Azure AD Connect Provisioning Agent v1.1.281.0 now supports gMSA, PHS Filtering and many other improvements

Earlier this week, Microsoft released version 1.1.281.0 of the Azure AD Connect Provisioning Agent. Azure AD Connect provides provisioning from Active Directory to Azure AD. The Azure AD Connect Provisioning agent can be used alongside Azure AD Connect to:

  • Synchronize disconnected Active Directory forests in a multi-forest environment
  • Simplify deployment with light-weight provisioning agents, because Azure AD Connect Provisioning Agents pick up their configuration from Azure AD
  • Provide a highly available deployment for Password Hash Synchronization (PHS)


What’s New in version 1.1.281.0

The following features and improvements are reported for version 1.1.281.0 of the Azure AD Connect Provisioning Agent, released on November 23rd, 2020:

Support for gMSA

The Azure AD Connect Provisioning Agent now supports running under a group Managed Service Account (gMSA). A gMSA's password is generated and rotated by Active Directory, so no service account password has to be set, stored or manually changed on the server that runs the agent.

When upgrading from a previous version, version 1.1.281.0 of the Azure AD Connect Provisioning Agent now prompts by default to create a group Managed Service Account.

Support for groups with fewer than 1,500 members

The Azure AD Connect Provisioning Agent now supports groups with fewer than 1,500 members during incremental (delta) sync cycles. This applies when the group scoping filter is used.

Support for large groups with up to 15K members

The Azure AD Connect Provisioning Agent now supports groups with up to 15,000 members.

Initial sync improvements

The initial synchronization for Azure AD Connect Provisioning Agent has been improved.

Advanced verbose logging

The Azure AD Connect Provisioning Agent now offers advanced verbose logging to assist in troubleshooting and diagnosing performance and connection problems.

After enabling verbose logging through PowerShell or in the AADConnectProvisioningAgent.exe.config file, you can find the logs in the following folder. Switch verbose logging off again when you are done troubleshooting: the trace files grow quickly and contain details of the objects being provisioned.

C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace

Introduction of AADCloudSyncTools PowerShell module

Version 1.1.281.0 of the Azure AD Connect Provisioning Agent introduced the AADCloudSyncTools PowerShell module. This Windows PowerShell module offers the following eighteen cmdlets:

  • Connect-AADCloudSyncTools
  • Export-AADCloudSyncToolsLogs
  • Get-AADCloudSyncToolsInfo
  • Get-AADCloudSyncToolsJob
  • Get-AADCloudSyncToolsJobSchedule
  • Get-AADCloudSyncToolsJobSchema
  • Get-AADCloudSyncToolsJobScope
  • Get-AADCloudSyncToolsJobSettings
  • Get-AADCloudSyncToolsJobStatus
  • Get-AADCloudSyncToolsServicePrincipal
  • Install-AADCloudSyncToolsPrerequisites
  • Invoke-AADCloudSyncToolsGraphQuery
  • Repair-AADCloudSyncToolsAccount
  • Restart-AADCloudSyncToolsJob
  • Resume-AADCloudSyncToolsJob
  • Start-AADCloudSyncToolsVerboseLogs
  • Stop-AADCloudSyncToolsVerboseLogs
  • Suspend-AADCloudSyncToolsJob

You can use Install-AADCloudSyncToolsPrerequisites to install the latest version of MSAL.PS, which is a required Windows PowerShell module.
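The following is an added example, not code from the original post or from Microsoft, that ties the verbose-logging section above to the AADCloudSyncTools cmdlets: it loads the module, checks the provisioning jobs, switches verbose tracing on, triggers a sync cycle, exports the trace and event logs, and switches tracing off again. It assumes the module is shipped in the Utility folder under the agent's installation directory (path below), that Restart-AADCloudSyncToolsJob takes the job through an -Id parameter, that Export-AADCloudSyncToolsLogs accepts -SkipVerboseTrace and -OutputPath, and that the trace folder is the one named above.

```powershell
# Added example (not from the original post): enable verbose tracing, run a sync cycle,
# collect the logs and switch tracing off again.
# Assumptions: module path, the -Id / -SkipVerboseTrace / -OutputPath parameter names,
# and the trace folder location are taken from the agent's documented layout.
#Requires -RunAsAdministrator

$modulePath  = 'C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Utility\AADCloudSyncTools'
$traceFolder = 'C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace'
$exportPath  = Join-Path $env:USERPROFILE 'Desktop'

Import-Module $modulePath -ErrorAction Stop

# Install MSAL.PS (and any other prerequisites) if missing, then sign in to Azure AD.
Install-AADCloudSyncToolsPrerequisites
Connect-AADCloudSyncTools

# Baseline before changing anything: which provisioning jobs exist and what state are they in?
Get-AADCloudSyncToolsJob | Format-Table -AutoSize
Get-AADCloudSyncToolsJobStatus | Format-List

# Turn on verbose tracing. The cmdlet edits AADConnectProvisioningAgent.exe.config
# and restarts the agent service so the new setting is picked up.
Start-AADCloudSyncToolsVerboseLogs

try {
    # Reproduce the problem while tracing is on: restart the first job so a new cycle runs.
    $job = Get-AADCloudSyncToolsJob | Select-Object -First 1
    Restart-AADCloudSyncToolsJob -Id $job.Id   # assumed parameter name

    # Give the cycle time to run, then bundle the trace folder and event logs into a zip.
    Start-Sleep -Seconds 600
    Export-AADCloudSyncToolsLogs -SkipVerboseTrace -OutputPath $exportPath
}
finally {
    # Always switch verbose tracing off again, even if the steps above failed.
    Stop-AADCloudSyncToolsVerboseLogs
}

# Sanity check: the newest trace files should have been written during the run.
Get-ChildItem -Path $traceFolder -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 3 Name, Length, LastWriteTime
```

The try/finally matters in practice: if the export step throws, tracing would otherwise stay enabled on a production server until someone notices the trace folder filling up.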

Fixed limitations to allow the agent to be installed on non-English servers

Previous versions of the Azure AD Connect Provisioning Agent could not be installed on Windows Server installations with a locale other than English (United States) (en-US). The Azure AD Connect Provisioning Agent can now be installed on these Windows Server installations, too.

Support for PHS filtering

Version 1.1.281.0 of the Azure AD Connect Provisioning Agent introduces Password Hash Synchronization (PHS) filtering, so password hashes are only synchronized for objects in scope of provisioning. Previously, the agent synchronized password hashes for all objects, so hashes of accounts you had deliberately kept out of scope still left Active Directory.

Improved provisioning logs

Version 1.1.281.0 of the Azure AD Connect Provisioning Agent provides improved provisioning logs.

Support for configuring LDAP connection timeout

When performing LDAP operations against the configured Active Directory domain controllers, the Azure AD Connect Provisioning Agent uses a connection timeout of 30 seconds by default. If your domain controllers take longer to respond, you may want to raise the connection timeout.

Version 1.1.281.0 of the Azure AD Connect Provisioning Agent now offers the ability to configure this timeout (in milliseconds) through the LdapConnectionTimeoutInMilliseconds string registry value in the following registry location:

HKLM\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent\

Support for configuring referral chasing

By default, the Azure AD Connect Provisioning Agent does not chase LDAP referrals. Version 1.1.281.0 of the Azure AD Connect Provisioning Agent now offers the ability to enable referral chasing through the ReferralChasingOptions string registry value in the following registry location:

HKLM\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent\

To do so, specify 96 as the value data. 96 (0x60) corresponds to ReferralChasingOptions.All in System.DirectoryServices.Protocols, which chases both subordinate and external referrals. Keep in mind that the agent will then connect to whichever domain controllers the referrals point at, which may include servers outside the set you intended the agent to talk to, so make sure firewall rules and the agent account's permissions match that.
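The following is an added example, not code from the original post or from Microsoft, that applies both registry settings described above (the LDAP connection timeout and referral chasing) and restarts the agent so they take effect. It assumes the agent's Windows service is named AADConnectProvisioningAgent and that both values are REG_SZ strings, as the release notes describe; the 60-second timeout is just an illustrative value.

```powershell
# Added example (not from the original post): configure the LDAP connection timeout and
# referral chasing for the provisioning agent, then restart the agent service.
# Assumptions: service name 'AADConnectProvisioningAgent'; both values are REG_SZ strings.
#Requires -RunAsAdministrator

$key         = 'HKLM:\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent'
$serviceName = 'AADConnectProvisioningAgent'

# Slow domain controllers over a WAN link: raise the timeout from the default 30 s to 60 s.
# The registry value is expressed in milliseconds.
$timeoutMs = 60000

# 96 (0x60) = ReferralChasingOptions.All in System.DirectoryServices.Protocols.
# Leave this out (or set 0) to keep the default of not chasing referrals.
$referralChasing = 96

if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Record the current values so the change can be rolled back if the agent misbehaves.
$before = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
'Before: LdapConnectionTimeoutInMilliseconds={0} ReferralChasingOptions={1}' -f
    $before.LdapConnectionTimeoutInMilliseconds, $before.ReferralChasingOptions

# -PropertyType String writes REG_SZ; -Force overwrites an existing value.
New-ItemProperty -Path $key -Name 'LdapConnectionTimeoutInMilliseconds' `
    -Value "$timeoutMs" -PropertyType String -Force | Out-Null
New-ItemProperty -Path $key -Name 'ReferralChasingOptions' `
    -Value "$referralChasing" -PropertyType String -Force | Out-Null

# The agent reads these values at start-up, so restart the service.
Restart-Service -Name $serviceName

# Verify what was written and that the agent came back up.
Get-ItemProperty -Path $key |
    Select-Object LdapConnectionTimeoutInMilliseconds, ReferralChasingOptions
Get-Service -Name $serviceName | Select-Object Name, Status
```

If you later want to revert, remove the two values with Remove-ItemProperty and restart the service again; the agent then falls back to the 30-second default and stops chasing referrals.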


Concluding

While it still does not offer all the functionality needed to run the Azure AD Connect Provisioning Agent without Azure AD Connect, version 1.1.281.0 provides a significantly better experience for its current scenarios.

Further reading

What is Azure AD Connect cloud provisioning?
Azure AD Connect Provisioning Agent: Version release history
Download Microsoft Azure Active Directory Connect Provisioning Agent (Preview)
