Last Thursday, Microsoft released version 1.1.647.0 of Azure AD Connect, its free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments to Azure Active Directory.
At Microsoft Ignite, Microsoft declared Seamless Single Sign-On and Pass-through Authentication features as Generally Available, so the team doubled down on fixing some common issues with these user sign-in methods. Other fixes were also included.
Announcements
The Synchronization Service has a WMI interface that lets you develop your own custom scheduler. This interface is now deprecated and will be removed from future versions of Azure AD Connect shipped after June 30, 2018. Customers who want to customize synchronization schedule should use the built-in scheduler.
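The built-in scheduler the announcement points to is driven by the ADSync PowerShell module. The following is an added example (not code from the post or from Microsoft) of inspecting and customizing it; it assumes an elevated session on the Azure AD Connect server, and the two-hour interval is a constructed value:

```powershell
# Added example: manage the built-in Azure AD Connect scheduler instead of a custom WMI scheduler.
# Assumes it runs elevated on the Azure AD Connect server where the ADSync module is installed.
Import-Module ADSync

# Show the current scheduler state: effective interval, next cycle type, staging mode, etc.
Get-ADSyncScheduler

# Lengthen the cycle from the 30-minute default to two hours (constructed value).
# The effective interval never drops below AllowedSyncCycleInterval, which the tenant enforces.
Set-ADSyncScheduler -CustomizedSyncCycleInterval 02:00:00

# A custom scheduler is often paired with a disabled built-in one; make sure it is enabled again.
Set-ADSyncScheduler -SyncCycleEnabled $true

# Trigger a single delta cycle on demand, e.g. from a maintenance script,
# but only when no cycle is already running.
if (-not (Get-ADSyncScheduler).SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta
}
```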
What’s New
Azure AD Connect
The team added logic to simplify the steps required to set up Azure AD Connect with Microsoft Germany Cloud. Previously, you were required to update specific registry keys on the Azure AD Connect server for it to work correctly with Microsoft Germany Cloud, as described in this article. Now, Azure AD Connect can automatically detect whether your tenant is in Microsoft Germany Cloud, based on the global administrator credentials provided during setup.
Azure AD Connect Sync
When troubleshooting Password Synchronization using the Azure AD Connect wizard troubleshooting page, the troubleshooting page now returns domain-specific status.
Previously, if you tried to enable Password Hash Synchronization, Azure AD Connect did not verify whether the AD Connector account had the required permissions to synchronize password hashes from on-premises Active Directory. Now, Azure AD Connect wizard will verify and warn you if the account does not have sufficient permissions.
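The permissions the wizard now checks are the directory-replication extended rights on the domain root. The following added example (not code from the post or from Microsoft) verifies that the AD Connector account holds them and lists every other principal that does, since those rights allow reading password hashes and the list should be short and expected. It assumes the ActiveDirectory module; the account name is constructed:

```powershell
# Added example: check the AD Connector account's replication rights on the domain root
# and audit which other principals hold the same rights.
# Assumes the ActiveDirectory module (AD: drive) and a constructed connector account name.
Import-Module ActiveDirectory

$connectorAccount = 'CONTOSO\MSOL_ab12cd34'   # constructed; substitute your AD Connector account
$domainDN = (Get-ADDomain).DistinguishedName

# Extended-right GUIDs as defined in the AD schema (controlAccessRight objects)
$rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

# Collect every Allow ACE on the domain root that grants one of the two extended rights
$acl = Get-Acl -Path "AD:\$domainDN"
$grants = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $rights.ContainsKey($_.ObjectType.ToString())
} | Select-Object @{n='Principal'; e={ $_.IdentityReference.Value }},
                  @{n='Right';     e={ $rights[$_.ObjectType.ToString()] }}

# Report whether the connector account has each right (the condition the wizard now warns about)
foreach ($name in $rights.Values) {
    $has = $grants | Where-Object { $_.Principal -eq $connectorAccount -and $_.Right -eq $name }
    '{0}: {1}' -f $name, $(if ($has) { 'granted' } else { 'MISSING' })
}

# Audit: all principals holding either right, to compare against the expected set
$grants | Sort-Object Principal, Right | Format-Table -AutoSize
```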
Fixes
Azure AD Connect
The team fixed an issue in the Change user sign-in task in Azure AD Connect wizard. The issue occurs when you have an existing Azure AD Connect deployment with Password Synchronization enabled, and you are trying to set the user sign-in method as Pass-through Authentication and when you disable or enable Seamless Single Sign-on.
The team also fixed another issue in the Change user sign-in task in Azure AD Connect wizard. The issue occurs when you have an existing Azure AD Connect deployment with Password Synchronization disabled, and you are trying to set the user sign-in method as Pass-through Authentication. When the change is applied, the wizard enables both Pass-through Authentication and Password Synchronization. With this fix, the wizard no longer enables Password Synchronization, because, since Azure AD Connect version 1.1.557.0, Password Synchronization is no longer a prerequisite for enabling Pass-through Authentication.
The team fixed an issue that caused Azure AD Connect upgrades to fail with error "Unable to upgrade the Synchronization Service". Further, the Synchronization Service could no longer start with event error "The service was unable to start because the version of the database is newer than the version of the binaries installed". The issue occurred when the administrator performing the upgrade did not have sysadmin privilege on the SQL server used by Azure AD Connect. With this fix, Azure AD Connect only requires the administrator to have db_owner privilege on the ADSync database during upgrade.
The team fixed an Azure AD Connect Upgrade issue that affected customers who have enabled Seamless Single Sign-On. After Azure AD Connect is upgraded, Seamless Single Sign-On incorrectly appears as disabled in Azure AD Connect wizard, even though the feature remains enabled and fully functional. With this fix, the feature now appears correctly as enabled in the wizard.
The team fixed an issue that caused Azure AD Connect wizard to always show the Configure Source Anchor prompt on the Ready to Configure page, even if no changes related to Source Anchor were made.
When performing manual in-place upgrade of Azure AD Connect, the customer is required to provide the Global Administrator credentials of the corresponding Azure AD tenant. Previously, upgrade could proceed even though the Global Administrator credentials provided belonged to a different Azure AD tenant. While upgrade appears to complete successfully, certain configurations were not correctly persisted with the upgrade. With this change, the wizard will not allow a manual upgrade to proceed if the credentials provided do not match the Azure AD tenant.
Azure AD Connect health
The team removed redundant logic that unnecessarily restarted Azure AD Connect Health service at the beginning of a manual upgrade.
Azure AD Connect Sync
When Azure AD Connect wizard created the AD Connector account required to synchronize changes from on-premises Active Directory, it did not correctly assign the account the permission required to read PublicFolder objects. This issue affected both Express installation and Custom installation. This change fixes the issue.
The team fixed an issue that caused the Azure AD Connect Wizard troubleshooting page to not render correctly for administrators running Azure AD Connect on Windows Server 2016.
AD FS Management
The team fixed an issue related to the use of the msDS-ConsistencyGuid as Source Anchor feature. This issue affects customers who have configured Federation with AD FS as the user sign-in method. When you execute the Configure Source Anchor task in the wizard, Azure AD Connect switches to using ms-DS-ConsistencyGuid as source attribute for immutableId. As part of this change, Azure AD Connect attempts to update the claim rules in AD FS. However, this step failed because Azure AD Connect did not have the administrator credentials required to configure AD FS. With this fix, Azure AD Connect now prompts you to enter the administrator credentials for AD FS when you execute the Configure Source Anchor task.
Version information
This is version 1.1.647.0 of Azure AD Connect.
It was signed off on October 19, 2017.
Download information
You can download Azure AD Connect here.
The download weighs 78.6 MB.
Concluding
This release marks the General Availability of two user sign-in options that were previously in public preview. It includes many fixes and code cleanup. If you use these user sign-in methods, upgrading to this version should be at the top of your to-do list (if Azure AD Connect wasn’t already upgraded automatically).
Also, if you’ve built your own scheduler for Azure AD Connect, based on the WMI calls, you should start planning on using the built-in scheduler.