Azure AD Connect Permission issue: Error 8344 insufficient access rights to perform the operation

Posted on 10/08/2021, updated 25/03/2024, by Christian. 14 Comments.

Azure AD Connect is a tool for connecting on-premises identity infrastructure to Microsoft Azure AD. The wizard deploys and configures the prerequisites and components required for the connection, including synchronization and sign-on. Azure AD Connect encompasses the functionality that was previously released as DirSync and Azure AD Sync. See our guide on how to synchronize your on-premises AD with Azure Active Directory using the Azure AD Connect tool, and our guide on how to use the built-in Azure AD Connect troubleshooting tool. In this article, you will learn how to fix the Azure AD Connect permission issue: Error 8344 insufficient access rights to perform the operation.

Note: Microsoft Entra ID is the new name for Azure AD. The names Azure Active Directory, Azure AD, and AAD are replaced with Microsoft Entra ID. Microsoft Entra is the name for the product family of identity and network access solutions.

Azure AD Connect uses three accounts to synchronize information from on-premises Active Directory to Azure Active Directory:

  • the AD DS Connector account, used to read and write information in Windows Server Active Directory;
  • the ADSync service account, used to run the synchronization service and access the SQL database;
  • the Azure AD Connector account, used to write information to Azure AD.

Azure Hybrid Identity Features

Azure AD Connect is the Microsoft tool designed to meet your hybrid identity goals. It provides the following features:

1: Password hash synchronization: A sign-in method that synchronizes a hash of a user’s on-premises AD password with Azure AD.

2: Pass-through authentication: A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn’t require the additional infrastructure of a federated environment.

3: Federation integration: Federation is an optional part of Azure AD Connect. It can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.

4: Synchronization: Responsible for creating users, groups, and other objects, and for making sure that the identity information for your on-premises users and groups matches the cloud. This synchronization also includes password hashes.

5: Health Monitoring: Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity.

Reason for the Error “Azure AD Connect Permission issue: Error 8344 insufficient access rights to perform the operation”

You may also encounter issues adding directories with the service account. You can still add the on-premises environment (directory) even if the service account does not have the right permissions.

However, you may then find the following error in the “Synchronization Service Manager”: “permission issues with error code 8344: insufficient access rights to perform the operation”.


Fix the “Azure AD Connect Permission issue”

To resolve this issue, grant the necessary permissions to the service account used on the AD Connect server. This can be done by adding the service account to the Administrators group (in Builtin).

It is recommended to let Azure AD Connect create the synchronization account, or you can specify a synchronization account with the correct permissions. I pre-provisioned one and this is absolutely fine!



Most of the time, this alone isn’t sufficient. You will also have to add the service account as a member of the Administrators group in Active Directory.

You cannot use your Enterprise or Domain Administrator account as your AD forest account.

This resolved my import issue. Next, go to the Azure AD Connect server, open Synchronization Service Manager and rerun the synchronization. Check that the sync status shows the run completed without errors.
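Rerunning the synchronization and checking its outcome can also be done from PowerShell on the Azure AD Connect server. The block below is an added example, not part of the original post: it uses the ADSync module’s Start-ADSyncSyncCycle and Get-ADSyncConnectorRunStatus cmdlets, then searches the Application event log for the 8344 message text. Matching on the message text rather than on a specific event ID is an assumption about how the error surfaces in the log.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the Azure AD Connect server; the ADSync module ships with it.
Import-Module ADSync

# Start a delta sync cycle, the equivalent of re-running the profile in
# Synchronization Service Manager.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
$started = Get-Date

# Get-ADSyncConnectorRunStatus returns an object per connector that is
# currently running and returns nothing once the cycle has finished.
do {
    Start-Sleep -Seconds 10
} while (Get-ADSyncConnectorRunStatus)

# Assumption: the 8344 failure is recognisable by its message text in the
# Application log; match on text instead of relying on a single event ID.
$errors = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $started } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '8344|insufficient access rights' }

if ($errors) {
    $errors | Select-Object TimeCreated, Id, ProviderName, Message | Format-List
} else {
    "No 'insufficient access rights' (8344) errors logged since $started."
}
```

If the run still reports 8344 for a subset of objects only, the permission problem is usually per-object (blocked inheritance) rather than at the domain level, which is what the note below addresses.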

Note: If you are using Password Hash Sync (PHS), you may prefer to configure the required permissions with a PowerShell script, or to enable inheritance on the specific users affected.

To resolve this issue, perform the following steps:

  • Run the Active Directory inheritance script to get a list of users on which inheritance is blocked. Once you have the list, make sure that you allow inheritance on those users and groups.
  • To allow inheritance, make sure Advanced Features is enabled in the View menu of Active Directory Users and Computers, then go to the user’s Properties –> Security –> Advanced and select the check box “Include inheritable permissions from this object’s parent”.
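Both steps above, and the permission delegation the note mentions, can be scripted. The block below is an added example, not the post’s script or Microsoft’s: it first delegates only the permissions Password Hash Sync needs using the ADSyncConfig module that ships with Azure AD Connect (the module path is assumed to be the default install location), which is the least-privilege alternative to placing the connector account in the Administrators group; it then lists the users whose ACL blocks inheritance and re-enables inheritance on them. The account CONTOSO\svc_aadc is a placeholder.

```powershell
# Added example (not from the original post). Assumes:
#   - run as a Domain Admin on the Azure AD Connect server
#   - the AD DS Connector account is CONTOSO\svc_aadc (placeholder)
#   - AdSyncConfig.psm1 is in the default Azure AD Connect install folder (assumption)
Import-Module ActiveDirectory
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'

$ConnectorAccount = 'svc_aadc'
$ConnectorDomain  = 'CONTOSO'

# 1. Delegate only what the sync engine needs on the domain naming context:
#    basic read rights plus the Replicating Directory Changes rights used by
#    Password Hash Sync. No Administrators / Domain Admins membership required.
Set-ADSyncBasicReadPermissions        -ADConnectorAccountName $ConnectorAccount -ADConnectorAccountDomain $ConnectorDomain
Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountName $ConnectorAccount -ADConnectorAccountDomain $ConnectorDomain

# 2. Find users whose security descriptor blocks inheritance. Permissions
#    delegated at the domain or OU level never reach these objects, so the
#    sync fails with 8344 for them alone.
$blocked = Get-ADUser -Filter * -Properties nTSecurityDescriptor |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected }

"Users with inheritance blocked: $($blocked.Count)"
$blocked | Select-Object Name, DistinguishedName | Format-Table -AutoSize

# 3. Re-enable inheritance, the scripted equivalent of ticking
#    "Include inheritable permissions from this object's parent".
foreach ($user in $blocked) {
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    # SetAccessRuleProtection(isProtected, preserveInheritance):
    # $false = inherit again; the second argument is ignored when unprotecting.
    $acl.SetAccessRuleProtection($false, $false)
    Set-Acl -Path $path -AclObject $acl
}
```

Test this against a pilot OU before running it domain-wide. One caveat: accounts protected by AdminSDHolder (members of Domain Admins and the other protected groups) will have inheritance blocked again by the SDProp process roughly an hour later, so for those accounts either keep them out of the protected groups or expect the 8344 error to return for them.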

I hope you found this blog post helpful on how to fix the Azure AD Connect permission issue: Error 8344 insufficient access rights to perform the operation. If you have any questions, please let me know in the comment section.

Comments (14) on “Azure AD Connect Permission issue: Error 8344 insufficient access rights to perform the operation”

  1. Georgescu Ionut says:
    06/12/2021 at 2:47 PM

    Thank you Christian.
    This worked for me.

    1. Christian says:
      06/12/2021 at 5:10 PM

      You are welcome

  2. James Bonnet says:
    06/01/2022 at 7:34 PM

    Most other forums talk about the “Replicating Directory Changes” permission to the domain but my sync account already had this so it wasn’t useful.

    This worked for me after a long search. Thanks

    1. Christian says:
      23/02/2022 at 11:47 PM

      Thank you, James, for finding the guide useful

  3. Vitus Quinny says:
    05/05/2022 at 12:59 AM

    Hi Christian,

    Thank you for the solution. Adding the service account to the Administrators group solved the issue for me.

    But why exactly does this solve the issue? I’d like to understand what exactly this does.

    1. Vitus Quinny says:
      06/05/2022 at 4:39 PM

      Hi Christian,

      Any response to my query?

      1. Christian says:
        07/05/2022 at 1:00 PM

        Yes, in the resolution block in the guide, I explained why you would need to grant the service account the necessary rights. Kindly take a look at this guide for more information: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions

    2. Christian says:
      07/05/2022 at 12:58 PM

      Sorry about the delays! Since you are using a service account, this is used to run the synchronization service and access the SQL database, and the right permission is needed to perform the sync operation.

  4. Bahaa says:
    13/06/2022 at 10:07 AM

    Thank you so much for your efforts, this worked for me.

    1. Christian says:
      13/06/2022 at 10:12 AM

      You are welcome!

  5. Antonin says:
    28/07/2022 at 3:05 PM

    Wonderful. Thanks for your help.

    1. Christian says:
      28/07/2022 at 3:09 PM

      You are welcome

  6. K_A says:
    03/04/2023 at 6:20 PM

    This worked for me too. Thanks, Christian

    1. Christian says:
      03/04/2023 at 7:11 PM

      Thanks a lot for the kind words…
