Azure AD Connect Export Error 8344: Insufficient Access Rights on AD Connector Account
During Azure AD Connect synchronization, export operations fail with error code 8344 ('Insufficient access rights to perform the operation') when the AD DS connector account (MSOL_ or ADSync account) lacks the necessary permissions on Active Directory OUs or objects. This typically occurs after permission changes, new OU creation, or misconfiguration during setup. Resolution involves identifying the affected connector account and using ADSyncConfig PowerShell cmdlets or the Azure AD Connect wizard to restore the required AD permissions, followed by triggering a fresh sync cycle.
Indicators
- Export Error: permission-issue displayed in Azure AD Connect Synchronization Service Manager Operations tab
- Error code 8344 logged during the synchronization export phase
- Source error message: 'Insufficient access rights to perform the operation'
- On-premises AD users or devices fail to synchronize to Microsoft 365
- Objects fail to export to Azure AD during scheduled or manual sync cycles
- Export step completes with errors visible in Azure AD Connect sync logs
- Azure AD Connect Health alerts reporting export failures on the AD connector
Likely causes
- Azure AD Connect AD DS connector account (MSOL_ or ADSync) lacks sufficient permissions on specific Active Directory OUs or objects
- AD DS connector account permissions were not correctly configured during initial Azure AD Connect setup
- Permissions were manually modified or removed from the connector account after installation
- New OUs or objects were added to Active Directory without granting the sync account the required permissions
- Group Policy or security policy changes inadvertently revoked permissions from the AD Connect connector account
- Custom AD attribute write-back was configured without granting corresponding permissions to the sync account
Diagnostic steps
- Open Azure AD Connect Synchronization Service Manager (miisclient.exe), navigate to the 'Operations' tab, and identify failed export operations. Note the specific objects affected and confirm error code 8344 is present in the error detail.
- In Synchronization Service Manager, go to the 'Connectors' tab, select the on-premises Active Directory connector, and click 'Properties'. Record the AD DS connector account name (typically prefixed MSOL_ or ADSync) listed under 'Connect to Active Directory Forest'.
- Open Active Directory Users and Computers (dsa.msc), enable 'Advanced Features' from the View menu, then right-click the domain root or the specific OU containing the failing objects and select 'Properties' > 'Security'. Verify whether the identified connector account has the required permissions (Read, Write, and any write-back permissions needed).
- Open PowerShell as Administrator and import the ADSync module: Import-Module ADSync. Run Get-ADSyncConnector to confirm the connector account in use, then identify which Set-ADSync*Permissions cmdlets are needed based on your synchronization feature set (e.g., password hash sync, device write-back, ms-DS-ConsistencyGuid).
- Run the appropriate ADSyncConfig permission cmdlets to restore missing permissions. Examples: Set-ADSyncBasicReadPermissions -ADConnectorAccountName '<account>' -ADConnectorAccountDomain '<domain>' for basic read; Set-ADSyncPasswordHashSyncPermissions for password hash sync; Set-ADSyncMsDsConsistencyGuidPermissions for anchor attribute write. Scope to the affected OU using -ADobjectDN if needed.
- Alternatively, re-run the Azure AD Connect configuration wizard, select 'Customize synchronization options', and use the built-in permission repair step to automatically re-apply all required AD permissions for the configured features.
- After applying permissions, confirm they are visible in Active Directory Users and Computers under the Security tab of the affected OU. Then trigger a full synchronization by running in PowerShell: Start-ADSyncSyncCycle -PolicyType Initial. Monitor the Operations tab in Synchronization Service Manager and confirm exports complete without error code 8344.
Resolution path
- Open Synchronization Service Manager (miisclient.exe) and confirm error code 8344 on failed export operations; note the affected objects and OUs
- Identify the AD DS connector account name from the Connectors tab in Synchronization Service Manager
- Review the connector account's current permissions on the affected OUs and domain root in Active Directory Users and Computers (Advanced Features enabled)
- Import the ADSync PowerShell module (Import-Module ADSync) and run the appropriate Set-ADSync*Permissions cmdlets to restore or grant the missing permissions
- Alternatively, re-run the Azure AD Connect wizard and use the built-in permission repair option to automatically re-apply all required permissions
- Verify the permissions are correctly applied by reviewing the Security tab of the affected OU in Active Directory Users and Computers
- Trigger a new full synchronization cycle with Start-ADSyncSyncCycle -PolicyType Initial and confirm all exports complete successfully without error 8344
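The diagnostic and resolution steps above, as an added example script that is not part of the original article or of the ADSyncConfig module: it lists the ACEs the connector account actually holds on the OU with failing exports (resolving attribute and extended-right GUIDs to names, and flagging blocked inheritance and explicit Deny entries), then optionally re-applies the basic read and ms-DS-ConsistencyGuid permissions and starts an initial sync cycle. The account name, domain, OU distinguished name and the AdSyncConfig module path are placeholders for the defaults of your own installation.

```powershell
# Added example: audit and (optionally) repair the AAD Connect connector account's rights on one OU.
param(
    [string]$ConnectorAccount = 'MSOL_PLACEHOLDER',            # placeholder: name from the Connectors tab
    [string]$AccountDomain    = 'CONTOSO',                     # placeholder: NetBIOS domain of that account
    [string]$TargetOU         = 'OU=Staff,DC=contoso,DC=com',  # placeholder: OU whose objects fail with 8344
    [switch]$Repair                                            # without -Repair the script only reports
)
Import-Module ActiveDirectory

# Build a GUID -> name map from the schema (attributes/classes) and the extended rights container,
# so object-specific ACEs (e.g. ms-DS-ConsistencyGuid, Replicating Directory Changes) read as text.
$guidNames = @{}
$rootDse = Get-ADRootDSE
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[[guid]$_.rightsGuid] = $_.displayName }

function Get-ConnectorAce {
    # Return the ACEs on $TargetOU whose trustee is the connector account, with GUIDs resolved.
    $acl = Get-Acl -Path "AD:\$TargetOU"
    if ($acl.AreAccessRulesProtected) {
        Write-Warning "Inheritance is blocked on $TargetOU; rights granted at the domain root do not reach it."
    }
    $acl.Access |
        Where-Object { $_.IdentityReference -like "*\$ConnectorAccount" } |
        Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType,
            @{n='Object';    e={ if ($_.ObjectType -eq [guid]::Empty) { '(all)' } else { $guidNames[$_.ObjectType] } }},
            @{n='AppliesTo'; e={ if ($_.InheritedObjectType -eq [guid]::Empty) { '(all classes)' } else { $guidNames[$_.InheritedObjectType] } }}
}

Write-Host "Current ACEs for $ConnectorAccount on $TargetOU"
$before = Get-ConnectorAce
$before | Format-Table -AutoSize
if ($before | Where-Object AccessControlType -eq 'Deny') {
    Write-Warning 'Explicit Deny entries present; they override any Allow the ADSyncConfig cmdlets add.'
}

if ($Repair) {
    # Default install path of the AdSyncConfig module shipped with Azure AD Connect; adjust if relocated.
    Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'
    Set-ADSyncBasicReadPermissions -ADConnectorAccountName $ConnectorAccount -ADConnectorAccountDomain $AccountDomain -ADobjectDN $TargetOU
    Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName $ConnectorAccount -ADConnectorAccountDomain $AccountDomain -ADobjectDN $TargetOU
    Write-Host 'ACEs after repair:'
    Get-ConnectorAce | Format-Table -AutoSize
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Initial   # then re-check the Operations tab for error 8344
}
```

Run it without -Repair first; the same report doubles as the periodic access review the Prevention section recommends, since it shows every ACE the sync account holds on the OU, including ones nobody intended.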
Prevention
- Document and back up the Azure AD Connect connector account permissions immediately after initial setup, including screenshots of OU-level security entries
- Avoid manually modifying permissions on the MSOL_ or ADSync connector account in Active Directory — use only the ADSyncConfig cmdlets or wizard
- When creating new OUs in Active Directory, immediately grant the AD Connect connector account the required permissions before enabling synchronization scope for that OU
- Regularly review Azure AD Connect sync logs and configure alerts for export errors using Azure AD Connect Health to catch permission issues early
- Enrol in Azure AD Connect Health to monitor synchronization status and receive proactive notifications on export failures
- Include the AD Connect connector account permissions in periodic Active Directory access reviews to detect unintended changes
- Test any Group Policy or security policy changes in a staging environment before applying to production to ensure they do not affect the sync account
Tools
- Azure AD Connect Synchronization Service Manager (miisclient.exe)
- Azure AD Connect Configuration Wizard
- Active Directory Users and Computers (dsa.msc)
- PowerShell with ADSync module (Import-Module ADSync)
- ADSyncConfig PowerShell module (Set-ADSyncBasicReadPermissions, Set-ADSyncPasswordHashSyncPermissions, Set-ADSyncMsDsConsistencyGuidPermissions)
- ADSI Edit (adsiedit.msc) — for advanced permission inspection
- Azure AD Connect Health — for proactive sync monitoring and alerting
- Event Viewer (Application and Services Logs > Directory Service)