Yesterday, Microsoft released a new version of Azure AD Connect, its free tool to synchronize objects from your on-premises Active Directory Domain Services environment to Azure Active Directory.
It addresses a critical security vulnerability, but also offers new functionality, like delegate write-back from Exchange Online to Exchange Server on-premises.,
Vulnerability could allow Elevation of Privilege
In this version of Azure AD Connect, an Elevation of Privilege vulnerability was fixed. This vulnerability is described in Microsoft Security Advisory 4033453 and CVE-2017-8613.
If the Password Writeback feature is enabled in Azure AD Connect, a malicious person who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary privileged user accounts, residing in the on-premises Active Directory Domain Services (AD DS) environment.
Version 1.1.553.0 of Azure AD Connect addresses this issue by blocking Password write-back request for on-premises privileged accounts (determined by querying the adminCount attribute) unless the requesting Azure AD Administrator is the owner of the account in the on-premises Active Directory Domain Services environment.
Call to action
Please update to Azure AD Connect version 1.1.553.0 as soon as possible,
If you are unable to immediately upgrade to the latest “Azure AD Connect” version, consider the following options:
- If the account in the on-premises Active Directory Domain Services environment is a member of one or more on-premises privileged groups, consider removing the account from the group(s).
- If an on-premises Active Directory administrator has previously created Control Access Rights on the adminSDHolder object for the account in the on-premises Active Directory Domain Services environment, which permits Reset Password operation, consider removing it.
- It may not always be possible to remove existing permissions granted to the account in the on-premises Active Directory Domain Services environment. For example, the account relies on the group membership for permissions required for other features such as Password synchronization or Exchange hybrid writeback. In these cases, consider creating a DENY ACE on the adminSDHolder object to disallow the AD DS account with Reset Password permission.
Azure AD Connect Sync
Previously, the ‘msDS-ConsistencyGuid as Source Anchor’ feature was available to new deployments only. Now, it is available to existing deployments.
Specific to the userCertificate attribute on Device objects, Azure AD Connect now looks for certificates values required for connecting domain-joined devices to Azure AD and filters out the rest before synchronizing to Azure AD.
Azure AD Connect now supports writeback of Exchange Online cloudPublicDelegates attribute to on-premises AD publicDelegates attribute. This enables the scenario where an Exchange Online mailbox can be granted SendOnBehalfTo rights to users with on-premises Exchange mailboxes. To support this feature, a new out-of-box sync rule “Out to AD – User Exchange Hybrid PublicDelegates writeback” has been added. This sync rule is only added to Azure AD Connect when the ‘Exchange Hybrid’ feature is enabled.
Azure AD Connect now supports synchronizing the altRecipient attribute from Azure AD.
The cloudSOAExchMailbox attribute in the Metaverse indicates whether a given user has an Exchange Online mailbox or not. Its definition has been updated to include additional Exchange Online RecipientDisplayTypes as Equipment and Conference Room mailboxes.
Several X509Certificate2-compatible functions for creating synchronization rule expressions to handle certificate values in the userCertificate attribute were added.
Metaverse schema changes have been introduced to allow customers to create custom synchronization rules to flow sAMAccountName, domainNetBios, and domainFQDN for Group objects, as well as distinguishedName for User objects.
The ADSyncDomainJoinedComputerSync PowerShell Cmdlet script now has a new optional parameter named AzureEnvironment. This parameter can be used to specify which region the corresponding Azure Active Directory tenant is hosted in.
The Sync Rule Editor has been update to use Join (instead of Provision) as the default value of link type during sync rule creation.
AD FS Management
Previously, the ADFS Certificate Management feature provided by Azure AD Connect could only be used with ADFS farms managed through Azure AD Connect. Now, you can use the feature with ADFS farms that are not managed using Azure AD Connect.
Azure AD Connect Sync
Fixed an issue related to the ‘msDS-ConsistencyGuid as Source Anchor’ feature where Azure AD Connect does not write-back to on-premises AD msDS-ConsistencyGuid attribute. The issue occurs when there are multiple on-premises AD forests added to Azure AD Connect and the User identities exist across multiple directories option is selected.
