7,023 questions
I can confirm that this issue was resolved by the last Entra ID Connect update for me as well.
Delta import completed warnings exported-change-not-reimported - msDS-KeyCredential-Link attribute
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 26%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDD%3C/text%3E%3C/svg%3E)
Denis Debijađi
15
Reputation points
Hello everyone
I have a hybrid setup (PHS) in which the clients are Azure Ad Join and users use WHFB with cloud trust to log in to them. In the synchronization service manager, every now and then it gets the status for Delta import completed warnings exported-change-not-reimported for some users, and when I go to the details, it shows me the msDS-KeyCredential-Link attribute. Under the event log, I get the event ID: 6951:" The export change was not confirmed by the import operation". Mention users get Kerberos TGT from DC after logging in with WHFB. This warning seems to be present only when users login to laptops via the corporate network. Anyone know why this warning is showing up, if this is a problem, and how to resolve it? I didn't find anything useful on blogs.
Thank you in advance.
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Microsoft Security | Microsoft Entra | Microsoft Entra ID
25,179 questions
{count} votes
-
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator2023-09-25T19:34:00.9233333+00:00 I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
-
Denis Debijađi 15 Reputation points
2023-09-27T12:09:04.6533333+00:00 I still get exported-change-not-reimported with the msDS-KeyCredential-Link value after adding Azure AD Sync (MSOLXXXX)user as a member of the Enterprise Key Admins security group and run Initial Sync. We use cloud Kerberos trust technology for WHFB for log in to clients.
I have an additional question unrelated to this case. I intend to filter the synchronization of user objects using attributes, and I have configured a rather complex rule in the synchronization rules editor and customer have more then 2000 users, so I would like to know if there is some possibility of a preview so that I can see what will be affected by the rule before I start the initial synchronization.
When i try this method I always get empty template:After the synchronization, all changes are staged to be exported. Before you actually make the changes in Microsoft Entra ID, you want to verify that all these changes are correct.
- Start a command prompt, and go to
%ProgramFiles%\Microsoft Azure AD Sync\bin. - Run
csexport "Name of Connector" %temp%\export.xml /f:x.
The name of the Connector is in Synchronization Service. It has a name similar to "contoso.com – Microsoft Entra ID" for Microsoft Entra ID. - Run
CSExportAnalyzer %temp%\export.xml > %temp%\export.csv. - You now have a file in %temp% named export.csv that can be examined in Microsoft Excel. This file contains all the changes that are about to be exported.
- *Make the necessary changes to the data or configuration, and run these steps again (Import, Synchronize, and Verify) until the changes that are about to be exported are what you expect.
Thank you in advance.
BR
- Start a command prompt, and go to
Sign in to comment
3 answers
Sort by: Most helpful
-
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator2023-09-14T21:36:16.8533333+00:00 Hi @Denis Debijađi ,
The warning "exported-change-not-reimported" means that the imported object's attributes do not match with the object attribute set when it was last exported. One of the *potential *reasons this happens is the value being deleted or changed in the connected data source after being set through the export of Azure AD Connect.
Are you able to see the value that was exported in the destinated connected data source? Since you mentioned msDS-KeyCredential-Link , it sounds like there could be a permissions issue. Make sure that the following permissions are added:
- Add the AADSync account to the "Enterprise Key Admins" group
- Make sure you have added all of the permissions and prerequisites for updating this value is shown in this article.
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync#configure-permissions-for-key-synchronization
You can also try running a full sync cycle with: Start-ADSyncSyncCycle -PolicyType Initial
Let me know if this helps and if you still face this issue.
If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions.
-
Denis Debijađi 15 Reputation points
2023-09-15T07:31:39.2466667+00:00 Yes, I am able to see export values, and it shows values that are deleted and added (export change:update).
