How to fix Azure AD Connect permission-issue error code 8344
The Azure AD Connect synchronization service is not exporting the AD objects and shows the error permission-issue. Clicking on the error for more details shows insufficient access rights to perform the operation with error code 8344. Why is this happening and what is the solution? In this article, you will learn how to fix Azure AD Connect permission-issue error code 8344.
Error 8344 – Insufficient access rights to perform the operation
Sign in on the Azure AD Connect Server and start Azure AD Connect synchronization service.
You will see the export error(s): permission-issue.
Click on the permission-issue to check the error information.
The error information shows:
Error: permission-issue
Connected data source error code: 8344
Connected data source error: Insufficient access rights to perform the operation.
Why are we getting this error, and what is the solution for insufficient access rights to perform the operation with error code 8344 in Azure AD Connect synchronization service manager?
Solution for Azure AD Connect permission-issue error code 8344
The Azure AD DS connector account doesn’t have all the correct permissions set, and that’s why the error code 8344 permission-issue appears in Azure AD Connect when exporting the AD objects.
Note: Azure AD Connect uses 3 accounts to synchronize information between Windows Server Active Directory and Azure Active Directory.
Method 1. Set the correct permissions on the AD DS connector account
Go through the steps below to fix the Azure AD Connect insufficient access rights to perform the operation error (error code 8344):
- Start Azure AD Connect.
- Click on Configure.
- Click on Troubleshoot.
- Click Next.
- Click on Launch.
- The AADConnect Troubleshooting screen appears (PowerShell).
----------------------------------------AADConnect Troubleshooting------------------------------------------
Enter '1' - Troubleshoot Object Synchronization
Enter '2' - Troubleshoot Password Hash Synchronization
Enter '3' - Collect General Diagnostics
Enter '4' - Configure AD DS Connector Account Permissions
Enter '5' - Test Azure Active Directory Connectivity
Enter '6' - Test Active Directory Connectivity
Enter 'Q' - Quit
Please make a selection:
- Select 4 and press Enter.
----------------------------------------AADConnect Troubleshooting------------------------------------------
Enter '1' - Troubleshoot Object Synchronization
Enter '2' - Troubleshoot Password Hash Synchronization
Enter '3' - Collect General Diagnostics
Enter '4' - Configure AD DS Connector Account Permissions
Enter '5' - Test Azure Active Directory Connectivity
Enter '6' - Test Active Directory Connectivity
Enter 'Q' - Quit
Please make a selection: 4
- Select 12 and press Enter.
--------------------------------------------Configure Permissions------------------------------------------
Enter '1' - Get AD Connector account
Enter '2' - Get objects with inheritance disabled
Enter '3' - Set basic read permissions
Enter '4' - Set Exchange Hybrid permissions
Enter '5' - Set Exchange mail public folder permissions
Enter '6' - Set MS-DS-Consistency-Guid permissions
Enter '7' - Set password hash sync permissions
Enter '8' - Set password writeback permissions
Enter '9' - Set restricted permissions
Enter '10' - Set unified group writeback permissions
Enter '11' - Show AD object permissions
Enter '12' - Set default AD Connector account permissions
Enter '13' - Compare object read permissions when running in context of AD Connector account vs Admin account
Enter 'B' - Go back to main troubleshooting menu
Enter 'Q' - Quit
Please make a selection: 12
- Select Y and press Enter.
This option will set permissions required for the following:
Password Hash Sync
Password Writeback
Hybrid Exchange
Exchange Mail Public Folder
MsDsConsistencyGuid
It will then restrict permissions
Confirm
Would you like to continue with these options?
[Y] Yes [N] No [?] Help (default is "Y"): Y
- Select E and press Enter.
Account to Configure
Would you like to configure an existing connector account or a custom account?
[E] Existing Connector Account [C] Custom Account [?] Help (default is "E"): E
- The output shows the AD DS connector account and more information.
Configured connectors and their related accounts:
ADConnectorName ADConnectorForest ADConnectorAccountName ADConnectorAccountDomain
--------------- ----------------- ---------------------- ------------------------
exoip.local exoip.local svc-adds EXOIP.LOCAL
- Fill in the ADConnectorName (exoip.local) and press Enter.
Name of the connector who's account to configure: exoip.local
- The Windows PowerShell credential request appears.
- Fill in the on-premises Administrator credentials and click OK.
Note: You will be asked 7 times to confirm that you want to set the permissions for the AD DS connector account. Press A and then Enter each time.
- Grant Password Hash Synchronization permissions.
Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Password Hash Synchronization permissions" on target "exoip.local".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
- Grant Password Writeback permissions.
Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Password Writeback permissions" on target "exoip.local".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
- Grant Password Writeback permission for Unexpire Password extended right.
Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Password Writeback permission for Unexpire Password extended right" on target
"exoip.local".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
- Grant Exchange Hybrid permissions.
Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Exchange Hybrid permissions" on target "exoip.local".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
- Grant Exchange Mail Public Folder permissions.
Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Exchange Mail Public Folder permissions" on target "exoip.local".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
- Grant mS-DS-ConsistencyGuid permissions.
Confirm
Are you sure you want to perform this action?
Performing the operation "Grant mS-DS-ConsistencyGuid permissions" on target "exoip.local".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
- Set restricted permissions.
Confirm
Are you sure you want to perform this action?
Performing the operation "Set restricted permissions" on target "CN=svc-adds,OU=Service
Accounts,OU=Company,DC=exoip,DC=local".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
- All the permissions are correctly set for the AD DS Connector account.
- Close the AADConnect Troubleshooting PowerShell and the Azure AD Connect window.
- Start Windows PowerShell and run a full Azure AD Connect sync.
Start-ADSyncSyncCycle -PolicyType Initial
- Wait a few minutes and verify that all AD objects are synced, that there are no more 8344 permissions errors, and that the export statistics show values.
In our example, it did update the 5 users.
That’s it!
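As an added, read-only check that is not part of the original article: the script below uses the same AdSyncConfig module the troubleshooter runs to show which account the connector uses, lists objects with inheritance disabled (they do not receive the permissions set at the domain root, so 8344 can persist for them after option 12), and verifies that the two Replicating Directory Changes extended rights needed for Password Hash Sync are present on the domain root. It assumes Azure AD Connect is installed in the default folder and that the RSAT ActiveDirectory module is available.

```powershell
# Added verification example, not code from the original article.
# Assumed default install path of Azure AD Connect (adjust if installed elsewhere).
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
Import-Module ActiveDirectory

# 1. Which AD DS connector account is in use (same data as menu option 1).
$acct = Get-ADSyncADConnectorAccount | Select-Object -First 1
$acct | Format-Table ADConnectorName, ADConnectorAccountName, ADConnectorAccountDomain -AutoSize

# 2. Objects with inheritance disabled (menu option 2). ACEs granted at the domain
#    root never reach these objects, so they keep failing with 8344 after the fix.
$domainDN = (Get-ADDomain).DistinguishedName
$blocked  = @(Get-ADSyncObjectsWithInheritanceDisabled -SearchBase $domainDN)
Write-Host ("Objects with inheritance disabled: {0}" -f $blocked.Count)
$blocked | Select-Object -First 20 | Format-List

# 3. Password Hash Sync needs these two extended rights on the domain root.
#    The GUIDs are the well-known controlAccessRight identifiers.
$phsRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}
$acl  = Get-Acl -Path "AD:\$domainDN"
# Match on the account name only; IdentityReference uses the NetBIOS domain form.
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -like "*\$($acct.ADConnectorAccountName)"
}
foreach ($guid in $phsRights.Keys) {
    $granted = $aces | Where-Object {
        $_.ObjectType -eq [guid]$guid -and $_.AccessControlType -eq 'Allow'
    }
    "{0,-36} {1}" -f $phsRights[$guid], $(if ($granted) { 'GRANTED' } else { 'MISSING' })
}
```

If either right shows MISSING after option 12 completed, or the object that fails to export is in the inheritance-disabled list, re-check that object's ACL with Show-ADSyncADObjectPermissions (menu option 11) before re-running the sync.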
Method 2. Create AD DS connector account
Create the AD DS connector account with the correct permissions and change the AD DS connector in Azure AD Connect sync to fix the permission-issue error code 8344:
Which method did you choose?
Conclusion
You learned how to fix Azure AD Connect permission-issue error code 8344. It’s essential to set the correct permissions on the AD DS connector account. Once that is set, you will not see the insufficient access rights to perform the operation error, and the synchronization will work.
By the way the solution to my error was to add the AD Connector users (MSOL_xxx) to the Administrators group in AD.
This works for me, thank you for posting this comment.
Hi Mahavir, where can I enable inheritance for objects? And which objects?
I still have the 8344 error even after following the precious guide of Ali…
One reason why users may see this issue is that inheritance may be disabled on objects. Enabling it fixes the issue right away.
Thank you
Great article for an issue which i do see happening