Hi
Based on the article https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/plan-cloud-hr-provision#configure-active-directory-ou-container-assignment
I tried to manipulate the parentDistinguishedName based on the country. Apparently, when trying to provision an existing user, it cannot update the parentDistinguishedName and throws an error:
Error code: SystemForCrossDomainIdentityManagementBulkOperationResponseError
Error message:
{"Exceptions":[{"SerializedExceptionString":"{\"ClassName\":\"Microsoft.ActiveDirectory.SynchronizationAgent.Contract.SerializableDirectoryOperationException\",\"Message\":\"The user has insufficient access rights.\",\"Data\":null,\"InnerException\":null,\"HelpURL\":null,\"StackTraceString\":null,\"RemoteStackTraceString\":null,\"RemoteStackIndex\":0,\"ExceptionMethod\":null,\"HResult\":-2146233088,\"Source\":null,\"WatsonBuckets\":null,\"ResponseResultCode\":\"InsufficientAccessRights\",\"ResponseErrorMessage\":\"00000005: SecErr: DSID-0315274B, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\",\"SerializedException\":\"Details:\r\nType: System.DirectoryServices.Protocols.DirectoryOperationException\r\nThe user has insufficient access rights.\r\nStack trace:\r\n\r\nServer stack trace: [...]
I have checked Event logs on the local AD DC server where I have Azure AD Connect Provisioning Agent installed and there are no errors.
I noticed that the Azure AD Connect Provisioning Agent runs under the provAgentgMSA$ service account, so I granted this account full access to the Organizational Unit (OU) I operate within, but this didn't help.
Can you tell what user and what rights I need to adjust to get it to work?
/Michal
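A change of parentDistinguishedName asks the agent to move the user object from one OU to another, and a move in AD needs rights on both ends: Delete Child on the source OU (or Delete on the user object itself) and Create Child for user objects on the destination OU. The PowerShell audit below is an added example, not code from the original post or from Microsoft; it lists the ACEs the agent's gMSA holds on both OUs and reports whether those two rights are present. The domain name and OU distinguished names are placeholders, and rights the account only receives through group membership are not matched by the identity filter.

```powershell
# Added example, not from the original post: audit the ACEs the provisioning agent's
# gMSA holds on the OU a user currently lives in (source) and the OU a changed
# parentDistinguishedName points at (destination). Domain and OU DNs are placeholders.
Import-Module ActiveDirectory   # provides the AD: PSDrive used by Get-Acl

$agentAccount  = 'CONTOSO\provAgentgMSA$'                      # gMSA from the post; domain is a placeholder
$sourceOu      = 'OU=Users,OU=PL,DC=contoso,DC=com'            # placeholder
$destinationOu = 'OU=Users,OU=DE,DC=contoso,DC=com'            # placeholder
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the AD 'user' class

function Get-AgentAces {
    param([string]$OuDn, [string]$Identity)
    # Explicit and inherited ACEs on the OU whose trustee is the agent account itself;
    # rights granted only through group membership are not matched by this filter.
    (Get-Acl -Path ("AD:\" + $OuDn)).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity }
}

function Test-MoveRights {
    param([string]$OuDn, [string]$Identity)
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $found  = [ordered]@{ CreateChild = $false; DeleteChild = $false }
    foreach ($ace in (Get-AgentAces -OuDn $OuDn -Identity $Identity)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # An empty ObjectType means the ACE applies to every object class; otherwise
        # it must name the 'user' class to matter for a user move.
        $coversUsers = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $userClassGuid)
        if (-not $coversUsers) { continue }
        if (($ace.ActiveDirectoryRights -band $rights::CreateChild) -ne 0) { $found.CreateChild = $true }
        if (($ace.ActiveDirectoryRights -band $rights::DeleteChild) -ne 0) { $found.DeleteChild = $true }
    }
    [pscustomobject]@{ OU = $OuDn; CreateChild = $found.CreateChild; DeleteChild = $found.DeleteChild }
}

# A move out of $sourceOu needs DeleteChild there (or Delete on the user object itself);
# a move into $destinationOu needs CreateChild there.
Test-MoveRights -OuDn $sourceOu      -Identity $agentAccount
Test-MoveRights -OuDn $destinationOu -Identity $agentAccount

# Raw view of the destination OU ACEs for the agent, to spot Deny entries or
# ACEs scoped to the wrong object class or inheritance level.
Get-AgentAces -OuDn $destinationOu -Identity $agentAccount |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

Run it on the DC (or any machine with the RSAT ActiveDirectory module) with an account that can read the OU security descriptors; a source OU that reports DeleteChild as false is the first thing to check when the destination OU already shows full control.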