Azure AD Connect version defaults to the v2 endpoint and adds support for Selective Password Hash Synchronization

Azure AD Connect

It’s time for a new version of Azure AD Connect to incorporate Microsoft’s lessons learned and distribute the fixes Microsoft made to the larger public. Last Friday, Microsoft released the first version in the 1.6 branch of Azure AD Connect: v1.6.2.4

Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.



The headlines for this release are:

  • This release will be made available for download only.
  • The upgrade to this release will require a full synchronization due to synchronization rule changes.
  • This release defaults Azure AD Connect to the new v2 endpoint.

The v2 endpoint is not supported in the German national cloud, the Chinese national cloud and the US government cloud. To deploy Azure AD Connect with these clouds, follow these instructions.


What’s New

Microsoft made the following improvements:

Updated default sync rules to limit membership in written back groups to 50k members

Microsoft added new default synchronization rules for limiting membership count in the following synchronization rules:

  • Out to AD – Group Writeback Member Limit
  • Out to AAD – Group Writeup Member Limit
  • Out to AD – Group SOAInAAD – Exchange

These rule changes limit members in groups synchronized to Azure AD and written back groups to 50,000 members. Microsoft has also made provisions to handle situations where admins have previously customized the Out to AD – Group SOAInAAD – Exchange synchronized rule.

Support for Selective Password hash Synchronization

Azure AD Connect now supports Selective Password Hash Synchronization.
Formerly, Azure AD Connect would apply Password Hash Synchronization to all objects in scope for synchronization. In Azure AD Connect version 1.6, and up, a subset of users can be specifically included or excluded to having their password hashes synchronized to Azure AD. This feature is known as selective password hash synchronization.


Azure AD Connect version introduces the Invoke-ADSyncSingleObjectSync. Windows PowerShell cmdlet. Admins can use this single object sync Windows PowerShell cmdlet to troubleshoot Azure AD Connect sync configuration.

New version of the ADSyncTools PowerShell module

Azure AD Connect version comes with a new version of the ADSyncTools PowerShell module. It offers several new and improved Windows PowerShell cmdlets:

  • Clear-ADSyncToolsMsDsConsistencyGuid
  • ConvertFrom-ADSyncToolsAadDistinguishedName
  • ConvertFrom-ADSyncToolsImmutableID
  • ConvertTo-ADSyncToolsAadDistinguishedName
  • ConvertTo-ADSyncToolsCloudAnchor
  • ConvertTo-ADSyncToolsImmutableID
  • Export-ADSyncToolsAadDisconnectors
  • Export-ADSyncToolsObjects
  • Export-ADSyncToolsRunHistory
  • Get-ADSyncToolsAadObject
  • Get-ADSyncToolsMsDsConsistencyGuid
  • Import-ADSyncToolsObjects
  • Import-ADSyncToolsRunHistory
  • Remove-ADSyncToolsAadObject
  • Search-ADSyncToolsADobject
  • Set-ADSyncToolsMsDsConsistencyGuid
  • Trace-ADSyncToolsADImport
  • Trace-ADSyncToolsLdapQuery

Updated error logging for token acquisition failures

When Azure AD Connect is unable to acquire tokens, it will now provide more information in its logs on the errors encountered. This helps admins troubleshoot these situations.

Updated 'Learn more' links

The Learn more links on Azure AD Connect’s configuration page now provide more detail on the linked information.

Removed Explicit column from CS Search page in the Old Sync UI

When you use the Metaverse Search feature in Azure AD Connect’s Synchronization Manager user interface, the explicit column is now removed.

Improved Group Writeback flow

Additional UI has been added to the Group Writeback flow to prompt admins for credentials or to configure their own permissions using the ADSyncConfig Windows PowerShell module, if credentials have not already been provided in an earlier step.

Auto-create MSA for the Service Account on a DC

A Managed Service Account (MSA) is now automatically created for the Azure AD Connect Synchronization service when you install Azure AD Connect on an Active Directory Domain Controller.

