FIX: Azure AD Connect Permission Issue 8344 in Export.
If you have set up Azure AD Connect to synchronize on-premises Active Directory users and devices to Microsoft 365 and the Export run ends with "Export Error: permission-issue, Error Code: 8344, Source error: Insufficient access rights to perform the operation", this guide explains how to find the cause and fix the problem.
Symptom: When synchronizing on-premises Active Directory to Microsoft 365 with Azure AD Connect (aka "Microsoft Entra Connect Sync"), the Synchronization Service Manager shows the error "permission-issue" on the Export run profile of the on-premises AD connector. Error 8344 is the LDAP/AD error ERROR_DS_INSUFF_ACCESS_RIGHTS: Active Directory refused a write that the connector attempted on the user object.
The "permission-issue" error in Azure AD Connect synchronization has one of the following causes:
A. The user named in the error is a member of a protected group such as Domain Admins or Enterprise Admins. Active Directory's AdminSDHolder process (SDProp) periodically resets the ACL of such objects and disables inheritance, so the Azure AD Connect account loses the inherited write permission it needs on that object. The user object itself still reaches Microsoft Entra ID; only the write-back to on-premises AD fails. For these accounts the error is expected and can be ignored, or the privileged account can be filtered out of synchronization altogether.
B. Inheritance is disabled on the affected user object, so the permissions that were granted to the Azure AD Connect account at the domain or OU level never reach it. A common reason is an account that was once in a protected group: it keeps adminCount=1 and the protected ACL after being removed from the group.
C. The Azure AD Connect account (the AD DS Connector account) lacks write permission on the mS-DS-ConsistencyGuid attribute, which Azure AD Connect writes back to the user object as the source anchor, so the export fails with connected data source error code 8344.
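To tell the three causes apart before touching any ACL, the following PowerShell script is an added example (it is not from the original article or from Microsoft). It reads the affected user's adminCount and group membership, checks whether inheritance is blocked on the object, and looks for an Allow ACE that gives the connector account write access to mS-DS-ConsistencyGuid. It assumes the RSAT ActiveDirectory module and that you know the connector account's sAMAccountName (the MSOL_ name below is an assumed placeholder).

```powershell
# Added example, not from the original article: classify cause A, B or C for one user.
# Run on a domain-joined machine with the RSAT ActiveDirectory module.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,     # user named in the export error
    [Parameter(Mandatory)] [string] $ConnectorAccount    # e.g. 'MSOL_1a2b3c4d5e6f' (assumed name)
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties adminCount, memberOf, 'mS-DS-ConsistencyGuid'
$dn   = $user.DistinguishedName

# Cause A: AdminSDHolder-protected account. adminCount=1 is the reliable marker;
# direct membership in the usual protected groups is listed for context.
$protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                   'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
$memberOfProtected = foreach ($g in $user.MemberOf) {
    $name = (Get-ADGroup -Identity $g).Name
    if ($protectedGroups -contains $name) { $name }
}

# Cause B: inheritance switched off on the object, so OU/domain-level grants never reach it.
$acl = Get-Acl -Path "AD:\$dn"
$inheritanceBlocked = $acl.AreAccessRulesProtected

# Cause C: no Allow ACE giving the connector account write access to mS-DS-ConsistencyGuid.
# The attribute GUID is read from the schema rather than hardcoded.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=mS-DS-ConsistencyGuid)' -Properties schemaIDGUID
$attrGuid = [guid]$attr.schemaIDGUID
$writeRights = [System.DirectoryServices.ActiveDirectoryRights] 'WriteProperty, GenericWrite, GenericAll'
$writeAce = $acl.Access | Where-Object {
    $_.IdentityReference.Value -like "*\$ConnectorAccount" -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $writeRights) -ne 0) -and
    ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)   # this attribute, or all properties
}

if     ($user.adminCount -eq 1) { $likelyCause = 'A: protected account (expected; ignore or stop syncing it)' }
elseif ($inheritanceBlocked)    { $likelyCause = 'B: inheritance disabled on the object (Method 1 or 2)' }
elseif (-not $writeAce)         { $likelyCause = 'C: connector account cannot write mS-DS-ConsistencyGuid (Method 3)' }
else                            { $likelyCause = 'none of A/B/C; check the connector run history' }

[pscustomobject]@{
    User                   = $dn
    AdminCount             = $user.adminCount
    ProtectedGroups        = ($memberOfProtected -join ', ')
    InheritanceBlocked     = $inheritanceBlocked
    ConnectorCanWriteGuid  = [bool]$writeAce
    ConsistencyGuidPresent = [bool]$user.'mS-DS-ConsistencyGuid'
    LikelyCause            = $likelyCause
}
```

The ACE check deliberately accepts an ObjectType of all zeros as well as the attribute's own schema GUID, because a domain-level grant of "write all properties" (or GenericAll) also satisfies the export; a rule that only matched the specific attribute GUID would report cause C on a perfectly healthy account.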
How to FIX: Permission error 8344 in Azure AD Connect Synchronization.*
* Important: If the permissions error occurs for a user who belongs to Domain Admins, Enterprise Admins or another AdminSDHolder-protected group, it is expected. Enabling inheritance on such an account (Method 1) is undone by SDProp within about an hour, so either ignore the error or stop synchronizing that privileged account.
Method 1. Enable Permissions Inheritance on the Affected Account.
On the account where the permissions issue occurred during synchronization, enable permissions inheritance. To do that:
1. Open Active Directory Users and Computers.
2. On the View menu, enable the "Advanced Features" option.
3. Then, right-click the domain user that is having permissions issues during Azure AD Connect synchronization and open its Properties.
4. Navigate to Security tab and click Advanced.
5. On Permissions tab, click Enable inheritance.
6. Click Apply > OK and then OK again to close the 'User Properties' window.
7. Now open the Synchronization Service Manager and run a manual synchronization* to see if the problem is fixed.
* Note: To perform a manual synchronization:
a. On the Connectors tab, right-click the connector for your on-premises domain and select Run.
b. In the 'Run Connector' window select Export > OK.
c. Finally, select the Operations tab and verify that the Export run completed with status success and no export errors.
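The same procedure from PowerShell on the Azure AD Connect server, as an added example that is not part of the original guide: it re-enables inheritance on the user object (the equivalent of the 'Enable inheritance' button) and then starts a delta sync cycle, which includes the Export step, instead of using the Run Connector dialog. It assumes the RSAT ActiveDirectory module and the ADSync module that ships with Azure AD Connect are available, and it warns rather than proceeds blindly when the account is AdminSDHolder-protected, because the fix would not last in that case.

```powershell
# Added example, not from the original article: Method 1 done from PowerShell.
param([Parameter(Mandatory)] [string] $SamAccountName)   # user named in the export error
Import-Module ActiveDirectory
Import-Module ADSync

$user = Get-ADUser -Identity $SamAccountName -Properties adminCount
$path = "AD:\$($user.DistinguishedName)"
$acl  = Get-Acl -Path $path

if ($user.adminCount -eq 1) {
    # SDProp re-applies the AdminSDHolder ACL (inheritance off) about every 60 minutes,
    # so the change below will not last. Either accept the error for this privileged
    # account or remove it from the protected group and clear adminCount first.
    Write-Warning "$SamAccountName has adminCount=1; AdminSDHolder will disable inheritance again."
}

if ($acl.AreAccessRulesProtected) {
    # First argument $false: stop protecting, i.e. inherit from the parent OU again.
    # Second argument $true: keep the explicit ACEs already present on the object.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Inheritance enabled on $($user.DistinguishedName)"
} else {
    Write-Host 'Inheritance was already enabled; check the connector account permissions (Method 3) instead.'
}

# A delta cycle runs import, sync and export on every connector. It fails if a cycle is already running.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
Start-Sleep -Seconds 60
# Lists connectors still running; once empty, confirm the Export result on the Operations tab.
Get-ADSyncConnectorRunStatus
```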
Method 2. Restore Default Permissions on the Affected Account.
1. Repeat steps 1-4 of Method 1 to open the advanced security settings of the affected user account.
2. Click Restore defaults and then Apply > OK and OK again to close the 'User Properties' window.
3. Open the Synchronization service Manager and run a manual synchronization to see if the problem is fixed.
Method 3. Check the AzureAD Connect account permissions and Add it to the Administrators group.
When you configure Microsoft Entra Connect Sync to synchronize your on-premises Active Directory with Microsoft Entra ID, you either let the wizard create a new domain account for periodic synchronization or supply an existing one. This account is called the "AD DS Connector account" (also "Azure AD Connect account" or "AAD Connect account").
If you chose to use an existing AD account during the Microsoft Entra Connect configuration, first ensure that this account has the required permissions. To do this:
1. Open Active Directory Users and Computers.
2. Right-click on your domain and select Properties.
3. On the Security tab, select the user that is set as the AD DS Connector account and make sure the following permissions are allowed.*
- Replicating Directory Changes
- Replicating Directory Changes All
* Note: These two rights are required only when password hash synchronization is enabled. They let the account replicate password hashes from the domain, the same capability a DCSync attack uses, so treat the connector account as a Tier 0 credential. If the permissions are already granted, proceed below.
4. In Active Directory Users and Computers, select Builtin and then open the Administrators group.
5. Select the Members tab, click Add, and add the user you defined as the Azure AD Connect account to the Administrators group.
6. When you're done, close all open windows and try syncing again.
Caveat: Administrators membership gives the connector account far more than it needs, including administrative rights on the domain controllers, on top of the replication rights above. Prefer granting only the permissions the account actually uses, which is what the ADSyncConfig PowerShell module shipped with Azure AD Connect does (Set-ADSyncBasicReadPermissions, Set-ADSyncMsDsConsistencyGuidPermissions and the per-feature cmdlets). Use Administrators membership only as a short-lived troubleshooting step and remove it once the missing permission has been identified.
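The least-privilege alternative to step 5, as an added example (not from the original article): grant the connector account read access plus write on mS-DS-ConsistencyGuid domain-wide with the ADSyncConfig module, then verify the replication rights on the domain root and show the resulting ACEs on one affected user. It assumes you run it elevated on the Azure AD Connect server as an account that may modify domain ACLs, a single AD connector, and that Get-ADSyncADConnectorAccount exposes the ADConnectorAccountName and ADConnectorAccountDomain properties (assumed names; substitute the account manually if your version differs). The user jdoe is a placeholder.

```powershell
# Added example, not from the original article: scoped permissions instead of Administrators.
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'
Import-Module ActiveDirectory

# Which account the AD connector actually uses (wizard-created MSOL_ account or your own).
# Property names are assumed from the module's documented output.
$acct   = Get-ADSyncADConnectorAccount | Select-Object -First 1
$name   = $acct.ADConnectorAccountName
$domain = $acct.ADConnectorAccountDomain

# Read on all synced objects, and write on mS-DS-ConsistencyGuid (the source anchor),
# applied at the domain root so they inherit down to every OU in scope.
Set-ADSyncBasicReadPermissions           -ADConnectorAccountName $name -ADConnectorAccountDomain $domain
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName $name -ADConnectorAccountDomain $domain

# Verify the two replication rights from step 3 on the domain root. These are Microsoft's
# well-known extended-right GUIDs; they grant DCSync capability, so the account is Tier 0.
$getChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$getChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
$rootDN  = (Get-ADDomain).DistinguishedName
$rootAcl = Get-Acl -Path "AD:\$rootDN"
$repl = $rootAcl.Access | Where-Object {
    $_.IdentityReference.Value -like "*\$name" -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
    ($_.ObjectType -in @($getChanges, $getChangesAll))
}
$granted = foreach ($ace in $repl) {
    if ($ace.ObjectType -eq $getChanges) { 'Replicating Directory Changes' } else { 'Replicating Directory Changes All' }
}
Write-Host ("Replication rights on {0} for {1}: {2}" -f $rootDN, $name, (($granted | Sort-Object -Unique) -join ', '))
if (-not $granted) { Write-Host 'None granted: fine unless password hash synchronization is enabled.' }

# Show the effective ACEs for the connector account on one affected user (jdoe is a placeholder)
# so you can confirm the inherited write ACE on mS-DS-ConsistencyGuid actually reached the object.
Show-ADSyncADObjectPermissions -ADobjectDN (Get-ADUser -Identity 'jdoe').DistinguishedName
```

If Show-ADSyncADObjectPermissions lists the new ACEs on the domain root but not on the user, the object has inheritance disabled (cause B) and Method 1 or 2 is the right fix; adding the account to Administrators would only mask that.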
Additional help: If the permissions issue persists, read the following article to grant the required permissions on the Azure AD Connect account:
That's it! Which method worked for you?
Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.
Frequently Asked Questions
What does the Export Error: permission-issue, Error Code: 8344 mean in Azure AD Connect?
This error indicates that there are insufficient access rights to perform certain operations during synchronization between local Active Directory and Microsoft 365 using Azure AD Connect.
What could cause the Export Error: permission-issue, Error Code: 8344 in Azure AD Connect?
Potential causes include the synchronized user belonging to an AdminSDHolder-protected group such as 'Domain Admins' or 'Enterprise Admins' (inheritance is kept disabled on these objects, so the write-back fails and the error is expected), inheritance having been disabled on the user object itself, or the Azure AD Connect account lacking write permission on the mS-DS-ConsistencyGuid attribute.
How can I resolve Permission Error 8344 in Azure AD Connect Synchronization?
You can resolve the error by enabling permissions inheritance on the affected account, restoring default permissions, or reviewing and adjusting the Azure AD Connect account's permissions and group memberships.
How do I enable permissions inheritance for an account facing synchronization issues?
Open Active Directory Users and Computers, enable 'Advanced Features' from the View menu, navigate to the affected user's Properties, go to the Security tab, click Advanced, and enable inheritance on the Permissions tab.
What should be done if the Azure AD Connect account has insufficient permissions?
Make sure the Azure AD Connect account has read permission on the synchronized OUs and write permission on mS-DS-ConsistencyGuid, and, if password hash synchronization is enabled, 'Replicating Directory Changes' and 'Replicating Directory Changes All' on the domain. Adding the account to the Administrators group also makes the error go away, but it grants far more than required; use it only as a temporary troubleshooting step.