msDS-ExternalDirectoryObjectID attribute and Exchange Hybrid configuration

When using Azure AD Connect (AAD Connect) to synchronize identities between on-premises AD and Azure AD, there is one new attribute that is written back to on-premises AD when Exchange Hybrid Configuration is enabled. This attribute is named msDS-ExternalDirectoryObjectID and it essentially holds the username of the object from the cloud. The catch with this attribute is that it isn't mentioned in some of the older documentation, so you might miss it when configuring permissions for writeback to local AD. So, if you use AAD Connect to synchronize and have Exchange hybrid configuration turned on, make sure that the credential used to read from and write to the local AD forest(s) also has write permission on this attribute (in addition to write permission on the other 7 attributes written back in hybrid mode).

If you are experiencing this problem, it is quite easy to spot in Synchronization Service Manager:

You can also look at the connector space (on-premises AD connector) and search for errors; this will show you that the attribute AAD Connect tries to write is indeed msDS-ExternalDirectoryObjectID.

Newer documentation on the attributes AAD Connect synchronizes already lists this attribute, for example Azure AD Connect sync: Attributes synchronized to Azure Active Directory.
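To check, before the sync errors appear, whether the AD DS connector account can actually write msDS-ExternalDirectoryObjectID, and to grant it if not, here is an added PowerShell example (not from the original post). The account name and target OU are placeholders, and the check assumes the ACE is set on the OU or domain root with inheritance rather than directly on individual user objects.

```powershell
# Added example: audit and grant WriteProperty on msDS-ExternalDirectoryObjectID
# for the AAD Connect AD DS connector account. Values below are placeholders.
param(
    [string]$ConnectorAccount = 'CONTOSO\MSOL_placeholder',  # placeholder connector account
    [string]$TargetDN = 'OU=Synced,DC=contoso,DC=com'        # placeholder OU / domain root
)
Import-Module ActiveDirectory

$attr = 'msDS-ExternalDirectoryObjectID'

# Resolve the attribute's schemaIDGUID so an attribute-scoped ACE can be matched exactly.
$rootDse   = Get-ADRootDSE
$schemaObj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                 -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
$attrGuid  = [guid]$schemaObj.schemaIDGUID

# Compare by SID so that NTAccount vs SID representations in the ACL do not matter.
$sid = (New-Object System.Security.Principal.NTAccount($ConnectorAccount)).Translate(
            [System.Security.Principal.SecurityIdentifier])

$acl = Get-Acl -Path "AD:\$TargetDN"
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# An ACE counts if it allows WriteProperty either on this attribute specifically
# or on all properties (empty ObjectType), for this identity.
$hasWrite = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
    (($_.ActiveDirectoryRights -band $writeProp) -eq $writeProp) -and
    ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)
}

if ($hasWrite) {
    "$ConnectorAccount already has WriteProperty on $attr at $TargetDN"
} else {
    "$ConnectorAccount cannot write $attr at $TargetDN; granting it now"
    # Grant write on this single attribute for user objects, inherited to the subtree.
    dsacls $TargetDN /I:S /G "${ConnectorAccount}:WP;$attr;user"
}
```

Recent AAD Connect builds also ship an ADSyncConfig PowerShell module whose Set-ADSyncExchangeHybridPermissions cmdlet grants the full set of hybrid writeback permissions in one step; the script above is useful when you only want to verify or fix this one attribute.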