It’s been a while since I’ve updated this popular tool, and the need was brought to my attention by a peer who noticed an attribute being exported to on-premises AD (but failing):
As it turns out, the msDS-KeyCredentialLink is required for Windows Hello for Business Hybrid.
I’ve updated the permissions tool to handle the msDS-KeyCredentialLink attribute (which is used in Windows Hello for Business). I’m sure there are some weird edge cases, so I’ve not only added the user to the Key Admins group, but I have also delegated RP and WP on the objects directly (I’m a belt and suspenders kind of guy).
Go grab the new version at http://aka.ms/aadpermissions.