Yesterday, Microsoft released a new version of Azure AD Connect, its free tool to synchronize objects from your on-premises Active Directory Domain Services environment to Azure Active Directory.
It addresses a critical security vulnerability, but also offers new functionality, like delegate write-back from Exchange Online to Exchange Server on-premises.
Vulnerability could allow Elevation of Privilege
If the Password Writeback feature is enabled in Azure AD Connect, a malicious person who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary privileged user accounts, residing in the on-premises Active Directory Domain Services (AD DS) environment.
Version 1.1.553.0 of Azure AD Connect addresses this issue by blocking Password Writeback requests for on-premises privileged accounts (determined by querying the adminCount attribute) unless the requesting Azure AD Administrator is the owner of the account in the on-premises Active Directory Domain Services environment.
Call to action
Please update to Azure AD Connect version 1.1.553.0 as soon as possible.
If you are unable to immediately upgrade to the latest “Azure AD Connect” version, consider the following options:
- If the account in the on-premises Active Directory Domain Services environment is a member of one or more on-premises privileged groups, consider removing the account from the group(s).
- If an on-premises Active Directory administrator has previously created Control Access Rights on the adminSDHolder object for the account in the on-premises Active Directory Domain Services environment, which permits Reset Password operation, consider removing it.
- It may not always be possible to remove existing permissions granted to the account in the on-premises Active Directory Domain Services environment. For example, the account relies on the group membership for permissions required for other features such as Password synchronization or Exchange hybrid writeback. In these cases, consider creating a DENY ACE on the adminSDHolder object to disallow the AD DS account with Reset Password permission.
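The three fallback options above can be audited and, for the third one, applied with PowerShell. The script below is an added example, not part of the original post or of Azure AD Connect itself. It assumes the ActiveDirectory module (RSAT) on a domain-joined machine, a session with rights to modify AdminSDHolder, and that you substitute the placeholder sync account name 'MSOL_xxxxxxxx' with the AD DS account Azure AD Connect actually uses. It lists the accounts the fix treats as privileged (adminCount = 1), shows whether the sync account already holds a Reset Password grant on AdminSDHolder, and can add a Deny ACE for that extended right.

```powershell
# Added example (not from the original post or from Microsoft): audit the
# adminCount=1 accounts and the AdminSDHolder ACL, and optionally add the Deny
# ACE for "Reset Password" that the post's third fallback option describes.
# Assumes the ActiveDirectory module and sufficient rights on AdminSDHolder.
# 'MSOL_xxxxxxxx' is a placeholder for the Azure AD Connect AD DS account.

Import-Module ActiveDirectory

# Well-known GUID of the "Reset Password" (User-Force-Change-Password) extended right
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-AdminSDHolderPath {
    # AdminSDHolder lives in the System container of every domain
    'AD:\CN=AdminSDHolder,CN=System,' + (Get-ADDomain).DistinguishedName
}

function Get-ProtectedAccount {
    # Accounts version 1.1.553.0 treats as privileged: adminCount = 1.
    # Option 1 in the post is to take such accounts out of privileged groups.
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, memberOf |
        Select-Object SamAccountName, DistinguishedName,
            @{ Name = 'GroupCount'; Expression = { @($_.memberOf).Count } }
}

function Get-AdminSDHolderResetPasswordAce {
    # Option 2 in the post: find any Reset Password grant for the sync account
    # on AdminSDHolder, either explicit (ObjectType = the right's GUID) or via a
    # broad ExtendedRight/GenericAll grant (ObjectType = all zeros).
    param([Parameter(Mandatory)][string] $SyncAccountSam)

    $sid = (Get-ADUser -Identity $SyncAccountSam).SID
    $acl = Get-Acl -Path (Get-AdminSDHolderPath)

    $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [Guid]::Empty) -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    }
}

function Add-ResetPasswordDenyAce {
    # Option 3 in the post: Deny the Reset Password extended right to the sync
    # account on AdminSDHolder. SDProp re-stamps this ACL onto every adminCount=1
    # account (by default roughly every 60 minutes), so Password Writeback for
    # those accounts will then fail by design while other permissions stay intact.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string] $SyncAccountSam)

    $sid  = (Get-ADUser -Identity $SyncAccountSam).SID
    $path = Get-AdminSDHolderPath
    $acl  = Get-Acl -Path $path

    $deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ResetPasswordGuid)

    if ($PSCmdlet.ShouldProcess($path, "Deny Reset Password for $SyncAccountSam")) {
        $acl.AddAccessRule($deny)
        Set-Acl -Path $path -AclObject $acl
    }
}

# Usage: review first, then apply with -WhatIf before the real run.
Get-ProtectedAccount | Format-Table -AutoSize
Get-AdminSDHolderResetPasswordAce -SyncAccountSam 'MSOL_xxxxxxxx'
Add-ResetPasswordDenyAce -SyncAccountSam 'MSOL_xxxxxxxx' -WhatIf
```

The Deny ACE is placed on AdminSDHolder rather than on individual accounts because SDProp overwrites the ACLs of protected accounts from that template; a Deny set directly on a user object would be wiped on the next propagation cycle. Remove the ACE again once the upgrade to 1.1.553.0 is complete, as the product itself then enforces the same restriction.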
Azure AD Connect Sync
Previously, the ‘msDS-ConsistencyGuid as Source Anchor’ feature was available to new deployments only. Now, it is available to existing deployments.
Specific to the userCertificate attribute on Device objects, Azure AD Connect now looks for the certificate values required for connecting domain-joined devices to Azure AD and filters out the rest before synchronizing to Azure AD.
Azure AD Connect now supports writeback of Exchange Online cloudPublicDelegates attribute to on-premises AD publicDelegates attribute. This enables the scenario where an Exchange Online mailbox can be granted SendOnBehalfTo rights to users with on-premises Exchange mailboxes. To support this feature, a new out-of-box sync rule “Out to AD – User Exchange Hybrid PublicDelegates writeback” has been added. This sync rule is only added to Azure AD Connect when the ‘Exchange Hybrid’ feature is enabled.
Azure AD Connect now supports synchronizing the altRecipient attribute from Azure AD.
The cloudSOAExchMailbox attribute in the Metaverse indicates whether a given user has an Exchange Online mailbox or not. Its definition has been updated to include additional Exchange Online RecipientDisplayTypes, such as Equipment and Conference Room mailboxes.
Several X509Certificate2-compatible functions for creating synchronization rule expressions to handle certificate values in the userCertificate attribute were added.
Metaverse schema changes have been introduced to allow customers to create custom synchronization rules to flow sAMAccountName, domainNetBios, and domainFQDN for Group objects, as well as distinguishedName for User objects.
The ADSyncDomainJoinedComputerSync PowerShell Cmdlet script now has a new optional parameter named AzureEnvironment. This parameter can be used to specify which region the corresponding Azure Active Directory tenant is hosted in.
The Sync Rule Editor has been updated to use Join (instead of Provision) as the default value of link type during sync rule creation.
AD FS Management
Previously, the ADFS Certificate Management feature provided by Azure AD Connect could only be used with ADFS farms managed through Azure AD Connect. Now, you can use the feature with ADFS farms that are not managed using Azure AD Connect.
Azure AD Connect Sync
Fixed an issue related to the ‘msDS-ConsistencyGuid as Source Anchor’ feature where Azure AD Connect does not write back to the on-premises AD msDS-ConsistencyGuid attribute. The issue occurs when there are multiple on-premises AD forests added to Azure AD Connect and the User identities exist across multiple directories option is selected.
Previously, even if the ‘msDS-ConsistencyGuid as Source Anchor’ feature wasn’t enabled, the “Out to AD – User ImmutableId” synchronization rule was still added to Azure AD Connect. The effect is benign and does not cause write-back of the msDS-ConsistencyGuid attribute to occur. To avoid confusion, logic has been added to ensure that the sync rule is only added when the feature is enabled.
Fixed an issue that caused password hash synchronization to fail with error event 611. This issue occurs after one or more domain controllers have been removed from the on-premises Active Directory Domain Services environment.
Previously, even if Automatic Upgrade had been disabled using the Set-ADSyncAutoUpgrade cmdlet, the Automatic Upgrade process continued to check for upgrades periodically, and relied on the downloaded installer to honor disablement. With this fix, the Automatic Upgrade process no longer checks for upgrades periodically.
AD FS Management
The following URLs are new WS-Federation endpoints introduced by Azure AD to improve resiliency against authentication outages and will be added to the on-premises AD FS Relying Party Trust (RPT) configuration:
The team fixed an issue that caused AD FS to generate an incorrect claim value for IssuerID. This issue occurs if there are multiple verified domains in the Azure AD tenant and the domain suffix of the userPrincipalName attribute used to generate the IssuerID claim is at least three levels deep (for example, firstname.lastname@example.org). The issue is resolved by updating the regex used by the claim rules.
Important information on this release
There are schema and synchronization rule changes introduced in this build.
Azure AD Connect Synchronization Service will trigger Full Import and Full Sync steps after you upgrade to this version. In some environments these steps may take several hours. During this timeframe other information is not synchronized.
This is version 1.1.553.0 of Azure AD Connect.
It was signed off on June 27, 2017.
You can download Azure AD Connect here.
The download weighs 79.6 MB.
If your Azure AD Connect implementation hasn’t automatically upgraded to version 1.1.553.0 yet, please update your Azure AD Connect implementation as soon as possible.
In larger organizations and larger networking infrastructures, make sure to schedule the upgrade through lifecycle management in a time window where the Full Synchronization cycle will not affect business processes.