Azure AD Sync: ‘Insufficient access rights to perform this operation’

KB ID 0001636


With Azure AD replication, you may notice the following error when you look at your connector status;

AAD Permission Issue Insufficient Rights

Error: permission-issue
Connected data source error code: 8344
Connected data source error: Insufficient access rights to perform this operation.


Firstly, ensure that the user account the AAD sync runs under has the following permissions on the ‘root’ of your local AD domain.

  • Replicating Directory Changes: Allow
  • Replicating Directory Changes All: Allow

AAD Replication User Rights

If the problem persists, it’s usually because the account that is running the AAD sync does not have the appropriate rights to the mS-DS-ConsistencyGuid attribute for the affected users in the local Active Directory. The following commands will add the appropriate rights for ALL your local users;

# The account the AAD sync connector runs as, and the DN of your domain root
$accountName = "Domain-Name\User-Name"
$ForestDN = "DC=Domain-Name,DC=Domain-Extension"
# Grant Write Property (WP) on ms-ds-consistencyGuid, inherited (/I:S) to all user objects below the root
$cmd = "dsacls '$ForestDN' /I:S /G '`"$accountName`":WP;ms-ds-consistencyGuid;user'"
Invoke-Expression $cmd

Grant AAD User Replication Rights

Lastly, if you have this problem on some ‘sporadic’ users, check that inheritance is enabled on their individual user objects before retrying; an ACE granted at the domain root never reaches a user object whose inheritance is blocked.

Allow Inheritance on AD User
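As an added read-only check (not part of the original KB), the script below verifies the three things the article walks through for the sync account: the two replication rights on the domain root, the WP right on ms-DS-ConsistencyGuid, and which users have inheritance blocked. It assumes the RSAT ActiveDirectory module is installed and that $SyncAccount (a placeholder) is the account the AAD Connect AD connector runs as; GUIDs are looked up from the schema and Extended-Rights containers rather than hard-coded.

```powershell
# Added example, not the KB author's code. Run as a domain user with read access to the directory.
Import-Module ActiveDirectory

$SyncAccount = 'DOMAIN\MSOL_sync'     # placeholder: the AAD Connect connector account
$RootDSE     = Get-ADRootDSE
$DomainDN    = (Get-ADDomain).DistinguishedName
$RootAcl     = Get-Acl -Path "AD:\$DomainDN"

# 1. Replicating Directory Changes / ...All on the domain root.
#    Note: only ACEs granted directly to the account are matched; rights held
#    through group membership are not resolved here.
$ExtRights = Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDSE.configurationNamingContext)" `
    -LDAPFilter '(|(displayName=Replicating Directory Changes)(displayName=Replicating Directory Changes All))' `
    -Properties displayName, rightsGuid
foreach ($r in $ExtRights) {
    $held = $RootAcl.Access | Where-Object {
        $_.IdentityReference.Value -eq $SyncAccount -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq [guid]$r.rightsGuid
    }
    '{0,-40} {1}' -f $r.displayName, $(if ($held) { 'Allow' } else { 'MISSING' })
}

# 2. Write Property on ms-DS-ConsistencyGuid (what the dsacls line in the article grants).
$AttrGuid = [guid](Get-ADObject -SearchBase $RootDSE.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=ms-DS-ConsistencyGuid)' -Properties schemaIDGUID).schemaIDGUID
$wp = $RootAcl.Access | Where-Object {
    $_.IdentityReference.Value -eq $SyncAccount -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -match 'WriteProperty' -and
    $_.ObjectType -eq $AttrGuid
}
'{0,-40} {1}' -f 'WP ms-DS-ConsistencyGuid', $(if ($wp) { 'Allow' } else { 'MISSING' })

# 3. Users whose ACL has inheritance blocked: the 'sporadic' failures the article
#    describes, because the inherited ACE from step 2 never reaches them.
Get-ADUser -Filter * -SearchBase $DomainDN |
    Where-Object { (Get-Acl -Path "AD:\$($_.DistinguishedName)").AreAccessRulesProtected } |
    Select-Object SamAccountName, DistinguishedName
```

Step 3 reads the ACL of every user object, so scope it with a narrower -SearchBase on a large domain.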

Related Articles, References, Credits, or External Links


Author: PeteLong


1 Comment

  1. enable inheritance worked for me, spot on once again!
