KnowledgeBase: Azure AD Connect version 1.3.20.0 and up enables Auto Upgrades in AD FS Scenarios


Organizations that leverage Azure AD Connect Staging Mode for release management might find that their Azure AD Connect installations upgrade automatically after the initial upgrade to Azure AD Connect version 1.3.20.0 and up.

 

Azure AD Connect Release Management

As described in the blog post Leveraging Azure AD Connect Staging Mode for Release Management, Staging Mode can be leveraged to control updates for Windows Servers running Azure AD Connect in the following areas:

  1. Hardware, drivers, firmware and integration components
  2. Operating System version and patch level
  3. Azure AD Connect version
  4. Azure AD Connect rules
  5. Azure AD Connect configuration

The process includes making changes to a Staging Mode Azure AD Connect installation and switching the actively synchronizing Azure AD Connect installation with the Staging Mode.

 

The situation

You have an Active Directory Domain Services (AD DS) environment, and you synchronize objects to an Azure AD tenant, leveraging Azure AD Connect, Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.

You have deployed at least two Azure AD Connect installations. Both Azure AD Connect installations use a local SQL Server Express database. (You do not use a centralized SQL Server to store the databases for these Azure AD Connect installations.)

You leverage Azure AD Connect Staging Mode for release management. You follow the process to upgrade the Staging Mode Azure AD Connect installation to Azure AD Connect version 1.3.20.0 or up.

 

The issue

The Staging Mode Azure AD Connect installation has the Automatic Upgrades feature enabled. This breaks the process for Azure AD Connect Release Management.

 

The cause

This behavior is expected.

In the release notes for Azure AD Connect version 1.3.20.0, the following line explains the change:

Added auto upgrade support for deployments that use AD FS as their login type. This also removed the requirement of updating the AD FS Azure AD Relying Party Trust as part of the upgrade process.

Admins who upgrade Azure AD Connect manually to version 1.3.20.0 and up are notified on the Ready to configure screen of the Microsoft Azure Active Directory Connect wizard:

[Screenshot: the Ready to configure screen of the Microsoft Azure Active Directory Connect wizard]

The Automatic Upgrades feature has been expanded throughout versions of Azure AD Connect to include more deployment scenarios. Currently, the only deployment scenario that blocks automatic upgrades is the scenario where Azure AD Connect is deployed using a SQL Server as the database.

 

The solution

To continue to leverage Azure AD Connect Staging Mode for release management, you need to disable the Automatic Upgrades feature when upgrading to Azure AD Connect version 1.3.20.0 and up.

Run the following two lines of Windows PowerShell on the Windows Server running Azure AD Connect after the initial upgrade beyond version 1.2.70.0:

Import-Module ADSync

Set-ADSyncAutoUpgrade Disabled
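To apply and verify the same setting on every Azure AD Connect installation after an upgrade, the following script is an added example and not part of the original post. The server names are placeholders, and it assumes PowerShell remoting is enabled to each Azure AD Connect server.

```powershell
# Added example: audit the Automatic Upgrades state on each Azure AD Connect
# server and disable it where it is not already Disabled.
# Server names are placeholders (assumption); run with -WhatIf to audit only.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$ComputerName = @('AADC01.example.com', 'AADC02.example.com')
)

$results = foreach ($server in $ComputerName) {
    try {
        # Read Staging Mode and the current Automatic Upgrades state.
        $state = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            Import-Module ADSync -ErrorAction Stop
            [pscustomobject]@{
                StagingMode = (Get-ADSyncScheduler).StagingModeEnabled
                AutoUpgrade = [string](Get-ADSyncAutoUpgrade)
            }
        }

        $after = $state.AutoUpgrade
        if ($state.AutoUpgrade -ne 'Disabled' -and
            $PSCmdlet.ShouldProcess($server, 'Set-ADSyncAutoUpgrade Disabled')) {
            # Disable the feature, then read the state back to confirm it stuck.
            $after = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
                Import-Module ADSync -ErrorAction Stop
                Set-ADSyncAutoUpgrade -AutoUpgradeState Disabled
                [string](Get-ADSyncAutoUpgrade)
            }
        }

        [pscustomobject]@{
            Server = $server; StagingMode = $state.StagingMode
            Before = $state.AutoUpgrade; After = $after; Error = $null
        }
    }
    catch {
        # Unreachable server or missing ADSync module: report it, do not guess.
        [pscustomobject]@{
            Server = $server; StagingMode = $null
            Before = $null; After = $null; Error = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit when any server is not confirmed Disabled, for use in a scheduled check.
if ($results | Where-Object { $_.After -ne 'Disabled' }) { exit 1 }
```

Get-ADSyncAutoUpgrade can also return Suspended, which the script treats the same as Enabled and sets to Disabled.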

 

Concluding

Changes in Azure AD Connect functionality to allow for increased security levels (in this case by offering automatic upgrades to older and perhaps vulnerable versions of Azure AD Connect) may have an impact on processes set up in the past to maintain control over its release management.

On the plus side, we no longer have to manually update the issuance transformation rules in Active Directory Federation Services (AD FS) for the Microsoft Office 365 Identity Platform RPT. It’s something.

Further reading

Azure AD Connect: Automatic upgrade
Azure AD Connect: Upgrade from a previous version to the latest
Understanding Auto-Upgrade Options in Azure AD Connect
Enabling/Disabling AAD Connect’s Automatic Upgrade Feature
How to Control Azure AD Connect Auto Upgrade
Azure AD Connect is not working correctly after an automatic upgrade
