Last week, Microsoft released a new version of Azure AD Connect, dubbed version 1.1.380.0, that contains a bug fix that is especially applicable to organizations using Azure AD Connect in a networking environment consisting of multiple Active Directory domains and/or Active Directory Forests.
In this build of Azure AD Connect, an issue was fixed where the IssuerID claim rule for AD FS was missing.
This snag has been bugging Azure AD Connect implementations since version 1.1.343.0.
If you have multiple federated domains in Azure AD, then a Claims Issuance Rule containing the IssuerID claimtype is required.
The IssuerID claimtype offers the functionality for every federated domain in Azure AD to have a unique identifier. If multiple federated domains point to the same Active Directory Federation Services (AD FS) implementation, the identifier would be the same across multiple federated domains, and Azure AD does not allow that. The additional IssuerID claimtype allows for this scenario, creating a custom and unique issuer identifier, based on the DNS domain name.
Claims Issuance Rules are configured automatically to issue the IssuerID claimtype when you use the -SupportMultipleDomain switch for the Convert-MsolDomainToFederated Windows PowerShell cmdlet, but apparently, the last two versions of Azure AD Connect did not correctly configure the Claims Issuance Rules for multi-domain and multi-forest scenarios.
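As an added example (not code from the original post or from Microsoft), the following PowerShell check, run on an AD FS server, reports whether the Office 365 relying party trust still issues the IssuerID claim. It assumes the AD FS PowerShell module is present and that the trust carries its default name, "Microsoft Office 365 Identity Platform".

```powershell
# Added example: detect a missing IssuerID claim rule on the Azure AD / Office 365
# relying party trust. Assumptions: ADFS module available, default trust name.
Import-Module ADFS

$TrustName    = 'Microsoft Office 365 Identity Platform'   # adjust if the trust was renamed
$IssuerIdType = 'http://schemas.microsoft.com/ws/2008/001/identity/claims/issuerid'

function Test-IssuerIdRule {
    param([string]$Name = $TrustName)

    $trust = Get-AdfsRelyingPartyTrust -Name $Name
    if (-not $trust) { throw "Relying party trust '$Name' not found." }

    # IssuanceTransformRules holds the trust's claim rules as claim rule language text.
    $rules = [string]$trust.IssuanceTransformRules

    # Rule names are declared as @RuleName = "..." in the rule language.
    $ruleNames = [regex]::Matches($rules, '@RuleName\s*=\s*"([^"]+)"') |
                 ForEach-Object { $_.Groups[1].Value }

    # The multi-domain configuration issues a claim of the issuerid claim type.
    $hasIssuerId = $rules -match [regex]::Escape($IssuerIdType)

    [pscustomobject]@{
        RelyingParty    = $Name
        RuleNames       = $ruleNames
        HasIssuerIdRule = [bool]$hasIssuerId
    }
}

$result = Test-IssuerIdRule
$result | Format-List

if (-not $result.HasIssuerIdRule) {
    $msg = "No IssuerID claim rule found on '{0}'. With multiple federated domains, " +
           "sign-in for the additional domains will fail. Re-run " +
           "Convert-MsolDomainToFederated with -SupportMultipleDomain, or upgrade " +
           "Azure AD Connect to 1.1.380.0 and re-run its AD FS configuration."
    Write-Warning ($msg -f $result.RelyingParty)
}
```

Run it before and after upgrading Azure AD Connect to confirm the rule is back in place; the RuleNames list also makes it easy to spot other rules that an upgrade may have rewritten.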
This is version 1.1.380.0 of Azure AD Connect.
It was signed off on December 28th, 2016.
You can download Azure AD Connect here.
The download weighs 78.0 MB.
If you've previously upgraded your Azure AD Connect installation to version 1.1.371.0, you can download and install this version of Azure AD Connect above and upgrade to this version.
When you've installed Azure AD Connect using Express Settings, the Automatic Updating functionality will not upgrade your Azure AD Connect installation(s) to this version. Installations configured with Express Settings will continue to run version 1.1.343.0.