConsistencyGuid

    Tuesday, September 5, 2017 4:17 PM
  • Insufficient access means that your AAD account doesn't have writeback permissions. I created a tool for AAD writeback permissions that can help with this:

    https://gallery.technet.microsoft.com/AD-Advanced-Permissions-49723f74

    Tuesday, September 5, 2017 5:21 PM
  • Lovely tool. Thanks for the assistance!

    Wednesday, July 18, 2018 5:37 PM
  • This is 2 years later, but hopefully this helps someone. Before you go running crazy scripts from a blog and weird tutorials, the situation I've seen is the very common "you need to enable inherited rights on the user". The second situation is the sync user needs proper permissions. I had my sync user use a service account with Domain Admin permissions, but nothing worked until I added Administrators.

    Hope this helps someone down the line (before you run scripts to set crazy permissions in AD).

    Wednesday, March 20, 2019 12:18 PM
  • sydwys's solution resolved my problem. No need to run any scripts, just enable inheritance on the user's account and sync should work fine.

    Monday, June 17, 2019 7:41 PM
  • Thanks, NotAWizard.

    I have this exact issue, adding my account to the administrators group was the solution!

    Wednesday, December 11, 2019 4:59 AM