msDS-KeyCredentialLink exported back to AD

Mishaua 721 Reputation points
2022-08-09T22:11:39.683+00:00

I am doing a swing migration from a v1 Azure ad connector to a v2. In the export to the local ad I am seeing a handful of updates for users for the msDS-KeyCredentialLink attribute. I believe this attribute did not sync in the past because AADConnect v1 was installed prior to a 2016 Dc being added to the domain. We now have a 2016 dc as well that was installed before configuring AAD connect v2 so none of the current local AD users have this attribute set. A small amount of computers do though. We are currently not using intune yet but Windows Hello for business is disabled there so I am curious why it would be populated in Azure? Perhaps because a user joined or registered a device with Azure and has Hello for business enabled? Is there any danger in syncing this attribute back to AD?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,771 questions
{count} votes

6 answers

Sort by: Most helpful
  1. Andy David - MVP 147.9K Reputation points MVP
    2022-08-09T22:32:00.323+00:00

    Ran into the same issue. Add the AADSync account to the "Enterprise Key Admins" group and you wont see any permissions errors on the writeback.
    No problems encountered doing this.

    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync


  2. Mishaua 721 Reputation points
    2022-08-16T22:12:13.11+00:00

    I would leave it enabled if I had all the prerequisites for it but currently I don't. My fsmo role is not on a 2016 dc, I also do not have any of the groups required for the sync to successfully complete so having the rules enabled will just generate errors. I disabled these sync rules IN from AAD - User NGCKey (to DeviceKey in mv) Out to AD – User NGCKey (from DeviceKey in mv to msds-keycredentialLink in AD), ran full imports and full synchronizations on both connectors but on the export to AD I still see exports for the msds-keycredentialLink for the AD connector. Why does disabling the sync rules have no effect? Something similar is referenced here https://serverfault.com/questions/1029701/disabling-synchronization-rule-out-to-ad-user-ngckey-in-azuread-connect. They mention refreshing the metaverse which I would expect a full import and sync to do?


  3. Mishaua 721 Reputation points
    2022-08-27T20:53:05.81+00:00

    Deleting the connector spaces and restarting an initial sync stopped the data from flowing back.


  4. Alexandros Kanakaris 36 Reputation points
    2022-12-15T11:32:56.137+00:00

    What happened to you is the exact same scenario that happened to us.
    We were on Azure AD Connect v1 with a schema of Server 2016 (87).

    After the migration to Azure AD Connect 2, Event 6100 was throwed for all accounts.
    I checked the value that was failing to be Added and it was msDS-KeyCredentialLink.

    Adding permissions for updating this value is shown in this article.
    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync#configure-permissions-for-key-synchronization

    The thing is that those AD groups only appear after you have at least one Domain Controller => Server 2016.

    Read msDS-KeyCredentialLink and Write msDS-KeyCredentialLink.

    And since the documentation is a bit unclear, for any of those groups to appear, you have to have at least one DC on server 2016.


  5. Craig Vibert 1 Reputation point
    2022-12-20T12:37:20.31+00:00

    Hello,

    We had an issue where we created a second synchronization to a second Azure AD tenant. At first it appeared to work fine. We then started getting tickets from people unable to logon to Windows Hello for Business. When we checked the AD sync logs on both AD connect on the new tenant and our normal one we saw completed with warnings on the delta import. Drilling into it further the error stated exported-change-not-reimported and looking further the attribute with the problem was msDS-KeyCredentialLink. To fix the issue we stopped the sync on our sandbox tenant and did a Full Sync on the normal AD connect and it fixed the issue. Did we do something wrong?

    Kind Regards


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.