Microsoft’s Azure AD Connect version 1.3.20 was quickly superseded by version 1.3.21.0 to fix an elevation of privilege vulnerability, but it appears to exhibit unexpected behavior for some organization running it.
The situation
You have an Active Directory Domain Services (AD DS) environment, and you synchronize objects to an Azure AD tenant, leveraging Azure AD Connect, Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory. You have licensed Azure AD Premium and leverage Azure AD Connect Health to manage the Hybrid Identity implementation.
You have recently upgraded Azure AD Connect to version 1.3.21.0
You determine the version of Azure AD Connect in the Office 365 Portal:
- You navigate a browser to the Office 365 Portal.
- You sign in with an account that has administrative privileges. You perform multi-factor authentication, when prompted.
- In the top left menu, you click on the waffle menu and select Admin from the menu.
- In the left navigation menu of the Microsoft 365 admin center, you click on Azure Active Directory in the Admin centers section.
The Azure Active Directory admin center opens in a new tab or window. - In the left navigation menu, click on Azure Active Directory.
- In Azure Active Directory’s secondary navigation menu, click Azure AD Connect.
- In Azure AD Connect’s main window follow the link to Azure AD Connect Health.
- In Azure AD Connect’s secondary navigation menu, click Sync services.
- In the main window, click the Azure AD tenant name to drill into its properties.
- In the tenant’s Azure AD Connect Health pane, click Azure Active Directory Connect Servers.
- In the Server List pane, click the name of the Windows Server on which you recently upgraded Azure AD Connect.
- In the server’s blade, click the Properties tile.
The issue
The Office 365 portal does not reflect the updated version, even though Azure AD Connect upgraded successfully.
The solution
This behavior is unexpected.
To resolve this you need to import the AdSync module and then run the
Set-ADSyncDirSyncConfiguration Windows PowerShell cmdlet on the Windows Server running Azure AD Connect.
Perform these steps to resolve the issue on each of the Azure AD Connect installations in use:
- Sign into the Windows Server running Azure AD Connect.
- Open an elevated Windows PowerShell window.
- Run the following line of Windows PowerShell:
Import-Module ADSync
- Next, run the following line of Windows PowerShell:
Set-ADSyncDirSyncConfiguration -AnchorAttribute ""
- Close the Windows PowerShell window.
- Sign out.
Perform the above steps on each Windows Server running Azure AD Connect in your environment, when one or more Staging Mode Azure AD Connect installations are present.
Concluding
While the above issue is a cosmetic issue for most organizations, it might be an important issue for organizations that monitor the health of their Azure AD Connect installations through the Office 365 and Azure AD portal. In the latter case, it’s nice to know how to fix it.
Further reading
Azure AD Connect 1.3.21.0 fixes an elevation of privilege vulnerability (CVE-2019-1000)
Azure AD Connect 1.3.20.0 offers the next level of identity synchronization
Azure AD Connect 1.2.70.0 updates the non-standard connectors
Azure AD Connect 1.2.69.0 fixes an issue with Device Write-Back
Azure AD Connect 1.2.68.0 fixes an issue with the MSOnline PowerShell Module
Azure AD Connect 1.2.67.0 fixes an issue with Password Writeback
Azure AD Connect moves to TLS 1.2-only with version 1.2.65.0
I opened a ticket with Premier after seeing this behavior when upgrading to 1.3.20.0. Is this "bug" applicable in that scenario as well? If so, is the fix the same?
Hi Rob,
I've seen this behavior in Azure AD Connect a couple of times throughout recent years.
In the last case, the solution was this one.