Group Writeback v2 can now be managed using Windows PowerShell

Microsoft has added the ability to set and get information for the Azure AD Connect’s Group Writeback feature with the version 2 endpoint in these existing cmdlets:

  • Set-ADSyncAADCompanyFeature
  • Get-ADSyncAADCompanyFeature

Added PowerShell cmdlets to query Azure AD Connect’s API version

Microsoft added two Windows PowerShell cmdlets to read the API version of the API used by Azure AD Connect (AWS):

  • Get-ADSyncAADConnectorImportApiVersion
  • Get-ADSyncAADConnectorExportApiVersion

Change tracking for synchronization rules

Changes made to Azure AD Connect’s synchronization rules are now tracked to assist admins in troubleshooting changes. The Get-ADSyncRuleAudit Windows PowerShell cmdlet can be used to retrieve tracked changes.

Improved password rotation for the AD Connector account

Microsoft updated the Add-ADSyncADDSConnectorAccount Windows PowerShell cmdlet in the the ADSyncConfig PowerShell module to allow a user in the ADSyncAdmins group to make changes to Azure AD Connect’s AD Connector account.

Azure AD Connect Health Agent version

The Azure AD Connect Health Agent for Sync version that ships with Azure AD Connect is upgraded to version Read the Azure AD Connect Health Version History to find out what’s new in this version of the Azure AD Connect Health Agent for Sync.


What’s Fixed

Microsoft announces the following bugfixes for this version of Azure AD Connect:

Accessibility updates

Microsoft made the following accessibility updates to Azure AD Connect:

  • Microsoft updated the disabled foreground color to satisfy luminosity requirements on a white background.
  • Microsoft added additional conditions for the navigation tree to set the foreground text color to white when a disabled page is selected to satisfy luminosity requirements.
  • The screen reader now describes the graphical element that holds the list of Active Directory forests as Forests list instead of Forest List list.
  • Microsoft updated the screen reader output for some items in the Azure AD Connect wizard:
    • Updated button hover color to satisfy contrast requirements.
    • Updated Synchronization Service Manager title color to satisfy contrast requirements.

Miscellaneous bugfixes

  • Microsoft increased the granularity for the Set-ADSyncPasswordHashSyncPermissions PHS permissions script by updating the Windows PowerShell cmdlet to include an optional ADobjectDN parameter.
  • Microsoft fixed an issue with installing Azure AD Connect from an exported configuration when the exported configuration contains custom extension attributes. Microsoft added a condition to skip checking for extension attributes in the target schema while applying the synchronization rule.
  • Appropriate permissions are added upon installation of Azure AD Connect if the Group Writeback feature is enabled.
  • Microsoft fixed a duplicate default synchronization rule precedence on import.
  • Microsoft fixed an issue that caused a staging error during  delta imports with the v2 endpoints for a conflicting object that was repaired via the health portal.
  • Microsoft fixed an issue in the synchronization engine that caused objects in Connector Spaces to have an inconsistent link state.
  • Microsoft added import counters to the output of the Get-ADSyncConnectorStatistics Windows PowerShell cmdlet.
  • Microsoft fixed an unreachable domain de-selection issue in some corner cases when admins ran Azure AD Connect after initial configuration.
  • Microsoft modified the policy import and export to fail if custom synchronization rules have duplicate precedence


  • Microsoft fixed a bug in the domain selection logic.
  • Microsoft fixed an issue with build This issue occurred if you use the mS-DS-ConsistencyGuid attribute as the source anchor attribute and have cloned the In from AD – Group Join rule.
  • Fresh Azure AD Connect installations will now use the Export Deletion Threshold stored in the cloud, if there is one available and there is not a different one passed in.
  • Microsoft fixed an issue where Azure AD Connect would not read displayName changes of hybrid-joined devices in Active Directory.


Version information

This is version of Azure AD Connect.
The first release in the 1.6 branch for Azure AD Connect was made available for download on March 19, 2021.

2 Responses to Azure AD Connect version defaults to the v2 endpoint and adds support for Selective Password Hash Synchronization


    Did the Get-ADSyncAADConnectorImportApiVersion and Get-ADSyncAADConnectorExportApiVersion cmdlets get missed with the 1.6.4 public release. I receive messages that they cannot be found.

    • Hi,

      These Windows PowerShell cmdlets are still available.
      You just have to run the following line of Windows PowerShell first to import the Windows PowerShell Module they're located in:

      Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Extensions\AADConnector.psm1'


leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.