I have an on-premises deployment of Windows Hello for Business [Certificate Trust] using ADFS 4.0 DRS.
I also have an O365 Apps for Enterprise (ProPlus) subscription.
The identities (users only) are synced from on-premises to Azure AD.
Only 8 attributes (the ones required for O365 ProPlus) are synced [app filtering is in use].
No device/group write-back is enabled, and no other O365 applications are used.
I am seeing plenty of errors like the ones mentioned in the blog below (Q4) in the Synchronization Service, where the service is trying to overwrite/remove the msDS-KeyCredentialLink attribute [populated due to WH4B provisioning] and fails for insufficient permissions.
They should be triggered by the synchronization rules listed below:
In from AAD – User NGCKey (to DeviceKey in the MV)
Out to AD – User NGCKey (from DeviceKey in the MV to msDS-KeyCredentialLink in AD)
Why does it need to write back the NGC key?
Why do the errors still persist even if the rules below are disabled?
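As an added diagnostic (example code, not part of the original question or answer), the following checks confirm the state of the two NGCKey sync rules named above, which AD users currently carry a key in msDS-KeyCredentialLink, and which principals hold write access on that attribute for a given user object, which is what an "insufficient permissions" sync error is about. It assumes the ADSync and ActiveDirectory PowerShell modules are available on the Azure AD Connect server, and `$SamAccountName` is a placeholder for the user being investigated.

```powershell
# Added diagnostic example; not from the original post.
# Assumes the ADSync module (Azure AD Connect server) and the RSAT ActiveDirectory module.
Import-Module ADSync
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'   # placeholder: the user whose sync error you are investigating

# 1. Current state (enabled/disabled, direction, precedence) of the NGCKey sync rules.
Get-ADSyncRule |
    Where-Object { $_.Name -like '*NGCKey*' } |
    Select-Object Name, Direction, Disabled, Precedence |
    Format-Table -AutoSize

# 2. Users that already have a Hello key in AD (the attribute the outbound rule writes).
Get-ADUser -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties 'msDS-KeyCredentialLink' |
    Select-Object SamAccountName,
                  @{ n = 'KeyCount'; e = { @($_.'msDS-KeyCredentialLink').Count } }

# 3. Who holds WriteProperty on msDS-KeyCredentialLink for this user's object.
#    ACEs reference the attribute by its schemaIDGUID, so look that up from the schema first.
$attr = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
                     -LDAPFilter '(lDAPDisplayName=msDS-KeyCredentialLink)' `
                     -Properties schemaIDGUID
$attrGuid = [guid]$attr.schemaIDGUID

$user = Get-ADUser -Identity $SamAccountName
(Get-Acl -Path "AD:\$($user.DistinguishedName)").Access |
    Where-Object { $_.ObjectType -eq $attrGuid -and
                   $_.ActiveDirectoryRights -match 'WriteProperty' } |
    Select-Object IdentityReference, AccessControlType, IsInherited
```

Run it with an account that can read the schema and the user object's ACL. The third query lists only ACEs scoped to this attribute; if the Azure AD Connect service account (directly or through a group such as Key Admins) does not appear there with an Allow WriteProperty entry, the outbound rule cannot write the key and the export error is expected until either the permission is granted or the rule is genuinely disabled in step 1.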
Those attributes are part of the WHfB deployment; you shouldn't be disabling them, so maybe that's why you're getting errors.
NGC is also a set of attributes required for WHfB to work. Check out Jairo Cadena's blog (he is a Program Manager in the Identity Services Division at Microsoft), where he answers a question about NGCs: https://jairocadena.com/2016/01/18/how-domain-join-is-different-in-windows-10-with-azure-ad/