Yesterday, Microsoft released version 1.1.614.0 of Azure AD Connect, its free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments to Azure Active Directory.
Azure AD Connect Sync
Azure AD Connect now features a Troubleshoot task in the Azure AD Connect wizard under Additional Tasks. You can leverage this task to troubleshoot issues related to password synchronization and collect general diagnostics. In the future, the Troubleshoot task will be extended to include other directory synchronization-related issues.
Azure AD Connect now supports a new installation mode called Use Existing Database. This installation mode allows you to install Azure AD Connect against an existing ADSync database instead of creating a new one. For more information about this feature, refer to the Install Azure AD Connect using an existing ADSync database article.
For improved security, Azure AD Connect now defaults to using TLS 1.2 to connect to Azure AD for directory synchronization. Previously, the default was TLS 1.0, and many Azure AD Connect designs already included the .NET Framework registry values that make Azure AD Connect default to TLS 1.2. Those registry values remain relevant: the new default only holds when the operating system and .NET Framework on the Azure AD Connect server are allowed to negotiate TLS 1.2.
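To check whether an Azure AD Connect server can actually negotiate TLS 1.2, the following script (an added example, not part of the original post or of Microsoft's product) audits the .NET Framework and SCHANNEL registry values that Microsoft documents for TLS 1.2 enforcement on Azure AD Connect servers. The key paths and value names are the documented ones; the expected values are the ones needed for TLS 1.2. Run it in an elevated PowerShell session on the Azure AD Connect server.

```powershell
# Added example: audit the registry values that govern whether the .NET-based
# Azure AD Connect components negotiate TLS 1.2 to Azure AD.
# Run elevated on the Azure AD Connect server. Audits only; see the note at the end.
$checks = @(
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SchUseStrongCrypto';       Want = 1 },
  @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto';       Want = 1 },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SystemDefaultTlsVersions'; Want = 1 },
  @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SystemDefaultTlsVersions'; Want = 1 },
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'Enabled';           Want = 1 },
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'DisabledByDefault'; Want = 0 }
)

$results = foreach ($c in $checks) {
    # A missing value is reported as absent rather than treated as 0; on Windows
    # Server versions that enable TLS 1.2 by default an absent SCHANNEL value is fine,
    # but an absent SchUseStrongCrypto means older .NET code still defaults to TLS 1.0.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
        Setting = "$($c.Path)\$($c.Name)"
        Actual  = if ($null -eq $actual) { '(absent)' } else { $actual }
        Wanted  = $c.Want
        OK      = ($actual -eq $c.Want)
    }
}
$results | Format-Table -AutoSize

# To enforce instead of audit, set each value to its wanted number, for example:
# New-ItemProperty -Path $checks[0].Path -Name $checks[0].Name -Value 1 -PropertyType DWord -Force
# A restart of the ADSync service (or a reboot) is required for the .NET values to take effect.
```

The WOW6432Node entries matter because parts of Azure AD Connect run as 32-bit processes; setting only the 64-bit key leaves those components on the old default.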
When Azure AD Connect Password Synchronization Agent starts up, it tries to connect to the Azure AD well-known endpoint for password synchronization. Upon successful connection, it is redirected to a region-specific endpoint. Previously, the Password Synchronization Agent cached the region-specific endpoint until it was restarted. Now, the agent clears the cache and retries with the well-known endpoint if it encounters connection issue with the region-specific endpoint. This change ensures that password synchronization can failover to a different region-specific endpoint when the cached region-specific endpoint is no longer available.
To synchronize changes from an on-premises Active Directory forest, an account in the on-premises Active Directory Domain Services (AD DS) environment is required.
You can either:
- create the Active Directory account yourself and provide its credential to Azure AD Connect, or
- provide Enterprise Admin credentials and let Azure AD Connect create the Active Directory account for you.
Previously, creating the account yourself was the default option in the Azure AD Connect wizard. Now, letting Azure AD Connect create the account for you is the default option. In both cases the account ends up with the permissions the selected features need; with Password Hash Synchronization enabled, that includes the Replicating Directory Changes and Replicating Directory Changes All permissions on the domain, so the account and the Azure AD Connect server should be protected like Domain Controllers.
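Because the connector account (whether created by you or by the wizard) can hold directory replication rights, it is worth listing every principal that holds them after installation. The following script is an added example and not part of the original post or of Azure AD Connect; it reads the domain's security descriptor through the ActiveDirectory module's AD: drive and reports the allow entries that confer the three replication extended rights (the GUIDs are the well-known schema GUIDs of DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set), plus the entries that imply them through GenericAll or an unrestricted extended-rights grant.

```powershell
# Added example: list who can replicate directory changes (including password hashes)
# from this domain. Requires the ActiveDirectory PowerShell module (RSAT or a DC).
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path ("AD:\" + $domainDN)

# Well-known extended-right GUIDs from the AD schema.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$acl.Access | ForEach-Object {
    $ace   = $_
    $isExt = (($ace.ActiveDirectoryRights -band $extRight) -ne 0)
    $guid  = $ace.ObjectType.ToString()
    $right = $null

    if (($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll) {
        $right = 'GenericAll (implies all replication rights)'
    }
    elseif ($isExt -and $ace.ObjectType -eq [Guid]::Empty) {
        # ExtendedRight with an empty ObjectType means "all extended rights".
        $right = 'All extended rights (implies all replication rights)'
    }
    elseif ($isExt -and $replRights.ContainsKey($guid)) {
        $right = $replRights[$guid]
    }

    if ($right -and $ace.AccessControlType -eq 'Allow') {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Right     = $right
            Inherited = $ace.IsInherited
        }
    }
} | Sort-Object Identity, Right | Format-Table -AutoSize
```

On a healthy domain the output is short: Domain Controllers, Enterprise Domain Controllers, Administrators, Enterprise Read-only Domain Controllers for the filtered set, and the Azure AD Connect connector account (the wizard-created one is named MSOL_ followed by a hexadecimal string). Any other principal with Get-Changes-All can obtain password hashes for every account in the domain and deserves an explanation.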
Azure AD Connect Health
On top of last week’s improvements to Azure AD Connect Health Sync Error Reporting, Azure AD Connect Health is now also supported for Microsoft Azure Government Cloud and Microsoft Cloud Germany.
Active Directory Federation Services (AD FS) Management
The Verify ADFS Login task in the list of Azure AD Connect's additional tasks was updated so that it verifies logins against Microsoft Online instead of only retrieving a token from AD FS.
When setting up a new AD FS farm using Azure AD Connect, the page asking for the AD FS credentials was moved so that it now occurs before the user is asked to provide AD FS and WAP servers. This allows Azure AD Connect to check that the account specified has the correct permissions.
During Azure AD Connect upgrade, situations where the 'Office 365 Identity Platform' Relying Party Trust (RPT) fails to update no longer result in a failed upgrade. In this scenario, you are shown a warning message and should then reset the trust via Azure AD Connect's Repair AAD and ADFS Trust additional task.
The team fixed an issue that caused Azure AD Connect installation to fail if the on-premises Active Directory forest has NTLM disabled. The issue was caused by the Azure AD Connect wizard not providing fully qualified credentials when creating the security contexts required for Kerberos authentication. This caused Kerberos authentication to fail and the Azure AD Connect wizard to fall back to NTLM, which then failed in forests where NTLM is disabled.
Azure AD Connect Sync
The team fixed an issue that prevented the creation of new synchronization rules if the Tag attribute isn’t populated.
The team fixed an issue that caused Azure AD Connect to connect to on-premises Active Directory for Password Synchronization using NTLM, even though Kerberos was available. This issue occurs if the on-premises Active Directory topology has one or more Domain Controllers that were restored from a backup.
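Both the installation fix above and this Password Synchronization fix are about silent fallback from Kerberos to NTLM, which is exactly the downgrade an NTLM-restricting organization wants to catch. The following script is an added example (not from the original post or from Microsoft) that shows how to verify which authentication package the connector account is actually using: it reads the Security log of a Domain Controller for logon events (ID 4624) of the connector account in the last 24 hours and tallies them by authentication package. The account name is an assumption; substitute your own connector account, and run the script on every Domain Controller the Azure AD Connect server talks to (or against your central log collector).

```powershell
# Added example: count Kerberos versus NTLM logons of the Azure AD Connect
# connector account on this Domain Controller over the last 24 hours.
# Run elevated on a Domain Controller. $account is an assumed name; replace it.
$account = 'MSOL_1a2b3c4d5e6f'
$filter  = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-24) }

$logons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # The interesting fields live in EventData; pull them out of the event XML.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

    if ($data['TargetUserName'] -eq $account) {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Package     = $data['AuthenticationPackageName']   # 'Kerberos' or 'NTLM'
            LmPackage   = $data['LmPackageName']               # e.g. 'NTLM V2' when NTLM is used
            LogonType   = $data['LogonType']
            Source      = $data['IpAddress']
            Workstation = $data['WorkstationName']
        }
    }
}

# Summary: any NTLM entries here mean the connector is still downgrading.
$logons | Group-Object Package | Select-Object Name, Count | Format-Table -AutoSize

# Detail of the NTLM logons, if any, so you can see which DC and source address are involved.
$logons | Where-Object Package -eq 'NTLM' | Sort-Object Time | Format-Table -AutoSize
```

With the fixes in this release applied, the summary should show only Kerberos for the connector account; NTLM entries after the upgrade point at a remaining name-resolution or SPN problem rather than at Azure AD Connect itself.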
The team fixed an issue that caused full synchronization steps to occur unnecessarily after upgrade. In general, running the full synchronization steps is required after upgrade if there are changes to out-of-box synchronization rules. The issue was due to an error in the change detection logic that incorrectly detected a change when encountering synchronization rule expressions with newline characters. Newline characters are inserted into sync rule expressions to improve readability.
The team fixed an issue that can cause the Azure AD Connect server to not work correctly after an Automatic Upgrade. This issue affects Azure AD Connect servers with version 1.1.443.0 (or earlier). For details about the issue, refer to article Azure AD Connect is not working correctly after an automatic upgrade.
The team fixed an issue that can cause Automatic Upgrade to be retried every 5 minutes when errors are encountered. With the fix, Automatic Upgrade retries with exponential back-off when errors are encountered.
The team fixed an issue where password synchronization event 611 is incorrectly shown in the Windows Application Event log as informational instead of error. Event 611 is generated whenever password synchronization encounters an issue.
The team fixed an issue in the Azure AD Connect wizard that allows Group write-back feature to be enabled without selecting an Organizational Unit (OU) required for Group write-back.
Active Directory Federation Services (AD FS) Management
The Initialize-ADSyncNGCKeysWriteBack Windows PowerShell cmdlet in the ADPrep PowerShell module applied its access control entries to the device registration container incorrectly, so the container only inherited existing permissions and the synchronization service account did not receive the permissions it needs. The behavior was updated so that the synchronization service account gains the correct permissions.
Seamless Single Sign-On (S3O)
The team fixed an issue that caused the Azure AD Connect wizard to return an error if you try to enable Seamless Single Sign-On:
Configuration of Microsoft Azure AD Connect Authentication Agent failed.
This issue affects existing Azure AD Connect installations where the preview version of the Authentication Agents for Pass-through Authentication were manually upgraded, based on the steps described in the Azure Active Directory Pass-through Authentication: Upgrade preview Authentication Agents article.
There is a known issue with Azure AD Connect upgrade that affects customers who have enabled Seamless Single Sign-On. After Azure AD Connect is upgraded, the feature appears as disabled in the wizard, even though it remains enabled. A fix for this issue will be provided in a future release. Customers who are concerned about this display issue can fix it manually by enabling Seamless Single Sign-On in the wizard again.
This is version 1.1.614.0 of Azure AD Connect.
It was signed off on September 5, 2017.
You can download Azure AD Connect here.
The download weighs 81.1 MB.
Much of the above behavior was introduced in version 1.1.613.0, but internal testing led to several more fixes to make sure the choice for Azure AD Connect is the right choice for organizations on their Hybrid Identity journeys.
With its many features, this is a good version to test your Azure AD Connect lifecycle management processes on.
Azure AD Connect 1.1.561.0 finalizes Automatic Upgrade scenario changes
Azure AD Connect 1.1.557.0 is good news for highly-regulated organizations
Azure AD Connect v1.1.553.0 addresses a critical security vulnerability
Azure AD Connect 1.1.524.0 brings a ton of new functionality to Hybrid Identity
Azure AD Connect versions 1.1.484.0 and 1.1.486.0 offer great enhancements
Azure AD Connect v1.1.443.0 is here
Nice list of improvements.
Can you tell me if Azure AD Connect registers itself in the AD Service Connection Port (SCP) to be queried? I have an app that needs to know where Azure AD Connect is installed in the local AD Domain and having trouble finding out this info.
Question: Wasn't it announced at Microsoft Ignite 2017 that Azure AD Connect was changing to not require or need on-premises management of attributes?