Earlier this week, Microsoft released version 1.1.281.0 of the Azure AD Connect Provisioning Agent. Azure AD Connect provides provisioning from Active Directory to Azure AD. The Azure AD Connect Provisioning agent can be used alongside Azure AD Connect to:
- Synchronize disconnected Active Directory forests in a multi-forest environment
- Simplify deployment with light-weight provisioning agents that pick up their configuration from Azure AD
- Provide a highly available deployment for Password Hash Synchronization (PHS)
What’s New in version 1.1.281.0
The following features and improvements are reported for version 1.1.281.0 of the Azure AD Connect Provisioning Agent, released on November 23rd, 2020:
Support for gMSA
The Azure AD Connect Provisioning Agent now supports the use of group Managed Service Accounts (gMSAs) for running the agent.
When upgrading from a previous version, the installer of version 1.1.281.0 now prompts by default to create a group Managed Service Account for the agent to run under. Note that a gMSA can only be created once the forest has a KDS root key; without one, the gMSA step fails.
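As an added example (not code from the original post or from Microsoft), the following Windows PowerShell checks the KDS root key prerequisite and pre-creates a gMSA that only the agent host may retrieve the password for, so the installer can be pointed at an account you control rather than the default one. The host name AADPA01 and the account name svc-aadpa-gmsa are assumptions.

```powershell
# Added example, not from the original post. Host and account names are assumptions.
Import-Module ActiveDirectory

# A gMSA can only be created once a KDS root key exists in the forest.
if (-not (Get-KdsRootKey)) {
    # In production the key becomes usable after AD replication (about 10 hours);
    # -EffectiveImmediately is for lab use only.
    Add-KdsRootKey -EffectiveImmediately
}

$AgentHost = 'AADPA01'          # assumed: the server that will run the provisioning agent
$gMSAName  = 'svc-aadpa-gmsa'   # assumed: sAMAccountName without the trailing $
$DnsRoot   = (Get-ADDomain).DNSRoot

# Least privilege: only the agent host's computer account may retrieve the managed password.
New-ADServiceAccount -Name $gMSAName `
    -DNSHostName "$gMSAName.$DnsRoot" `
    -PrincipalsAllowedToRetrieveManagedPassword "$AgentHost$" `
    -KerberosEncryptionType AES256

# Run on the agent host: confirms the machine can retrieve the gMSA password.
Test-ADServiceAccount -Identity $gMSAName
```

Because password retrieval is scoped to one computer account, compromising any other server does not yield the agent's credential, which is the main reason to prefer a gMSA over a regular service account here.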
Support for groups with fewer than 1,500 members in delta sync
The Azure AD Connect Provisioning Agent now supports groups with fewer than 1,500 members during incremental (delta) sync cycles. This applies when using the group scoping filter.
Support for large groups with up to 15,000 members
The Azure AD Connect Provisioning Agent now supports large groups with up to 15,000 members.
Initial sync improvements
The initial synchronization for Azure AD Connect Provisioning Agent has been improved.
Advanced verbose logging
The Azure AD Connect Provisioning Agent now offers advanced verbose logging to assist in troubleshooting and diagnosing performance and connection problems.
After enabling verbose logging through PowerShell or in the AADConnectProvisioningAgent.exe.config file, you can find the trace files in the following folder:
C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace
Treat these traces as sensitive: they can contain attributes of the directory objects being provisioned. Restrict access to the folder and delete the traces once troubleshooting is done.
Introduction of AADCloudSyncTools PowerShell module
Version 1.1.281.0 of the Azure AD Connect Provisioning Agent introduces the AADCloudSyncTools PowerShell module, which is installed alongside the agent. This Windows PowerShell module offers the following eighteen cmdlets:
- Connect-AADCloudSyncTools
- Export-AADCloudSyncToolsLogs
- Get-AADCloudSyncToolsInfo
- Get-AADCloudSyncToolsJob
- Get-AADCloudSyncToolsJobSchedule
- Get-AADCloudSyncToolsJobSchema
- Get-AADCloudSyncToolsJobScope
- Get-AADCloudSyncToolsJobSettings
- Get-AADCloudSyncToolsJobStatus
- Get-AADCloudSyncToolsServicePrincipal
- Install-AADCloudSyncToolsPrerequisites
- Invoke-AADCloudSyncToolsGraphQuery
- Repair-AADCloudSyncToolsAccount
- Restart-AADCloudSyncToolsJob
- Resume-AADCloudSyncToolsJob
- Start-AADCloudSyncToolsVerboseLogs
- Stop-AADCloudSyncToolsVerboseLogs
- Suspend-AADCloudSyncToolsJob
You can use Install-AADCloudSyncToolsPrerequisites to install the latest version of MSAL.PS, which is a required Windows PowerShell module for the other cmdlets.
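The following troubleshooting flow, added here as an example and not taken from the original post or from Microsoft, ties the module to the verbose logging feature above: import the module, sign in, take a baseline of the jobs, capture a verbose trace while reproducing a problem, and bundle the logs. The install path under C:\Program Files, the -OutputPath parameter of Export-AADCloudSyncToolsLogs and the five-minute reproduction window are assumptions.

```powershell
# Added example, not from the original post. The install path and -OutputPath are assumptions.
$AgentRoot = 'C:\Program Files\Microsoft Azure AD Connect Provisioning Agent'   # assumed install path
Import-Module -Name (Join-Path $AgentRoot 'Utility\AADCloudSyncTools')

Install-AADCloudSyncToolsPrerequisites   # one-time: installs MSAL.PS and other dependencies
Connect-AADCloudSyncTools                # interactive sign-in; later cmdlets reuse this session

# Baseline before changing anything: agent/tenant info and the provisioning jobs.
Get-AADCloudSyncToolsInfo
Get-AADCloudSyncToolsJob
Get-AADCloudSyncToolsJobStatus

# Verbose tracing restarts the agent service; keep the window short and reproduce the issue in it.
Start-AADCloudSyncToolsVerboseLogs
Start-Sleep -Seconds 300                 # assumed reproduction window
Stop-AADCloudSyncToolsVerboseLogs

# Bundle event logs and trace files for analysis (-OutputPath assumed).
Export-AADCloudSyncToolsLogs -OutputPath 'C:\Temp\AADPA-Logs'

# The raw trace files from the capture, newest first.
Get-ChildItem 'C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 Name, Length, LastWriteTime
```

Stop verbose logging as soon as the reproduction is captured: left on, it grows the trace folder quickly and keeps writing object data to disk on the agent host.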
Fixed limitations to allow the agent to be installed on non-English servers
Previous versions of the Azure AD Connect Provisioning Agent could not be installed on Windows Server installations with a locale other than United States-English (en-US). The Azure AD Connect Provisioning Agent can now be installed on these Windows Server installations, too.
Support for PHS filtering
Version 1.1.281.0 of the Azure AD Connect Provisioning Agent introduces Password Hash Synchronization (PHS) filtering, so password hashes are only synchronized for objects in scope of provisioning. Previously, the agent synchronized password hashes for all objects, including ones the scoping filter excluded from provisioning.
Improved provisioning logs
Version 1.1.281.0 of the Azure AD Connect Provisioning Agent provides improved provisioning logs.
Support for configuring LDAP connection timeout
When performing LDAP operations against the configured Active Directory domain controllers, the Azure AD Connect Provisioning Agent uses a default connection timeout of 30 seconds. If your domain controllers take longer to respond, you may want to reconfigure the connection timeout.
Version 1.1.281.0 of the Azure AD Connect Provisioning Agent now offers the ability to configure this timeout (in milliseconds) through the LdapConnectionTimeoutInMilliseconds string (REG_SZ) registry value in the following registry location:
HKLM\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent\
Support for configuring referral chasing
By default, the Azure AD Connect Provisioning Agent does not chase LDAP referrals. Version 1.1.281.0 of the Azure AD Connect Provisioning Agent now offers the ability to enable referral chasing through the ReferralChasingOptions string (REG_SZ) registry value in the following registry location:
HKLM\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent\
To do so, specify 96 as the value data. 96 (0x60) is ADS_CHASE_REFERRALS_ALWAYS, i.e. both subordinate (0x20) and external (0x40) referrals are followed. Because external referrals make the agent connect to domain controllers it was not explicitly configured for, leave the value unset unless your topology actually requires it.
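As an added example (not from the original post or from Microsoft), the following PowerShell sets both registry values described above with the correct value type, verifies them, and restarts the agent so it picks them up. The registry key and value names are the ones from the release notes; the service name AADConnectProvisioningAgent and the 60-second timeout are assumptions.

```powershell
# Added example, not from the original post. Service name and timeout value are assumptions.
$Key = 'HKLM:\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent'
if (-not (Test-Path $Key)) { throw "Agent registry key not found: $Key" }

# Both values are REG_SZ (String) even though they hold numbers; a DWORD is ignored by the agent.
# 60000 ms = 60 s (assumed value); the built-in default is 30 s.
New-ItemProperty -Path $Key -Name 'LdapConnectionTimeoutInMilliseconds' `
    -PropertyType String -Value '60000' -Force | Out-Null

# 96 = 0x60 = ADS_CHASE_REFERRALS_SUBORDINATE (0x20) | ADS_CHASE_REFERRALS_EXTERNAL (0x40).
# Only set this if the topology needs it; the default (value absent) is no referral chasing.
New-ItemProperty -Path $Key -Name 'ReferralChasingOptions' `
    -PropertyType String -Value '96' -Force | Out-Null

# Verify type and data before restarting: both must report "String".
$Item = Get-Item -Path $Key
foreach ($Name in 'LdapConnectionTimeoutInMilliseconds', 'ReferralChasingOptions') {
    '{0,-40} {1,-8} {2}' -f $Name, $Item.GetValueKind($Name), $Item.GetValue($Name)
}

# The agent reads these settings at start-up (service name assumed).
Restart-Service -Name 'AADConnectProvisioningAgent'
```

To revert referral chasing, remove the value with Remove-ItemProperty rather than setting it to 0, so the configuration matches the documented default.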
Concluding
While still not offering all the functionality needed to run the Azure AD Connect Provisioning Agent without Azure AD Connect, version 1.1.281.0 does provide a significantly better experience for its current scenarios.
Further reading
What is Azure AD Connect cloud provisioning?
Azure AD Connect Provisioning Agent: Version release history
Download Microsoft Azure Active Directory Connect Provisioning Agent (Preview)