Unable to update users synced to AAD from AD using the AAD connect app

  • 16 February 2021
  • 0 replies
  • 111 views

Known Issue: Unable to update users synced to AAD from AD using the AAD connect app

KB003474

PRODUCT
K2 Five

 

Issue

Executing the Update method of the K2 Azure Active Directory (AAD) SmartObject to manage an identity in AAD fails with the following error: “Insufficient privileges to complete the operation.”

Cause

If you create identities in Active Directory (AD) and then use the Azure Active Directory Connect app to sync these identities with AAD, you get the error when you use the K2 AAD SmartObject Update method to manage the identities in AAD.

As you can see in the screenshot (aadsource.png), AAD shows the source of each identity.

When you create the identity in AAD, the source is Azure Active Directory. When you create the identity in AD and synchronize it to AAD using the Azure Active Directory Connect app, the source is Windows Server AD.

To manage AAD identities, whether directly in AAD or with the K2 AAD SmartObject Update method, the Source of the identity must be Azure Active Directory. To confirm you have this issue, check the Source of the identity in AAD when the Update method returns the error above: if the Source is Windows Server AD, you have this issue.
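One way to run the Source check above across many identities at once, as an added example that is not part of the K2 article: Microsoft Graph exposes the same information as the portal's Source column through the user property onPremisesSyncEnabled, which is true for identities synced by Azure AD Connect and null (or absent) for identities created in AAD. The helper names and the sample records are constructed for this illustration.

```python
"""Pre-flight check before calling the K2 AAD SmartObject Update method.

Classifies Azure AD user objects, as returned by Microsoft Graph
(GET /users?$select=userPrincipalName,onPremisesSyncEnabled,onPremisesLastSyncDateTime),
by the Source the portal would show, so that updates are only attempted
against identities that AAD is allowed to manage.
Hypothetical helper, not part of K2; the sample records are constructed.
"""
from typing import Iterable

# Labels exactly as they appear in the AAD portal's Source column.
SOURCE_CLOUD = "Azure Active Directory"
SOURCE_ONPREM = "Windows Server AD"


def identity_source(user: dict) -> str:
    """Return the portal 'Source' label for one Graph user object.

    Only an explicit True means the identity is synced from AD; Graph
    leaves the property null for cloud-created users, so a missing key,
    None or False all map to 'Azure Active Directory'.
    """
    return SOURCE_ONPREM if user.get("onPremisesSyncEnabled") is True else SOURCE_CLOUD


def update_allowed(user: dict) -> bool:
    """True when the identity can be managed in AAD (and so by the K2 Update method)."""
    return identity_source(user) == SOURCE_CLOUD


def triage(users: Iterable[dict]) -> dict:
    """Split users into those updatable via AAD and those that must be changed in AD."""
    result = {"update_in_aad": [], "update_in_ad": []}
    for u in users:
        bucket = "update_in_aad" if update_allowed(u) else "update_in_ad"
        result[bucket].append(u["userPrincipalName"])
    return result


# Constructed sample records shaped like Graph responses (not real tenant data).
SAMPLE_USERS = [
    {"userPrincipalName": "cloud.user@example.com", "onPremisesSyncEnabled": None},
    {"userPrincipalName": "synced.user@example.com", "onPremisesSyncEnabled": True,
     "onPremisesLastSyncDateTime": "2021-02-15T08:00:00Z"},
    {"userPrincipalName": "legacy.user@example.com"},  # property omitted entirely
]

if __name__ == "__main__":
    for bucket, upns in triage(SAMPLE_USERS).items():
        print(bucket, upns)
```

Identities that land in update_in_ad are the ones that will fail the K2 Update method with the error shown above and must be changed in AD instead.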

Resolution 1: Manage identity updates in AD

Make all identity updates in AD on the Windows Server. These changes will flow through to AAD on the next Azure Active Directory Connect app sync run. This is the recommended method.

For information on the Microsoft Azure Active Directory Connect app, see the article What is Azure AD Connect?

Resolution 2: Disable directory sync and manage identities in AAD

Disable the directory sync and uninstall Azure Active Directory Connect from your Windows Server, then manage the identities in AAD. This changes the identities’ Source in AAD so that they are managed in Azure Active Directory rather than Windows Server AD. Refer to this article for more information: Proper way to Remove Azure AD Connect.

With this approach, the changes will not sync back to your Windows Server AD (on-prem) users. Please work with your Microsoft representative if you have questions about disabling Azure Active Directory Connect and syncing identities between AD and AAD.

 

