Whenever I block a sender in the Outlook M365 desktop app by right-clicking on an email and selecting "Block Sender" to move it to junk email, an error occurs in AD/Entra Connect, indicating "insufficient access rights to perform the operation".
I resolve this by opening AD Users and Computers, right-clicking my account, and navigating to Properties > Security tab > Advanced > Restore Defaults > Apply > OK; after that, AD/Entra Connect syncs work without error.
The issue is related to the msExchBlockedSendersHash attribute. The problem appears to affect AD user accounts with Domain Admins or Account Operators access. However, the resolution remains consistent across all accounts, requiring the fix mentioned earlier.
Some Technical Details
- On-prem AD using Microsoft Azure AD Connect version 2.2.1.0
- Forest and domain functional levels both Windows Server 2016
- 4 domain controllers, none of which are read-only, across two sites/subnets
- Hybrid Entra ID/Azure AD environment, all mailboxes are on M365/Exchange Online. While we're in the process of decommissioning Exchange 2010, there's still work to be done. External emails (inbound to our domain) are currently routed directly to M365.
Questions
Is there a configuration in Azure AD Connect, M365, or on-premises Active Directory to prevent the 'insufficient access rights' error when blocking a sender in Outlook M365, especially for accounts with elevated privileges like Domain Admins or Account Operators?
Is there a technical explanation for the root cause of this issue and any clarity as to why it poses a problem?
This is due to the fact that your user account is a member of a protected group. As a result, permissions inheritance is disabled on your user account and the AdminSDHolder security descriptor ACL is applied to your user account, as well as having the adminCount attribute set to 1. Therefore, Entra ID Connect doesn't have the permissions it needs on your user account. This isn't a configuration issue or a problem with Entra ID Connect and there isn't anything you can do in Entra ID Connect to resolve this.
The fix is to remove your user account from all protected groups, clear the adminCount attribute, and re-enable permissions inheritance on your user account.
Best practice dictates that you have a separate user account for administrative tasks and not include your "day-to-day" user account in any protected groups or roles.
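As an added example (not part of the answer above or of any Microsoft tooling), the following PowerShell script audits which user accounts still carry the AdminSDHolder stamp described in the answer (adminCount=1 with inheritance disabled), tells you whether each one is still a member of a protected group, and, only when run with -Remediate, clears adminCount and re-enables inheritance on the accounts that are no longer protected. It assumes the ActiveDirectory RSAT module and rights to modify the affected accounts; the protected-group list is the default set, so add any groups your domain has added to AdminSDHolder.

```powershell
param(
    [switch]$Remediate   # without this switch the script only reports
)
Import-Module ActiveDirectory

# Default groups whose members SDProp stamps with adminCount=1 (assumed default set)
$protectedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators',
    'Replicator', 'Domain Controllers', 'Read-only Domain Controllers'
)

# Build a lookup of every (nested) member DN of those groups
$protectedMembers = @{}
foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -LDAPFilter "(sAMAccountName=$name)"
    if ($null -eq $group) { continue }   # group absent in this forest, skip it
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { $protectedMembers[$_.DistinguishedName] = $true }
}

# Every user still carrying the AdminSDHolder stamp
$stamped = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor

foreach ($user in $stamped) {
    $inheritanceBlocked = $user.nTSecurityDescriptor.AreAccessRulesProtected
    $stillProtected     = $protectedMembers.ContainsKey($user.DistinguishedName)

    [pscustomobject]@{
        SamAccountName     = $user.SamAccountName
        InheritanceBlocked = $inheritanceBlocked
        InProtectedGroup   = $stillProtected
        Action             = if ($stillProtected) { 'leave (SDProp would re-protect it)' }
                             elseif ($Remediate)  { 'reset' } else { 'orphaned stamp, run -Remediate' }
    }

    # Only reset accounts no longer in a protected group: SDProp re-applies the
    # AdminSDHolder ACL to current members on its periodic run (hourly by default),
    # which is why the manual "Restore Defaults" in the question has to be repeated.
    if ($Remediate -and -not $stillProtected) {
        Set-ADUser -Identity $user -Clear adminCount
        $path = "AD:\$($user.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($false, $true)   # re-enable inheritance from the OU
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Run it without -Remediate first and confirm the reported accounts are the ones you expect; an account that is still in a protected group has to be removed from that group (or replaced by a separate admin account, as the answer recommends) before the reset will stick.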