During synchronization of Active Directory with Office 365 via Azure AD Connect I was greeted with a list of accounts that have permission-issue. Error message by itself gives you a slight hint, but it doesn't tell you exactly where to look.
Reason for this error is usually lack of permissions for an account that is responsible for synchronization. During setup of Azure AD Connect you either configure account name yourself, or you let setup do it for you. Regardless of which route you choose the most likely reason for your problem is broken inheritance at some point where your synchronization account has access to the top level but the lower it goes, the harder it gets. Therefore, to fix my problem, I had to start with one of the accounts and see if an account in question has a synchronization account in its Security properties.
If you don't see your account on this list, click Advanced and verify that Inheritance is Enabled. If it is you need to go up and check every Organizational Unit above to see which of the above OU's have Inheritance disabled. It's also possible there are legitimate reasons for this, so an alternative way to fix this is adding your Azure Sync Account (MSOL_*) with proper permissions to OU with problems. However, keep in mind that giving correct permissions is key to this and is not as easy as fixing inheritance.
If you're not sure, your safest bet will be to Enable inheritance. My second choice would be assigning permissions by hand unless you know what you are doing.