AWS AD Connect Replication permissions

Question

by default, "AWS Delegated Replicate Directory Changes Administrators" have "Replicate Directory Changes" permissions and don't have "Replicate Directory Changes All" which  prevent password hash synchronization with Azure AD in case of AD Connect usage.  
https://social.technet.microsoft.com/wiki/contents/articles/51110.azure-ad-sync-troubleshooting-error-611-replication-access-was-denied-password-synchronisation-failed.aspx  
        Is it by design?  
        Is it possible add "Replicate Directory Changes All" permission?  
        What is the possible work around?

Answer

Yes this is by design.  As managed service we can not allow our passwords to replicate to a 3rd party.  This blog post describes the AD Connect scenario that we do support.  
  
https://aws.amazon.com/blogs/security/how-to-enable-your-users-to-access-office-365-with-aws-microsoft-active-directory-credentials/

AWS AD Connect Replication permissions

Contenido relevante