- Changes that are made to objects through the Exchange admin center or Exchange Online PowerShell aren't synced to the on-premises Active Directory installation.
- Exchange Server features that are expected to work together for the cloud and on-premises don't work as expected.
- You can't view or share online calendars with on-premises users or Exchange Online users.
- You don't receive the most current free/busy information between on-premises and cloud users.
- An error 8344 occurs in Microsoft Identity Integration Server (MIIS) that says, "Insufficient access rights to perform the operation."
Step 1: Run the Azure Active Directory Sync tool Configuration Wizard
Make sure that the latest version of the Directory Sync tool is installed and that you run the Azure Active Directory Sync tool Configuration Wizard. When you run the wizard, one screen prompts you to enable rich coexistence. Complete the wizard, and then start directory synchronization.
Alternatively, after the Directory Sync tool is installed, you can run the Enable-MSOnlineRichCoexistence cmdlet to enable the write-back feature. This cmdlet must be run with enterprise admin credentials.
Step 2: Confirm MSOL_AD_Sync_RichCoexistence permissions
If step 1 doesn't resolve the issue, check that the MSOL_AD_Sync user belongs to the MSOL_AD_Sync_RichCoexistence group and that the group has Allow permissions to the user who is experiencing the issue, where write-back is not working for the following attributes:
1. In Active Directory, make sure that the MSOL_AD_Sync_RichCoexistence group exists and that the MSOL_AD_Sync user is a member of the group.
2. In the on-premises environment, use Active Directory Users and Computers to open the user properties for the user who is experiencing the issue.
3. On the Security tab, click Advanced.
   Note: You must enable advanced features to complete step 3.
4. Make sure that the MSOL_AD_Sync_RichCoexistence group is listed. If it's not listed, add the group, and then make sure that the group is granted Allow permissions to write to the attributes that are listed previously.
- Open Windows PowerShell, type Import-Module DirSync, and then press Enter.
- Type the following cmdlet, and then press Enter:
- When you're prompted for credentials, enter your enterprise admin credentials.
- Checks that directory synchronization is running. If directory synchronization is running, the following warning message is displayed:
- Sets Write permissions on all attributes for the MSOL_AD_SYNC account that directory synchronization created in the on-premises environment.
- Loads the Source MA and metaverse configurations for the write-back option that was selected. To do this, the Set-MSOnlineWriteBack cmdlet runs the Import-MIISServerConfig [-file path] cmdlet, where file path represents the location of the MA and metaverse config files that are included with the directory synchronization installation.
- Sets the AD MA credentials because the cmdlet has installed a “new” Source MA by using the following cmdlet:
Set-MIISADMAconfiguration [-forest] [-login] [-password] [-MA Name]
- Sets the Target MA credentials by using the following cmdlet.
Set-MIISExtMAConfiguration [-MOAC login] [-MOAC password] [-connection URL] [-MA Name]
- Sets the FullSyncNeeded registry value to indicate a full synchronization.
- Calls Start-OnlineCoexistenceSync to start directory synchronization by using the new configurations. The first sync is a full synchronization.
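To audit the Step 2 checks, and to see which write permissions the MSOL_AD_Sync account and the MSOL_AD_Sync_RichCoexistence group actually hold on one user object, a read-only script such as the following can be used. It is an added example, not from this article or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, and the function name Get-WriteBackAce and the user 'jdoe' are hypothetical.

```powershell
# Added example, not part of the KB article. Read-only; needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
function Get-WriteBackAce {
    param(
        [Parameter(Mandatory)] [string] $UserSamAccountName,
        [string] $GroupName   = 'MSOL_AD_Sync_RichCoexistence',  # name as given in the article
        [string] $SyncAccount = 'MSOL_AD_Sync'                   # name as given in the article
    )

    # Step 2, check 1: the group exists and the sync account is a member.
    $group = Get-ADGroup -Filter "SamAccountName -eq '$GroupName'"
    if (-not $group) { Write-Warning "Group $GroupName not found."; return }
    $isMember = [bool](Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.SamAccountName -eq $SyncAccount })
    if (-not $isMember) { Write-Warning "$SyncAccount is not a member of $GroupName." }

    # Map schemaIDGUID -> attribute name so each ACE can be read by attribute.
    $attrByGuid = @{}
    Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $attrByGuid[[System.Guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

    # Step 2, check 2: Allow ACEs on the user object that grant WriteProperty
    # to the group or directly to the sync account.
    $user      = Get-ADUser -Identity $UserSamAccountName
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $aces = (Get-Acl -Path "AD:\$($user.DistinguishedName)").Access | Where-Object {
        ($_.IdentityReference.Value -split '\\')[-1] -in ($GroupName, $SyncAccount) -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $writeProp) -ne 0
    }
    if (-not $aces) { Write-Warning "No Allow write ACE found on $($user.DistinguishedName)." }

    foreach ($ace in $aces) {
        # Empty GUID = every attribute; non-attribute GUIDs (e.g. property sets) stay unresolved.
        if ($ace.ObjectType -eq [System.Guid]::Empty)     { $attr = '(all properties)' }
        elseif ($attrByGuid.ContainsKey($ace.ObjectType)) { $attr = $attrByGuid[$ace.ObjectType] }
        else                                              { $attr = $ace.ObjectType }
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Attribute = $attr
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}
# 'jdoe' is a placeholder for the affected user's sAMAccountName.
Get-WriteBackAce -UserSamAccountName 'jdoe' | Format-Table -AutoSize
```

A row showing '(all properties)' means that principal can write every attribute on the user, which is broader than a per-attribute grant and worth recording in a least-privilege review of the sync account.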
Article ID: 2406830 - Last Review: Dec 16, 2016 - Revision: 1