Organizations that leverage Azure AD Connect Staging Mode for release management might find their Azure AD Connect installations upgrading themselves after the initial manual upgrade to Azure AD Connect version 1.1.553.0 or later.
Azure AD Connect Release Management
As described in the blogpost Leveraging Azure AD Connect Staging Mode for Release Management, Staging Mode can be leveraged to control updates for Windows Servers running Azure AD Connect in the following areas:
- Hardware, drivers, firmware and integration components
- Operating System version and patch level
- Azure AD Connect version
- Azure AD Connect rules
- Azure AD Connect configuration
The process consists of making the changes on the Staging Mode Azure AD Connect installation first and then switching roles, so that the former Staging Mode installation becomes the actively synchronizing one and the former active installation is placed in Staging Mode.
The situation
You have an Active Directory Domain Services (AD DS) environment and you synchronize objects to an Azure AD tenant with Azure AD Connect, Microsoft's free Hybrid Identity bridge product that synchronizes objects and their attributes from on-premises AD DS environments and LDAP v3-compatible directories to Azure Active Directory.
You have deployed at least two Azure AD Connect installations. Both installations use a local SQL Server Express database. (You do not use a centralized SQL Server to store the databases for these Azure AD Connect installations.)
You leverage Azure AD Connect Staging Mode for release management. Following that process, you upgrade the Staging Mode Azure AD Connect installation to Azure AD Connect version 1.1.553.0 or later.
The issue
After the upgrade, the Staging Mode Azure AD Connect installation has the Automatic Upgrades feature enabled. From that moment on, it upgrades itself whenever Microsoft releases a new version, so the version running on that server is no longer under your control. This breaks the process for Azure AD Connect release management.
The cause
This behavior is expected. The release notes for Azure AD Connect version 1.1.553.0 contain the following line, which explains it:
Added auto upgrade support for deployments that use AD FS as their login type. This also removed the requirement of updating the AD FS Azure AD Relying Party Trust as part of the upgrade process.
Admins who manually upgrade Azure AD Connect to version 1.1.553.0 or later are notified on the Ready to configure screen of the Microsoft Azure Active Directory Connect wizard that automatic upgrade will be enabled for the installation.
The Automatic Upgrades feature has been expanded over successive versions of Azure AD Connect to cover more deployment scenarios. Currently, the only deployment scenario that still blocks automatic upgrades is the one where Azure AD Connect is deployed with a full SQL Server as its database. Installations that use the local SQL Server Express database, like the ones in this scenario, are eligible.
The solution
To continue leveraging Azure AD Connect Staging Mode for release management, disable the Automatic Upgrades feature when you upgrade to Azure AD Connect version 1.1.553.0 or later.
Do this with Windows PowerShell on the Windows Server running Azure AD Connect, directly after the initial upgrade to version 1.1.553.0 or beyond. Since the other installation will pass through the same upgrade when its turn comes in the release management process, repeat the step on that server as well, so that neither installation upgrades itself.
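The following script is an added example and not the code from the original post. It uses the ADSync module cmdlets Get-ADSyncScheduler, Get-ADSyncAutoUpgrade and Set-ADSyncAutoUpgrade to show whether the server is in Staging Mode, report the current auto upgrade state, disable automatic upgrade if it is not already disabled, and verify the result. It assumes it is run in an elevated Windows PowerShell session on a Windows Server running Azure AD Connect version 1.1.553.0 or later.

```powershell
# Added example (not from the original post): check Staging Mode and the
# Automatic Upgrades state on this Azure AD Connect server, then take the
# feature back under manual control by disabling it.
# Assumes an elevated Windows PowerShell session on the Azure AD Connect server.
Import-Module ADSync

# Staging Mode is exposed through the scheduler settings.
$scheduler = Get-ADSyncScheduler
Write-Host ("Staging Mode enabled : {0}" -f $scheduler.StagingModeEnabled)

# Possible auto upgrade states: Enabled, Disabled and Suspended.
# Suspended is set by Azure AD Connect itself when it detects a blocking
# condition; it is not a state an admin sets to control releases.
$state = Get-ADSyncAutoUpgrade
Write-Host ("Auto upgrade state   : {0}" -f $state)

if ("$state" -ne 'Disabled') {
    # Disable automatic upgrade so only deliberate, staged upgrades happen.
    Set-ADSyncAutoUpgrade -AutoUpgradeState Disabled
    # Read the state back instead of trusting the call succeeded.
    $state = Get-ADSyncAutoUpgrade
}

if ("$state" -eq 'Disabled') {
    Write-Host 'Automatic upgrade is disabled; upgrades are under manual control again.'
} else {
    Write-Warning ("Automatic upgrade is still '{0}'; verify the session is elevated and the ADSync module matches the installed version." -f $state)
}
```

Run the script on each Azure AD Connect installation after it has been upgraded to 1.1.553.0 or later, and include the Get-ADSyncAutoUpgrade check in the post-upgrade validation of the release management process, so a silently re-enabled feature is caught before the next role switch.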
Concluding
Changes in Azure AD Connect functionality that raise the security baseline (in this case by automatically upgrading older, and perhaps vulnerable, versions of Azure AD Connect) may impact processes that were set up in the past to keep control over its release management.
On the plus side, we no longer have to manually update the issuance transform rules in Active Directory Federation Services (AD FS) for the Microsoft Office 365 Identity Platform Relying Party Trust (RPT). It's something.
Further reading
- Azure AD Connect: Automatic upgrade
- Azure AD Connect: Upgrade from a previous version to the latest
- Understanding Auto-Upgrade Options in Azure AD Connect
- Enabling/Disabling AAD Connect's Automatic Upgrade Feature
- How to Control Azure AD Connect Auto Upgrade
- Azure AD Connect is not working correctly after an automatic upgrade