KnowledgeBase: High CPU Usage for Azure AD Connect Health Sync Monitor with .NET Framework 4.7.2 Installed


Today, there is an issue in a component of Azure AD Connect version 1.1.819.0, Microsoft's free Hybrid Identity bridge product, which enables you to synchronize objects and their attributes between your on-premises Active Directory Domain Services (AD DS) environment(s) and Azure Active Directory.

The Azure AD Connect Health Sync Monitor Service consumes lots of CPU.


About Azure AD Connect Health

Azure AD Connect Health helps administrators monitor and gain insights into their Hybrid Identity implementations. It enables you to maintain a reliable connection to Office 365 and Microsoft Online Services by providing monitoring capabilities for your key identity components:

  • Azure Active Directory Connect installations
  • Active Directory Federation Services (AD FS) servers
  • Web Application Proxies
  • Active Directory Domain Controllers

Azure AD Connect Health makes the key data points about these components easily accessible in the Azure AD Connect Health portal so performance monitoring, usage analysis, troubleshooting and gaining other important insights becomes easy.

The Azure AD Connect Health component is installed, by default, with Azure AD Connect and, by default, sends diagnostic data to Microsoft. However, an Azure AD Premium license is needed to access the Azure AD Connect Health Portal.


The situation

You have installed Azure AD Connect version 1.1.819.0, or your Azure AD Connect installation has automatically upgraded to version 1.1.819.0, along with auxiliary components like Azure AD Connect's Health Agent for Sync. Version 1.1.819.0 of Azure AD Connect comes with Health Agent for Sync version 3.0.164.

You can check these versions in Programs and Features:

Azure AD Connect's version and components in Programs and Features (click for original screenshot)


The issue

The Azure AD Connect Health Sync Monitoring Service with version 3.0.164 of the Health Agent for Sync (AzureADConnectHealthSyncMonitor) is always running with high CPU usage. When you stop the service and start it again, CPU usage is normal for the service for a few minutes, before it starts consuming many CPU cycles again.

Reinstalling or reregistering the Azure AD Connect Health Sync Monitoring Service does not resolve the situation.


The cause

Azure AD Connect Health’s Sync Monitoring Service is causing high CPU usage, because of .NET Framework 4.7.2.


The solution

Uninstalling the package that upgrades .NET Framework to version 4.7.2 from the Windows (Server) installation that runs Azure AD Connect solves the issue:

    • On Windows Server 2012, uninstall the Update for Microsoft Windows (KB4054542).
    • On Windows 8.1 and Windows Server 2012 R2, uninstall the Update for Microsoft Windows (KB4054566).
    • On Windows 10 Anniversary Update, Windows 10 Creators Update and Windows Server 2016, uninstall the Update for Microsoft Windows (KB4054590).
    • In Windows 10 Fall Creators Update, uninstall the Update for Microsoft Windows (KB4073120).

.NET Framework 4.7.2 is not a security release of .NET Framework, but a compatibility update…
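The three symptoms described above (Health Agent for Sync 3.0.164, a .NET Framework 4.7.2 update package present, and the AzureADConnectHealthSyncMonitor service burning CPU) can be checked together from an elevated PowerShell prompt on the Azure AD Connect server. The script below is an added diagnostic example, not code from the original post or from Microsoft. The service name and the KB numbers are taken from the article; the .NET Framework "Release" registry value, Get-HotFix and Get-Process are standard Windows facilities, and the Programs and Features display-name pattern used to find the Health Agent version is an assumption.

```powershell
# Added diagnostic example (not part of the original post).
# Run elevated on the Azure AD Connect server.

$serviceName = 'AzureADConnectHealthSyncMonitor'   # service name from the article
$kbs = 'KB4054542', 'KB4054566', 'KB4054590', 'KB4073120'  # .NET 4.7.2 packages from the article
$sampleSeconds = 10

# 1. Installed .NET Framework 4.x build. The 'Release' DWORD under NDP\v4\Full
#    identifies the build: 461808 (Windows 10 April 2018 Update) or 461814
#    (all other Windows versions) and higher means .NET Framework 4.7.2 or later.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$release = [int]$ndp.Release
$has472 = $release -ge 461808

# 2. Which of the 4.7.2 update packages listed in the article is installed, if any.
$installedKb = Get-HotFix -Id $kbs -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID

# 3. Health Agent for Sync version from the Programs and Features uninstall keys.
#    The display-name pattern is an assumption; adjust it if your entry is named differently.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$healthAgent = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Connect Health*' -and $_.DisplayName -like '*sync*' } |
    Select-Object -First 1 DisplayName, DisplayVersion

# 4. Average CPU usage of the service process over a short sampling window.
#    Two TotalProcessorTime readings divided by wall-clock time and core count
#    give the percentage of the machine the process consumed.
$cpuPercent = $null
$svc = Get-CimInstance Win32_Service -Filter "Name='$serviceName'"
if ($svc -and $svc.ProcessId -ne 0) {
    $proc = Get-Process -Id $svc.ProcessId
    $t1 = $proc.TotalProcessorTime
    Start-Sleep -Seconds $sampleSeconds
    $proc.Refresh()
    $t2 = $proc.TotalProcessorTime
    $cores = [Environment]::ProcessorCount
    $cpuPercent = [math]::Round(($t2 - $t1).TotalSeconds / $sampleSeconds / $cores * 100, 1)
}

[pscustomobject]@{
    DotNetReleaseValue     = $release
    DotNet472OrLater       = $has472
    Installed472Package    = ($installedKb -join ', ')
    HealthAgentForSync     = if ($healthAgent) { "$($healthAgent.DisplayName) $($healthAgent.DisplayVersion)" } else { 'not found' }
    ServiceState           = if ($svc) { $svc.State } else { 'service not installed' }
    ServiceCpuPercent      = $cpuPercent
} | Format-List

# Only suggest the article's remediation when all three conditions coincide.
if ($has472 -and $installedKb -and $cpuPercent -gt 50) {
    $kbNumber = ($installedKb | Select-Object -First 1) -replace '^KB', ''
    Write-Warning "High CPU for $serviceName with .NET Framework 4.7.2 present."
    Write-Warning "Per the article, remove the update with: wusa.exe /uninstall /kb:$kbNumber"
    Write-Warning "Also block the package from being re-offered until an updated Health Agent for Sync is available."
}
```

The 50% threshold is a constructed value for illustration; on a single-vCPU sync server the runaway service shows as close to 100%, on a multi-core box it is lower, so compare the sampled figure against what the service normally consumes on your server rather than treating the threshold as fixed.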



Software isn't perfect. It has bugs and vulnerabilities, but the speed with which a software vendor remedies these builds trust. When two teams within a large software vendor like Microsoft create incompatibilities between their products, this reduces trust.

Further reading

What’s new in the .NET Framework
Azure AD Connect Health Sync Monitor High CPU Usage


I’m speaking at Journée aOS Aix-en-Provence

aOS Aix en Provence 21-6-2018

Some opportunities are too much fun to pass up on. So, when the aOS Community asked me if I’d be willing to help them out by speaking at their Aix-en-Provence event, of course, I said “Yes”.


About aOS

aOS Community (which stands for Azure, Office 365, SharePoint) is an international non-profit gathering of professionals working on the Microsoft collaborative platform.

The aOS Community is an independent organization, open to all, whose members aim to share and exchange ideas around Microsoft technologies in the area of Azure, Office 365 and SharePoint.

aOS organizes, participates in and supports events promoting the sharing and exchange of these ideas, targeting French-speaking countries primarily, but expanding globally.

aOS is open to everybody.


About ‘Journée AOS Aix-en-Provence’

You are invited by CMD (Cloud Mobility Datacenter) and aOS (Azure Office 365 SharePoint) to the third aOS Aix-en-Provence meeting at Cési Aix en Provence on June 21st, 2018. For an entire day, experts in Office 365 and Azure share their experiences from the field.


About my session

I’ll deliver a 45-minute session from 1:30 PM to 2:15PM in the Office 365 track:

Seven ways Identity enriches your Office 365 and Azure experience

Azure and Office 365 rely on Azure Active Directory as their identity store.

As a tenfold MVP, I think I know a little about identity. My experience with numerous organizations, ranging from enterprises to small businesses, has taught me that good identity is essential to embracing cloud services. I'll show you seven ways identity enriches the experience you, your colleagues and your customers have when using Azure and Office 365, in my typical humorous but straight-to-the-point style.


You’re welcome!

We welcome you on June 21st at CESI in Aix-en-Provence! Access is free of charge, but you will need to register for it on EventBrite.

I studied French for six years when I was in high school. As I’m arranging travel for this event and communicating with the event organizers, it’s all coming back to me. I’m looking forward to it!


I’m speaking at Experts Live Netherlands 2018

Advertised as the biggest Microsoft IT Pro event in the Netherlands, Experts Live Netherlands will take place Tuesday June 19th, 2018 at Cinemec Ede.

As at previous Experts Live Netherlands editions, you’ll find several DirTeam bloggers presenting at this event.

About Experts Live

Experts Live

Experts Live is an independent platform for IT Professionals on Microsoft solutions. A platform for and by the community. Almost every year, Experts Live organizes its knowledge event in the Netherlands. Started as an idea from a small group of Dutch Microsoft MVPs, Experts Live has become the largest Microsoft community event in the Netherlands, with over a thousand visitors.

Both national and international speakers update the visitors in one day on the latest Microsoft technologies. Over the years, many famous and notorious speakers have delivered sessions at Experts Live events.

This year, Experts Live is hosted at CineMec in Ede, the Netherlands again, and scheduled for Tuesday June 19th, 2018. The event offers over 40 break-out sessions, an opening keynote and a closing keynote.


About my session

I’ll deliver one 60-minute session in the security track:

Azure Multi-Factor Authentication: Who do you think you are?

4:15PM – 5:15PM, Expo Theater

Passwords were introduced decades ago to solve the authentication problem. Today, we have different challenges and we need more in-depth solutions for authentication assurance. Office 365 and Azure Multi-Factor Authentication (MFA) offer this solution for both your organization's cloud and on-premises resources. Your organization will no longer be in the dark about the person on the other side of the line: it's really you and you've got the means to prove it!

With several large and complex Azure MFA implementations and upgrades under his belt, Sander Berkouwer (Directory Services and Enterprise Mobility MVP) shares his experiences with these products, their licensing, on-premises deployment scenarios, end-user expectations and the inner workings of the product line-up, including MFA Server, the Security Graph and Azure AD Identity Protection.

Looking for your next-generation identity primer? Look no further!


Join us!

Dave Stork is co-presenting with Jetze Mellema on moving mailboxes cross-premises, from on-premises, from other groupware solutions and between Office 365 tenants. It’s a session you don’t want to miss, either!

Although it’s been a while (almost 19 months after the previous Experts Live Netherlands edition), I’m looking forward to it. I hope you are, too.

Although over 80% of the tickets have already been sold, tickets are still available, so pick up yours before June 14th and join us!


What’s New in Azure Active Directory for May 2018

Azure AD

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following new functionality for Azure Active Directory for May 2018:


What’s New

Graph APIs for administrative scenarios for Terms of use

Service category: Terms of Use
Product capability: Developer Experience

Microsoft has added Microsoft Graph APIs for administrative operations on the Azure AD Terms of Use feature. You are now able to create, update and delete the Terms of Use object.


Add Azure AD multi-tenant endpoint as an identity provider in Azure AD B2C

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

Using custom policies, you can now add the Azure AD common endpoint as an identity provider in Azure AD B2C. This allows you to have a single point of entry for all Azure AD users that are signing into your applications.


Improvements to the B2B redemption experience and leave an org

Service category: B2B
Product capability: B2B/B2C

Three improvements have been made to the Azure AD B2B feature:

  1. Just in time redemption
  2. Modern redemption experience
  3. Guest users can leave the org


Use Internal URLs to access apps from anywhere with the My Apps Sign-in Extension and the Azure AD Application Proxy

Service category: My Apps
Product capability: SSO

Users can now access applications through internal URLs even when outside your corporate network by using the My Apps Secure Sign-in Extension for Azure AD. This will work with any application that you have published using the Azure AD Application Proxy, on any browser that also has the Access Panel browser extension installed. The URL redirection functionality is automatically enabled once a user logs into the extension. The extension is available for download on Edge, Chrome, and Firefox.


Enterprise Applications Search – Load More Apps

Service category: Enterprise Apps
Product capability: SSO

Microsoft has added the ability to load more applications in the All applications list under Enterprise applications. This helps when you're having trouble finding applications and/or security principals. By default, 20 applications are shown. Admins can now click Load more to view additional applications.


View legacy authentications through Sign-ins activity logs

Service category: Reporting
Product capability: Monitoring & Reporting

With the introduction of a field called Client App in the Sign-in activity logs, customers can now see which users are using legacy authentication. Customers can access this information through the Sign-ins Microsoft Graph API or through the Sign-in activity logs in the Azure AD portal, where the Client App control can be used to filter on legacy authentication.


New Federated Apps available in Azure AD App gallery

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2018, Microsoft has added the following 18 new apps in the Azure AD App gallery with Federation support:


New user provisioning SaaS app integrations

Service category: App Provisioning
Product capability: 3rd Party Integration

Azure AD allows you to automate the creation, maintenance and removal of user identities in SaaS applications such as Dropbox, Salesforce, ServiceNow and more. For May 2018, we have added user provisioning support for the following applications in the Azure AD app gallery:


Azure AD access reviews of groups and app access now provides recurring reviews

Service category: Access Reviews
Product capability: Governance

Access reviews of groups and apps is now generally available (GA) as part of Azure AD Premium P2. Administrators will be able to configure access reviews of group memberships and application assignments to automatically recur at regular intervals, such as monthly or quarterly.


Azure AD Activity logs (sign-ins and audit) are now available through Microsoft Graph

Service category: Reporting
Product capability: Monitoring & Reporting

Azure AD Activity logs, which include the Sign-ins and Audit logs, are now available through Microsoft Graph. Microsoft has exposed two endpoints in Microsoft Graph to access these logs.
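The two items above (the Client App field for spotting legacy authentication, and the sign-in log now being available through Microsoft Graph) combine into a useful check: pull recent sign-ins from Graph and report which users still sign in with legacy authentication. The script below is an added example, not code from the original post or from Microsoft. It assumes that $AccessToken holds a bearer token for graph.microsoft.com with permission to read audit logs (how you obtain it is outside this example), that the sign-ins endpoint is https://graph.microsoft.com/v1.0/auditLogs/signIns with a clientAppUsed property per sign-in, and that "Browser" and "Mobile Apps and Desktop clients" are the modern-authentication client app values, so every other value is treated as legacy here.

```powershell
# Added example (not part of the original post): report legacy-authentication
# sign-ins per user from the Microsoft Graph sign-ins endpoint.
param(
    [Parameter(Mandatory)][string]$AccessToken,   # bearer token for graph.microsoft.com (assumption: obtained elsewhere)
    [int]$Days = 7,                               # look-back window
    [string]$CsvPath = '.\legacy-auth-signins.csv'
)

# Client App values that use modern authentication; everything else is treated as legacy.
$modernClientApps = 'Browser', 'Mobile Apps and Desktop clients'

# Server-side filter on createdDateTime keeps the download to the chosen window.
$since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
$uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=createdDateTime ge $since"
$headers = @{ Authorization = "Bearer $AccessToken" }

# Follow @odata.nextLink until all pages are collected.
$signIns = New-Object System.Collections.Generic.List[object]
while ($uri) {
    $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    foreach ($entry in $page.value) { $signIns.Add($entry) }
    $uri = $page.'@odata.nextLink'
}

# Keep only sign-ins whose Client App is not a modern-auth client.
$legacy = $signIns | Where-Object {
    $_.clientAppUsed -and ($modernClientApps -notcontains $_.clientAppUsed)
}

# One row per user and client app, with counts and the most recent occurrence.
$report = $legacy |
    Group-Object -Property userPrincipalName, clientAppUsed |
    ForEach-Object {
        $newest = $_.Group | Sort-Object createdDateTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            User      = $newest.userPrincipalName
            ClientApp = $newest.clientAppUsed
            SignIns   = $_.Count
            Succeeded = @($_.Group | Where-Object { $_.status.errorCode -eq 0 }).Count
            LastSeen  = $newest.createdDateTime
            LastIP    = $newest.ipAddress
        }
    } | Sort-Object SignIns -Descending

$report | Format-Table -AutoSize
$report | Export-Csv -Path $CsvPath -NoTypeInformation

"{0} sign-ins in the last {1} day(s), {2} using legacy authentication from {3} user(s)." -f `
    $signIns.Count, $Days, @($legacy).Count, @($report | Select-Object -Unique User).Count
```

Successful legacy sign-ins matter most: they are the accounts that will break when legacy authentication is blocked, and they are also the ones where multi-factor authentication cannot be enforced, so the Succeeded column is the one to work through first.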


What’s Changed

Public Preview of new and improved Sign-ins User experience in Azure Portal  

Service category: Reporting
Product capability: Monitoring & Reporting

With the new Sign-ins User experience, customers now can get the following:

  • Improved latency from 2 hours to within 5 mins.
  • Ability to add filters dynamically using the “Columns” button. By adding columns to the Sign-in report in UX, you can automatically see them as filters for you to use.
  • Ability to sort by Date, User Name and Application.
  • Inclusion of legacy authentications and ability to filter for legacy authentications using the “Client App” column.
  • Inclusion of a downloadable PowerShell script which is customized based on the filter conditions you choose in the UX. With this PowerShell script, you can get as many rows of data as you want (based on your filter criteria) which will provide the output in a .csv format.


Azure AD access reviews: auto-apply

Service category: Access Reviews
Product capability: Governance

Access reviews of groups and apps are now generally available as part of Azure AD Premium P2. An administrator can configure a review to automatically apply the reviewers' decisions to the group or app when the access review completes. The administrator can also specify what happens to a user's continued access when reviewers didn't respond: remove access, keep access or take the system recommendation.


ID tokens can no longer be returned using the query response_mode for new apps.

Service category: Authentications (Logins)
Product capability: User Authentication

Apps created on or after 4/25/2018 will no longer be able to request an id_token using the query response_mode. This brings Azure AD in line with the OpenID Connect (OIDC) specifications and helps reduce your apps' attack surface, since a token in the query string ends up in browser history, referrer headers and server logs.



Not a technical change, but more of a legal change, is the advent of a Microsoft Docs page that details where data is stored for Azure Active Directory tenants in the North Europe and West Europe regions.


Pictures of Techorama Belgium 2018

Last week, I presented at Techorama Belgium 2018 in Antwerp.

In terms of travel, this was the ideal event for me, since the organization scheduled my presentation for the last time slot on Day 1. Being an early starter, this meant I could work a normal day (for me, that’s 7AM – 3:30PM), then travel to Antwerp, throw my slide deck together and still be in time for the session, starting at 5:45 PM.

Outside of Techorama Belgium (Click for larger photo)
Techorama Banners (Click for larger photo)
A Renault Kadjar dressed up as Chewbacca for the Solo premiere (Click for larger photo)

On Wednesday May 23, I arrived at around 16:30 at Kinepolis. I talked to a couple of speakers and a couple of attendees, who happened to be former colleagues. Then, I put the finishing touches to my slide deck and headed over to room 16 for my presentation on Azure AD Connect.

Introduction slide (Photo by Thijs Moerman, click for larger photo)
What is Azure AD? This slide keeps expanding... (Photo by Thijs Moerman, click for larger photo)
Using Azure AD Connect Staging Mode for Lifecycle Management, not for High Availability (Photo by Thijs Moerman, click for larger photo)
The differences between Azure AD Registered, Azure AD Joined and Hybrid Azure AD Joined (Photo by Thijs Moerman, click for larger photo)

After my session it was time for the Techorama speaker buffet in the Lindner Hotel, next to Antwerp Central train station. Leaving my car at Kinepolis for the night, I hopped on the shuttle to the hotel, checked in, and enjoyed the evening with my fellow speakers.

Having Fun with Dieter and Thomas at the Techorama Speaker Buffet (Photo by Thomas Maurer, click for larger photo)
Cheers! Rasmus Hald and René van Osnabrugge (Click for larger photo)
Time for bed at the Lindner Hotel (Click for larger photo)

After a good night’s rest and some breakfast, I opted for the shuttle again to get me back to Kinepolis. Hanging out with some of the speakers, having lunch and attending sessions were the highlights of this day.

Paula's Keynote at Techorama Day 3 (Click for larger photo)

After a couple of drinks at the Techorama 5 Year Celebration, where I mostly spoke to the guys from Synergics and Fabian Williams, I drove home with a smile on my face.


Thank you!

Thanks to all the people attending, sitting in on my session and, of course, the people who stuck around after my session for the interesting discussions. Thanks to the Techorama organization for making it better every year and, of course, my fellow speakers who are always fun to hang out with.


Pictures of Heliview’s 2018 IAM Congress

Last week, I was at Heliview's 2018 IAM Congress in Nieuwegein, the Netherlands. My employer, SCCT, had a booth, alongside many great names like Okta, One Identity, Bomgar, Thycotic and CyberArk.

As a Microsoft Cloud-focused Systems Integrator (SI), we were in a good spot to tell attendees how to leverage their identity and access management, using whatever product on display.

We arrived early to set up the booth and enjoy breakfast. After that, we took a look at the main stage, where preparations were in full swing for a privacy panel.

The SCCT Booth at the 2018 Heliview IAM Congress, right next to our friends from Tools4Ever (click for larger photo)
Our conversation tables, where we could engage (potential) customers (Click for larger photo)
The Main Stage getting prepared

At 11:20 AM, I was scheduled to present for 25 minutes on going password-less.

Presenting in Room 15 at Heliview's 2018 IAM Congress (Click for larger photo)
About Us (click for larger photo)

As not a lot of organizations focus on this area (yet), we thought it would be a good idea to talk about SCCT, our company and our vision, but most of all about Windows Hello for Business and the FIDO 2.0 login possibilities on Azure AD-joined Windows 10 version 1803 devices.

We believe end users should not have to mess with passwords for their day to day work (Click for larger photo)
Password Research (Click for larger photo)
Windows Hello for Business (Click for larger photo)

After the session, we enjoyed some more conversations with customers and potential customers, to better understand their needs, their worries about GDPR and the legacy stuff that’s keeping them back. Our team has a lot of answers and offers help in many of these areas.

I enjoyed Heliview's IAM Congress.

Thanks to all the people attending, sitting in on my session and, of course, the people that took the time out of their busy schedule to talk to us. We felt we brought unique value to the event as the only booth without products to sell.

Hat tip

Carlo Shaeffer has made SCCT’s presence possible at Heliview’s 2018 IAM Congress.


Self-Service leaving a lingering Azure AD tenant as an admin

"So long and thanks for all the fish."

Have you been invited to someone’s Azure tenant as an admin? Did you do the work and left, but are you still seeing the tenant? Or did you quit, only to find the tenant still staring at you in the Azure portal? Can’t be invited to Azure tenants, because you’re already invited to about 20 tenants?

Frustrating, I know.

… But now there’s a solution!

People can now self-service leave an organization they were invited to. This feature was announced on May 14, 2018 in a blog post by Alex Simons dedicated to all the new stuff in Azure AD B2B. While the blog post aims at user access, this is great news for admins who were invited to 'Hotel California'-style Azure AD tenants.


About Self-Service leaving an organization

This feature is good news for anyone who is invited to any organization and/or tenant with either their Office 365 (“work or school”) account or Microsoft (“personal”) account, because he or she can now easily leave an organization to which he or she has been invited, once his or her relationship with that organization has come to an end. It’s no longer necessary to contact an admin of the inviting organization to have his or her account removed.

Before this feature was released, admins couldn’t delete their own guest accounts from Azure Active Directory tenants, and needed to contact another global admin in the Azure tenant to perform this action. Many times, Conditional Access rules wouldn’t even permit access to the Azure Portal when not present at the organization’s location(s).


A positive effect of GDPR

Many people aren’t too happy with Europe’s General Data Protection Regulation (GDPR). Of course, it entails work for many organizations who haven’t been up to spec for the last couple of years and are only scrambling to comply because sanctions will apply starting May 25, 2018.

However, this feature was introduced to meet the requirements in Europe’s General Data Protection Regulation (GDPR), where Article 17 provides people the right to erasure, also referred to as the right to be forgotten.

An Azure Active Directory (Azure AD) B2B guest user can decide to leave an organization at any time if they no longer need to use apps from that organization or maintain any association.

When a user leaves an organization, the user account is “soft deleted” in the directory. By default, the user object moves to the Deleted users state in Azure AD but is not permanently deleted for 30 days. This soft deletion enables the administrator to restore the user account (including groups and permissions), if the user makes a request to restore the account within the 30-day period.


How to leave a lingering organization

To leave an organization, perform these steps:

Access Panel for my Berkouwer Office 365 account

  • Next to Organizations, select the settings icon (gear).

If you can't see the settings icon (gear), widen the browser window. The Access Panel user interface is a responsive interface that adapts to the width of the screen. If the screen is too narrow, a hamburger menu is shown, and in that menu the settings icon (gear) is not (yet) present.


  • Under Organizations, find the organization that you want to leave, and select Leave organization. If you’re not already signed in to the organization that you want to leave, select your name in the upper-right corner, and click the organization you want to leave or follow the Sign in to leave organization link and repeat the last two steps.


  • When asked to confirm, select Leave.

Repeat the steps above to leave the organizations you want to leave and keep the organizations you want to keep.



My Microsoft account had hit the limit of 23 Azure AD tenants and couldn’t be used to redeem invitations from other organizations. This account had a couple of lingering tenants it was invited to, but was never removed from, by other admins.

These lingering tenants were all customers of previous employers, who restricted me from having any contact with them through non-compete clauses.

So long and thanks for all the fish!


Further reading

Exciting improvements to the B2B collaboration experience
Azure Active Directory B2B collaboration invitation redemption
Leave an organization as a guest user


I’m speaking at Techorama Belgium 2018

Techorama Belgium 18

I’m back at Techorama Belgium! I’m proud to announce that, just like last year, I’m presenting at Belgium’s biggest Microsoft IT professional and developer conference.


About Techorama

Techorama Belgium is a yearly international technology conference that takes place at Kinepolis Metropolis Antwerp. Techorama welcomes about 1500 attendees, a healthy mix between developers, IT Professionals, Data Professionals and SharePoint professionals. Techorama’s commitment is to create a unique conference experience with quality content and the best speaker line-up.

This year’s Techorama is a special edition, because Techorama Belgium celebrates its fifth anniversary from May 22, 2018 to May 24, 2018.

The Day 1 Techorama 2018 keynote is delivered by Steven van Belleghem. Day 2 keynotes are delivered straight after lunch by Jeffrey Snover, Sander Hoogendoorn, Dandy Weyn, Paula Januszkiewicz and others. Other national and international speakers you might have heard of have also joined the line-up, including Mirko Colemberg, Dieter Wijckmans, Tim de Keukelaere, John Craddock, Johan Delimon, Peter Daalmans, Rasmus Hald and Thomas Maurer.


About my session

I’m presenting a 60-minute session on Wednesday May 23:

Under the hood of Azure AD Connect

Wednesday May 23 2018, 5:45PM – 6:45PM, Room 16

Did you ever wonder how Azure AD Connect works? Do you want to know what connector spaces, the metaverse, tens of rules, attribute flows, soft matching, write-back and source anchors do, and how they help you synchronize objects and their attributes between Active Directory Domain Services, LDAP stores and Azure AD?

After attending this session you’ll have the tools to meet the hardest Azure AD Connect challenges out there. You’ll also have laughed really loud, I promise.


Join us!

Techorama 2018 has sold out. When you’re among the lucky people to have grabbed a ticket, join me for this session.

We'll have a lot of fun!


Azure AD Connect version 1.1.819.0 offers numerous fixes and PingFederate support

Azure AD Connect

Last week, Microsoft released Azure AD Connect version 1.1.819.0. Azure AD Connect is Microsoft's free Hybrid Identity bridge product, which synchronizes objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments to Azure Active Directory.

What’s Fixed

SQL Server Express 2012 Service Pack 4

This release updates the SQL Server Express installation to SQL Server 2012 SP4, which, among others, provides fixes for several security vulnerabilities.

Sync Rule Processing

No longer do you have to de-apply outbound Join sync rules with no Join Condition in the scenario where the parent synchronization rule is no longer applicable.


Several accessibility fixes have been applied to the Synchronization Service Manager User Interface and the Sync Rules Editor.

AD Connector account error

When you use the Azure AD Connect Wizard you might receive an error when you create the Active Directory Connector account when Azure AD Connect is in a workgroup. This has been fixed.

Display of the verification checkbox

On the Azure AD Sign-in page, the verification checkbox is now displayed whenever there is any mismatch in Active Directory domains and Azure AD verified domain names.


The auto upgrade state was incorrectly set in certain cases after auto upgrade of Azure AD Connect was attempted. This has been fixed in the PowerShell code.


The Azure AD Connect Wizard has been updated to include telemetry to capture previously missing information.

Change User Sign-In Improvements

The following changes have been made in the Azure AD Connect Wizard, when you use the Change user sign-in task to switch from Active Directory Federation Services (AD FS) to Pass-through Authentication (PTA) as the authentication method:

  • The Pass-through Authentication Agent is installed on the Azure AD Connect server and the Pass-through Authentication feature is enabled, before we convert domain(s) from federated to managed.
  • Users are no longer converted from federated to managed. Only domain(s) are converted.

AD FS Regex Improvement

The AD FS Multi Domain Regex was not correct when the user's userPrincipalName attribute contained the ' special character. The Regex has been updated to support special characters.

Configure source anchor messages

When using the Azure AD Connect Wizard, you might encounter several out of place “Configure source anchor attribute” messages when no settings have changed. This has been fixed.

Support for Dual Federation

The Azure AD Connect Wizard now supports Active Directory Federation Services (AD FS) in dual federation scenarios.

Updating claims

When you convert a managed domain to federated, the Active Directory Federation Services (AD FS) claims were not updated for an added domain. This has been fixed.

Updated claims

In this version, two additional AD FS claims were added to the federation trust created to support MFA scenarios.

Web App Proxy deployments

Fixed an issue where adding a Web Application Proxy would fail to use the new certificate.

Auto-Uninstall of stale versions

When, during detection of installed packages, Azure AD Connect Setup finds stale DirSync, Azure AD Sync or Azure AD Connect products, the setup wizard now attempts to uninstall these stale products.

Improved PTA Error messages

When you install the Pass-through Authentication (PTA) agent and it fails, the correct errors are now shown. The Error Message Mapping was incorrect.

Logging of Domain and OU Filtering

The logging of Domain and OU filtering selections was improved.

Configuration Container

The “Configuration” container has been removed from the Domain OU Filtering page in the Azure AD Connect wizard.

Password Hash Sync Popup

The pop-up help text on the Optional Features page for Password Hash Sync has been changed, to correctly explain password hashes are synchronized and not plain passwords.

AD Account Privilege issue

An issue resolving a custom Sync Service Account which has no AD Read privileges, was fixed.

Synchronization engine installation

Unnecessary legacy logic that occasionally caused the Synchronization Engine installation to fail has been removed.

Synchronization Engine improvements

Three fixes were made to the synchronization engine:

  • The scenario where a Connector Space object had an imported delete and Sync Rules attempt to re-provision the object, has been fixed.
  • A help link has been added for the Online connectivity troubleshooting guide to the event log entry for an Import Error
  • The memory usage of Sync Scheduler when enumerating Connectors was reduced

What’s New

PingFederate Integration

This release includes the public preview of the integration of PingFederate in Azure AD Connect. With this release, organizations can easily and reliably configure their Azure Active Directory environment to leverage PingFederate as their federation provider.

New troubleshooting scenarios

Microsoft updated the Azure AD Connect Wizard Troubleshooting Utility, where organizations can now analyze more error scenarios, such as Linked Mailboxes and AD Dynamic Groups.

Device Writeback Management

Device Writeback configuration is now managed solely within the Azure AD Connect Wizard. There is no need to run PowerShell for this purpose anymore. The ADPrep.psm1 module has been deprecated.

New Tools PowerShell module

A new PowerShell Module called ADSyncTools.psm1 is added that can be used to troubleshoot SQL Connectivity issues. It also contains various other troubleshooting utilities.

Configure device options

A new additional task “Configure device options” has been added. You can use the task to configure Hybrid Azure AD Join and Device writeback.


Version information

This is version 1.1.819.0 of Azure AD Connect.
It was signed off on May 4, 2018.


Azure AD Connect version 1.1.819.0 offers numerous fixes that make your life as a Hybrid Identity admin more enjoyable.


Best Practices for Pulling Identities Together with Redmond Magazine

Redmond Magazine

On Wednesday May 2nd, I featured in a webcast from the editors of Redmond Magazine. This webcast, sponsored by Okta, is now available on demand.

Best Practices for Pulling Identities Together: What Enterprises Are Doing Now to Stay Secure

In this editorial webcast, Lafe Low from Redmond Magazine, Daniel Lu from Okta and I walk through the best practices organizations use to corral all the accounts an average employee uses today to log into tens of applications, and to make sure these accounts are used in a way that doesn't compromise the rest of the organization.


Questions we covered included:

  • How are organizations unifying their identity and authentication processes through Single Sign-On, especially in organizations with an Active Directory environment?
  • How do organizations gain visibility into the SaaS apps that are being used by their employees?
  • How can organizations enforce secure password policies for their users on SaaS apps that are hosted by third parties?
  • What kind of education is most effective in preventing users from reusing passwords or otherwise skirting company policies?

Watch it now

Come away from this session with actionable tactics for minimizing the gaps in your company’s identity and authentication security posture.

Register for the on-demand version of the webcast here.

We're sure you'll enjoy it.