Hey guys hope you are doing well today, today blog post is about Azure AD Connect permission issue. If you have been doing new infra deployment for years and very less in terms of troubleshooting and yes you will not expect what is the cause to this problem. The impact of this problem, is that user’s password won’t able to be sync to office 365 and they will have issue login to their office 365 portal and would required reset of their password from office 365 portal.
I had written about this issue before but it was 2018, the version of Azure AD Connect was much older. If you look into the Azure AD Connect deployment Microsoft article, version about 1.148 would required a write permission for the attribute “ms-ds-consistencyguid” to the service account that you are using to deploy the Azure AD Connect.
Minimum permission required for the service account are:
Replicate directory changes
Replicate directory changes all
Write permission , for attribute ms-ds-consistencyguid
After providing the permissions to the service account, you would need to re-run the Azure AD Connect execution file or tool, for the changes that you made to that service account to take reflect.
After that the sync would start to run and I notice that are still some accounts giving “permission issue” error. So the next dependency was looking into the “inheritance” function, was it disable or not. I was able to identify that the particular OU have its inheritance enabled but on the single user object inside that OU, its inheritance was disabled.
This inheritance is from user’s object > Security tab > Advanced, at bottom.