Lately, I had an issue with Office 365's MIISClient.exe.
MIISClient.exe shows that a bunch of user accounts failed to sync with the error “Insufficient Permission”.
Certain permissions needed by the MSOL service account went missing (for whatever reason!). All we had to do was re-check the permissions.
Step 1: Run the Azure Active Directory Sync tool Configuration Wizard
Make sure that the latest version of the Directory Sync tool is installed and that you run the Azure Active Directory Sync tool Configuration Wizard. When you run the wizard, one screen prompts you to enable rich coexistence. Complete the wizard, and then start directory synchronization.
Alternatively, you can run the Enable-MSOnlineRichCoexistence cmdlet after the Directory Sync tool is installed to enable the write-back feature. This cmdlet must be run with enterprise admin credentials, that is, by an enterprise admin.
Step 2: Confirm MSOL_AD_Sync_RichCoexistence permissions
If step 1 doesn’t resolve the issue, check that the MSOL_AD_Sync user belongs to the MSOL_AD_Sync_RichCoexistence group and that the group has Allow permissions to the user who is experiencing the issue, where write-back is not working for the following attributes:
To do this, follow these steps:
1. In Active Directory, make sure that the MSOL_AD_Sync_RichCoexistence group exists and that the MSOL_AD_Sync user is a member of the group.
2. In the on-premises environment, use Active Directory Users and Computers to open the user properties for the user who is experiencing the issue.
3. On the Security tab, click Advanced.
   Note: You must enable advanced features to complete step 3.
4. Make sure that the MSOL_AD_Sync_RichCoexistence group is listed. If it’s not listed, add the group, and then make sure that the group is granted Allow permissions to write to the attributes that are listed previously.

Note: Step 2 may be required if the object does not inherit permissions from the parent. This issue may be resolved by making sure that the object inherits permissions from the parent object.
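The Step 2 checks can also be read from PowerShell instead of the Security tab. This is an added example, not part of KB 2406830 or the original post; it assumes the ActiveDirectory (RSAT) module is installed and uses the account and group names as written above, and `$UserSam` is a hypothetical parameter for the affected user.

```powershell
# Added example: read-only audit of the Step 2 checks for one affected user.
# Assumes the ActiveDirectory module; $UserSam is a hypothetical parameter name.
param(
    [Parameter(Mandatory = $true)] [string] $UserSam,   # sAMAccountName of the affected user
    [string] $SyncAccount = 'MSOL_AD_Sync',             # names as given in the article
    [string] $GroupName   = 'MSOL_AD_Sync_RichCoexistence'
)
Import-Module ActiveDirectory

# 1. The group must exist and the sync account must be a member of it.
$group    = Get-ADGroup -Identity $GroupName -ErrorAction Stop
$isMember = [bool](Get-ADGroupMember -Identity $group |
    Where-Object { $_.SamAccountName -eq $SyncAccount })
Write-Output "Sync account '$SyncAccount' is a member of '$GroupName': $isMember"

# 2. Read the ACL on the affected user object through the AD: drive.
$user = Get-ADUser -Identity $UserSam -ErrorAction Stop
$acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

# AreAccessRulesProtected = True means the object does NOT inherit from its parent,
# which is the situation the closing note describes.
Write-Output "Inheritance disabled on object: $($acl.AreAccessRulesProtected)"

# 3. Map schema GUIDs to attribute names so the ACEs are readable.
#    (Property-set GUIDs are not in the schema and will show as blank.)
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$guidMap  = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# 4. List the Allow / WriteProperty ACEs the group holds on this user.
$write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$aces  = $acl.Access | Where-Object {
    $_.IdentityReference -like "*\$GroupName" -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights.HasFlag($write)
}
if (-not $aces) {
    Write-Warning "No Allow/WriteProperty ACE for '$GroupName' on $($user.DistinguishedName)"
}
$aces | Select-Object IsInherited, ActiveDirectoryRights, @{ n = 'Attribute'; e = {
    if ($_.ObjectType -eq [guid]::Empty) { '(all properties)' } else { $guidMap[$_.ObjectType] }
} }
```

Compare the `Attribute` column against the attribute list in the KB article; an `(all properties)` row means the group can write every attribute on the object, which is broader than write-back needs.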
Source: Microsoft KB 2406830
Hope this helps!