I also added the Azure AD Sync user as a member of the Enterprise Key Admins security group and run Initial Sync, but the situation is the same. I still get exported-change-not-reimported with the msDS-KeyCredential-Link value. We use cloud Kerberos trust technology for WHFB. -
Denis Debijađi 15 Reputation points
2023-09-27T08:41:28.8966667+00:00 Yes, I am able to see export values, and it shows values that are deleted and added (export change:update).
I also added the Azure AD Sync user as a member of the Enterprise Key Admins security group and run Initial Sync, but the situation is the same. I still get exported-change-not-reimported with the msDS-KeyCredential-Link value. We use cloud Kerberos trust technology for WHFB. -
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
2023-09-28T21:41:47.7933333+00:00 I'm sorry to hear that you are still facing this issue. It sounds like it's an issue with mismatched values then.
What's the conflicting attribute value you are seeing?
If you would like to open a support case to look into your environment, you can send me an email at AzCommunity@microsoft.com ("Attn: Marilee Turscak") and include your subscription ID, and I can get a one-time free case opened for you.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 61%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDD%3C/text%3E%3C/svg%3E)
Denis Debijađi 20 Reputation points2023-10-02T08:27:16.36+00:00 I think the exported-change-not-reimported warning appears when users login to their clients via WHFB (cloud trust).
The binary portion of this attribute is in conflict because they differ in the export part in the row representing the added and deleted parts.
This is how it looks when I click on detail:
If it's easier for you, I can open a support case, as you recommended.
-
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
2023-10-16T22:25:47.13+00:00 Hi Denis,
Apologies for the delayed response. Feel free to send your subscription ID to the email provided if you would like a support case opened to address this. Seeing some other customers facing similar issues and will need to investigate further.
-
Denis Debijađi 15 Reputation points
2023-11-17T10:21:17.6+00:00 Hi, @Marilee Turscak-MSFT any news? I sent mail to AzCommunity@microsoft.com on October 27. I added you to CC, but I didn't get any response. Can you give some feedback about this case?
Thank you!
Sign in to comment -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 71%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDB%3C/text%3E%3C/svg%3E)
Dustin Berkley 5 Reputation points2024-02-20T17:05:38.82+00:00 I have the same issue as explained here. It started happening after we implemented WHfB. The errors never seems to have any real impact, in that users are able to authenticate to their workstation, they are authenticated to the network share, and SSO to MS365 works. The Imported Value and Export Value are always the same. The errors usually show up in the morning, and clear out throughout the day. Also, usually if I do an Initial Sync, or two Delta Syncs in a row, there usually aren't any errors. Also there's usually no errors overnight. My hunch is that it happens when someone uses WHfB to login to their computer, then on the next Delta sync, it throws the issue. It's almost as if the key is getting re-registered, (even though it's the same key) and then it tries to sync, but the update doesn't work because it's not actually an update. It seems harmless enough, but I'd love some insight on this. It seems like something isn't quite right.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 70%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAN%3C/text%3E%3C/svg%3E)
Andreas Nilsson 0 Reputation points2024-03-01T11:57:10.95+00:00 We have had the exact same issue and analysis of why it appears, but the problem was apparently resolved with the latest update of Microsoft Entra Connect (2.3.6.0) although there is no mentioning of this bug fix in the release notes...
-
Dustin Berkley 5 Reputation points
2024-03-04T19:26:54.53+00:00 We're on that version and still getting the errors.
Since there's at least 3 ways to enable people to register for WHfB (tenant wide, Intune Windows Enrollment, enabling through on-prem GPO), and I was testing all of them, I'm wondering if there is just something weird with those methods interacting with each other.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 64%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDM%3C/text%3E%3C/svg%3E)
Damm, Martin 0 Reputation points2024-04-29T15:21:09.2666667+00:00 Can confirm what Dustin says. Were on the same version and see these errors. This can not be a permission issue, because in nighttime, when no user logs in we do not see any sync issues. Due working hours we see a lot of them. Strangely enough, only for some users who keep appearing in the error log.
Sign in to comment -