Previously, even if the ‘msDS-ConsistencyGuid as Source Anchor’ feature wasn’t enabled, the “Out to AD – User ImmutableId” synchronization rule was still added to Azure AD Connect. The effect is benign and does not cause write-back of the
msDS-ConsistencyGuid attribute to occur. To avoid confusion, logic has been added to ensure that the sync rule is only added when the feature is enabled.
Fixed an issue that caused password hash synchronization to fail with error event 611. This issue occurs after one or more domain controllers have been removed from the on-premises Active Directory Domain Services environment.
Previously, even if Automatic Upgrade had been disabled using the
Set-ADSyncAutoUpgrade cmdlet, the Automatic Upgrade process continued to check for upgrade periodically, and relied on the downloaded installer to honor disablement. With this fix, the Automatic Upgrade process no longer checks for upgrade periodically.
AD FS Management
The following URLs are new WS-Federation endpoints introduced by Azure AD to improve resiliency against authentication outage and will be added to the on-premises AD FS Replying Party Trust (RPT) configuration:
The team fixed an issue that caused AD FS to generate incorrect claim value for IssuerID. This issue occurs if there are multiple verified domains in the Azure AD tenant and the domain suffix of the userPrincipalName attribute used to generate the IssuerID claim is at least 3-levels deep (for example, email@example.com). The issue is resolved by updating the regex used by the claim rules.
Important information on this release
There are schema and synchronization rule changes introduced in this build.
Azure AD Connect Synchronization Service will trigger Full Import and Full Sync steps after you upgrade to this version. In some environments these steps may take several hours. During this timeframe other information is not synchronized.
This is version 1.1.553.0 of Azure AD Connect.
It was signed off on on June 27, 2017.
You can download Azure AD Connect here.
The download weighs 79,6 MB.
If your Azure AD Connect implementation hasn’t automatically upgraded to version 1.1.553.0 yet, please update your Azure AD Connect implementation as soon as possible.
In larger organizations and larger networking infrastructures, make sure to schedule the upgrade through lifecycle management in a period of time where the impact of the Full Synchronization cycle would not impact business processes.
Does the vulneeability only affect accounts that are located in an OU that is included for synchronization with Azure / OFFICE365, for example my admin accounts are not synced to azure so therefore they are not inscope and do not exist in azure AD so how can password writeback work for them
See for now that our ad sync Installation (1.1.281.0) has the auto upgrade function to status suspended.
What do you advice? Auto upgrade on or off?
I recommend keeping Azure AD Connect installations up to date.
I feel organizations should approach updating Microsoft products like Azure AD Connect like they would approach Windows, Windows Server, Exchange Server and System Center products. There's a new version roughly every month, so it should easily fit into current processes if you want to perform Azure AD Connect upgrades manually. If you auto-update your Windows Server automatically, please use the Automatic Upgrades feature of Azure AD Connect, too.
Of course, Azure AD Connect has some differences to the above set of products: due to schema and/or rule changes, some upgrades require a full synchronization. For large organizations, this may take anywhere between 3 hours (typically for 5,000 users) to 40 hours (typically for 200,000 users). During full sync cycles, Azure AD Connect won’t perform delta sync cycles, meaning changes you make to objects your organization synchronizes won’t be update until the next synchronization cycle. You might want to plan the full syncs. There’s an option to defer the full sync after an upgrade, too.
Another thing to keep in mind is that you can’t download the previous version of Azure AD Connect once a new version is released. Staging Mode, surprisingly, is the best way to deal with this. I have helped organizations develop a lifecycle management process for Azure AD Connect, where their active Azure AD Connect installation would upgrade, but their stand-by Azure AD Connect installation(s) wouldn’t, until the next upgrade. This offers upgrade roll-back capabilities.
We are using the msDS-ConsistencyGuid as Source Anchor however I don't see the 'Out to AD - User ImmutableId' sync rule. Is there something that has to be done to enable this?
In some cases, this rule is deleted when updating to Azure AD Connect versions 1.1.553.0 or 1.1.557.0.
This behavior can be addressed by upgrading to version 1.1.561.0, available here.