It’s time for a new version of Azure AD Connect to incorporate Microsoft’s lessons learned and distribute the fixes Microsoft made to the larger public. Last Friday, Microsoft released the first version in the 1.6 branch of Azure AD Connect: v18.104.22.168
Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.
The headlines for this release are:
- This release will be made available for download only.
- The upgrade to this release will require a full synchronization due to synchronization rule changes.
- This release defaults Azure AD Connect to the new v2 endpoint.
The v2 endpoint is not supported in the German national cloud, the Chinese national cloud and the US government cloud. To deploy Azure AD Connect with these clouds, follow these instructions.
Microsoft made the following improvements:
Updated default sync rules to limit membership in written back groups to 50k members
Microsoft added new default synchronization rules for limiting membership count in the following synchronization rules:
- Out to AD – Group Writeback Member Limit
- Out to AAD – Group Writeup Member Limit
- Out to AD – Group SOAInAAD – Exchange
These rule changes limit members in groups synchronized to Azure AD and written back groups to 50,000 members. Microsoft has also made provisions to handle situations where admins have previously customized the Out to AD – Group SOAInAAD – Exchange synchronized rule.
Support for Selective Password hash Synchronization
Azure AD Connect now supports Selective Password Hash Synchronization.
Formerly, Azure AD Connect would apply Password Hash Synchronization to all objects in scope for synchronization. In Azure AD Connect version 1.6, and up, a subset of users can be specifically included or excluded to having their password hashes synchronized to Azure AD. This feature is known as selective password hash synchronization.
Azure AD Connect version 22.214.171.124 introduces the Invoke-ADSyncSingleObjectSync. Windows PowerShell cmdlet. Admins can use this single object sync Windows PowerShell cmdlet to troubleshoot Azure AD Connect sync configuration.
New version of the ADSyncTools PowerShell module
Azure AD Connect version 126.96.36.199 comes with a new version of the ADSyncTools PowerShell module. It offers several new and improved Windows PowerShell cmdlets:
Updated error logging for token acquisition failures
When Azure AD Connect is unable to acquire tokens, it will now provide more information in its logs on the errors encountered. This helps admins troubleshoot these situations.
Updated 'Learn more' links
The Learn more links on Azure AD Connect’s configuration page now provide more detail on the linked information.
Removed Explicit column from CS Search page in the Old Sync UI
When you use the Metaverse Search feature in Azure AD Connect’s Synchronization Manager user interface, the explicit column is now removed.
Improved Group Writeback flow
Additional UI has been added to the Group Writeback flow to prompt admins for credentials or to configure their own permissions using the ADSyncConfig Windows PowerShell module, if credentials have not already been provided in an earlier step.
Auto-create MSA for the Service Account on a DC
A Managed Service Account (MSA) is now automatically created for the Azure AD Connect Synchronization service when you install Azure AD Connect on an Active Directory Domain Controller.
Group Writeback v2 can now be managed using Windows PowerShell
Microsoft has added the ability to set and get information for the Azure AD Connect’s Group Writeback feature with the version 2 endpoint in these existing cmdlets:
Added PowerShell cmdlets to query Azure AD Connect’s API version
Microsoft added two Windows PowerShell cmdlets to read the API version of the API used by Azure AD Connect (AWS):
Change tracking for synchronization rules
Changes made to Azure AD Connect’s synchronization rules are now tracked to assist admins in troubleshooting changes. The Get-ADSyncRuleAudit Windows PowerShell cmdlet can be used to retrieve tracked changes.
Improved password rotation for the AD Connector account
Microsoft updated the Add-ADSyncADDSConnectorAccount Windows PowerShell cmdlet in the the ADSyncConfig PowerShell module to allow a user in the ADSyncAdmins group to make changes to Azure AD Connect’s AD Connector account.
Azure AD Connect Health Agent version 188.8.131.52
The Azure AD Connect Health Agent for Sync version that ships with Azure AD Connect is upgraded to version 184.108.40.206. Read the Azure AD Connect Health Version History to find out what’s new in this version of the Azure AD Connect Health Agent for Sync.
Microsoft announces the following bugfixes for this version of Azure AD Connect:
Microsoft made the following accessibility updates to Azure AD Connect:
- Microsoft updated the disabled foreground color to satisfy luminosity requirements on a white background.
- Microsoft added additional conditions for the navigation tree to set the foreground text color to white when a disabled page is selected to satisfy luminosity requirements.
- The screen reader now describes the graphical element that holds the list of Active Directory forests as Forests list instead of Forest List list.
- Microsoft updated the screen reader output for some items in the Azure AD Connect wizard:
- Updated button hover color to satisfy contrast requirements.
- Updated Synchronization Service Manager title color to satisfy contrast requirements.
- Microsoft increased the granularity for the Set-ADSyncPasswordHashSyncPermissions PHS permissions script by updating the Windows PowerShell cmdlet to include an optional ADobjectDN parameter.
- Microsoft fixed an issue with installing Azure AD Connect from an exported configuration when the exported configuration contains custom extension attributes. Microsoft added a condition to skip checking for extension attributes in the target schema while applying the synchronization rule.
- Appropriate permissions are added upon installation of Azure AD Connect if the Group Writeback feature is enabled.
- Microsoft fixed a duplicate default synchronization rule precedence on import.
- Microsoft fixed an issue that caused a staging error during delta imports with the v2 endpoints for a conflicting object that was repaired via the health portal.
- Microsoft fixed an issue in the synchronization engine that caused objects in Connector Spaces to have an inconsistent link state.
- Microsoft added import counters to the output of the Get-ADSyncConnectorStatistics Windows PowerShell cmdlet.
- Microsoft fixed an unreachable domain de-selection issue in some corner cases when admins ran Azure AD Connect after initial configuration.
- Microsoft modified the policy import and export to fail if custom synchronization rules have duplicate precedence
- Microsoft fixed a bug in the domain selection logic.
- Microsoft fixed an issue with build 220.127.116.11. This issue occurred if you use the mS-DS-ConsistencyGuid attribute as the source anchor attribute and have cloned the In from AD – Group Join rule.
- Fresh Azure AD Connect installations will now use the Export Deletion Threshold stored in the cloud, if there is one available and there is not a different one passed in.
- Microsoft fixed an issue where Azure AD Connect would not read displayName changes of hybrid-joined devices in Active Directory.
This is version 18.104.22.168 of Azure AD Connect.
The first release in the 1.6 branch for Azure AD Connect was made available for download on March 19, 2021.