Disabling Synchronization Rule - Out to AD – User NGCKey in AzureAD Connect.


I have an on-premises deployment of Windows Hello for Business [Certificate Trust] using ADFS 4.0 DRS.

I also have an O365 Apps for Enterprise (ProPlus) subscription.

The identities (users only) are synced from on-premises to Azure AD.

Only 8 attributes (those required for O365 ProPlus) are synced [app filtering in use]:
accountEnabled
cn
displayName
objectSID
pwdLastSet
samAccountName
sourceAnchor
usageLocation
userPrincipalName

No device or group writeback is enabled, and no other O365 applications are used.

I am seeing plenty of errors in the Synchronization Service like the ones mentioned in the blog below (Q4), where the service is trying to overwrite/remove the msDS-KeyCredentialLink attribute [populated by WHfB provisioning] and fails with insufficient permissions.


https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-mailbag-windows-hello-for-business/ba-p/445349


They should be triggered by the synchronization rules listed below:

IN from AAD - User NGCKey (to DeviceKey in mv)

Out to AD – User NGCKey (from DeviceKey in mv to msDS-KeyCredentialLink in AD)


My questions:

1. Why does it need to write back the NGC key?

2. Why do the errors still persist even if the rules above are disabled?

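The two checks a practitioner would run on an Azure AD Connect server before concluding that the NGCKey rules are the source of these errors, as an added PowerShell example that is not part of the original post. It assumes the ADSync module (shipped with Azure AD Connect) and the ActiveDirectory RSAT module are available, and the sample user DN and the AD DS connector (MSOL_*) account are placeholders to replace with real values. It lists every sync rule, default or custom, whose attribute flow touches msDS-KeyCredentialLink, and then checks whether the connector account holds a write grant on that attribute for one synced user.

```powershell
# Added example, not part of the original post. Inventories the Azure AD Connect
# sync rules that flow to or from msDS-KeyCredentialLink and checks whether the
# AD DS connector account is allowed to write that attribute on a sample user.
# Run on the Azure AD Connect server in an elevated PowerShell session.
# Assumptions: the ADSync module (shipped with Azure AD Connect) and the
# ActiveDirectory RSAT module are available; the two placeholder values below
# must be replaced with real ones from your environment.

Import-Module ADSync
Import-Module ActiveDirectory

$TargetAttribute  = 'msDS-KeyCredentialLink'
$SampleUserDn     = 'CN=Jane Doe,OU=Users,DC=corp,DC=example'   # placeholder: DN of a synced user that hits the error
$ConnectorAccount = 'CORP\MSOL_0123456789ab'                    # placeholder: the AD DS connector (MSOL_*) account

function Get-KeyCredentialLinkFlows {
    <#
      Lists every sync rule, default or custom, enabled or disabled, that has an
      attribute flow whose source or destination is msDS-KeyCredentialLink. If a
      rule other than the two NGCKey rules shows up here, that rule keeps flowing
      the attribute even after those two are disabled.
    #>
    param([string]$Attribute = $TargetAttribute)

    foreach ($rule in Get-ADSyncRule) {
        foreach ($flow in $rule.AttributeFlowMappings) {
            $sources = @($flow.Source)
            if ($flow.Destination -eq $Attribute -or $sources -contains $Attribute) {
                [pscustomobject]@{
                    Name        = $rule.Name
                    Direction   = $rule.Direction
                    Disabled    = $rule.Disabled
                    Precedence  = $rule.Precedence
                    FlowType    = $flow.FlowType
                    Source      = ($sources -join ',')
                    Destination = $flow.Destination
                }
            }
        }
    }
}

function Test-ConnectorCanWriteAttribute {
    <#
      Returns $true if the connector account holds an Allow ACE on the sample
      object that grants WriteProperty (or GenericWrite/GenericAll) either on
      all properties (empty ObjectType) or specifically on the attribute's
      schemaIDGUID. The GUID is resolved from the schema, not hard-coded.
    #>
    param(
        [string]$ObjectDn  = $SampleUserDn,
        [string]$Account   = $ConnectorAccount,
        [string]$Attribute = $TargetAttribute
    )

    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$Attribute)" -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute '$Attribute' not found in the schema." }
    $attrGuid = [guid]$attr.schemaIDGUID

    $writeMask = [int]([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                       [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                       [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)

    $acl = Get-Acl -Path "AD:\$ObjectDn"
    $matching = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Account -and
        (([int]$_.ActiveDirectoryRights -band $writeMask) -ne 0) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $attrGuid)
    }
    return [bool]$matching
}

# Usage
Get-KeyCredentialLinkFlows | Sort-Object Direction, Precedence | Format-Table -AutoSize
"Connector account can write $TargetAttribute on the sample user: $(Test-ConnectorCanWriteAttribute)"
```

Two caveats on the permission check: it only matches ACEs granted directly to the connector account, so a grant inherited through group membership will not show up, and for a user with adminCount=1 the ACL comes from AdminSDHolder rather than the OU, which is a common reason writeback permissions granted at OU level do not apply. Use a user that actually appears in the export errors as the sample DN.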