Microsoft’s Azure AD Connect version 1.3.20 was quickly superseded by version 220.127.116.11 to fix an elevation of privilege vulnerability, but it appears to exhibit unexpected behavior for some organization running it.
You have an Active Directory Domain Services (AD DS) environment, and you synchronize objects to an Azure AD tenant, leveraging Azure AD Connect, Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory. You have licensed Azure AD Premium and leverage Azure AD Connect Health to manage the Hybrid Identity implementation.
You have recently upgraded Azure AD Connect to version 18.104.22.168
You determine the version of Azure AD Connect in the Office 365 Portal:
- You navigate a browser to the Office 365 Portal.
- You sign in with an account that has administrative privileges. You perform multi-factor authentication, when prompted.
- In the top left menu, you click on the waffle menu and select Admin from the menu.
- In the left navigation menu of the Microsoft 365 admin center, you click on Azure Active Directory in the Admin centers section.
The Azure Active Directory admin center opens in a new tab or window.
- In the left navigation menu, click on Azure Active Directory.
- In Azure Active Directory’s secondary navigation menu, click Azure AD Connect.
- In Azure AD Connect’s main window follow the link to Azure AD Connect Health.
- In Azure AD Connect’s secondary navigation menu, click Sync services.
- In the main window, click the Azure AD tenant name to drill into its properties.
- In the tenant’s Azure AD Connect Health pane, click Azure Active Directory Connect Servers.
- In the Server List pane, click the name of the Windows Server on which you recently upgraded Azure AD Connect.
- In the server’s blade, click the Properties tile.
The Office 365 portal does not reflect the updated version, even though Azure AD Connect upgraded successfully.
This behavior is unexpected.
To resolve this you need to import the AdSync module and then run the
Set-ADSyncDirSyncConfiguration Windows PowerShell cmdlet on the Windows Server running Azure AD Connect.
Perform these steps to resolve the issue on each of the Azure AD Connect installations in use:
- Sign into the Windows Server running Azure AD Connect.
- Open an elevated Windows PowerShell window.
- Run the following line of Windows PowerShell:
- Next, run the following line of Windows PowerShell:
Set-ADSyncDirSyncConfiguration -AnchorAttribute “”
- Close the Windows PowerShell window.
- Sign out.
Perform the above steps on each Windows Server running Azure AD Connect in your environment, when one or more Staging Mode Azure AD Connect installations are present.
While the above issue is a cosmetic issue for most organizations, it might be an important issue for organizations that monitor the health of their Azure AD Connect installations through the Office 365 and Azure AD portal. In the latter case, it’s nice to know how to fix it.
Azure AD Connect 22.214.171.124 fixes an elevation of privilege vulnerability (CVE-2019-1000)
Azure AD Connect 126.96.36.199 offers the next level of identity synchronization
Azure AD Connect 188.8.131.52 updates the non-standard connectors
Azure AD Connect 184.108.40.206 fixes an issue with Device Write-Back
Azure AD Connect 220.127.116.11 fixes an issue with the MSOnline PowerShell Module
Azure AD Connect 18.104.22.168 fixes an issue with Password Writeback
Azure AD Connect moves to TLS 1.2-only with version 22.214.171.124