Skip to main content

The Azure AD Connect synchronization service is not exporting the AD objects and shows the error permission-issue. Clicking on the error for more details shows insufficient access rights to perform the operation with error code 8344. Why is this happening and what is the solution? In this article, you will learn how to fix Azure AD Connect permission-issue error code 8344.

Error 8344 – Insufficient access rights to perform the operation

Sign in on the Azure AD Connect Server and start Azure AD Connect synchronization service.

You will see the export error(s): permission-issue.

Azure AD Connect permission-issue error code 8344 errors

Click on the permission-issue to check the error information.

The error information shows:

Error: permission-issue
Connected data source error code: 8344
Connected data source error: Insufficient access rights to perform the operation.

Azure AD Connect permission-issue error code 8344 export error

Why are we getting this error, and what is the solution for insufficient access rights to perform the operation with error code 8344 in Azure AD Connect synchronization service manager?

Solution for Azure AD Connect permission-issue error code 8344

The Azure AD DS connector account doesn’t have all the correct permissions set, and that’s why the error code 8344 permission-issue appears in Azure AD Connect when exporting the AD objects.

Note: Azure AD Connect uses 3 accounts to synchronize information between Windows Server Active Directory and Azure Active Directory.

Method 1. Set the correct permissions on the AD DS connector account

Go through the below steps to fix the Azure AD Connect insufficient access rights to perform the operation – error code 8344:

  1. Start Azure AD Connect.
  2. Click on Configure.
Azure AD Connect configure
  1. Click on Troubleshoot.
  2. Click Next.
Troubleshoot
  1. Click on Launch.
Azure AD Connect troubleshooting tool
  1. The AADConnect Troubleshooting screen appears (PowerShell).
----------------------------------------AADConnect Troubleshooting------------------------------------------


        Enter '1' - Troubleshoot Object Synchronization
        Enter '2' - Troubleshoot Password Hash Synchronization
        Enter '3' - Collect General Diagnostics
        Enter '4' - Configure AD DS Connector Account Permissions
        Enter '5' - Test Azure Active Directory Connectivity
        Enter '6' - Test Active Directory Connectivity
        Enter 'Q' - Quit


        Please make a selection:
  1. Select 4 and press Enter.
----------------------------------------AADConnect Troubleshooting------------------------------------------


        Enter '1' - Troubleshoot Object Synchronization
        Enter '2' - Troubleshoot Password Hash Synchronization
        Enter '3' - Collect General Diagnostics
        Enter '4' - Configure AD DS Connector Account Permissions
        Enter '5' - Test Azure Active Directory Connectivity
        Enter '6' - Test Active Directory Connectivity
        Enter 'Q' - Quit


        Please make a selection: 4
  1. Select 12 and press Enter.
--------------------------------------------Configure Permissions------------------------------------------


        Enter '1' - Get AD Connector account
        Enter '2' - Get objects with inheritance disabled
        Enter '3' - Set basic read permissions
        Enter '4' - Set Exchange Hybrid permissions
        Enter '5' - Set Exchange mail public folder permissions
        Enter '6' - Set MS-DS-Consistency-Guid permissions
        Enter '7' - Set password hash sync permissions
        Enter '8' - Set password writeback permissions
        Enter '9' - Set restricted permissions
        Enter '10' - Set unified group writeback permissions
        Enter '11' - Show AD object permissions
        Enter '12' - Set default AD Connector account permissions
        Enter '13' - Compare object read permissions when running in context of AD Connector account vs Admin account
        Enter 'B' - Go back to main troubleshooting menu
        Enter 'Q' - Quit


        Please make a selection: 12
  1. Select Y and press Enter.
This option will set permissions required for the following:
    Password Hash Sync
    Password Writeback
    Hybrid Exchange
    Exchange Mail Public Folder
    MsDsConsistencyGuid
It will then restrict permissions

Confirm
Would you like to continue with these options?
[Y] Yes  [N] No  [?] Help (default is "Y"): Y
  1. Select E and press Enter.
Account to Configure
Would you like to configure an existing connector account or a custom account?
[E] Existing Connector Account  [C] Custom Account  [?] Help (default is "E"): E
  1. The output shows the AD DS connector account and more information.
Configured connectors and their related accounts:

ADConnectorName ADConnectorForest ADConnectorAccountName ADConnectorAccountDomain
--------------- ----------------- ---------------------- ------------------------
exoip.local     exoip.local       svc-adds               EXOIP.LOCAL
  1. Fill in the ADConnectorName (exoip.local) and press Enter.
Name of the connector who's account to configure: exoip.local
  1. The Windows PowerShell credential request appears.
  2. Fill in the on-premises Administrator credentials and click OK.
Windows PowerShell credential request

Note: You will get asked 7 times if you are sure to set the permission on the AD DS connector account. Press A every time and Enter.

  1. Grant Password Hash Synchronization permissions.
Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Password Hash Synchronization permissions" on target "exoip.local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A
  1. Grant Password Writeback permissions.
Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Password Writeback permissions" on target "exoip.local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A
  1. Grant Password Writeback permission for Unexpire Password extended right.
Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Password Writeback permission for Unexpire Password extended right" on target
"exoip.local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A
  1. Grant Exchange Hybrid permissions.
Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Exchange Hybrid permissions" on target "exoip.local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A
  1. Grant Exchange Mail Public Folder permissions.
Confirm
Are you sure you want to perform this action?
Performing the operation "Grant Exchange Mail Public Folder permissions" on target "exoip.local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A
  1. Grant mS-DS-ConsistencyGuid permissions.
Confirm
Are you sure you want to perform this action?
Performing the operation "Grant mS-DS-ConsistencyGuid permissions" on target "exoip.local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A
  1. Set restricted permissions.
Confirm
Are you sure you want to perform this action?
Performing the operation "Set restricted permissions" on target "CN=svc-adds,OU=Service
Accounts,OU=Company,DC=exoip,DC=local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A
  1. All the permissions are correctly set for the AD DS Connector account.
  2. Close the AADConnect Troubleshooting PowerShell and the Azure AD Connect window.
  3. Start Windows PowerShell and run a fully Azure AD Connect sync.
Start-ADSyncSyncCycle -PolicyType Initial
  1. Wait a few minutes and verify that all AD objects are synced, that there are no more 8344 permissions errors, and that the export statistics show values.

In our example, it did update the 5 users.

Azure AD Connect export errors clean

That’s it!

Method 2. Create AD DS connector account

Create the AD DS connector account with the correct permissions and change the AD DS connector in Azure AD Connect sync to fix the permission-issue error code 8344:

  1. Create AD DS connector account
  2. Change AD DS Connector account

Leave a Reply