KnowledgeBase: Azure AD Connect v1.4 deletes incorrectly synchronized objects for non-Windows 10 devices


On September 10, 2019, Microsoft signed off on the first build of Azure AD Connect in the 1.4 version branch. Currently, this version is only available for organizations that have the Automatic Upgrade feature enabled. In the What’s Fixed section of the release notes for this version, Microsoft stated that:

Fixed a bug where non-Windows 10 computers were syncing unexpectedly.


The situation

Previously, Windows down-level computers joined to on-premises Active Directory Domain Services environments were incorrectly synchronized to Azure AD under some circumstances.

One such circumstance is a Windows down-level computer whose userCertificate attribute in Active Directory is populated: Azure AD Connect synchronized it to Azure AD, but the resulting device object always remained in the pending state, because these Windows versions were not designed to be registered with Azure AD through Azure AD Connect.


The issue

Starting with version 1.4.x.0 of Azure AD Connect:

  • Azure AD Connect stops synchronizing Windows down-level computers to Azure AD.
  • Azure AD Connect removes the previously incorrectly synchronized Windows down-level devices from Azure AD.
  • Azure AD Connect might run into the Export Deletion Threshold.

Note:
If admins see deletes of down-level Computer/Device objects in Azure AD exceeding the Export Deletion Threshold, it is advised to allow these deletes to go through.

Some Azure AD admins may see some or all of their Windows down-level devices disappear from Azure AD.

However, Azure AD Connect will not delete any Windows down-level devices that were correctly registered with Azure AD by using the Workplace Join for non-Windows 10 computers package. Those devices will continue to work as expected for the purposes of device-based Conditional Access.
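The following PowerShell is an added example, not part of the original post and not code from Microsoft. It inventories the on-premises computers this change affects (non-Windows 10 computers with userCertificate populated), reads the Export Deletion Threshold on the Azure AD Connect server, and shows which cmdlets let the deletes go through when the threshold would be hit. It assumes it runs on the Azure AD Connect server with the ADSync module, the RSAT ActiveDirectory module and the AzureAD module installed, and that Connect-AzureAD has already been run; the operating-system match used to separate current from down-level Windows is an assumption to adapt to your own inventory.

```powershell
# Added example (not from the original post or from Microsoft).
# Assumes: Azure AD Connect server, ADSync + ActiveDirectory + AzureAD modules,
# and an existing Connect-AzureAD session.
Import-Module ActiveDirectory
Import-Module ADSync
Import-Module AzureAD

# 1. On-premises: computers with userCertificate populated that are not
#    "Windows current" devices. Earlier Azure AD Connect builds synchronized
#    these unexpectedly; 1.4.x.0 stops syncing them and removes them from Azure AD.
#    The OS pattern below is an assumption: Windows 10 and Windows Server 2016/2019
#    register the Windows 10 way; everything else is treated as down-level here.
$currentOsPattern = 'Windows 10|Windows Server 2016|Windows Server 2019'
$downLevel = Get-ADComputer -LDAPFilter '(userCertificate=*)' `
                -Properties OperatingSystem |
             Where-Object { $_.OperatingSystem -notmatch $currentOsPattern }

"{0} down-level computer(s) with userCertificate set:" -f $downLevel.Count
$downLevel | Select-Object Name, OperatingSystem | Sort-Object OperatingSystem | Format-Table -AutoSize

# 2. Export Deletion Threshold on this Azure AD Connect server.
#    DeletionPrevention 1 = the guard is on; DeletionThreshold = max deletes per export.
$threshold = Get-ADSyncExportDeletionThreshold
$threshold | Format-List DeletionPrevention, DeletionThreshold

if ($threshold.DeletionPrevention -eq 1 -and
    $downLevel.Count -ge $threshold.DeletionThreshold) {
    Write-Warning ("{0} pending device deletes reach the threshold of {1}; the export step will stop." `
        -f $downLevel.Count, $threshold.DeletionThreshold)
    # To let these deletes go through, as the release notes advise, disable the guard,
    # run one sync cycle, then re-enable it with the previous value. Shown, not executed.
    #   Disable-ADSyncExportDeletionThreshold
    #   Start-ADSyncSyncCycle -PolicyType Delta
    #   Enable-ADSyncExportDeletionThreshold -DeletionThreshold $threshold.DeletionThreshold
}

# 3. Azure AD side: device counts by OS type and trust type, to compare before and
#    after the upgrade. Hybrid Azure AD joined devices report DeviceTrustType 'ServerAd';
#    down-level devices registered with the Workplace Join package keep working.
Get-AzureADDevice -All $true |
    Group-Object DeviceOSType, DeviceTrustType |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run steps 1 and 3 before the Automatic Upgrade to 1.4.x.0 and keep the output; after the upgrade the step 3 counts show exactly which device objects disappeared, and step 2 tells you in advance whether the export will stop at the threshold rather than discovering it from a failed export.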


The cause

Microsoft is cleaning up device objects in Azure AD tenants that add no value.

This is not a cause for concern, as these device identities were never actually used by Azure AD during Conditional Access authorization.


The solution

To get their Windows down-level devices registered correctly and ensure that such devices can fully participate in device-based Conditional Access, admins need to Hybrid Azure AD join these devices correctly, for Windows down-level devices by using the Workplace Join for non-Windows 10 computers package.


Concluding

Changes in Azure AD Connect functionality to allow for increased security levels (in this case by removing stale and non-functional objects) may have an impact on the way Azure AD Connect behaves in your organization.

Further reading

KnowledgeBase: Azure AD Connect 1.3.20.0 enables Auto Upgrades in AD FS Scenarios
KnowledgeBase: Azure AD Connect upgrade is not reflected in the Office 365 Portal
Azure AD Connect 1.4 introduces refined AD FS Management Capabilities
Azure AD Connect 1.3.21.0 fixes an elevation of privilege vulnerability (CVE-2019-1000)
HOWTO: Enforce Azure AD Connect to use TLS 1.2 only
