Pimp Juice IT's questions

Whenever I block a sender in the Outlook M365 desktop app by right-clicking on an email and selecting "Block Sender" to move it to junk email, an error occurs in AD/Entra Connect, indicating "insufficient access rights to perform the operation".

I resolve this by accessing AD Users and Computers, right-clicking on my account, and navigating to: Properties > Security tab > Advanced > Restore Defaults > Apply > OK, and then AD/Entra Connect syncs work without error.

The issue is related to the msExchBlackedSenderHash attribute. The problem appears to affect AD user accounts with Domain Admins or Account Operators access. However, the resolution remains consistent across all accounts, requiring the applied fix mentioned earlier.

Some Technical Details

• On-prem AD using Microsoft Azure AD Connect version 2.2.1.0
• Forest and domain functional levels both Windows Server 2016
• 4 domain controllers none of which are read-only across two sites/subnets
• Hybrid Entra ID/Azure AD environment, all mailboxes are on M365/Exchange Online. While we're in the process of decommissioning Exchange 2010, there's still work to be done. External emails (inbound to our domain) are currently routed directly to M365.

Questions

• Is there a configuration in Azure AD Connect, M365, or on-premises Active Directory to prevent the 'insufficient access rights' error when blocking a sender in Outlook M365, especially for accounts with elevated privileges like Domain Admins or Account Operators?

• Is there a technical explanation for the root cause of this issue and any clarity as to why it poses a problem?

The server was unable to process the request due to an internal error

I ran into the below error message when running the Get-ADPrincipalGroupMembership account Powershell commands for certain user accounts in AD.

I searched the Internet thoroughly and couldn't find much at all so I kept digging, turned on verbose, tracing, testing, comparing, and so on.

I finally found the cause and a solution (in my case) so I wanted to post this here as both a question and an answer since I couldn't find much elsewhere during my troubleshooting process.

This may help someone get a quick solution and save them some headaches if they're working on something urgent or critical.

Full Powershell Error Message

PS C:\Users\User> Get-ADPrincipalGroupMembership <AccountName>
Get-ADPrincipalGroupMembership : The server was unable to process the request due to an 
internal error.  For more information about the error, either turn on 
IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the 
<serviceDebug> configuration behavior) on the server in order to send the exception 
information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 
SDK documentation and inspect the server trace logs.
At line:1 char:1
+ Get-ADPrincipalGroupMembership <AccountName>
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (<AccountName>:ADPrincipal) [Get-ADPrincipalGr 
   oupMembership], ADException
    + FullyQualifiedErrorId : The server was unable to process the request due to an inter 
   nal error.  For more information about the error, either turn on IncludeExceptionDetai  
  lInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configurati   
 on behavior) on the server in order to send the exception information back to the clie    
nt, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and i    
nspect the server trace logs.,Microsoft.ActiveDirectory.Management.Commands.GetADPrinc    
ipalGroupMembership