Delta import completed warnings exported-change-not-reimported - msDS-KeyCredential-Link attribute

Denis Debijađi 0 Reputation points
2023-09-14T06:35:05.4166667+00:00

Hello everyone

I have a hybrid setup (PHS) in which the clients are Azure AD joined and users use WHFB with cloud trust to log in to them. In the Synchronization Service Manager, every now and then the Delta import gets the status "completed warnings" with exported-change-not-reimported for some users, and when I go to the details, it shows me the msDS-KeyCredential-Link attribute. In the event log, I get event ID 6951: "The export change was not confirmed by the import operation". The mentioned users get a Kerberos TGT from the DC after logging in with WHFB. This warning seems to be present only when users log in to laptops via the corporate network. Does anyone know why this warning is showing up, whether this is a problem, and how to resolve it? I didn't find anything useful on blogs.

Thank you in advance.

Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
Active Directory
A set of directory-based technologies included in Windows Server.

1 answer

  1. Marilee Turscak-MSFT 27,721 Reputation points Microsoft Employee
    2023-09-14T21:36:16.8533333+00:00

    Hi @Denis Debijađi ,

    The warning "exported-change-not-reimported" means that the imported object's attributes do not match the object's attribute set when it was last exported. One of the *potential* reasons this happens is the value being deleted or changed in the connected data source after being set through the export of Azure AD Connect.

    Are you able to see the value that was exported in the destination connected data source? Since you mentioned msDS-KeyCredential-Link, it sounds like there could be a permissions issue. Make sure that the following permissions are added:

    You can also try running a full sync cycle with: Start-ADSyncSyncCycle -PolicyType Initial 

    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base

    Let me know if this helps and if you still face this issue.

    If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions.
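
A read-only diagnostic for the two checks raised in the answer above, added here as an example and not part of the original thread: it shows whether the exported value is present on the user object, when it was last changed and on which DC, and which principals hold write access to the attribute. The user name `affected.user` is a placeholder, and it is an assumption that write access to `msDS-KeyCredentialLink` for the Azure AD Connect connector account is the permission in question.

```powershell
# Added example (not from the thread). Read-only: nothing in AD is modified.
# Requires the RSAT ActiveDirectory module and rights to read the object's ACL.
Import-Module ActiveDirectory

# Placeholder (assumption): sAMAccountName of a user flagged in the warning.
$UserSam = 'affected.user'

# Resolve the attribute's schemaIDGUID from the schema instead of hard-coding it.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=msDS-KeyCredentialLink)' -Properties schemaIDGUID
$attrGuid = [guid]$attr.schemaIDGUID
$anyGuid  = [guid]::Empty   # an ACE with an empty ObjectType applies to all properties

# 1. Is the exported value present in the connected data source (AD DS)?
$user  = Get-ADUser -Identity $UserSam -Properties 'msDS-KeyCredentialLink'
$count = @($user.'msDS-KeyCredentialLink').Count
Write-Output "msDS-KeyCredentialLink values on $($user.DistinguishedName): $count"

# 2. When was the attribute last changed, and on which DC? A change made after
#    the export is one way the next delta import can fail to confirm the export.
$dc = (Get-ADDomainController).HostName
Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $dc `
    -Properties 'msDS-KeyCredentialLink' -ShowAllLinkedValues |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity

# 3. Which principals may write the attribute on this object? Compare the list
#    with the connector account (or a group it belongs to). Deny ACEs are shown
#    too. Property-set ACEs that include the attribute are not detected here.
$write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$acl   = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
$acl.Access |
    Where-Object {
        ($_.ActiveDirectoryRights -band $write) -and
        ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq $anyGuid)
    } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  IsInherited, ObjectType |
    Format-Table -AutoSize
```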