Azure AD Connect v1.1.553.0 addresses a critical security vulnerability … and offers new functionality, too

Yesterday, Microsoft released a new version of Azure AD Connect, its free tool to synchronize objects from your on-premises Active Directory Domain Services environment to Azure Active Directory.

It addresses a critical security vulnerability, but also offers new functionality, like delegate write-back from Exchange Online to Exchange Server on-premises.


Vulnerability could allow Elevation of Privilege

In this version of Azure AD Connect, an Elevation of Privilege vulnerability was fixed. This vulnerability is described in Microsoft Security Advisory 4033453 and CVE-2017-8613.

If the Password Writeback feature is enabled in Azure AD Connect, a malicious person who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary privileged user accounts, residing in the on-premises Active Directory Domain Services (AD DS) environment.

Version 1.1.553.0 of Azure AD Connect addresses this issue by blocking Password write-back requests for on-premises privileged accounts (determined by querying the adminCount attribute) unless the requesting Azure AD administrator is the owner of the account in the on-premises Active Directory Domain Services environment.

Call to action

Please update to Azure AD Connect version 1.1.553.0 as soon as possible.

Mitigating actions

If you are unable to immediately upgrade to the latest “Azure AD Connect” version, consider the following options:

  • If the account in the on-premises Active Directory Domain Services environment is a member of one or more on-premises privileged groups, consider removing the account from the group(s).
  • If an on-premises Active Directory administrator has previously created Control Access Rights on the adminSDHolder object for the account in the on-premises Active Directory Domain Services environment that permit the Reset Password operation, consider removing them.
  • It may not always be possible to remove existing permissions granted to the account in the on-premises Active Directory Domain Services environment. For example, the account may rely on the group membership for permissions required for other features, such as Password synchronization or Exchange hybrid writeback. In these cases, consider creating a Deny ACE on the adminSDHolder object that denies the AD DS account the Reset Password permission.
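As an added PowerShell example (not part of the original post), the following script audits the three mitigations above from the defender's side: it lists the accounts the fix treats as privileged (adminCount=1), shows which Allow ACEs on AdminSDHolder give the Azure AD Connect AD DS account the Reset Password right, and can add the explicit Deny ACE. It assumes the RSAT ActiveDirectory module; the account name in $ConnectAccount is a placeholder.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module and
# that $ConnectAccount is a placeholder for the AD DS account Azure AD Connect uses.
Import-Module ActiveDirectory

$ConnectAccount    = 'MSOL_PLACEHOLDER'
# Well-known control access right GUID for "Reset Password" (from the AD schema).
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

$domain        = Get-ADDomain
$adminSDHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Mitigation 1: the accounts the fix treats as privileged are those with adminCount=1.
$privileged = @(Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, memberOf)
Write-Host ("Accounts with adminCount=1: {0}" -f $privileged.Count)
$privileged | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# Mitigation 2: Allow ACEs on AdminSDHolder that give the connect account (directly or
# through one of its groups) the Reset Password right or full control.
$connectSids = @((Get-ADUser $ConnectAccount).SID) +
               @(Get-ADPrincipalGroupMembership $ConnectAccount | ForEach-Object { $_.SID })
$acl = Get-Acl -Path "AD:\$adminSDHolder"

$grants = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { continue }                      # unresolvable (orphaned) trustee, not ours
    if ($connectSids -notcontains $sid) { continue }

    $rights        = $ace.ActiveDirectoryRights
    $genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $hasFullControl = (($rights -band $genericAll) -eq $genericAll)
    # ObjectType Empty means "all extended rights", which includes Reset Password.
    $hasReset = ((($rights -band $extendedRight) -ne 0) -and
                 ($ace.ObjectType -eq $ResetPasswordGuid -or $ace.ObjectType -eq [Guid]::Empty))
    if ($hasFullControl -or $hasReset) { $ace }
}
if ($grants) {
    Write-Host "ACEs on AdminSDHolder granting $ConnectAccount Reset Password (consider removing):"
    $grants | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType | Format-Table -AutoSize
} else {
    Write-Host "No Allow ACE on AdminSDHolder grants $ConnectAccount Reset Password."
}

# Mitigation 3: when the Allow cannot be removed, add an explicit Deny for Reset Password.
# SDProp copies the AdminSDHolder ACL to protected accounts on its next pass
# (every 60 minutes by default), so the Deny takes effect within that window.
function Add-ResetPasswordDeny {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$SamAccountName)

    $sid  = (Get-ADUser $SamAccountName).SID
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ResetPasswordGuid)
    $current = Get-Acl -Path "AD:\$adminSDHolder"
    $current.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($adminSDHolder, "Deny Reset Password to $SamAccountName")) {
        Set-Acl -Path "AD:\$adminSDHolder" -AclObject $current
    }
}

# Preview first; drop -WhatIf to apply.
Add-ResetPasswordDeny -SamAccountName $ConnectAccount -WhatIf
```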


What’s New

Azure AD Connect Sync

Previously, the ‘msDS-ConsistencyGuid as Source Anchor’ feature was available to new deployments only. Now, it is available to existing deployments.

Specific to the userCertificate attribute on Device objects, Azure AD Connect now looks for the certificate values required for connecting domain-joined devices to Azure AD and filters out the rest before synchronizing to Azure AD.

Azure AD Connect now supports writeback of Exchange Online cloudPublicDelegates attribute to on-premises AD publicDelegates attribute. This enables the scenario where an Exchange Online mailbox can be granted SendOnBehalfTo rights to users with on-premises Exchange mailboxes. To support this feature, a new out-of-box sync rule “Out to AD – User Exchange Hybrid PublicDelegates writeback” has been added. This sync rule is only added to Azure AD Connect when the ‘Exchange Hybrid’ feature is enabled.

Azure AD Connect now supports synchronizing the altRecipient attribute from Azure AD.

The cloudSOAExchMailbox attribute in the Metaverse indicates whether a given user has an Exchange Online mailbox or not. Its definition has been updated to include additional Exchange Online RecipientDisplayTypes, such as Equipment and Conference Room mailboxes.

Several X509Certificate2-compatible functions for creating synchronization rule expressions to handle certificate values in the userCertificate attribute were added.

Metaverse schema changes have been introduced to allow customers to create custom synchronization rules to flow sAMAccountName, domainNetBios, and domainFQDN for Group objects, as well as distinguishedName for User objects.

The ADSyncDomainJoinedComputerSync PowerShell Cmdlet script now has a new optional parameter named AzureEnvironment. This parameter can be used to specify which region the corresponding Azure Active Directory tenant is hosted in.

The Sync Rule Editor has been updated to use Join (instead of Provision) as the default value of link type during sync rule creation.

AD FS Management

Previously, the ADFS Certificate Management feature provided by Azure AD Connect could only be used with ADFS farms managed through Azure AD Connect. Now, you can use the feature with ADFS farms that are not managed using Azure AD Connect.


Fixes

Azure AD Connect Sync

Fixed an issue related to the ‘msDS-ConsistencyGuid as Source Anchor’ feature where Azure AD Connect did not write back to the on-premises AD msDS-ConsistencyGuid attribute. The issue occurs when multiple on-premises AD forests are added to Azure AD Connect and the User identities exist across multiple directories option is selected.

Previously, even if the ‘msDS-ConsistencyGuid as Source Anchor’ feature wasn’t enabled, the “Out to AD – User ImmutableId” synchronization rule was still added to Azure AD Connect. The effect is benign and does not cause write-back of the msDS-ConsistencyGuid attribute to occur. To avoid confusion, logic has been added to ensure that the sync rule is only added when the feature is enabled.

Fixed an issue that caused password hash synchronization to fail with error event 611. This issue occurs after one or more domain controllers have been removed from the on-premises Active Directory Domain Services environment.

Previously, even if Automatic Upgrade had been disabled using the Set-ADSyncAutoUpgrade cmdlet, the Automatic Upgrade process continued to check for upgrades periodically, and relied on the downloaded installer to honor the disablement. With this fix, the Automatic Upgrade process no longer checks for upgrades periodically.

AD FS Management

The following URLs are new WS-Federation endpoints introduced by Azure AD to improve resiliency against authentication outages and will be added to the on-premises AD FS Relying Party Trust (RPT) configuration:

The team fixed an issue that caused AD FS to generate an incorrect claim value for IssuerID. This issue occurs if there are multiple verified domains in the Azure AD tenant and the domain suffix of the userPrincipalName attribute used to generate the IssuerID claim is at least three levels deep (for example, johndoe@us.contoso.com). The issue is resolved by updating the regex used by the claim rules.


Important information on this release

There are schema and synchronization rule changes introduced in this build.
Azure AD Connect Synchronization Service will trigger Full Import and Full Sync steps after you upgrade to this version. In some environments these steps may take several hours. During this timeframe other information is not synchronized.


Version information

This is version 1.1.553.0 of Azure AD Connect.
It was signed off on June 27, 2017.


Download information

You can download Azure AD Connect here.
The download weighs 79,6 MB.

Concluding

If your Azure AD Connect implementation hasn’t automatically upgraded to version 1.1.553.0 yet, please update your Azure AD Connect implementation as soon as possible.

In larger organizations and larger networking infrastructures, make sure to schedule the upgrade through lifecycle management in a period of time in which the Full Synchronization cycle does not impact business processes.


KnowledgeBase: When you activate the Microsoft Authenticator App on Android 5.x you receive “Your device does not trust the activation URL”

The mobile world is still a fragmented world, where various versions of Apple’s iOS and Google’s Android compete for usage share. With people still getting accustomed to today’s throw-away society, and handset manufacturers and vendors tailoring to their needs, there are people using three-year-old operating systems on mobile phones they just purchased.


The situation

When you implement Azure Multi-Factor Authentication (MFA) Server in a Hybrid Identity scenario, you’d be wise to use your Web Application Proxy infrastructure to publish Azure MFA Server’s User Portal and Mobile Portal.


The issue

With default settings, Web Application Proxies and Active Directory Federation Services (AD FS) Servers running Windows Server 2012 R2 (and up) don’t support Server Name Indication (SNI).

Server Name Indication (SNI) is an extension to the TLS protocol that allows any connecting device to indicate which hostname it is attempting to connect to at the start of the TLS handshake process. This allows a server to present multiple SSL/TLS certificates on the same IP address and TCP port. It allows multiple secure websites to be served by the same IP address without requiring all those sites to use the same certificate.

Therefore, when you try to activate a mobile device running Android 5.x while accessing the Mobile Portal through a Web Application Proxy with default settings (or any proxy, firewall and/or load balancer that doesn’t offer Server Name Indication), you receive the following error:

Unable to add the account

We couldn’t add the account as
your device does not trust the
activation URL. Please contact your
IT administrator.


The cause

Android 5 supports SNI, according to Qualys, but the official Microsoft Authenticator App on Android 5.x does not support it.

This is a piece of missing functionality in the Microsoft Authenticator App. There is no indication that Microsoft is spending resources on fixing this issue in the Microsoft Authenticator App on this platform.


The workaround

To work around this issue, accommodate non-Server Name Indication (non-SNI) capable devices on your Web Application Proxies by specifying a fallback TLS certificate, following these steps:

  • Log on interactively on a Windows Server that acts as a Web Application Proxy with an account with local administrator privileges.
  • Open a command prompt as an administrator, by either:
    • Typing in cmd and then right-clicking on the Command Prompt search result and selecting Run as administrator from the context menu, or
    • Pressing Windows + R simultaneously, typing cmd.exe and hitting Ctrl + Shift + Enter all at the same time.
  • Enter the following command at the command prompt:

netsh http show sslcert

  • This will output the certificate bindings in use. Copy the application globally unique identifier (GUID), including its braces, and the certificate thumbprint hash of the federation service binding.
  • Now construct the following command at the command prompt:

netsh http add sslcert ipport=0.0.0.0:443 certhash=CertThumbPrint appid={ApplicationGUID}

  • Next, run the following command:

net stop appproxysvc && net start appproxysvc

  • Close the command prompt window.
  • Log off.
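The procedure above, as an added PowerShell example that is not part of the original post: it parses the output of netsh http show sslcert, refuses to continue when a 0.0.0.0:443 fallback binding already exists (netsh would otherwise fail on the duplicate), and builds the netsh http add sslcert command from the federation service's hostname binding. The netsh output in $sample is constructed; its hash and GUID are placeholders and sts.example.com stands in for your federation service name.

```powershell
# Added example, not from the original post. Parses "netsh http show sslcert" output and
# builds the fallback (non-SNI) binding command from the federation service binding.

function ConvertFrom-NetshSslCert {
    # Turns the key : value blocks of "netsh http show sslcert" into objects, one per binding.
    param([Parameter(Mandatory)][string[]]$Lines)
    $bindings = @()
    $current  = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)\s*$') {
            # Every binding starts with an IP:port (classic) or Hostname:port (SNI) line.
            $current = [ordered]@{ Kind = $Matches[1]; Endpoint = $Matches[2] }
            $bindings += $current
        } elseif ($current -and $line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $current[$Matches[1]] = $Matches[2]   # e.g. "Certificate Hash", "Application ID"
        }
    }
    $bindings | ForEach-Object { [pscustomobject]$_ }
}

function Get-FallbackSslCertCommand {
    param(
        [Parameter(Mandatory)][string[]]$NetshOutput,
        [Parameter(Mandatory)][string]$FederationServiceName,   # placeholder, e.g. sts.example.com
        [int]$Port = 443
    )
    $bindings = ConvertFrom-NetshSslCert -Lines $NetshOutput

    # A wildcard IP:port binding is what non-SNI clients get; adding a second one fails.
    $existing = $bindings | Where-Object { $_.Kind -eq 'IP:port' -and $_.Endpoint -eq "0.0.0.0:$Port" }
    if ($existing) {
        throw "A fallback binding for 0.0.0.0:$Port already exists (hash $($existing.'Certificate Hash')); " +
              "remove it first with 'netsh http delete sslcert ipport=0.0.0.0:$Port'."
    }

    # The federation service's SNI binding carries the certificate and app ID to reuse.
    $sts = $bindings | Where-Object {
        $_.Kind -eq 'Hostname:port' -and $_.Endpoint -eq "${FederationServiceName}:$Port"
    }
    if (-not $sts) {
        throw "No hostname binding for ${FederationServiceName}:$Port found; check the federation service name."
    }
    "netsh http add sslcert ipport=0.0.0.0:$Port certhash=$($sts.'Certificate Hash') appid=$($sts.'Application ID')"
}

# Constructed sample of "netsh http show sslcert" output; hash and GUID are placeholders.
$sample = @'
SSL Certificate bindings:
-------------------------

    Hostname:port                : sts.example.com:443
    Certificate Hash             : 0123456789abcdef0123456789abcdef01234567
    Application ID               : {00000000-0000-0000-0000-000000000001}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled

    Hostname:port                : sts.example.com:49443
    Certificate Hash             : 0123456789abcdef0123456789abcdef01234567
    Application ID               : {00000000-0000-0000-0000-000000000001}
    Certificate Store Name       : MY
'@ -split "`r?`n"

# On a real Web Application Proxy, replace $sample with: $(netsh http show sslcert)
Get-FallbackSslCertCommand -NetshOutput $sample -FederationServiceName 'sts.example.com'
```

The emitted command still has to be run by you, followed by the appproxysvc restart from the steps above.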


Concluding

This challenge with Microsoft’s Authenticator App will go away, because Android 5.x devices will, eventually, go away. Until that time, accommodate non-SNI capable devices on your Web Application Proxies by specifying a fallback TLS certificate.

Further reading

Azure Authenticator App on Android – your device does not trust the activation url 
Server Name Indication 
Server Name Indication (SNI) 
How to support non-SNI capable Clients with Web Application Proxy and AD FS 
Federation with ADFS 3.0 and SNI Support 
ADFS 3.0, WAP, SNI and Network Load Balancing


KnowledgeBase: When you activate the Microsoft Authenticator App you receive “The remote server returned an error: NotFound”

I’ve written about the Multi-Factor Authentication server quite extensively. I’ve been pretty content with text messages for authentication, but since DRAFT NIST Special Publication 800-63B deprecates Out-of-Band (OOB) authentication using the PSTN (SMS or voice) (ref 5.1.3.2), I’ve been taking a closer look at the Microsoft Authenticator app.


The situation

Microsoft’s on-premises Multi-Factor Authentication Server and the accompanying Azure MFA Service, luckily, support more authentication methods besides voice calls and text messages (in random order):

  1. Phone call
  2. Two-way SMS
  3. Two-way SMS with PIN
  4. One-way SMS
  5. One-way SMS with PIN
  6. OATH token
  7. Mobile App

I’ve done an extensive review of the pros and cons of each authentication method, so I decided to take a closer look at the Mobile App, especially, since Microsoft has put quite some work in it recently.

To this purpose, I added the Multi-Factor Authentication Mobile Portal to an existing Multi-Factor Authentication Server implementation.

I then logged on to the Multi-Factor Authentication User Portal with a user account, performed the second authentication method assigned to the user account and chose Activate Mobile App from the menu in the left pane.

Screenshot of the Activate Mobile App screen in the MFA User Portal (click for original screenshot)

The issue

After I hit Generate Activation Code and scanned the barcode with my phone, the app responded with an error:

The remote server returned an error: NotFound


The cause

The existing Multi-Factor Authentication Server implementation I reused for this purpose uses a TLS certificate that was issued by a private Certification Authority (CA).

Although the root certificate was added to the certificate store of the phone, and desktops with the root certificate installed access the Mobile Portal without problems, the certificate does not work with the app on phones.


The solution

To make the Microsoft Authenticator app work, use a publicly trusted TLS certificate with your Multi-Factor Authentication (MFA) Server Mobile Portal(s).


Related blogposts

Choosing the right Azure MFA authentication methods 
Microsoft Authenticator – One easy-to-use app for all your MFA needs

Further reading

Time is running out for this popular online security technique


Pictures of CSN Academy 2017

I was invited to co-present with my colleague Carlo Schaeffer at CSN Group’s CSN Academy 2017 event at the campus of the Royal Dutch Football Association (KNVB) in Zeist, the Netherlands.

I arrived on time at the venue, to enjoy the lunch and Frank Smilda’s keynote on cyber security.

Entrance of the CSN Academy event (click for larger photo)
Lunch in the lobby at the KNVB Campus (click for larger photo by Carlo Schaeffer)
Keynote by a cop in uniform. Like! (click for larger photo)

Then, after the inspiring keynote, it was time to shine for Carlo and me in room 4.

We were scheduled for a 45-minute session on Identity and Access Management (IAM) with Microsoft in the cloud and decided to make it part inspiring and part technical. Of course, the technical part was where I came in.

Quiet before the storm ;-) (click for larger photo)
Carlo Schaeffer kicking it off! (click for larger photo)
Scary statistics, but don't worry. We have solutions. (click for larger photo)
Counting to Five with a potential customer... 2 AD FS Servers, 2 Web App Proxies and an Azure AD Connect box. Yep, that's a lot of iron (click for larger photo by Carlo Schaeffer)
Conditional Access requires Azure AD Premium. I know, right!? (click for larger photo by Carlo Schaeffer)

After the session, we had talks with potential customers who came up to us with questions on deploying and managing Azure, Active Directory and Azure Active Directory. Next week, we’ll be following up with them to see how we can make them happy with Hybrid Identity.

A big shout-out to CSN Group for this wonderful event and our audience.
Thank you!


Pictures of the 2017 Experts Live Summer Night

Yesterday, Raymond Comvalius and I presented a 45-minute session on Shielded VMs at the Experts Live Summer Night, the IT Pro BBQ of the year.

We arrived together at de Landgoederij in Bunnik, because we both parked our electric cars at the same location, a little outside the venue. Therefore, we received our speaker badges simultaneously.

Speaker Badges (click for larger photo)

At 3:40PM we could enter the room, which is the main room at the venue. We set up our presentation and then kicked it off at 4PM.

Title Slide (click for larger photo)
Our audience (click for larger photo)
Introduction (click for larger photo by Robert Smit)
Wasn't BitLocker supposed to be the solution? (click for larger photo by Erik Loef)
Interacting with the audience (click for larger photo)
Raymond Comvalius presenting (click for larger photo)
What's the Issue? (click for larger photo by James vd Berg)
Presenting (click for larger photo by Jaap Brasser)

Right on time, we wrapped up our questions and made room for Jaap Brasser, who presented on JEA and JIT.

We had tons of fun!
Thank you!


You were expecting pictures of IT Pros BBQ’ing or me eating in the sun?
I’m sorry.

Unfortunately I had to leave right after the presentation to make it in time to other appointments.


I’m co-presenting at the Experts Live Summer Night 2017

This Wednesday, the Experts Live Netherlands foundation hosts the second edition of its Experts Live Summer Night event.

Branded ‘Security Edition’, it should not come as a surprise that I’m presenting. This time around, I’m co-presenting a 45-minute session with Raymond Comvalius on Shielded VMs.


About Experts Live

Experts Live is an independent platform for IT Professionals on Microsoft solutions. A platform for and by the community. Next to its yearly Experts Live knowledge event, the Experts Live Netherlands foundation also incorporates the yearly Summer BBQ, previously hosted yearly by the Dutch System Center User Group.

Because security is hot, this year’s Summer Night is about security. The keynote, starting at 2PM, is delivered by Roel Bierens and Pieter Westein, cybersecurity specialists at Deloitte. Then, two tracks (Modern Workplace and Modern Datacenter) unfold, each featuring three sessions. At 6:45 PM, food is served from the infamous BBQ at De Landgoederij in Bunnik.


About our session

Raymond and I will be delivering a 45-minute session:

Introducing Shielded VMs

4PM – 4:45PM Room 2, Modern Datacenter Track

The efficiency of virtualization is great. But do you trust the admin of your virtualization host that much? As the owner of the platform, your hoster usually owns your VMs as well. Shielded VMs are about to change that. This session will show how Shielded VMs allow you to significantly enhance the security of virtual machines, in a way that you can finally be sure that only you own the contents of your virtual machines and that your hoster can just be the hoster.


Join us!

Join Raymond and me for another fun and interactive session.

If you haven’t purchased a ticket yet, then don’t worry. Tickets are still available at EUR 75 on the Experts Live website.

See you there?


I’m co-presenting at CSN Academy 2017

With our partner-friendly model, we work together with partners like Microsoft and Veeam.

We also work with other partners, including the CSN Group, formerly known as CAD Services Nederland.

Building on our strong bond, formed by working together on our bespoke solutions for multiple organizations, Carlo Schaeffer and I are presenting a session at CSN’s Academy event next week.


About CSN Academy 2017

CSN Academy is CSN Group’s yearly event to inspire customers and potential customers to think about new technological advancements, products and challenges.

For CSN Academy 2017, the event offers multiple gems: a cybercrime session with Frank Smilda from the Dutch police, a legal session with Mathieu Paapst, a VDI session, a software asset management (SAM) session, a customer reference and multiple partner sessions on IoT and cloud.

Impression of the KNVB Campus

The event takes place at the campus of the Royal Dutch Football Association (KNVB) in Zeist, the Netherlands on Thursday afternoon, June 15, 2017. No wonder, then, that the closing keynote speaker is Jan Smit, (former) chairman of Heracles Almelo, one of the clubs more recently promoted to the Dutch Football Honor Division.


About our session

Carlo and I present a 45-minute session:

Identity and Access Management with Microsoft Azure, manageable and secure

1:30 PM – 2:15 PM

Identity is hot! We mindlessly authenticate at the office and in the cloud. How do we transform this into a manageable and secure process? In this session, SCCT’s experts explain the challenges at hand and how to effectively tackle them using Microsoft Azure Active Directory.


Join us!

You can join us for free on June 16 and upgrade your IT knowledge.

See you there?


Pictures of Techorama 2017

Yesterday, I drove to Antwerp to present at Techorama, Belgium’s unique conference geared towards developers, IT professionals, data professionals and SharePoint professionals.

I left home at about 6:30 AM and arrived at Kinepolis Antwerp around 7:45 AM. Even this early, the event was already alive with crowds queuing outside for registration.

Outside of the Kinepolis Event Center (click for larger photo)
Welcome to Techorama 2017 (click for larger photo with Aleksandar Nikolic)
The Techorama Speaker Lounge in subtropic theme, including hammock! :-) (click for larger photo)

From the Speaker Room, Aleksandar Nikolic and I ambushed Scott Guthrie, Executive Vice President of the Cloud and Enterprise group in Microsoft, at his all-red shirts booth. The aim, of course, was to get a selfie ahead of the Red Shirt Tour in Amsterdam today and to have discussions on our respective areas of interest.

Red Shirt Selfie with Scott Guthrie (click for larger photo)

Right after the delicious and abundant lunch, it was time to present 60 minutes on ‘Azure AD Connect, Inside Out’.

Moments before starting my presentation, silencing my phone (Click for larger photo by Arnold)
Introduction. My head was never this big! ;-P (click for larger photo by Aleksandar Nikolic)
Sharing my agenda (click for larger photo by Aleksandar Nikolic)
Show of hands! (click for larger photo by Aleksandar Nikolic)
A brief history of Azure AD Connect (click for larger photo)

After my session, I chatted with John Craddock and Joachim Nässlander, but had to leave the event early to attend to one of my other communities, the Municipal Council of the City of Schiedam.

I had a great time.
Thank you!

Further reading

I’m speaking at Techorama Belgium 2017 
Pictures of ITPROceed 2016 
I’ll be speaking at ITPROceed 2016 
Pictures of ITPROceed 2015 
I’ll be speaking at ITPROceed 2015 
Pictures of the Belgian 2013 Community Day


I’m speaking at Techorama Belgium 2017

A while back, I heard from the Techorama Belgium organization that they merged their Microsoft developer-focused event with ITPROceed to create one big Belgian Microsoft Community event: Techorama.

I was invited to share any presentations I deemed fit for such a conference and the organization actually picked one…


About Techorama


Techorama is a yearly international technology conference that takes place at Kinepolis Metropolis Antwerp. Techorama welcomes about 1500 attendees, a healthy mix of developers, IT Professionals, Data Professionals and SharePoint professionals. Techorama’s commitment is to create a unique conference experience with quality content and the best speaker line-up.

The Techorama 2017 keynote is delivered by Scott Guthrie, who will talk about Azure, the intelligent cloud. Other national and international speakers you might have heard of also joined the line-up, including Dominick Baier, Aleksandar Nikolic, Dandy Weyn, Dieter Wijckmans, Tim de Keukelaere, John Craddock, Johan Delimon, Peter de Tender, Peter Daalmans, Rasmus Hald and Joachim Nässlander.


About my session

I’m presenting a 60-minute session on Tuesday May 23:

Azure AD Connect, Inside Out

Tuesday May 23, 2017 1:45PM – 2:45PM Room 11

New hybrid cloud scenarios introduce new identity challenges. But how do you overcome these? How do you properly design and implement Hybrid Identity in real world scenarios?

In this demo-packed session I’ll turn Microsoft’s free Hybrid Identity ‘bridge’ product, Azure AD Connect, inside out, showing all the good stuff, but also the gory details! This session is one no Active Directory admin should miss!


Join me!

Techorama 2017 has sold out. If you’re among the lucky people who grabbed a ticket, join me for this session.

We’ll have a lot of fun!


Azure AD Connect 1.1.524.0 brings a ton of new functionality to Hybrid Identity

Microsoft released a new version of its Azure AD Connect tool earlier this week (May 15) dubbed the May 2017 release.

This is the big release a lot of us have been hoping for, because it brings a ton of new functionality. Personally, this release solves one of my ten biggest pains with Azure AD Connect in one fell swoop!

Also, since the last version, the accompanying text for the releases is more human readable. I provided feedback on the brevity of these texts a couple of times and it’s refreshing to see someone describing issues and functionality this clearly!


What’s New

Azure AD Connect sync

  • Sync Rule Changes
    The following sync rule changes have been implemented:

    • Updated the default sync rule set to not export attributes userCertificate and userSMIMECertificate if these attributes have more than 15 values.
    • AD attributes employeeID and msExchBypassModerationLink are now included in the default sync rule set.
    • AD attribute photo has been removed from the default sync rule set.
    • Added preferredDataLocation to the Metaverse schema and Azure AD Connector schema. Customers who want to update this attribute in Azure AD can implement custom sync rules to do so.
    • Added userType to the Metaverse schema and AAD Connector schema. Customers who want to update this attribute in Azure AD can implement custom sync rules to do so.
    • Azure AD Connect now automatically enables the use of the ConsistencyGuid attribute as the Source Anchor attribute for on-premises Active Directory objects.
      Further, Azure AD Connect populates the ConsistencyGuid attribute with the objectGuid attribute value if it is empty.

Note:
This latter feature is applicable to new deployment only.

  • New PowerShell troubleshooting functionality
    New troubleshooting Windows PowerShell Cmdlet Invoke-ADSyncDiagnostics has been added to help diagnose Password Hash Synchronization related issues.
  • Support for synchronizing Public Folders
    Azure AD Connect now supports synchronizing Mail-Enabled Public Folder objects from on-premises AD to Azure AD. You can enable the feature using the Azure AD Connect wizard under Optional Features.
  • Automatic creation of Service Accounts with Custom Settings
    Azure AD Connect requires AD DS accounts to synchronize from on-premises AD.
    Previously, if you installed Azure AD Connect using Express mode, you could provide the credentials of an Enterprise Admin account in Azure AD Connect and leave it to Azure AD Connect to create the required AD DS account. However, for custom installations and adding forests to existing deployments, you had to provide the AD DS account instead. Now, you also have the option to provide the credentials of an Enterprise Admin account during custom installation and let Azure AD Connect create the required AD DS account.
  • Azure AD Connect now supports SQL Always On Availability (AOA).
    However, you must configure the SQL Server infrastructure before installing Azure AD Connect. During installation, Azure AD Connect detects whether the SQL instance provided is enabled for SQL AOA or not. If SQL AOA is enabled, Azure AD Connect further figures out if SQL AOA is configured to use synchronous replication or asynchronous replication.

Tip!
When setting up the Availability Group Listener, it is recommended that you set the RegisterAllProvidersIP property to 0. This is because Azure AD Connect currently uses SQL Native Client to connect to SQL and SQL Native Client does not support the use of MultiSubNetFailover property.

  • New Database cleanup PowerShell functionality
    If you are using LocalDB as the database for your Azure AD Connect server (as with Express Settings) and it has reached its 10-GB size limit, the Synchronization Service would no longer start. Previously, you needed to perform a ShrinkDatabase operation on the LocalDB to reclaim enough database space for the Synchronization Service to start, after which, you could use the Synchronization Service Manager to delete run history to reclaim more database space.
    Now, you can use the Start-ADSyncPurgeRunHistory PowerShell Cmdlet to purge run history data from LocalDB to reclaim database space. Further, this cmdlet supports an offline mode (by specifying the -offline parameter) that can be used when the Synchronization Service is not running.

Note:
The offline mode can only be used if the Synchronization Service is not running and the database used is LocalDB.

  • Automatic compression of sync error details
    To reduce the amount of storage space required, Azure AD Connect now compresses sync error details before storing them in LocalDB/SQL databases. When upgrading from an older version of Azure AD Connect to this version, Azure AD Connect performs a one-time compression on existing sync error details.
  • Improved Full import triggering
    Previously, after updating the OU filtering configuration, you had to manually run a Full import to ensure existing objects were properly included in or excluded from directory synchronization. Now, Azure AD Connect automatically triggers a Full import during the next sync cycle. Further, the Full import is only applied to the AD connectors affected by the update.

Note:
This improvement is applicable to OU filtering updates made using the Azure AD Connect wizard, only. It is not applicable to OU filtering updates made using the Synchronization Service Manager.

  • Group-based filtering support for computer objects
    Previously, Group-based filtering supported Users, Groups, and Contact objects only. Now, Group-based filtering also supports Computer objects.
  • Improved Connector Space data deletion logic
    Previously, you could delete Connector Space data without disabling the Azure AD Connect sync scheduler. Now, the Synchronization Service Manager blocks the deletion of Connector Space data if it detects that the scheduler is enabled. Further, a warning is returned to inform you about potential data loss if the Connector space data is deleted.
  • Partial PowerShell transcription requirement resolved
    Previously, you had to disable PowerShell transcription for the Azure AD Connect wizard to run correctly. This issue is partially resolved. You can enable PowerShell transcription if you are using Azure AD Connect wizard to manage the synchronization configuration. You must disable PowerShell transcription if you are using the Azure AD Connect wizard to manage an AD FS configuration.

Fixes

Azure AD Connect sync

  • Improved Automatic Upgrade Logic
    Fixed an issue that caused Automatic Upgrade to occur on the Azure AD Connect server even if the customer had disabled the feature using the Set-ADSyncAutoUpgrade cmdlet. With this fix, the Automatic Upgrade process on the server still checks for upgrades periodically, but the downloaded installer honors the Automatic Upgrade configuration.
  • Improved DirSync Upgrade resiliency
    During DirSync in-place upgrade, Azure AD Connect creates an Azure AD service account to be used by the Azure AD connector for synchronizing with Azure AD. After the account is created, Azure AD Connect authenticates with Azure AD using the account. Sometimes, authentication fails because of transient issues, which in turn causes DirSync in-place upgrade to fail with error “An error has occurred executing Configure AAD Sync task: AADSTS50034: To sign into this application, the account must be added to the xxx.onmicrosoft.com directory.” To improve the resiliency of DirSync upgrade, Azure AD Connect now retries the authentication step.
  • Improved DirSync Upgrade logic
    Version 1.1.443.0 had an issue that caused DirSync in-place upgrade to succeed without creating the run profiles required for directory synchronization. Healing logic is included in this build of Azure AD Connect: when you upgrade to version 1.1.524.0 or beyond, Azure AD Connect detects missing run profiles and creates them.
  • Improved DirSync Upgrade logic
    Fixed an issue that caused DirSync upgrade to fail with the error “a deadlock occurred in sql server which trying to acquire an application lock” when the mailNickname attribute is found in the on-premises AD schema but is not bound to the AD User object class.
  • Improved Password Synchronization logic
    Fixed an issue that caused the Password Synchronization process to fail to start with Event ID 6900 and the error “An item with the same key has already been added”. This issue occurs if you update the OU filtering configuration to include the AD configuration partition. To fix this issue, the Password Synchronization process now synchronizes password changes from AD domain partitions only; non-domain partitions such as the configuration partition are skipped.
  • Azure AD Connect's on-premises service account no longer has the PASSWD_NOTREQD flag set
    During Express installation, Azure AD Connect creates an on-premises AD DS account to be used by the AD connector to communicate with on-premises AD. Previously, the account was created with the PASSWD_NOTREQD flag set on the userAccountControl attribute and a random password was set on the account. Now, Azure AD Connect explicitly removes the PASSWD_NOTREQD flag after the password is set on the account.
  • Improved Device Write-Back logic
    Fixed an issue that caused the Device Write-Back feature to be disabled automatically when an administrator updated the Azure AD Connect synchronization configuration using the Azure AD Connect wizard. The issue was caused by the wizard performing a prerequisite check on the existing Device Write-Back configuration in the on-premises Active Directory environment, and that check failing. The fix is to skip the check if Device Write-Back was already enabled.
  • Improved OU Filtering logic
    To configure OU filtering, you can either use the Azure AD Connect wizard or the Synchronization Service Manager. Previously, if you used the Azure AD Connect wizard to configure OU filtering, new OUs created afterwards were included for directory synchronization; if you did not want new OUs to be included, you had to configure OU filtering using the Synchronization Service Manager. Now, you can achieve the same behavior using the Azure AD Connect wizard.
  • Improved Stored Procedure logic
    Fixed an issue that causes stored procedures required by Azure AD Connect to be created under the schema of the installing admin, instead of under the dbo schema.
  • Improved TrackingId resiliency
    Fixed an issue that causes the TrackingId attribute returned by Azure AD to be omitted in the Azure AD Connect Server Event Logs. The issue occurs if Azure AD Connect receives a redirection message from Azure AD and Azure AD Connect is unable to connect to the endpoint provided. The TrackingId is used by Support Engineers to correlate with service side logs during troubleshooting.
  • Improved large object logic
    When Azure AD Connect receives a LargeObject error from Azure AD, it generates an event with EventID 6941 and the message “The provisioned object is too large. Trim the number of attribute values on this object.” At the same time, Azure AD Connect also generates a misleading event with EventID 6900 and the message “Microsoft.Online.Coexistence.ProvisionRetryException: Unable to communicate with the Windows Azure Active Directory service.” To minimize confusion, Azure AD Connect no longer generates the latter event when a LargeObject error is received.
  • Improved Synchronization Service Manager responsiveness
    Fixed an issue that causes the Synchronization Service Manager to become unresponsive when trying to update the configuration for the Generic LDAP connector.
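The PASSWD_NOTREQD fix above matters because that flag exempts an account from the domain's password requirement, so an account carrying it can end up with an empty password. The following is an added example, not code from the release notes or from Azure AD Connect itself, that audits an on-premises AD DS domain for accounts that still carry the flag and clears it on the connector account once a password is confirmed to be set. It assumes the ActiveDirectory RSAT module is installed; the connector account name is a placeholder to replace with the actual account (Express installation names it with an MSOL_ prefix).

```powershell
# Added example, not from the release notes or the Azure AD Connect product: audit
# on-premises AD DS for accounts that still carry PASSWD_NOTREQD (0x0020) in
# userAccountControl, and clear it on the AD DS connector account once a password is set.
# Assumes the ActiveDirectory RSAT module; the connector account name is a placeholder.
Import-Module ActiveDirectory

# LDAP bitwise AND matching rule against the PASSWD_NOTREQD bit (decimal 32).
$PasswdNotReqdFilter = '(userAccountControl:1.2.840.113556.1.4.803:=32)'

function Get-PasswordNotRequiredAccount {
    [CmdletBinding()]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    Get-ADUser -LDAPFilter $PasswdNotReqdFilter -SearchBase $SearchBase `
               -Properties userAccountControl, PasswordLastSet, adminCount |
        Select-Object SamAccountName, DistinguishedName, PasswordLastSet, adminCount,
            @{ Name = 'userAccountControl'; Expression = { '0x{0:X}' -f $_.userAccountControl } }
}

function Clear-PasswordNotRequired {
    # Clears the flag only when the account demonstrably has a password (PasswordLastSet
    # populated), which is the state the fixed Express installation leaves the account in.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Identity)

    $acct = Get-ADUser -Identity $Identity -Properties PasswordLastSet, userAccountControl
    if (-not $acct.PasswordLastSet) {
        Write-Warning "$Identity has no password set; set one before clearing PASSWD_NOTREQD."
        return
    }
    if (($acct.userAccountControl -band 0x20) -eq 0) {
        Write-Verbose "$Identity does not have PASSWD_NOTREQD set."
        return
    }
    if ($PSCmdlet.ShouldProcess($Identity, 'Clear PASSWD_NOTREQD')) {
        Set-ADAccountControl -Identity $acct -PasswordNotRequired $false
    }
}

# Report every account in the domain with the flag set; a connector account created by an
# older Express installation shows up here if it was never corrected.
Get-PasswordNotRequiredAccount | Format-Table -AutoSize

# Clear the flag on the connector account. Replace the placeholder with the actual name;
# drop -WhatIf to apply the change.
Clear-PasswordNotRequired -Identity 'MSOL_PLACEHOLDER' -WhatIf
```

The report includes adminCount so that privileged accounts with the flag stand out; those deserve attention first, independent of the Azure AD Connect account.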


Important information on this release

There are schema and synchronization rule changes introduced in this build.
Azure AD Connect Synchronization Service will trigger Full Import and Full Sync steps after you upgrade to this version. In some environments these steps may take several hours. During this timeframe other information is not synchronized.
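Because this upgrade triggers a Full Import and Full Sync that can run for hours, it helps to control when it happens. The following is an added example, not part of the release notes or of Azure AD Connect, that reports the Automatic Upgrade and scheduler state with the ADSync module cmdlets (Get-/Set-ADSyncAutoUpgrade, Get-/Set-ADSyncScheduler, Start-ADSyncSyncCycle), stops the scheduler for maintenance such as Connector Space deletion, and starts the initial cycle afterwards. It assumes it runs on the Azure AD Connect server as a member of the local ADSyncAdmins group.

```powershell
# Added example, not part of the release notes or Azure AD Connect itself: a pre-upgrade
# readiness check and controlled scheduler stop/start using cmdlets from the ADSync module
# that Azure AD Connect installs. Run on the Azure AD Connect server as an ADSyncAdmins member.
Import-Module ADSync

function Get-ADSyncUpgradeReadiness {
    # Automatic Upgrade state is reported as Enabled, Disabled or Suspended.
    $autoUpgrade = Get-ADSyncAutoUpgrade
    $scheduler   = Get-ADSyncScheduler
    [pscustomobject]@{
        AutoUpgradeState      = $autoUpgrade
        StagingModeEnabled    = $scheduler.StagingModeEnabled
        SyncCycleEnabled      = $scheduler.SyncCycleEnabled
        SyncCycleInProgress   = $scheduler.SyncCycleInProgress
        NextSyncCycleStartUtc = $scheduler.NextSyncCycleStartTimeInUTC
    }
}

function Suspend-ADSyncForMaintenance {
    # Disable the scheduler so that Connector Space deletion or the upgrade happens
    # under your control; wait for any running cycle to complete first.
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        Write-Verbose 'Sync cycle in progress; waiting 30 seconds.'
        Start-Sleep -Seconds 30
    }
    Set-ADSyncScheduler -SyncCycleEnabled $false
}

function Resume-ADSyncAfterMaintenance {
    # Re-enable the scheduler and start the initial (Full Import and Full Sync) cycle
    # at a time of your choosing instead of waiting for the next scheduled cycle.
    Set-ADSyncScheduler -SyncCycleEnabled $true
    Start-ADSyncSyncCycle -PolicyType Initial
}

$readiness = Get-ADSyncUpgradeReadiness
$readiness | Format-List

# Opt out of Automatic Upgrade so the timing of the full cycle is yours to choose;
# with the fix in this build the downloaded installer honors this setting.
if ($readiness.AutoUpgradeState -eq 'Enabled') {
    Set-ADSyncAutoUpgrade -AutoUpgradeState Disabled
}
```

Call Suspend-ADSyncForMaintenance before deleting Connector Space data or running the installer, and Resume-ADSyncAfterMaintenance once the work is done; while the scheduler is disabled, nothing else synchronizes, which matches the behaviour described above.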


Version information

This is version 1.1.524.0 of Azure AD Connect.
It was signed off on May 15, 2017.


Download information

You can download Azure AD Connect here.
The download weighs 78.4 MB.


Concluding

To finally be able to use SQL Server Always-On Availability as the back-end database for Azure AD Connect implementations is a godsend. Public Folder synchronization, as well as group filtering for device objects, is also welcome, but not that important in the environments I manage.

With its many features, this is a good version to test your Azure AD Connect lifecycle management processes on.

Further reading

Ten things you should know about Azure AD Connect and Azure AD Sync
Azure AD Connect versions 1.1.484.0 and 1.1.486.0 offer great enhancements
Azure AD Connect v1.1.443.0 is here
Version 1.1.380.0 of Azure AD Connect fixes a bug in multi-domain scenarios
Azure AD Connect 1.1.371.0 offers PTA and S3O preview capabilities
Azure AD Connect version 1.1.343.0 with support for Windows and SQL Server 2016
Azure AD Connect version 1.1.281.0 has been released
