SuccessFactors to AD provisioning not working for some users, failing with insufficient permission

Ankita Rani Patro 176 Reputation points
2021-12-09T20:00:36.9+00:00

Hi team,

I need urgent help. We are provisioning users from SuccessFactors to AD. We are not able to sync a couple of users due to an insufficient permission error. It works fine for other users. Please help me troubleshoot.

SystemForCrossDomainIdentityManagementBulkOperationResponseError

Error message
{"Exceptions":[{"SerializedExceptionString":"{\"ClassName\":\"Microsoft.ActiveDirectory.SynchronizationAgent.Contract.SerializableDirectoryOperationException\",\"Message\":\"The user has insufficient access rights.\",\"Data\":null,\"InnerException\":null,\"HelpURL\":null,\"StackTraceString\":null,\"RemoteStackTraceString\":null,\"RemoteStackIndex\":0,\"ExceptionMethod\":null,\"HResult\":-2146233088,\"Source\":null,\"WatsonBuckets\":null,\"ResponseResultCode\":\"InsufficientAccessRights\",\"ResponseErrorMessage\":\"00002098: SecErr: DSID-0315145A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\",\"SerializedException\":\"Details:\r\nType: System.DirectoryServices.Protocols.DirectoryOperationException\r\nThe user has insufficient access rights.\r\nStack trace:\r\n\r\nServer stack trace: \r\n at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)\r\n at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)\r\n at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)\r\n\r\nException rethrown at [0]: \r\n at System.DirectoryServices.Protocols.LdapConnection.EndSendRequest(IAsyncResult asyncResult)\r\n at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization)\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Microsoft.ActiveDirectory.SynchronizationAgent.ActiveDirectory.LdapConnectionExtensions.

  1. Marilee Turscak-MSFT 35,036 Reputation points Microsoft Employee
    2021-12-09T21:36:38.263+00:00

    If you are receiving this error in Azure AD Connect, make sure that the users have security inheritance enabled.


    Reference: related answer by AndyDavid.

    I would also review the step-by-step troubleshooting guidance in the video, Azure AD Connect Insufficient Access Rights | Error 8344 Permission Issue Insufficient Access Rights

    If this doesn't resolve the problem it may also be worth reaching out on the SuccessFactors forum.


  2. Danny Zollner 9,531 Reputation points Microsoft Employee
    2021-12-09T21:40:51.21+00:00

    The error message is fairly straightforward in that the actions being attempted by the Azure AD Provisioning agent are unable to be performed due to insufficient permissions. What action is being attempted and what permissions are needed are things that aren't clear from the data you've provided. If other users are working, it's probably worth comparing the effective permissions for the service account on the working user and the not-working user (or OU, if the user can't be created) to see if you can identify the difference.

    If you can't figure it out with the above, I'd recommend opening a support case.

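One way to do the comparison described in the answer above, as an added example that is not part of the thread and not Microsoft's own tooling. It assumes the RSAT ActiveDirectory module is installed on a domain-joined machine, that the caller can read the security descriptors of the two user objects, and that the service account and the two sAMAccountName values are placeholders to be replaced.

```powershell
# Added example: compare the provisioning service account's effective ACEs on a
# user that syncs fine and a user that fails with INSUFF_ACCESS_RIGHTS, and show
# whether security inheritance is blocked on each object.
# Assumptions: RSAT ActiveDirectory module present; names below are placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-provisioning'   # placeholder: agent's service account / gMSA
$WorkingUser    = 'user.working'               # placeholder: sAMAccountName that syncs
$FailingUser    = 'user.failing'               # placeholder: sAMAccountName that fails

function Get-ProvisioningAclSummary {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    [pscustomobject]@{
        User               = $SamAccountName
        DistinguishedName  = $user.DistinguishedName
        # adminCount = 1 means the object is protected by AdminSDHolder/SDProp,
        # which is the usual reason inheritance ends up disabled on a user.
        AdminCount         = $user.adminCount
        # $true here is the "security inheritance" checkbox being unticked.
        InheritanceBlocked = $acl.AreAccessRulesProtected
        # Only the ACEs that apply to the provisioning account, flattened to strings
        # so they can be diffed. ObjectType is the attribute/extended-right GUID.
        Rules = @($acl.Access |
            Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
            ForEach-Object {
                '{0}:{1}:{2}:inherited={3}' -f $_.AccessControlType,
                    $_.ActiveDirectoryRights, $_.ObjectType, $_.IsInherited
            })
    }
}

$good = Get-ProvisioningAclSummary -SamAccountName $WorkingUser
$bad  = Get-ProvisioningAclSummary -SamAccountName $FailingUser

$good, $bad | Format-List User, DistinguishedName, AdminCount, InheritanceBlocked

'ACEs granted to the service account on the working user but missing on the failing one:'
Compare-Object -ReferenceObject $good.Rules -DifferenceObject $bad.Rules |
    Where-Object { $_.SideIndicator -eq '<=' } |
    Select-Object -ExpandProperty InputObject
```

If the failing user shows InheritanceBlocked = True and AdminCount = 1, the missing ACEs are normally the inherited ones from the OU, which matches the first answer's advice to re-enable inheritance; if the user cannot be created at all, run the same comparison against the target OUs' distinguished names instead.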