Update 18/08/2021
Added details about version 1.6.11.3, which fixes a security issue.
Microsoft has released a major update of Azure AD Connect. This major release brings a lot of new features and new requirements for the local infrastructure. In this article I cover the latest information and how you can upgrade to the new release.
Version 2 of Azure AD Connect was released on 20/07/2021 and brought the product to version 2.0.3.0; the latest release of version 1 at that time was 1.6.4.0 (now 1.6.11.3). Microsoft then found a security issue in 1.6.4.0 and 2.0.3.0 and updated Azure AD Connect v2 to 2.0.8.0.
Microsoft also released an update for Azure AD Connect v1 that brings it to 1.6.11.3. This release is for customers running an older version of Windows Server who cannot upgrade to Windows Server 2016, and it fixes the same security issue that was found in 1.6.4.0.
Azure AD V2 API
One of the biggest changes on the Azure side in recent months has been the move of the Azure AD sync API to version 2 (the V2 endpoint). This move was first covered with the release of Azure AD Connect 1.6.2.4, but that release had a bug and was quickly replaced by 1.6.4.0. From 1.6.4.0 on, and in all v2 releases, the V2 API is used by default. The new API brings the following improvements:
- syncing groups with up to 250k members
- performance gains on export and import to Azure AD
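The cmdlets Microsoft documents for the V2 endpoint let you verify which API version a given server uses for import and export and switch an older 1.5.x/1.6.2.x installation to V2. The following script is an added example and not code from the original article; the cmdlet names are the documented ones, while the path of the `AADConnector.psm1` module is the default installation directory and is an assumption for your environment. Run it in an elevated PowerShell session on the Azure AD Connect server.

```powershell
# Added example: check and switch the Azure AD connector API version (V1 -> V2).
# Assumes the default install path of the AADConnector extension module.
Import-Module ADSync
Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Extensions\AADConnector.psm1'

function Get-AadcApiVersion {
    # Returns the API version used for export to and import from Azure AD.
    [pscustomobject]@{
        Export = Get-ADSyncAADConnectorExportApiVersion
        Import = Get-ADSyncAADConnectorImportApiVersion
    }
}

function Set-AadcApiVersion2 {
    # Never change the endpoint while a sync cycle may be running:
    # stop the scheduler first and re-enable it even if the switch fails.
    Set-ADSyncScheduler -SyncCycleEnabled $false
    try {
        Set-ADSyncAADConnectorExportApiVersion 2
        Set-ADSyncAADConnectorImportApiVersion 2
    }
    finally {
        Set-ADSyncScheduler -SyncCycleEnabled $true
    }
}

$before = Get-AadcApiVersion
Write-Host "Current API version - Export: $($before.Export) Import: $($before.Import)"

if ($before.Export -ne 2 -or $before.Import -ne 2) {
    Write-Host 'Switching connector to the V2 endpoint ...'
    Set-AadcApiVersion2
}

# Verify the result; both values should now report 2.
Get-AadcApiVersion
```

On 1.6.4.0 and later, and on every v2 release, both values already report 2, so the script only confirms the state; on an older release it performs the switch with the scheduler paused.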
Azure AD Connect lifetime
In November 2020 the Azure AD Connect team announced a new lifecycle for all Azure AD Connect versions. The team published the following important notice:
we will begin implementing a deprecation process whereby versions of Azure AD Connect that were released more than 18 months ago will be deprecated.
This means that every Azure AD Connect version older than 18 months is out of support. It is therefore really important to update the Azure AD Connect service regularly. Currently, versions older than 1.5.2.0 are no longer supported.
For small and medium-sized businesses, the auto-upgrade functionality keeps the Azure AD Connect server up to date. For Azure AD Connect installations with customized sync rules, I prefer to update the service manually, but this requires additional overhead.
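To see where a given server stands in this lifecycle, you want two facts: the installed Azure AD Connect version and whether auto-upgrade is active. The following script is an added example and not part of the original article. It reads the version from the uninstall entries in the registry (the display name `Microsoft Azure AD Connect` is an assumption) and compares it with the minimum supported version named above; `Get-ADSyncAutoUpgrade` is the documented ADSync cmdlet for the auto-upgrade state.

```powershell
# Added example: report the installed AAD Connect version against the lifecycle
# policy and show whether auto-upgrade will keep this server current.
Import-Module ADSync

# Oldest version still in support at the time of writing (from the notice above).
$minSupported = [version]'1.5.2.0'

function Get-AadcInstalledVersion {
    # The product registers itself in the uninstall list; the display name is
    # an assumption, the version string there is what the installer wrote.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
             Sort-Object DisplayName |
             Select-Object -First 1
    if (-not $entry) { throw 'Azure AD Connect is not installed on this server.' }
    [version]$entry.DisplayVersion
}

function Test-AadcLifecycle {
    $installed = Get-AadcInstalledVersion
    $upgrade   = Get-ADSyncAutoUpgrade   # Enabled, Disabled or Suspended
    [pscustomobject]@{
        InstalledVersion   = $installed
        MinimumSupported   = $minSupported
        Supported          = ($installed -ge $minSupported)
        IsV2               = ($installed.Major -ge 2)
        AutoUpgrade        = $upgrade
        # Servers with customized sync rules usually run with auto-upgrade
        # disabled or suspended; those need a planned manual upgrade.
        NeedsManualUpgrade = ($installed -lt $minSupported) -and ($upgrade -ne 'Enabled')
    }
}

Test-AadcLifecycle | Format-List
```

`Get-ADSyncAutoUpgrade -Detail` additionally shows the reason when the state is Suspended, which is the usual situation on servers with customized sync rules.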
Azure AD Connect v2 Improvements
Azure AD Connect v2 brings a ton of improvements and some big changes. The biggest change is that Azure AD Connect v2 is only supported on Windows Server 2016 or newer. Older Windows Server versions are no longer supported and you can't install Azure AD Connect v2 on them. In-place OS upgrades of servers with an existing Azure AD Connect installation are not supported either, so plan a swing migration to a new server.
- Azure AD Connect v2 needs Windows Server 2016 or newer
- this release enforces the use of TLS 1.2; if TLS 1.2 is not enabled, the installation fails
- the LocalDB components were upgraded to SQL Server 2019
- this release removes the need for a Global Administrator account to authenticate during Azure AD Connect setup (the Hybrid Identity Administrator role is sufficient)
- the Visual C++ runtime library version 14 is a prerequisite for SQL Server 2019
- the release uses the MSAL library for authentication; the older ADAL library was removed
- two new cmdlets were added to the ADSyncTools module to retrieve or enable the TLS 1.2 settings of the Windows Server (Get-ADSyncToolsTls12 | Set-ADSyncToolsTls12)
- ADSyncTools was revamped with several improved and new cmdlets
- new user properties can be synced from AD DS to Azure AD:
  - employeeType
  - employeeHireDate
- the release needs PowerShell version 5 or newer installed on the Windows Server (installed by default on Windows Server 2016 or newer)
- the Generic LDAP Connector and the SQL Connector were updated to the latest version
- the M365 Admin Center now reports the Azure AD Connect client version whenever there is export activity to Azure AD
Azure AD Connect v2 Installation
The installation or upgrade process is the same as for the version 1 releases. But remember: Azure AD Connect v2 is only supported on Windows Server 2016 or newer, and the server must have TLS 1.2 enabled.
Check and activate for TLS 1.2 enforcement
When you install Azure AD Connect v2 or update an existing installation, first check the Windows Server registry for TLS 1.2 enforcement. Otherwise you get the error message shown in the picture below.
TLS 1.2 can easily be enabled on the selected server with the PowerShell script from the MS Docs page about TLS 1.2 enforcement for Azure AD Connect (see the links at the end of this article). Note that the registry changes only take effect after a reboot.
After TLS 1.2 is enabled, the upgrade process is straightforward and no different from Azure AD Connect version 1.
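The setup check looks at the SCHANNEL protocol keys for TLS 1.2 and at the .NET Framework settings that make a .NET application (which the installer is) negotiate TLS 1.2. The following script is an added example, not the MS Docs script and not code from the original article: it audits those registry values, reports every non-compliant entry, and can write the expected values on request. The registry paths and value names are the ones the MS Docs script sets; run it in an elevated PowerShell session on the (future) Azure AD Connect server.

```powershell
# Added example: audit and optionally set the registry values behind the
# TLS 1.2 enforcement check of the Azure AD Connect v2 installer.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$dotnet   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$dotnet32 = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'

# Expected state: TLS 1.2 enabled for the server and client role of SCHANNEL,
# and .NET told to follow the OS defaults and use strong crypto (32- and 64-bit).
$required = @(
    @{ Path = "$schannel\Server"; Name = 'Enabled';                  Value = 1 }
    @{ Path = "$schannel\Server"; Name = 'DisabledByDefault';        Value = 0 }
    @{ Path = "$schannel\Client"; Name = 'Enabled';                  Value = 1 }
    @{ Path = "$schannel\Client"; Name = 'DisabledByDefault';        Value = 0 }
    @{ Path = $dotnet;            Name = 'SystemDefaultTlsVersions'; Value = 1 }
    @{ Path = $dotnet;            Name = 'SchUseStrongCrypto';       Value = 1 }
    @{ Path = $dotnet32;          Name = 'SystemDefaultTlsVersions'; Value = 1 }
    @{ Path = $dotnet32;          Name = 'SchUseStrongCrypto';       Value = 1 }
)

function Test-AadcTls12 {
    # One object per required value. Compliant is $false when the key or the
    # value is missing or when it holds a different number.
    foreach ($r in $required) {
        $current = $null
        if (Test-Path -Path $r.Path) {
            $current = (Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
        }
        [pscustomobject]@{
            Path      = $r.Path
            Name      = $r.Name
            Expected  = $r.Value
            Current   = $current
            Compliant = ($current -eq $r.Value)
        }
    }
}

function Enable-AadcTls12 {
    # Creates missing keys and writes the DWORD values. SCHANNEL reads these
    # at boot, so the server has to be rebooted before running the setup.
    foreach ($r in $required) {
        if (-not (Test-Path -Path $r.Path)) { New-Item -Path $r.Path -Force | Out-Null }
        New-ItemProperty -Path $r.Path -Name $r.Name -Value $r.Value -PropertyType DWORD -Force | Out-Null
    }
    Write-Warning 'TLS 1.2 registry values written; reboot before starting the Azure AD Connect setup.'
}

$state = Test-AadcTls12
$state | Format-Table Path, Name, Expected, Current, Compliant -AutoSize

if ($state.Compliant -contains $false) {
    Write-Host 'TLS 1.2 is not fully enforced on this server. Run Enable-AadcTls12 (elevated) and reboot.'
}
else {
    Write-Host 'TLS 1.2 enforcement is in place; the v2 installer should pass its check.'
}
```

On a server that already runs Azure AD Connect v2, `Get-ADSyncToolsTls12` and `Set-ADSyncToolsTls12` from the revamped ADSyncTools module cover the same settings; the script above is useful on a freshly built server before the product, and with it the module, is installed.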
Azure AD Cloud Sync
The goal of cloud migration is to minimize administrative overhead, automate existing workloads and get fully managed solutions from the provider. Some months ago Microsoft released Azure AD Cloud Sync as a fully cloud-managed solution for hybrid synchronization, whereas Azure AD Connect always requires an on-premises server to install and operate. Azure AD Cloud Sync is an Azure platform service that syncs your existing identities to the cloud without an on-premises sync server; the service is fully managed by Microsoft and configured natively in the Azure portal. The only on-premises component is a lightweight provisioning agent that has to be installed locally.
Short note
If you are interested in learning more about Identity Management and Identity Security, please take a look at our free, community-driven Cloud Identity Summit. We organize this free event as part of our Azure Bonn Meetup on 30/09/21.
Links
- MS Docs – Azure AD Connect sync V2 endpoint
- MS Docs – Azure AD Connect: ADSyncTools PowerShell Reference
- Microsoft releases Azure AD Connect 1.6.2.4/1.6.4.0
- MS Docs – What is Azure AD cloud sync
- MS Docs – TLS 1.2 enforcement for Azure AD Connect
- Azure AD Cloud Sync
- Cloud IdentitySummit – free Online conference about Cloud Identity
- DirTeam.com – Two new Azure AD Connect versions were released to prevent MitM attacks towards DCs