Leveraging Azure AD Connect Staging Mode for Release Management

Azure AD Connect Release Management

Azure AD Connect offers the Staging Mode functionality. This feature is often touted as a way to bring disaster recovery to Azure AD Connect, but I don’t feel this is the actual strength of this feature. I believe offering release management capabilities is the best use of the Staging Mode feature.

 

Release Management

Release management is defined as:

Release management is the process of managing, planning, scheduling and controlling a software build through different stages and environments; including testing and deploying software releases.

Controlling Azure AD Connect

Applying the control approach to Azure AD Connect, the following layers can be defined for Windows Servers running Azure AD Connect:

  1. Hardware, drivers, firmware and integration components
  2. Operating System version and patch level
  3. Azure AD Connect version
  4. Azure AD Connect rules
  5. Azure AD Connect configuration

Now, any change in any of the layers may cause a disruption of the Azure AD Connect functionality and thus in Hybrid Identity. To avoid these disruptions, the principles of control in release management can be applied:

  • The Azure AD Connect functionality is maintained (at least) twice.
  • Changes to configuration are applied to one system at a time, only, with a preference for an offline system.
  • Changes are verified before going to production.
  • Changes are monitored after releases to detect rogue changes early.

 

Steps for Azure AD Connect release management

For Azure AD Connect, this means the following steps can be followed to implement a change to any of the layers in the stack:

Note:
These steps do not exclude any testing or acceptance process steps that you may want to walk through in your organization, first.

  1. Changes are made on the Staging Mode server, only.
  2. A manual synchronization cycle is started on the actively synchronizing Azure AD Connect installation, for the last time.
  3. The actively synchronizing Azure AD Connect installation is configured in Staging Mode.
  4. A manual synchronization cycle is started on the Staging Mode Azure AD Connect installation, that is intended as the newly actively synchronizing Azure AD Connect installation.
  5. Before the initial synchronization out of Staging Mode, the metaverse is compared between the previously actively synchronizing Azure AD Connect and the Azure AD Connect installation, intended as the newly actively synchronizing Azure AD Connect installation.
  6. The updated Staging Mode Azure AD Connect installation is configured as no longer being in Staging Mode , becoming the actively synchronizing Azure AD Connect installation.
  7. Update the issuance transformation rules for the Microsoft Office 365 Identity Platform Relying Party Trust (RPT) in AD FS.

Let’s follow these steps to upgrade the version of Azure AD Connect:

 

Initial stage

When setting up release management with Azure AD Connect, initially, both installations will have the same versions and will need to have the exact same configuration:

Azure AD Connect Release Management - Stage 1

 

Step 1. Make changes to the Staging Mode server

Now, let’s upgrade Azure AD Connect on the Staging Mode server. Follow these steps:

  1. Sign in interactively to the Staging Mode Azure AD Connect installation with an account that has local administrator privileges.
  2. Download the latest version of Azure AD Connect.
  3. Double-click AzureADConnect.msi to start the upgrade.
    After some initial actions, the Microsoft Azure Active Directory Connect window appears.
  4. On the Upgrade Azure Active Directory Connect screen, click Upgrade:

    Microsoft Azure Active Directory Connect - Upgrade Azure Active Directory Connect

  5. On the Connect to Azure AD screen, enter the credentials of an account in Azure AD that has Global administrator privileges. Perform multi-factor authentication and privileged identity management, when needed.
  6. On the Ready to configure screen, click Upgrade.
  7. On the Configuration complete screen, click Exit.

Now that we’ve upgraded Azure AD Connect on the Staging Mode server, we’re likely to see the following changed configuration items (in green):

Azure AD Connect Release Management - Stage 2

 

Step 2: Perform a manual synchronization cycle

To synchronize the latest changes from Active Directory to Azure AD, and vice versa, perform a manual synchronization cycle on the actively synchronizing Azure AD Connect installation, for the last time.

