If you used a custom install of Azure AD Connect and created your own service account for the connection to your on-premises AD, you will find that you get permissions errors in Azure AD Connect unless you assign some permissions to the service account. Specifically, this can happen after enabling Exchange Hybrid, although there are other instances as well e.g. if you enable password writeback.
Errors may look like below in the Synchronisation Manager:
If you open the error you will see what it is trying to update, in this case, it is adding an X500 address to the proxyAddresses attribute:
The Set-ADSyncExchangeHybridPermissions command will fix the permissions required for Exchange Sync, and allow the account used by the connector to write back the required Exchange related AD attributes. However, you may wonder what this command is going to do, and how you can test and limit the permissions to specific OUs.
You might also wonder what attributes are changed, and why they are required. This is detailed here: https://docs.microsoft.com/en-gb/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized#exchange-hybrid-writeback
A couple of important ones:
proxyAddresses: the X500 address is written back, which allows users to reply to old email and modify old calendar items (see https://blogs.technet.microsoft.com/sbs/2009/05/21/cannot-reply-to-old-emails-or-modify-old-calendar-items-after-pst-mail-migration/ for a nice explanation of this).
Also publicDelegates, which ‘Allows an Exchange Online mailbox to be granted SendOnBehalfTo rights to users with on-premises Exchange mailbox’, again useful functionality.
So you can see why it is important to resolve this.
You have two options to fix this:
- Set the permissions manually using AD Users and Computers.
- Use Set-ADSyncExchangeHybridPermissions.
For the first fix, just set the permission using ADUC and add Read/Write permissions for the Azure AD Connect account.
The second fix is better, however, since it sets all permissions required, and allows you to easily target individual OUs with a PowerShell command.
First, you need to import the AdSyncConfig module; see https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account for more info on this. You need RSAT installed if you don’t already have it, since the module uses tools such as dsacls.
Install-WindowsFeature RSAT-AD-Tools
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
To check all the cmdlets included in this module you can type:
Get-Command -Module AdSyncConfig
Double check which account you are using:
Get-ADSyncADConnectorAccount
Get the DN of your OU and then run the command for that OU:
Get-ADOrganizationalUnit -Filter * | Where-Object {$_.DistinguishedName -like "*active users*"}
Set-ADSyncExchangeHybridPermissions -ADConnectorAccountName 'svc_adsync' -ADConnectorAccountDomain 'mds.cloudrun.uk' -ADobjectDN 'OU=Active users,OU=Cloud,OU=Users,OU=Domain Management,DC=mds,DC=cloudrun,DC=uk'
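The steps above, run end to end as one script. This is an added example, not code from the original post or from the AdSyncConfig module: it resolves the OU by exact name instead of a wildcard, saves the OU's security descriptor before the change so it can be reviewed or rolled back, and lists the explicit ACEs the account holds afterwards. The account name, domain and OU name are placeholders to replace with your own values.

```powershell
# Added example (not from the original post): apply the Exchange Hybrid
# permission fix to a single OU, after saving a copy of the OU's security
# descriptor so the change can be reviewed or rolled back.
# Account, domain and OU name are placeholders for your own values.
#Requires -RunAsAdministrator

$ConnectorAccount = 'svc_adsync'       # assumed: the AD DS connector (service) account
$ConnectorDomain  = 'mds.cloudrun.uk'  # assumed: domain of that account
$OuName           = 'Active users'     # assumed: OU to scope the permissions to
$SddlBackup       = "$env:TEMP\$($OuName -replace '\s','_')-sddl-before.txt"

# AdSyncConfig shells out to dsacls.exe, which ships with RSAT-AD-Tools.
if (-not (Get-WindowsFeature -Name RSAT-AD-Tools).Installed) {
    Install-WindowsFeature -Name RSAT-AD-Tools | Out-Null
}
Import-Module ActiveDirectory
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

# Show which account the connector really uses and stop if it is not the one we expect.
# The rendered output is matched as text so this does not depend on column names.
$accountInfo = Get-ADSyncADConnectorAccount
$accountInfo | Format-Table -AutoSize
if (($accountInfo | Out-String) -notmatch [regex]::Escape($ConnectorAccount)) {
    throw "Connector is not running as '$ConnectorAccount'; check the values above before granting rights."
}

# Resolve the OU by exact name; refuse to continue on zero or multiple matches
# rather than relying on a wildcard that could pick the wrong container.
$ous = @(Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'")
if ($ous.Count -ne 1) {
    throw "Expected one OU named '$OuName', found $($ous.Count)."
}
$ouDn = $ous[0].DistinguishedName

# Keep the current security descriptor (SDDL) so it can be restored with
# SetSecurityDescriptorSddlForm + Set-Acl if the result is not what you wanted.
(Get-Acl -Path "AD:\$ouDn").Sddl | Set-Content -Path $SddlBackup
Write-Host "Saved pre-change SDDL for $ouDn to $SddlBackup"

Set-ADSyncExchangeHybridPermissions -ADConnectorAccountName $ConnectorAccount `
                                    -ADConnectorAccountDomain $ConnectorDomain `
                                    -ADobjectDN $ouDn

# List the explicit (non-inherited) ACEs the account now holds on the OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like "*\$ConnectorAccount" } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the Azure AD Connect server. The saved SDDL file is the rollback point: if the resulting ACEs are broader than you intended, load the string back with SetSecurityDescriptorSddlForm on the OU's ACL object and apply it with Set-Acl.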
This cmdlet will set the following permissions:

Type  | Access                    | Applies To
Allow | Read/Write all properties | Descendant User objects
Allow | Read/Write all properties | Descendant InetOrgPerson objects
Allow | Read/Write all properties | Descendant Group objects
Allow | Read/Write all properties | Descendant Contact objects
You could equally manually set Read/Write permissions using the security tab on the OU, or on individual user accounts.
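Whichever way you set them, it is worth checking afterwards that the account holds exactly the four entries in the table and nothing broader. The following audit script is an added example, not code from the original post or from the AdSyncConfig module: it reads the explicit ACEs granted to the connector account on the OU, looks up each object class's schemaIDGUID in the schema partition (so no GUIDs are hard-coded), and reports each ACE against the expected shape (Allow, ReadProperty/WriteProperty only, applied to all properties, inherited by descendant objects of one of the four classes). The account name and OU DN are placeholders.

```powershell
# Added example (not from the original post): audit the ACEs that the connector
# account holds on an OU and compare them with the four entries in the table above.
# The account name and OU DN are placeholders; adjust them to your environment.
Import-Module ActiveDirectory

$ConnectorAccount = 'svc_adsync'   # assumed: the AD DS connector account
$OuDn = 'OU=Active users,OU=Cloud,OU=Users,OU=Domain Management,DC=mds,DC=cloudrun,DC=uk'
$ExpectedClasses = 'user', 'inetOrgPerson', 'group', 'contact'

# Look up each object class's schemaIDGUID in the schema partition instead of
# hard-coding GUIDs; InheritedObjectType on an ACE carries this value.
$schemaNc    = (Get-ADRootDSE).schemaNamingContext
$classByGuid = @{}
foreach ($class in $ExpectedClasses) {
    $obj = Get-ADObject -SearchBase $schemaNc -Filter "lDAPDisplayName -eq '$class'" -Properties schemaIDGUID
    $classByGuid[([guid]$obj.schemaIDGUID).ToString()] = $class
}

# "Read/Write all properties" = ReadProperty + WriteProperty with an empty ObjectType.
$readWrite   = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Only explicit (non-inherited) ACEs granted to the connector account on this OU.
$aces = (Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like "*\$ConnectorAccount" }

$seenClasses = @()
$report = foreach ($ace in $aces) {
    $class = $classByGuid[$ace.InheritedObjectType.ToString()]
    if ($class) { $seenClasses += $class }

    # Any right outside ReadProperty/WriteProperty is broader than the table promises.
    $extraRights = [int]$ace.ActiveDirectoryRights -band (-bnot $readWrite)
    $allProps    = ($ace.ObjectType -eq [guid]::Empty)

    [pscustomobject]@{
        AppliesTo   = if ($class) { "Descendant $class objects" } else { "Other ($($ace.InheritedObjectType))" }
        Type        = $ace.AccessControlType
        Rights      = $ace.ActiveDirectoryRights
        Inheritance = $ace.InheritanceType
        AllProps    = $allProps
        Matches     = ($ace.AccessControlType -eq 'Allow' -and [bool]$class -and
                       $extraRights -eq 0 -and $ace.InheritanceType -eq $descendants -and $allProps)
    }
}
$report | Format-Table -AutoSize

$missing = $ExpectedClasses | Where-Object { $seenClasses -notcontains $_ }
if ($missing) {
    Write-Warning "No explicit ACE for $ConnectorAccount on descendant: $($missing -join ', ')"
}
if ($report | Where-Object { -not $_.Matches }) {
    Write-Warning "One or more ACEs differ from the expected set; review the Matches column."
}
```

A row with Matches = False is the thing to look at: either a right beyond ReadProperty/WriteProperty, an ACE scoped to a single property rather than all, or an ACE applying to the OU itself (This object) or to a class not in the table. The script only reports; it changes nothing.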
The output of the command looks like below: