Attributes for Exchange Online aren't written back to the on-premises Active Directory directory service in an Exchange hybrid deployment
After you set up Exchange federation for a hybrid deployment scenario, when you try to use the Microsoft Azure Active Directory Sync tool to sync Azure Active Directory (Azure AD) with your on-premises Active Directory, the following issues may occur:
- Changes that are made to objects through the Exchange admin center or Exchange Online PowerShell aren't synced to the on-premises Active Directory installation.
- Exchange Server features that are expected to work together for the cloud and on-premises don't work as expected.
- You can't view or share online calendars with on-premises users or Exchange Online users.
- You don't receive the most current free/busy information between on-premises and cloud users.
- Error 8344 occurs in Microsoft Identity Integration Server (MIIS) with the message "Insufficient access rights to perform the operation."
To resolve this issue, follow these steps.
Step 1: Run the Azure Active Directory Sync tool Configuration Wizard
Make sure that the latest version of the Directory Sync tool is installed and that you run the Azure Active Directory Sync tool Configuration Wizard. When you run the wizard, one screen prompts you to enable rich coexistence. Complete the wizard, and then start directory synchronization.
Alternatively, you can run the Enable-MSOnlineRichCoexistence cmdlet after the Directory Sync tool is installed to enable the write-back feature. This cmdlet must be run by using enterprise admin credentials, that is, by the enterprise admin.
Step 2: Confirm MSOL_AD_Sync_RichCoexistence permissions
If step 1 doesn't resolve the issue, check that the MSOL_AD_Sync user belongs to the MSOL_AD_Sync_RichCoexistence group, and that the group has Allow permissions on the user object of the user who is experiencing the issue, for the following attributes where write-back is not working:
- In Active Directory, make sure that the MSOL_AD_Sync_RichCoexistence group exists and that the MSOL_AD_Sync user is a member of the group.
- In the on-premises environment, use Active Directory Users and Computers to open the user properties for the user who is experiencing the issue.
- On the Security tab, click Advanced.
Note: You must enable advanced features in Active Directory Users and Computers to complete step 3.
- Make sure that the MSOL_AD_Sync_RichCoexistence group is listed. If it's not listed, add the group, and then make sure that the group is granted Allow permissions to write to the attributes that are listed previously.
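The following PowerShell is an added example, not part of the KB article, that audits the Step 2 prerequisites on one user object: whether the group exists, whether MSOL_AD_Sync is a member, and which ACEs on the user object grant MSOL_AD_Sync_RichCoexistence a write right (Allow or Deny, and whether inheritance from the OU is blocked). It assumes the ActiveDirectory RSAT module and its AD: drive; the user name in the usage line is a placeholder.

```powershell
# Added example, not from the KB article. Assumes the ActiveDirectory (RSAT) module is installed.
Import-Module ActiveDirectory

function Test-RichCoexistenceWriteBack {
    param(
        [Parameter(Mandatory)] [string] $UserSam,              # user whose attributes aren't written back
        [string] $SyncAccount = 'MSOL_AD_Sync',                # account that directory synchronization created
        [string] $SyncGroup   = 'MSOL_AD_Sync_RichCoexistence' # group that must hold the write permissions
    )

    # Check 1: the group exists and the sync account is a (possibly nested) member of it.
    $group    = Get-ADGroup -Identity $SyncGroup -ErrorAction Stop
    $isMember = [bool](Get-ADGroupMember -Identity $group -Recursive |
                       Where-Object { $_.SamAccountName -eq $SyncAccount })

    # Check 2: ACEs on the user object that name the group (what the Advanced security tab in ADUC shows).
    # Get-Acl returns explicit and inherited ACEs, so permissions granted at the OU level are included.
    $user      = Get-ADUser -Identity $UserSam -ErrorAction Stop
    $acl       = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
    $groupAces = $acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$SyncGroup" }

    # Any of these rights lets the group write attributes. A WriteProperty ACE may be scoped to one
    # attribute (ObjectType is that attribute's schema GUID) or to all attributes (ObjectType is all zeros).
    $writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, GenericWrite, GenericAll'
    $writeAces = $groupAces | Where-Object { ([int]$_.ActiveDirectoryRights -band $writeMask) -ne 0 }

    [pscustomobject]@{
        User               = $user.SamAccountName
        SyncAccountInGroup = $isMember
        AllowWriteAces     = @($writeAces | Where-Object AccessControlType -eq 'Allow').Count
        DenyWriteAces      = @($writeAces | Where-Object AccessControlType -eq 'Deny').Count  # a Deny overrides an Allow
        InheritanceBlocked = $acl.AreAccessRulesProtected  # $true: Allow ACEs set on the OU do not reach this object
        WriteAceScopes     = @($writeAces | ForEach-Object {
                                 if ($_.ObjectType -eq [guid]::Empty) { 'All attributes' } else { $_.ObjectType }
                             })
    }
}

# Usage (placeholder user name). A correctly configured object shows SyncAccountInGroup = True,
# AllowWriteAces greater than 0 and DenyWriteAces = 0; anything else matches the symptoms above.
Test-RichCoexistenceWriteBack -UserSam 'jdoe' | Format-List
```

The WriteAceScopes values are schema GUIDs when the Allow ACE is attribute-specific; compare them against the attributes whose write-back is failing rather than assuming an Allow entry covers them.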
To run the Enable-MSOnlineRichCoexistence cmdlet, follow these steps:
- Open Windows PowerShell, type Import-Module DirSync, and then press Enter.
- Type Enable-MSOnlineRichCoexistence, and then press Enter.
- When you're prompted for credentials, enter your enterprise admin credentials.
When it runs, the Enable-MSOnlineRichCoexistence cmdlet performs the following actions:
- Checks that directory synchronization is running. If directory synchronization is running, the following warning message is displayed: MSO directory sync is syncing please try again later.
- Sets Write permissions on all attributes for the MSOL_AD_SYNC account that directory synchronization created in the on-premises environment.
- Loads the Source MA and metaverse configurations for the write-back option that was selected. To do this, the Set-MSOnlineWriteBack cmdlet runs the Import-MIISServerConfig [-file path] cmdlet, where file path represents the location of the MA and metaverse config files that are included with the directory synchronization installation.
- Sets the AD MA credentials, because the cmdlet has installed a "new" Source MA, by using the following cmdlet:
Set-MIISADMAconfiguration [-forest] [-login] [-password] [-MA Name]
- Sets the Target MA credentials by using the following cmdlet:
Set-MIISExtMAConfiguration [-MOAC login] [-MOAC password] [-connection URL] [-MA Name]
- Sets the FullSyncNeeded registry value to indicate a full synchronization.
- Calls Start-OnlineCoexistenceSync to start directory synchronization by using the new configurations. The first sync is a full synchronization.
Article ID: 2406830 - Last Review: 12/12/2014 03:27:00 - Revision: 36.0
Microsoft Azure cloud services, Microsoft Azure Active Directory, Microsoft Office 365, Microsoft Intune, CRM Online via Office 365 E Plans, Microsoft Azure Recovery Services, Microsoft Exchange Online, Office 365 Identity Management