Attributes for Exchange Online aren't written back to the on-premises Active Directory directory service in an Exchange hybrid deployment

Article ID: 2406830

PROBLEM

After you set up Exchange federation for a hybrid deployment scenario, when you try to use the Microsoft Azure Active Directory Sync tool to sync Azure Active Directory (Azure AD) with your on-premises Active Directory, the following issues may occur:
  • Changes that are made to objects through the Exchange admin center or Exchange Online PowerShell aren't synced to the on-premises Active Directory installation.
  • Exchange Server features that are expected to work together for the cloud and on-premises don't work as expected.
  • You can't view or share online calendars with on-premises users or Exchange Online users.
  • You don't receive the most current free/busy information between on-premises and cloud users.
  • An error 8344 occurs in Microsoft Identity Integration Server (MIIS) that says, "Insufficient access rights to perform the operation."
These symptoms may occur if shared Exchange features aren't enabled and if the incorrect permissions are applied to Active Directory attributes.

RESOLUTION

To resolve this issue, follow these steps.

Step 1: Run the Azure Active Directory Sync tool Configuration Wizard

Make sure that the latest version of the Directory Sync tool is installed and that you run the Azure Active Directory Sync tool Configuration Wizard. When you run the wizard, one screen prompts you to enable rich coexistence. Complete the wizard, and then start directory synchronization.

Alternatively, you can run the Enable-MSOnlineRichCoexistence cmdlet after the Directory Sync tool is installed to enable the write-back feature. This cmdlet must be run by an enterprise admin or by using enterprise admin credentials.

Step 2: Confirm MSOL_AD_Sync_RichCoexistence permissions

If step 1 doesn't resolve the issue, check that the MSOL_AD_Sync user belongs to the MSOL_AD_Sync_RichCoexistence group and that the group has Allow permissions on the user object of the user who is experiencing the issue (the user for whom write-back is not working) for the following attributes:
  • msExchSafeSendersHash
  • msExchBlockedSendersHash
  • msExchSafeRecipientHash
  • msExchArchiveStatus
  • msExchUCVoiceMailSettings
  • ProxyAddresses
To do this, follow these steps:
  1. In Active Directory, make sure that the MSOL_AD_Sync_RichCoexistence group exists and that the MSOL_AD_Sync user is a member of the group.
  2. In the on-premises environment, use Active Directory Users and Computers to open the user properties for the user who is experiencing the issue.
  3. On the Security tab, click Advanced.

    Note
    You must enable advanced features to complete step 3.
  4. Make sure that the MSOL_AD_Sync_RichCoexistence group is listed. If it's not listed, add the group, and then make sure that the group is granted Allow permissions to write to the attributes that are listed previously.
Note Step 2 may be required if the object does not inherit permissions from the parent. This issue may be resolved by making sure that the object inherits permissions from the parent object.
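The membership and permission checks in Step 2 can be done from PowerShell instead of clicking through Active Directory Users and Computers. The following script is an added example, not part of the KB article or of the Directory Sync tool. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the user object's security descriptor; $UserSam, $SyncAccount and $GroupName are parameters you set for your forest. It resolves each attribute's schemaIDGUID, reads the object's ACL (inherited ACEs included), and reports whether the group holds an Allow WriteProperty entry for each attribute and whether any Deny entry is present.

```powershell
# Added example (not from the KB article): audits one on-premises user object for the two
# conditions in Step 2: (a) the sync account is a member of the RichCoexistence group and
# (b) that group holds an Allow WriteProperty ACE on the object for each write-back attribute.
# Assumes the RSAT ActiveDirectory module is available. Parameter values are assumptions.
param(
    [Parameter(Mandatory = $true)][string]$UserSam,
    [string]$SyncAccount = 'MSOL_AD_Sync',
    [string]$GroupName   = 'MSOL_AD_Sync_RichCoexistence'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Attributes the article lists as needing write-back permissions.
$attributes = @(
    'msExchSafeSendersHash',
    'msExchBlockedSendersHash',
    'msExchSafeRecipientHash',
    'msExchArchiveStatus',
    'msExchUCVoiceMailSettings',
    'proxyAddresses'
)

# (a) Membership check. Nested membership counts, so resolve the group recursively.
$members  = Get-ADGroupMember -Identity $GroupName -Recursive
$isMember = [bool]($members | Where-Object { $_.SamAccountName -eq $SyncAccount })
Write-Host ("{0} is a member of {1}: {2}" -f $SyncAccount, $GroupName, $isMember)

# (b) Resolve each attribute's schemaIDGUID; an ACE scoped to one attribute carries it in ObjectType.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$guidByAttr = @{}
foreach ($attr in $attributes) {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    if ($null -eq $schemaObj) {
        Write-Warning "Attribute $attr not found in the schema (Exchange schema extensions missing?)"
        continue
    }
    $guidByAttr[$attr] = New-Object -TypeName System.Guid -ArgumentList (, [byte[]]$schemaObj.schemaIDGUID)
}

# Read the object's DACL through the AD: drive. $acl.Access includes inherited entries.
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value
$user     = Get-ADUser -Identity $UserSam
$acl      = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

# Keep only ACEs whose trustee is the group; compare by SID so the domain prefix doesn't matter.
$groupAces = $acl.Access | Where-Object {
    try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $groupSid }
    catch { $false }
}

# GenericAll and GenericWrite both include the WriteProperty bit, so one -band covers all three.
$writeBit = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$report = foreach ($attr in ($attributes | Where-Object { $guidByAttr.ContainsKey($_) })) {
    $guid = $guidByAttr[$attr]
    # An ACE covers this attribute if it carries a write right and its ObjectType is the
    # attribute's GUID or Guid.Empty (all properties). ACEs scoped to a property set are not
    # expanded here, so "AllowWrite = False" means "verify manually", not "definitely missing".
    $matching = $groupAces | Where-Object {
        (($_.ActiveDirectoryRights -band $writeBit) -ne 0) -and
        ($_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty)
    }
    $allow = @($matching | Where-Object { $_.AccessControlType -eq 'Allow' })
    $deny  = @($matching | Where-Object { $_.AccessControlType -eq 'Deny' })
    [pscustomobject]@{
        Attribute   = $attr
        AllowWrite  = ($allow.Count -gt 0)
        Inherited   = (@($allow | Where-Object { $_.IsInherited }).Count -gt 0)
        DenyPresent = ($deny.Count -gt 0)
    }
}

$report | Format-Table -AutoSize
```

A row with AllowWrite = False, or DenyPresent = True, points at the ACL problem the article describes; an Inherited = False row on an object whose siblings inherit is the "object does not inherit permissions from the parent" case mentioned in the note above.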

MORE INFORMATION

To run the Enable-MSOnlineRichCoexistence cmdlet, follow these steps:
  1. At a command prompt, navigate to the folder where the Directory Sync tool is installed. By default, the configuration shell file is in the following location:
    C:\Program Files\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1
  2. Type the following command, and then press Enter:
    DirSyncConfigShell.psc1
  3. Type the following cmdlet, and then press Enter:
    Enable-MSOnlineRichCoexistence
  4. When you're prompted for credentials, enter your enterprise admin credentials.
Note When you run the Enable-MSOnlineRichCoexistence cmdlet, the cmdlet performs the following actions:
  • Checks that directory synchronization is running. If directory synchronization is running, the following warning message is displayed:
    MSO directory sync is syncing please try again later.
  • Sets Write permissions on all attributes for the MSOL_AD_SYNC account that directory synchronization created in the on-premises environment.
  • Loads the Source MA and metaverse configurations for the write-back option that was selected. To do this, the Set-MSOnlineWriteBack cmdlet runs the Import-MIISServerConfig [-file path] cmdlet, where file path represents the location of the MA and metaverse config files that are included with the directory synchronization installation.
  • Sets the AD MA credentials because the cmdlet has installed a “new” Source MA by using the following cmdlet:
    Set-MIISADMAconfiguration [-forest] [-login] [-password] [-MA Name]
  • Sets the Target MA credentials by using the following cmdlet.
    Set-MIISExtMAConfiguration [-MOAC login] [-MOAC password] [-connection URL] [-MA Name]
  • Sets the FullSyncNeeded registry value to indicate a full synchronization.
  • Calls Start-OnlineCoexistenceSync to start directory synchronization by using the new configurations. The first sync is a full synchronization.

REFERENCES

Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.

Properties

Article ID: 2406830 - Last Review: July 9, 2014 - Revision: 33.0
Applies to
  • Microsoft Azure
  • Microsoft Office 365
  • Windows Intune
  • CRM Online via Office 365 E Plans
  • Microsoft Azure Recovery Services
  • Microsoft Exchange Online
  • Office 365 Identity Management
Keywords: 
o365 o365a o365e o365m o365022013 hybrid KB2406830
