Fixing Azure AD Connect permissions errors using Set-ADSyncExchangeHybridPermissions


If you used a custom install of Azure AD Connect and created your own service account for the connection to your on-premises AD, you will get permissions errors in Azure AD Connect unless you assign the required permissions to that service account. This typically shows up after enabling Exchange Hybrid, although there are other triggers as well, e.g. enabling password writeback.

Errors may look like the following in the Synchronisation Manager:

[Screenshot: permission error shown in the Synchronisation Manager]

If you open the error you can see what it is trying to update; in this case it is adding an X500 address to the proxyAddresses attribute:

[Screenshot: error details showing the proxyAddresses update]

The Set-ADSyncExchangeHybridPermissions cmdlet sets the permissions required for Exchange Hybrid sync and allows the account used by the connector to write back the required Exchange-related AD attributes. However, you may wonder what this command is actually going to do, and how you can test it and limit the permissions to specific OUs.

You might also wonder which attributes are written back, and why they are required. This is detailed here: https://docs.microsoft.com/en-gb/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized#exchange-hybrid-writeback

A couple of important ones:

proxyAddresses: the X500 address is written back, which allows users to reply to old email and modify old calendar items (see https://blogs.technet.microsoft.com/sbs/2009/05/21/cannot-reply-to-old-emails-or-modify-old-calendar-items-after-pst-mail-migration/ for a nice explanation of this).

Another is publicDelegates, which ‘Allows an Exchange Online mailbox to be granted SendOnBehalfTo rights to users with on-premises Exchange mailbox’; again, useful functionality.

So you can see why it is important to resolve this.

You have two options to fix this:

  1. Set the permissions manually using AD Users and Computers.
  2. Use Set-ADSyncExchangeHybridPermissions.

For the first fix, just set the permissions using ADUC and add Read/Write permissions for the Azure AD Connect account.

The second fix is better, however, since it sets all the required permissions in one go and lets you easily target individual OUs with a single PowerShell command.

First, you need to import the AdSyncConfig module; see https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account for more info on this. You also need RSAT installed, if you don’t have it already, since the module uses tools such as dsacls.

Install-WindowsFeature RSAT-AD-Tools

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

To check all the cmdlets included in this module you can type:

Get-Command -Module AdSyncConfig

Double check which account you are using:

Get-ADSyncADConnectorAccount

Get the DN of your OU and then run the command for that OU:

Get-ADOrganizationalUnit -Filter * | Where-Object {$_.DistinguishedName -like "*active users*"}

Set-ADSyncExchangeHybridPermissions -ADConnectorAccountName 'svc_adsync' -ADConnectorAccountDomain 'mds.cloudrun.uk' -ADobjectDN 'OU=Active users,OU=Cloud,OU=Users,OU=Domain Management,DC=mds,DC=cloudrun,DC=uk'
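The steps above, combined into one script as an added example (this is not code from the original post or from the AdSyncConfig module). It checks the connector account first, refuses to continue if the OU wildcard matches more than one OU (a wildcard like "*active users*" can match unintended OUs, which would grant write rights more widely than planned), and wraps the grant in ShouldProcess so it can be previewed with -WhatIf. The account name, domain and OU name are the post's sample values; the ADConnectorAccountName property read from Get-ADSyncADConnectorAccount is an assumption, so compare against Format-List output if your module version reports it differently.

```powershell
# Added example, not part of the original post or the AdSyncConfig module.
# Sample values (svc_adsync, mds.cloudrun.uk, 'Active users') are taken from the post.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$AccountName   = 'svc_adsync',
    [string]$AccountDomain = 'mds.cloudrun.uk',
    [string]$OuNamePattern = 'Active users'
)

# The AdSyncConfig module shells out to dsacls.exe, which ships with RSAT.
if (-not (Get-WindowsFeature -Name RSAT-AD-Tools).Installed) {
    Install-WindowsFeature -Name RSAT-AD-Tools | Out-Null
}
Import-Module ActiveDirectory
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

# Sanity check: only grant rights to the account the connector actually runs as.
# Assumption: the cmdlet's output exposes an ADConnectorAccountName property.
$connector = Get-ADSyncADConnectorAccount
if ($connector.ADConnectorAccountName -notcontains $AccountName) {
    throw "Get-ADSyncADConnectorAccount does not report '$AccountName' as a connector account: $($connector | Out-String)"
}

# Resolve the target OU and insist on exactly one match before touching any ACL.
$ous = @(Get-ADOrganizationalUnit -Filter * |
         Where-Object { $_.DistinguishedName -like "*$OuNamePattern*" })
if ($ous.Count -ne 1) {
    throw "Expected exactly one OU matching '*$OuNamePattern*', found $($ous.Count): $($ous.DistinguishedName -join '; ')"
}
$ouDn = $ous[0].DistinguishedName

# ShouldProcess provides -WhatIf / -Confirm; run the script with -WhatIf first to see the target.
if ($PSCmdlet.ShouldProcess($ouDn, "Grant Exchange Hybrid writeback permissions to $AccountDomain\$AccountName")) {
    Set-ADSyncExchangeHybridPermissions -ADConnectorAccountName   $AccountName `
                                        -ADConnectorAccountDomain $AccountDomain `
                                        -ADobjectDN               $ouDn
}
```

Run it once with -WhatIf to confirm the resolved OU DN is the one you expect, then again without it to apply the permissions. Scoping the grant to a single OU rather than the domain root is what keeps the connector account's write access limited to the objects it actually needs to update.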

This cmdlet will set the following permissions:

Type    Access                     Applies To
Allow   Read/Write all properties  Descendant User objects
Allow   Read/Write all properties  Descendant InetOrgPerson objects
Allow   Read/Write all properties  Descendant Group objects
Allow   Read/Write all properties  Descendant Contact objects

You could equally manually set Read/Write permissions using the security tab on the OU, or on individual user accounts.
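Whichever route you take, it is worth reading the ACL back to confirm the four entries in the table above actually exist for the connector account. The following is an added example (not from the original post) that does this with Get-Acl on the AD: drive. It resolves each object class to its schemaIDGUID from the schema partition rather than hard-coding GUIDs, collects every Allow ACE for the trustee that applies to descendants of that class and to all properties, and reports whether both ReadProperty and WriteProperty are present. Account, domain and OU DN are the post's sample values.

```powershell
# Added example, not part of the original post. Verifies the ACEs that
# Set-ADSyncExchangeHybridPermissions (or a manual ADUC grant) should have created.
param(
    [string]$AccountName   = 'svc_adsync',
    [string]$AccountDomain = 'mds.cloudrun.uk',
    [string]$OuDn = 'OU=Active users,OU=Cloud,OU=Users,OU=Domain Management,DC=mds,DC=cloudrun,DC=uk'
)
Import-Module ActiveDirectory

# Each ACE is stored as "Allow <rights> on descendant objects of class <schemaIDGUID>",
# so look the class GUIDs up in the schema instead of hard-coding them.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$classGuids = @{}
foreach ($class in 'user', 'inetOrgPerson', 'group', 'contact') {
    $schemaObj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$class)" -Properties schemaIDGUID
    $classGuids[$class] = [guid]$schemaObj.schemaIDGUID
}

# dsacls records the trustee as DOMAIN\account, which is also how Get-Acl reports it.
$netbios = (Get-ADDomain -Identity $AccountDomain).NetBIOSName
$trustee = "$netbios\$AccountName"
$acl     = Get-Acl -Path "AD:\$OuDn"

$readBit  = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$writeBit = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$results = foreach ($class in $classGuids.Keys) {
    # OR together the rights of every matching Allow ACE: "all properties" means an
    # empty ObjectType, and "descendant <class>" means InheritedObjectType = class GUID.
    $rights = 0
    $acl.Access |
        Where-Object {
            $_.IdentityReference.Value -eq $trustee -and
            $_.AccessControlType -eq 'Allow' -and
            $_.InheritedObjectType -eq $classGuids[$class] -and
            $_.ObjectType -eq [guid]::Empty
        } |
        ForEach-Object { $rights = $rights -bor [int]$_.ActiveDirectoryRights }

    [pscustomobject]@{
        Class = $class
        Read  = (($rights -band $readBit)  -ne 0)
        Write = (($rights -band $writeBit) -ne 0)
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not ($_.Read -and $_.Write) }) {
    Write-Warning "$trustee is missing Read/Write on one or more object classes under $OuDn"
    exit 1
}
```

A class that reports Read or Write as False is one the connector still cannot update, which is exactly the condition behind the proxyAddresses error shown earlier. Because the rights are checked as bit flags, the script accepts either a single GenericRead/GenericWrite ACE (as written by dsacls) or separate Read/Write entries added manually in ADUC.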

The output of the command looks like the following:

[Screenshot: output of Set-ADSyncExchangeHybridPermissions]
