![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 37%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESV%3C/text%3E%3C/svg%3E)
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,632 questions
The error code 8344 indicates a permission issue when performing a write operation on an object. You mentioned that the service account being used has inheritance disabled - that may not be relevant, however, as the object that you need to check is the one that the error is being generated on. If inheritance is enabled on the object, it may be disabled on an OU that the object is contained in.
First, check the pending export of the object in AAD Connect to see what change is being attempted. After that, you can open the advanced security settings on the object in Active Directory Users and Computers to see what permissions are applied to it. If you see the on-premises Active Directory service account listed, ensure that the specific permission needed (i.e.: write proxyAddresses) exists. If it doesn't, it could be that the permissions just don't exist - you can check the object generating the error or the OU that it is contained in to see if the necessary permissions exist. Inheritance has to be turned on not only on the object being modified, but also on any OUs it is contained in if the permission is not applied to that OU or object directly. As an example, sometimes permissions are applied to the root of the domain (e.g.: DC=Contoso,DC=com) and inherit down. If there are nested OUs between the root and the object generating the error, a single OU in the path between that object and the point where the permission is applied (root of domain in this example) not having inheritance disabled would cause the permissions to not inherit past that point.
If all else fails - I'd suggest opening a support case, this is a fairly common problem and a support engineer for Azure AD Connect should be able to assist you.