0

I have an on-premise deployment of Windows Hello for Business [Certificate Trust] using ADFS 4.0 DRS. I also have an O365 Apps for Enterprise (Pro-plus) subscription. The identities (users only) are synced from on-premise to Azure AD. Only 8 attributes (those required for O365 Pro-plus) are synced [app filtering in use]:

accountEnabled cn displayName objectSID pwdLastSet samAccountName sourceAnchor usageLocation userPrincipalName

No device/group write-back is enabled, no other O365 applications are used.

I am seeing plenty of errors like the ones mentioned in the blog below (Q4) in Synchronization Service, where the service is trying to overwrite/remove the msds-keycredentialLink attribute [populated due to WH4B provisioning] and fails for insufficient permissions.

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-mailbag-windows-hell...

They should be triggered by the synchronization rules listed below:

IN from AAD - User NGCKey (to DeviceKey in mv)
Out to AD - User NGCKey (from DeviceKey in mv to msds-keycredentialLink in AD)

My questions:

  1. Why does it need to write back the NGC key?

  2. Why do the errors still persist even if the rules above are disabled?

IshRaj
  • 81
  • 1
  • 9

2 Answers

0

Those attributes are part of the WHfB deployment; you shouldn't be disabling them, so maybe that's why you're getting errors.

Reference: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-mailbag-windows-hello-for-business/ba-p/445349

NGC is also a set of attributes required for WHfB to work; check out the blog of Jairo Cadena, a Program Manager in the Identity Services Division at Microsoft, answering a question about NGCs: https://jairocadena.com/2016/01/18/how-domain-join-is-different-in-windows-10-with-azure-ad/

Noor Khaldi
  • 3,869
  • 3
  • 19
  • 28
0

The WHfB on-premise deployment does not need to have msds-keycredentialLink written back to on-premise AD. I think this is a design flaw in the system, where Microsoft has not considered purely on-premise deployments of WH4B combined with some Azure AD/O365 services and directory synchronization (AADConnect).

I saw that after the rules below are disabled, the key value is not written back anymore. The errors I was facing were related to old objects in the AAD Connect Metaverse. Once those objects were refreshed, the errors pertaining to them disappeared.

IshRaj
  • 81
  • 1
  • 9
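As an added example, not part of the question or either answer: a PowerShell check, run on the AAD Connect server, that shows which sync rules flow the WHfB key between the metaverse DeviceKey and the on-premises msDS-KeyCredentialLink attribute, whether those rules are enabled, which users already carry a key on-premises, and whether the AAD Connect service account holds WriteProperty on that attribute (the permission whose absence produces the export errors described above). The rule names are the ones quoted in the question; the property names AttributeFlowMappings, Source and Destination on the ADSync rule objects are assumed, and the service account and sample user are placeholders.

```powershell
# Added example (not from the question or answers). Assumes the ADSync and
# ActiveDirectory modules are available on the AAD Connect server and that the
# session has rights to read sync rules, users and ACLs.
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Which sync rules touch the key attribute, and are they currently disabled?
#    (AttributeFlowMappings/Source/Destination are assumed property names.)
function Get-KeyCredentialSyncRules {
    Get-ADSyncRule | Where-Object {
        $_.AttributeFlowMappings | Where-Object {
            $_.Destination -eq 'msDS-KeyCredentialLink' -or
            $_.Destination -eq 'deviceKey' -or
            ($_.Source -contains 'msDS-KeyCredentialLink') -or
            ($_.Source -contains 'deviceKey')
        }
    } | Select-Object Name, Direction, Precedence, Disabled
}

# 2. Which on-premises users already have a key (populated by WHfB provisioning)?
function Get-UsersWithKeyCredential {
    Get-ADUser -Filter 'msDS-KeyCredentialLink -like "*"' -Properties msDS-KeyCredentialLink |
        Select-Object SamAccountName,
            @{ Name = 'KeyCount'; Expression = { @($_.'msDS-KeyCredentialLink').Count } }
}

# 3. Does a given account hold WriteProperty on msDS-KeyCredentialLink for a sample user?
#    A matching ACE is either attribute-specific (ObjectType = the attribute's
#    schemaIDGUID) or a blanket WriteProperty (ObjectType = empty GUID).
function Test-KeyCredentialWriteAccess {
    param(
        [Parameter(Mandatory)] [string] $Account,      # e.g. 'CONTOSO\MSOL_xxxxxxxx' (placeholder)
        [Parameter(Mandatory)] [string] $SampleUser    # sAMAccountName of any synced user (placeholder)
    )
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc `
        -Filter "lDAPDisplayName -eq 'msDS-KeyCredentialLink'" -Properties schemaIDGUID
    $attrGuid = [guid]$attr.schemaIDGUID

    $user = Get-ADUser -Identity $SampleUser
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Account -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
        ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, IsInherited
}

# Usage (placeholders; substitute the account and user from your environment):
Get-KeyCredentialSyncRules | Format-Table -AutoSize
Get-UsersWithKeyCredential | Format-Table -AutoSize
Test-KeyCredentialWriteAccess -Account 'CONTOSO\MSOL_xxxxxxxx' -SampleUser 'someuser' | Format-Table -AutoSize
```

If the outbound "Out to AD - User NGCKey" rule shows Disabled = True yet export errors continue, the third check will not explain them; in that case the stale metaverse objects mentioned in the second answer are the more likely cause, and a full import plus full synchronization refreshes them. If the rule is enabled and the third check returns no ACE, the export errors are exactly the permission failures the question describes.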