On the actively synchronizing Azure AD Connect installation, In an elevated Windows PowerShell window, issue the following line of PowerShell:

Start-ADSyncSyncCycle

 

Step 3: Configure the Actively syncing server in Staging Mode

Now, let’s stop actively synchronizing information between Active Directory and Azure AD. This will freeze the information and allow us to compare the metaverses of the actively synchronizing Azure AD Connect installation and the Azure AD Connect installation that is to become the active installation.

On the same system as Step 2, perform the following steps while signed in interactively:

  1. Start Azure AD Connect from the desktop.
  2. Acknowledge User Account Control by pressing Yes.
    The Microsoft Azure Active Directory Connect window appears.
  3. On the Welcome to Azure AD Connect screen, click Configure.
  4. From the list of Additional Tasks, choose Configure staging mode.
  5. Click Next.
  6. On the Connect to Azure AD screen, sign into Azure AD with an account that has Global Administrator / Company administrator privileges in the connected Azure AD tenant.
    Perform multi-factor authentication and/or privileged identity management (PIM) steps, when needed.
  7. On the Configure Staging Mode screen, select the Enable staging mode option:

    Microsoft Azure Active Directory Connect - Configure staging mode

  8. Click Next.
  9. On the Ready to configure screen, click Configure:

    Microsoft Azure Active Directory Connect - Ready to configure

  10. On the Configuration complete screen, click Exit.

 

Step 4: Perform a manual synchronization cycle

To synchronize the latest changes from Active Directory to Azure AD, and vice versa, perform a manual synchronization cycle on the Staging Mode Azure AD Connect installation.

On the Staging Mode Azure AD Connect installation, In an elevated Windows PowerShell window, issue the following line of PowerShell:

Start-ADSyncSyncCycle

 

Step 5. Compare the configuration and Metaverses

Before the initial synchronization out of Staging Mode, the metaverse is compared between the previously actively synchronizing Azure AD Connect and the Azure AD Connect installation, intended as the newly actively synchronizing Azure AD Connect installation. Perform these steps:

  1. Download the Azure AD Connect Configuration Documenter from GitHub.
  2. Extract the contents of the download to C:\AADConnectConfig on both Staging Mode Azure AD Connect installations.
  3. Perform the following lines of Windows PowerShell on Azure AD Connect Server 1:

    Import-Module ADSync
    Get-ADSyncServerConfiguration -Path C:\AADConnectConfig\Data\1

  4. Perform the above command on the other Azure AD Connect installation, too, and copy the contents of the folder to a folder labeled 2 on the first Azure AD Connect installation.
  5. Make a copy of AzureADConnectSyncDocumenter-Contoso.cmd with a name appropriate for your environment and edit your copy for the values of “Pilot” and “Production” directories. to match the 1 and 2  folder.
  6. Run the updated batch file.
    Upon successful execution, the generated report will be found in the Documenter C:\AADConnectConfig\Report folder.
  7. Open the file with Internet Explorer opens. Enable ActiveX content.
  8. Check the option box to the right of Only
    Show Changes
    .
  9. Review the changes.
  10. Close Internet Explorer, when done.
  11. From the Start Menu, open Synchronization Service on both Azure AD Connect installations. Compare the number of objects in the metaverses between both Azure AD Connect installations and sample a couple of objects for their attributes.
  12. Sign off from the originally actively synchronizing Azure AD Connect installation.

