cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Disabling Synchronization Rule - Out to AD – User NGCKey in AzureAD Connect.

RajexMSFT
Copper Contributor

‎Aug 11 2020 06:37 AM - last edited on ‎Jan 14 2022 04:56 PM by

‎Aug 11 2020 06:37 AM - last edited on ‎Jan 14 2022 04:56 PM by

Disabling Synchronization Rule - Out to AD – User NGCKey in AzureAD Connect.

I have an on-premise deployment of Windows Hello for business [Certificate Trust] using ADFS 4.0 DRS.

I also have an O365 Apps for Enterprise (Pro-plus) subscription.

The identities (users only) are synced from on-premise to Azure AD. 

Only 8 attributes (Required for O365 Pro-plus is synced), [App Filtering in used]


accountEnabled
cn
displayName
objectSID
pwdLastSet
samAccountName
sourceAnchor
usageLocation
userPrincipalName

 

No device/group write-back is enabled, no other O365 applications are used.

I am seeing plenty of errors like ones mentioned in blog below (Q4) in Synchronization Service , where the service is trying to overwrite/remove the msds-keycredentialLink attribute [Populated to due WH4B provisoning] for insufficient permissions. 

 

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-mailbag-windows-hell...

 

They should be triggered by the synchronization rules listed below

.

IN from AAD - User NGCKey (to DeviceKey in mv)

Out to AD – User NGCKey (from DeviceKey in mv to msds-keycredentialLink in AD)

 

My questions,

 

1. Why does it need to writeback the NGCkey ?

2. Why the errors still persists even if the below rules are disabled ?

 

 

 

4,953 Views
0 Likes
0 Replies
Reply
0 Replies