Azure AD Sync “Permissions-Issue” Error Code 8344

Today I have been working on troubleshooting the Azure AD Sync tool for one of my customers, who were having issues with the tool. The MIIS client was reporting export errors for all the users in the organization, and the error was “Permissions-Issue”. It was one of the more interesting errors to work on; it took me a day to resolve, and I thought I would share the remedy with all of you so that you can resolve this issue within an hour.

Azure AD Sync Export Error

Whenever AAD Sync performed a synchronization with Office 365, we got the error on the “Export” step every time. The error message says “Permissions-issue”, and we had verified that both our on-prem service account and our Office 365 service account had all the permissions required by the AAD Sync tool. At one stage we thought it was a false error, but no, it is not a false error, and it does have a solution. Below is a screenshot of the error message we were getting.

Azure AD Sync error

When you click on Permissions-Issue you will see the following screen, which gives the details of the error message along with the error code.

AAD Sync permission error details

Let’s get started. Below are the steps required to resolve this error.

Resolve AAD Sync Export Error

If you click on Permissions-Issue to see the details, you will see that the connected data source error code is 8344. This is the Active Directory error for insufficient access rights: the export that is failing is the write-back to the on-prem Active Directory objects, and the sync service account was denied permission to write them. To resolve this issue, perform the following steps.

1. Run the Active Directory inheritance script to get a list of users on which permission inheritance is blocked. The sync account’s rights are delegated at the domain or OU level and reach individual objects only through inheritance, so an object with inheritance blocked cannot be written. Once you have the list, make sure inheritance is enabled on those users/groups.

To allow inheritance, make sure Advanced Features is enabled under View in Active Directory Users and Computers, then go to the user’s Properties –> Security –> Advanced and select the check box “Include inheritable permissions from this object’s parent”.

2. Make sure the required on-prem permissions are assigned to the Azure AD Sync tool service account. You can assign the appropriate permissions to the Azure AD Sync tool by following this article.

3. Once you have checked inheritance and the required permissions, make sure that the service account is a member of the AAD Sync security group in Active Directory named MSOL_AD_Sync_RichCoexistence, which holds the write permissions used for Exchange hybrid write-back. After you add the service account to the group, re-run a full synchronization and you will see that all permission-issue errors are gone.

In my case, the customer was using AAD Sync along with password sync, and they had Exchange 2010 SP3 hybrid configured.
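
The three checks above can be scripted. The following PowerShell is an added example, not the inheritance script or the permissions article the post refers to. It assumes the ActiveDirectory RSAT module is installed, that the on-prem sync service account is AAD@mstechtalk.com (sAMAccountName AAD, as used throughout this series) and that the group is MSOL_AD_Sync_RichCoexistence as named in step 3. It reports first and only changes anything when $Fix is set to $true.

```powershell
# Added example, not from the original post. Audits the conditions behind export
# error 8344 and optionally repairs them. Requires the ActiveDirectory RSAT module.
# Assumptions (not in the post): service account sAMAccountName 'AAD'; the script
# runs with rights to read and modify the security descriptors of the affected objects.
Import-Module ActiveDirectory

$ServiceAccount = 'AAD'                              # on-prem AAD Sync service account (AAD@mstechtalk.com)
$HybridGroup    = 'MSOL_AD_Sync_RichCoexistence'     # group from step 3
$Fix            = $false                             # report only until set to $true

# Step 1: users and groups whose DACL is protected, i.e. the "Include inheritable
# permissions from this object's parent" box is cleared. adminCount is returned too,
# because SDProp re-protects adminCount=1 objects (AdminSDHolder) about every 60
# minutes, so un-blocking them in ADUC does not stick.
function Get-InheritanceBlockedObjects {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADObject -SearchBase $SearchBase `
                 -LDAPFilter '(|(objectClass=user)(objectClass=group))' `
                 -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object DistinguishedName, ObjectClass, adminCount
}

# Re-enables inheritance on one object through the AD: drive.
# SetAccessRuleProtection(isProtected=$false, preserveInheritance=$true) keeps the
# explicit ACEs already on the object.
function Enable-AclInheritance {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

# Step 3: is the service account (directly or through nesting) in the hybrid group?
function Test-HybridGroupMembership {
    param([string]$Account = $ServiceAccount, [string]$Group = $HybridGroup)
    $members = Get-ADGroupMember -Identity $Group -Recursive |
               Select-Object -ExpandProperty SamAccountName
    return ($members -contains $Account)
}

$blocked = Get-InheritanceBlockedObjects
$blocked | Format-Table -AutoSize

if ($Fix) {
    # Leave adminCount=1 objects alone: the lasting fix for those is to remove the
    # account from the protected groups, not to edit the ACL.
    $blocked | Where-Object { $_.adminCount -ne 1 } | ForEach-Object {
        Enable-AclInheritance -DistinguishedName $_.DistinguishedName
    }
    if (-not (Test-HybridGroupMembership)) {
        Add-ADGroupMember -Identity $HybridGroup -Members $ServiceAccount
    }
}

"Service account is a member of $HybridGroup : $(Test-HybridGroupMembership)"
```

After the fix, re-run the full synchronization as in step 3 and confirm in MIISClient that the export step no longer reports permission-issue. Any objects in the report with adminCount=1 are protected admin accounts; those stay on the list until they are taken out of the protected groups, because SDProp will block inheritance on them again.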

I hope this article helps you resolve your issue with the Azure AD Sync tool. Please feel free to ask us in case you have other issues. Thanks.

Change Default Sync time of Azure AD Sync (Part 5)

In Part 4 of this series we learned how to manually synchronize on-prem identities and password hashes with Office 365. In this article we will learn how to change the default synchronization interval of the Azure AD Sync tool to meet our requirements.

Let’s get started with Part 5 of this series and learn how to change the default sync time of Azure AD Sync.

Default Synchronization

By default the Azure AD Sync tool synchronizes with Office 365 every 3 hours, just like the DirSync tool. DirSync determined its schedule from the Microsoft.Online.DirSync.Scheduler.exe.config file located in “C:\Program Files\Microsoft Online Directory Sync”, but this has changed with the new Azure AD Sync tool: the schedule is now a Windows Task Scheduler task, and that is where you view or modify the interval.

By default the schedule fires every 3 hours through a scheduled task named Azure AD Sync Scheduler. The task runs DirectorySyncClientCmd.exe in the background, which performs a delta sync.

To modify the default synchronization time, we need to perform following steps.

  • Log on to the Sync server using the on-prem Sync service account. In our case we’re using AAD@mstechtalk.com as the service account.
  • Go to the Start menu and search for Task Scheduler.

  • In the Task Scheduler Library you will notice a task named Azure AD Sync Scheduler that is defined to trigger every 3 hours.

  • Disable the task before modifying it, so that a synchronization does not start while you are editing the trigger: right-click the task –> Disable, as shown below.

  • After disabling the task, double-click it and go to the Triggers tab as shown below.

  • Select the trigger and click Edit. Currently the trigger is defined to repeat every 3 hours for a duration of Indefinitely.

  • From the “Repeat task every” drop-down, select the interval at which you want Azure AD Sync to synchronize with Office 365. In our case I’ve set it to 10 minutes.

  • Click OK to close the trigger editor, then click OK in the Azure AD Sync Scheduler Properties dialog to complete the change.

  • When you click OK in Azure AD Sync Scheduler Properties, Task Scheduler prompts for the password of the account the task runs as. By default this is the local service account that the installer created, not a Microsoft account; we replace it here with our on-prem Azure AD Sync service account. Enter the on-prem Azure AD Sync service account credentials and click OK. Whichever account you choose must be able to run the sync engine, i.e. be a member of the local ADSyncAdmins group created by the installer.

  • After modifying the trigger you can see that the default sync interval of the Azure AD Sync tool has been changed to 10 minutes.

  • The last step after changing the interval is to re-enable the task: right-click Azure AD Sync Scheduler and click Enable.
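
The same change can be made without the GUI. The following PowerShell is an added example, not from the original post, using the ScheduledTasks module that ships with Windows Server 2012 R2 and later. It assumes the task name “Azure AD Sync Scheduler” shown in the screenshots and the series’ on-prem service account AAD@mstechtalk.com as the run-as account.

```powershell
# Added example, not from the original post: change the Azure AD Sync Scheduler
# repeat interval with the ScheduledTasks module (Windows Server 2012 R2+).
# Assumptions not stated in the post: task name and run-as account below.
Import-Module ScheduledTasks

$TaskName = 'Azure AD Sync Scheduler'
$Interval = New-TimeSpan -Minutes 10              # new repeat interval, as in the post
$RunAs    = Get-Credential -UserName 'MSTECHTALK\AAD' -Message 'Sync service account'

# Inspect the current trigger first. Repetition.Interval is ISO 8601: PT3H = 3 hours.
$task = Get-ScheduledTask -TaskName $TaskName
$task.Triggers | Select-Object StartBoundary,
    @{ n = 'Interval'; e = { $_.Repetition.Interval } },
    @{ n = 'Duration'; e = { $_.Repetition.Duration } }

# Disable while editing so a delta sync does not start mid-change.
Disable-ScheduledTask -TaskName $TaskName | Out-Null

# Rebuild the trigger: start now, repeat every $Interval, indefinitely.
# On 2012 R2 -RepetitionDuration is mandatory with -RepetitionInterval;
# [TimeSpan]::MaxValue is how "Indefinitely" is expressed.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
             -RepetitionInterval $Interval -RepetitionDuration ([TimeSpan]::MaxValue)

# Set-ScheduledTask needs the run-as credentials; this is the password prompt the GUI shows.
Set-ScheduledTask -TaskName $TaskName -Trigger $trigger `
                  -User $RunAs.UserName -Password $RunAs.GetNetworkCredential().Password | Out-Null

Enable-ScheduledTask -TaskName $TaskName | Out-Null

# Verify: the interval should now read PT10M and the task should show a next run time.
(Get-ScheduledTask -TaskName $TaskName).Triggers.Repetition.Interval
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object LastRunTime, LastTaskResult, NextRunTime
```

Pick an interval longer than the longest delta cycle you observe in MIISClient (start to end of the last run step), otherwise the scheduler will be asked to start a new cycle while the previous one is still exporting. LastTaskResult 0 from Get-ScheduledTaskInfo confirms the task itself ran; the sync result still has to be read from MIISClient.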

This brings us to the end of this article, in which we learned how to modify the default sync interval of the Azure AD Sync tool.

Azure AD Synchronization using PowerShell (Part 4)

In Part 3 of this series we learned about the different filtering options available to us and how to use them to meet our requirements. In this article we will learn how to manually force a synchronization using PowerShell and how to verify it; changing the default synchronization interval is covered in Part 5.

Let’s get started with Part 4 of this series.

Azure AD Full Synchronization

We have a utility called DirectorySyncClientCmd.exe which runs the sequence of import, synchronization and export steps that synchronizes on-prem identities with Office 365.

To run a full synchronization, open Windows PowerShell, browse to “C:\Program Files\Microsoft Azure AD Sync\Bin” and run the executable .\DirectorySyncClientCmd.exe Initial as shown below. The Initial argument performs a full synchronization: a full import and full sync on every connector, followed by export.

It is recommended to perform a full synchronization after making a major change in your Azure AD Sync configuration, such as changing filtering or enabling password synchronization.

Azure AD Delta Synchronization

To perform a delta synchronization with Office 365 we use the same executable with the Delta argument, as shown below; only changes since the last run are imported and exported. By default the Azure AD Sync tool performs a delta sync every 3 hours; changing that interval is covered in Part 5 of this series.

Azure AD Password Synchronization

Password Sync was one of those features that helped many enterprises keep their users’ password policies and change management in the local Active Directory. Password synchronization enables users to log in to Office 365 and other Microsoft online services like Intune, CRM etc. using the same password they use on-premises. Note that this is not a single sign-on solution, because no token is shared in the Password Sync process; it is also referred to as Same Sign-On.

Active Directory Domain Services configured for FIPS is not compatible with the Password Sync feature. During password synchronization the plain-text password is never exposed to the sync tool, to Azure AD or to any associated service: the tool reads the password hash from Active Directory and sends a further-hashed form of it to Azure AD, so the on-prem hash itself is not transmitted either.

When password synchronization is enabled, the Office 365 password complexity and expiry policies no longer apply to synchronized users; the on-prem policies govern, and the cloud passwords of synchronized users are set to never expire.

To force a password synchronization we run the “Password Synchronization with Office 365 using Azure AD Sync” script, which you can download from TechNet.

More details on password synchronization can be found on Technet.

Verifying Manual Synchronization

To verify the full and delta synchronization, log in to the Office 365 portal, browse to Users –> Active Users and check the last sync time. You can also check MIISClient (the Operations tab) for the start and end time and the status of each run step.

To verify that password synchronization completed successfully, go to Event Viewer –> Windows Logs –> Application and look for Event IDs 656 (password change request) and 657 (result of the request) as shown below.
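
The manual steps in this part can be driven from one PowerShell session on the sync server. The following is an added example, not from the original post or the TechNet script it links to. It assumes the default install path, that the ADSync module is present, and that the sync engine has exactly one on-prem AD connector and one Azure AD connector; the connector-level toggle used to force a full password sync is the one Microsoft documents for that purpose.

```powershell
# Added example, not from the original post: run Initial/Delta sync, force a full
# password sync, and read the password-sync events, all from PowerShell.
# Assumptions not stated in the post: default install path; one AD and one AAD connector.
Import-Module ADSync

$SyncBin = 'C:\Program Files\Microsoft Azure AD Sync\Bin'

# Runs DirectorySyncClientCmd.exe with Initial (full) or Delta; returns $true on exit code 0.
function Invoke-AadSync {
    param([ValidateSet('Initial', 'Delta')][string]$Mode = 'Delta')
    $exe = Join-Path $SyncBin 'DirectorySyncClientCmd.exe'
    & $exe $Mode
    if ($LASTEXITCODE -ne 0) { Write-Warning "DirectorySyncClientCmd $Mode exited with code $LASTEXITCODE" }
    return ($LASTEXITCODE -eq 0)
}

# Forces a full password hash sync by disabling and re-enabling password sync on the
# connector pair; the sync engine picks the full sync up on its next password sync cycle.
function Start-FullPasswordSync {
    param([Parameter(Mandatory)][string]$AdConnector,
          [Parameter(Mandatory)][string]$AadConnector)
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $AdConnector -TargetConnector $AadConnector -Enable $false
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $AdConnector -TargetConnector $AadConnector -Enable $true
}

# Password sync writes Event ID 656 (password change request) and 657 (result) to the
# Application log. Returns the events since $Since with the first line of each message.
function Get-PasswordSyncEvents {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 656, 657; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: connector names are read from the engine rather than hard-coded.
# ConnectorTypeName is 'AD' for the on-prem forest and 'Extensible2' for Azure AD.
$ad  = (Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' } | Select-Object -First 1).Name
$aad = (Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'Extensible2' } | Select-Object -First 1).Name

$start = Get-Date
if (Invoke-AadSync -Mode Initial) {
    Start-FullPasswordSync -AdConnector $ad -AadConnector $aad
    Get-PasswordSyncEvents -Since $start | Format-Table -AutoSize
}
```

The 657 events are the ones to read: a request (656) without a matching result means the password batch was sent but never acknowledged, which is what you see when the password sync feature is disabled on the connector or the tenant has not yet accepted the change.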

Filtering in Azure AD Sync (Part 3)

In this article we will set up the different types of filtering in Azure AD Sync so that only the required users are synchronized with Office 365. Part 1 and Part 2 of this series covered the prerequisites, installation and configuration of the Azure AD Sync tool. With the prerequisites and installation done, it is time to set up filtering.

Let’s get started with Part 3 of this series.

Azure AD Sync Filtering Types

The Azure AD Sync tool supports three types of filtering, and you can choose the type based on your requirements.

  • OU Based Filtering
  • Domain Based Filtering
  • Attribute Based Filtering

You can enable filtering in Azure AD Sync at any time. If you have already run directory synchronization with the default configuration and then configure filtering, the objects that are filtered out are no longer synchronized to Azure AD; as a result, any objects in Azure AD that were previously synchronized but are now filtered are deleted from Azure AD. If objects were inadvertently deleted because of a filtering error, you can re-create them in Azure AD by removing your filtering configuration and synchronizing your directories again.

OU Based Filtering

With OU-based filtering you explicitly specify which OUs synchronize with Office 365. In our case only two OUs are synchronized with Office 365: “Users” and “Admin Users”. To set up OU filtering, follow these steps.

  • Log in to the Sync server using the local Active Directory service account for Azure AD Sync. In our case we’re using AAD@mstechtalk.com as the service account and I’ve logged in to the server with it.
  • Browse to “C:\Program Files\Microsoft Azure AD Sync\UIShell” and run miisclient.exe

  • After the client opens, click “Connectors” to modify the connector for filtering.

  • Select the on-prem AD connector and go to Properties –> Configure Directory Partitions –> Containers. The on-prem connector type is always “Active Directory Domain Services”.

  • Uncheck the OUs you do not want to synchronize. By default all OUs are selected, and selecting an OU includes its child OUs.

  • Click OK and close MIISClient. OU filtering has been set; run a full synchronization to apply it.

Domain Based Filtering

At times you work with multiple domains in a large organization or with multiple business units. A common scenario is that one business unit moves to Office 365 while the rest remain on their existing systems. Requirements like synchronizing only the users of a specific domain can be met with domain-based filtering: you specify which domains (directory partitions) synchronize with Office 365. The steps are as follows.

  • Run MIISClient –> Connectors –> on-prem connector –> Properties

  • Go to Configure Directory Partitions –> Select directory partitions and select the domains you want to synchronize with Office 365. In our case we have two domains in the lab (mstechtalk.com and contoso.mstechtalk.com) and we are synchronizing only mstechtalk.com users with Office 365; all other partitions and domains are unchecked.

All three types of filtering can be combined to synchronize exactly the required users. Sometimes deselecting a domain does not remove that domain’s steps from the connector’s run profiles; in that case remove the steps for the deselected partition from each run profile manually to complete domain filtering.

Attribute Based Filtering

Attribute-based filtering synchronizes on-prem users with Office 365 based on the value of an attribute.

There are several ways to configure filtering based on attributes. Configuring the filter on the inbound rule from AD is recommended, since these settings are kept after an upgrade to a newer version. Configuring it on the outbound rule to AAD is supported, but those settings are not kept across an upgrade and should only be used when the filter has to look at the combined object in the metaverse.

Inbound Filtering

  • To set up inbound filtering, open the “Synchronization Rules Editor” on the sync server. On Windows Server 2012 R2 you can find it in the Start menu.

  • Make sure the Inbound rule type is selected on the left-hand side and click Add New Rule.

  • Select the Connected System (the source forest) and the CS Object Type user, because we are filtering users.

The Name field is the name of the rule. Connected System is the source, such as the Active Directory forest. Connected System Object Type is the type of AD object: user, group, contact etc. Link Type determines how the connector-space object is linked to the metaverse and has three values: Join, StickyJoin and Provision. Join links the object to an existing metaverse object when a join rule matches and otherwise creates a new one; StickyJoin only links to an existing object and never creates one; Provision always creates a new metaverse object. The join criteria themselves are configured on the Join Rules page of the wizard.

  • Click Next. We are synchronizing only those users whose company attribute is either “MS Tech Talk” or empty, so nothing needs to be configured under Scoping Filter and Join Rules (adjust these for your own filter). Give the rule a precedence lower than 100 so that it takes priority over the out-of-box rules.
  • On the Transformations page add an Expression flow to the target attribute cloudFiltered with the source expression IIF(IsNullOrEmpty([company]),NULL,IIF([company]<>"MS Tech Talk",True,NULL)) and click Add. A user for whom the expression yields True is not exported to Azure AD; NULL leaves the user in scope.

Inbound filtering is the recommended approach. More information on attribute-based filtering can be found on TechNet.

Outbound Filtering

  • To set up outbound filtering, run the “Synchronization Rules Editor”.
  • Make sure the rule type “Outbound” is selected.
  • Click Add New Rule on the right-hand side, provide the Connected System and CS Object Type, and define the scoping filter and transformations according to your rule.

Outbound filtering is used in the resource forest / account forest topology, where the filter has to look at the combined object in the metaverse; otherwise prefer inbound filtering. Perform a full synchronization after configuring any filtering.

A couple of examples of attribute-based filtering can be found on David’s blog here and here.
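
Because objects that become filtered are deleted from Azure AD on the next export (see the warning at the top of this part), it is worth previewing the effect of the OU and attribute filters against the on-prem directory before the first synchronization. The following PowerShell is an added example, not from the original post. It assumes the synchronized OUs are “Users” and “Admin Users” directly under the mstechtalk.com domain root, that the mstechtalk.com partition is the one selected (so domain filtering is already implied by the search base), and that the attribute rule keeps users whose company is empty or “MS Tech Talk”, as in the inbound rule above.

```powershell
# Added example, not from the original post: preview which on-prem users the
# OU-based and attribute-based filters would exclude before applying them.
# Assumptions not stated in the post: OU DNs, domain DN and the company value below.
Import-Module ActiveDirectory

$DomainDN = 'DC=mstechtalk,DC=com'                                  # selected directory partition
$KeepOUs  = @("OU=Users,$DomainDN", "OU=Admin Users,$DomainDN")     # OUs left checked in Containers
$Company  = 'MS Tech Talk'                                          # value kept by the inbound rule

# Mirrors the rule expression
#   IIF(IsNullOrEmpty([company]),NULL,IIF([company]<>"MS Tech Talk",True,NULL))
# $true means cloudFiltered would be set and the user not exported to Azure AD.
# -cne compares case-sensitively, the conservative choice for a preview: it can only
# over-report users as filtered, never hide one.
function Test-CloudFiltered {
    param([string]$CompanyValue)
    if ([string]::IsNullOrEmpty($CompanyValue)) { return $false }
    return ($CompanyValue -cne $Company)
}

# Container selection in MIISClient includes child OUs, so match on the DN suffix.
function Test-InScopeOU {
    param([string]$DistinguishedName)
    foreach ($ou in $KeepOUs) {
        if ($DistinguishedName -like "*,$ou") { return $true }
    }
    return $false
}

function Get-FilterPreview {
    Get-ADUser -Filter * -SearchBase $DomainDN -Properties company |
        ForEach-Object {
            $reasons = @()
            if (-not (Test-InScopeOU $_.DistinguishedName)) { $reasons += 'OU not selected' }
            if (Test-CloudFiltered $_.company)              { $reasons += "company is '$($_.company)'" }
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                OU             = ($_.DistinguishedName -replace '^CN=[^,]+,', '')
                Company        = $_.company
                WillSync       = ($reasons.Count -eq 0)
                Reason         = ($reasons -join '; ')
            }
        }
}

$preview  = Get-FilterPreview
$excluded = @($preview | Where-Object { -not $_.WillSync })
$excluded | Format-Table SamAccountName, OU, Company, Reason -AutoSize
"{0} of {1} users in {2} would be filtered out" -f $excluded.Count, @($preview).Count, $DomainDN
```

Compare the excluded count with what you expect before running the Initial sync; a large unexpected number usually means a mistyped OU name or a company value with different spacing or casing. Users that are already in Office 365 and appear on this list will be deleted from the tenant on export.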

Step by Step Azure AD Sync Installation Guide (Part 2)

In this article we will install and configure the Azure AD Sync tool to synchronize on-prem identities with Office 365. Part 1 of this series covered the prerequisites for installing and configuring the Azure AD Sync tool. The prerequisites are done and the required service accounts have been created in Office 365 and in the on-prem Active Directory.

Let’s get started with Part 2 of this series.

Azure AD Sync Installation

  • To install the Azure AD Sync tool, log in to the Sync server using the on-prem Active Directory service account. In our case the local Active Directory service account is AAD@mstechtalk.com
  • You can download the most recent version of Azure AD Sync from the Microsoft website using the following link.
  • If there are 100,000 or fewer objects in AD to synchronize with Office 365 you can use the bundled SQL Express; for more objects a full version of SQL Server is required.
  • The minimum recommended hardware requirements for the synchronization server, in relation to how many objects you have in your on-premises Active Directory, can be found on TechNet.

It is recommended to use a dedicated machine for the Azure AD Sync tool. Installing it on a Domain Controller or on an ADFS server is not recommended.

  • Let’s start the installation of the Azure AD Sync tool. Launch the executable MicrosoftAzureADConnectionTool.exe.

  • Once you run the executable, click Yes on the User Account Control prompt to start the process.

  • Windows Azure AD Sync setup will begin; specify the path to install the tool. In our case we’re using the default installation path.

  • Once you click Install, Azure AD Sync starts installing components such as SQL Express and the connectors.

  • After the required components are installed, you’ll be prompted for your Azure AD credentials. This must be an Office 365 Global Admin account; we’re using AzureAD@UCTechTalk.onmicrosoft.com, the service account created in Part 1 of this series.

  • After connecting to Office 365 with the Global Admin credentials, the next screen asks for your on-prem Active Directory account credentials. We have already set up a service account in our local Active Directory and use that account here, as shown below.

  • After providing the credentials, click Add Forest and the Active Directory forest is added as shown below. Repeat the same steps to add multiple forests.

  • The next screen is User Matching, where you define the criteria by which users are uniquely identified when the same person exists in more than one forest. We’re using the default settings.

  • The next screen lets you choose the Optional Features, including the new features that come with the Azure AD Sync tool such as Password synchronization and Exchange hybrid deployment.

  • Once all the information has been provided and the tool is able to connect to both on-prem AD and Office 365 with the credentials given, click Configure to start the configuration.

  • Once the configuration is completed, click Finish and the wizard begins synchronizing on-prem identities with Office 365.

  • To verify that users have been synchronized with Office 365, log in to Office 365 –> Users –> Active Users and verify the last sync time and status.

By default the Azure AD Sync tool synchronizes with Office 365 every 3 hours. This interval can be changed at any time (see Part 5 of this series).
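
The tenant-side check that the portal’s Active Users page gives you (here, and again after a manual sync in Part 4) can also be done with the MSOnline PowerShell module. The following is an added example, not from the original post; it assumes the MSOnline module is installed and that you connect with the Office 365 service account created in Part 1 (AzureAD@UCTechTalk.onmicrosoft.com).

```powershell
# Added example, not from the original post: read directory and password sync
# status from the tenant with the MSOnline module.
# Assumption not stated in the post: MSOnline module installed; Global Admin credentials.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 Global Admin')

# Tenant-level heartbeat: LastDirSyncTime moves after every successful export,
# LastPasswordSyncTime only when password sync has actually run.
function Get-TenantSyncStatus {
    $info = Get-MsolCompanyInformation
    [pscustomobject]@{
        DirSyncEnabled       = $info.DirectorySynchronizationEnabled
        PasswordSyncEnabled  = $info.PasswordSynchronizationEnabled
        LastDirSyncTime      = $info.LastDirSyncTime
        LastPasswordSyncTime = $info.LastPasswordSyncTime
        MinutesSinceDirSync  = if ($info.LastDirSyncTime) {
                                   [int]((Get-Date).ToUniversalTime() - $info.LastDirSyncTime).TotalMinutes
                               } else { $null }
    }
}

# Per-user view: synchronized users carry an ImmutableId (the on-prem objectGUID,
# base64) and a LastDirSyncTime; cloud-only users have neither. A user's own
# LastDirSyncTime only moves when that object changed in a cycle, so use the
# tenant-level value above as the heartbeat and this list to confirm scope.
function Get-SyncedUsers {
    Get-MsolUser -All | Where-Object { $_.ImmutableId } |
        Select-Object UserPrincipalName, LastDirSyncTime, ImmutableId |
        Sort-Object LastDirSyncTime -Descending
}

# Flags a problem if the tenant has not received an export within one default
# 3-hour cycle plus slack (the interval from this series).
function Test-SyncHealthy {
    param([int]$MaxMinutes = 200)
    $status = Get-TenantSyncStatus
    return ($status.DirSyncEnabled -and $status.MinutesSinceDirSync -ne $null -and
            $status.MinutesSinceDirSync -le $MaxMinutes)
}

Get-TenantSyncStatus
Get-SyncedUsers | Select-Object -First 10 | Format-Table -AutoSize
"Directory sync healthy: $(Test-SyncHealthy)"
```

If Test-SyncHealthy returns False while the scheduled task on the sync server reports success, the export to Azure AD is failing rather than the task; the run history in MIISClient will show the failing step.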