 

Step 6. Disable Staging Mode on the original Staging Mode Installation

Perform these steps on the Azure AD Connect installation, while still signed on after step 5:

  1. Start Azure AD Connect from the desktop.
  2. Acknowledge User Account Control by pressing Yes.
    The
    Microsoft Azure Active Directory Connect window appears.
  3. On the Welcome to Azure AD Connect screen, click
    Configure.
  4. From the list of Additional Tasks, choose Configure staging mode.
  5. Click Next.
  6. On the Connect to Azure AD screen, sign into Azure AD with
    an account that has Global Administrator / Company administrator privileges in
    the connected Azure AD tenant. Perform multi-factor authentication and/or
    privileged identity management (PIM) steps, when needed.
  7. On the Configure Staging Mode screen, unselect the
    Enable staging mode
    option:

    Microsoft Azure Active Directory Connect - Configure staging mode

  8. Click Next.
  9. On the Ready to configure screen, click
    Configure.
  10. On the Configuration complete screen, click
    Exit.

After this step, we’ve put the changes in the Azure AD Connect version and the accompanying synchronization rules in production: (orange), while any possibly new AD FS Claims Rules for the Microsoft Office 365 Identity Platform Relying Party Trust, have not yet been brought to production (still green):

Azure AD Connect Release Management - Stage 3

 

Update the AD FS Claims Rules

All that is left now, is to update the issuance transformation rules for the Microsoft Office365 Identity Platform Relying Party Trust (RPT) in Active Directory Federation Services (AD FS).

When Azure AD Connect manages AD FS

In environments where Active Directory Federation Services (AD FS) is setup and/or managed with Azure AD Connect, the issuance transformation rules will be updated when you use the Reset Azure AD Trust action in Azure AD Connect.

Perform these steps:

  1. Open the Azure AD Connect Configuration Wizard from the Start Menu or desktop.
  2. In the Welcome to Azure AD Connect screen, click Configure.
  3. In the Additional tasks screen, select the Manage federation ribbon.
  4. Click Next.
  5. Select the Reset Azure AD trust ribbon.
  6. Click Next.
  7. On the Connect to Azure AD screen, enter the credentials of an account in Azure AD that has been assigned the global administrator role.
  8. On the Connect to AD FS screen, enter the credentials for an account that is a member of the Enterprise Admins group.
  9. On the Certificates screen, click Next.

    Microsoft Azure Active Directory Connect - Ready to configure

  10. On the Ready to Configure screen, click Configure.
  11. On the Configuration complete screen, click Exit to close the Microsoft Azure Active Directory Connect window, and to restart synchronization to Azure AD.

 

When Azure AD Connect doesn’t manage AD FS

When Azure AD Connect is not used to manage AD FS, perform these steps to update the transformation rules for the Microsoft Office365 Identity Platform Relying Party Trust (RPT) in Active Directory Federation Services (AD FS).:

  1. Open Internet Explorer.
  2. Navigate to adfshelp.microsoft.com.
  3. Click on the Online Tools tile.
  4. Click on the Azure AD RPT Claim Rules tile.
  5. Follow the wizard.
  6. After clicking the Generate Claims button, copy the contents of the PowerShell script. Paste the contents in an elevated PowerShell ISE window.
  7. Save the script to a folder on the hard disk.
  8. Run the PowerShell script on the primary AD FS server to set the correct claims.

The script will make a backup of the current issuance transformation rules. This information can be rolled back, if needed.

Azure AD Connect Release Management - Stage 4

 

Further steps

Of course, Azure AD Connect server 1, now runs a version of Azure AD Connect that is (at least) one version behind on Azure AD Connect server 2. That is intended, as it allows for a rollback to the previous version when the new version inhibits undesired behavior. The same is true for AD FS, as the issuance transformation rules are backed up by Azure AD Connect and the PowerShell script from adfshelp.microsoft.com, before the new rules are applied.

When another new version of Azure AD Connect becomes available, Azure AD Connect server 1 can be upgraded to this version, and the entire lifecycle management process starts anew.

 

Concluding

Azure AD Connect’s Staging Mode offers release management capabilities, that can be used to manage the functionality and releases of Azure AD Connect in a controlled fashion.

Further reading

Azure AD Connect: Staging server and disaster recovery
Azure AD Connect Staging Mode
Real world Azure AD Connect: the case for TWO Azure AD Connect servers

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.