It’s time for a new version of Azure AD Connect to incorporate Microsoft’s lessons learned and distribute the fixes Microsoft made to the larger public. Yesterday, Microsoft released the first version in the 2.x branch of Azure AD Connect: v188.8.131.52
Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.
Version 184.108.40.206 is the first release in the 2.x branch of Azure AD Connect. It is available for download, but not for automatic upgrade.
SQL Server 2019 components
Microsoft has upgraded the LocalDB components of SQL Server to SQL 2019. Therefore, this release requires Windows Server 2016 or newer, due to the requirements of SQL Server 2019.
Additionally, the Visual C++ runtime library has been upgraded to version 14 as a prerequisite for SQL Server 2019.
Windows PowerShell 5.0
This release of Azure AD Connect requires PowerShell version 5.0 or newer to be installed on the Windows Server. Note that this version is part of Windows Server 2016 and newer.
In this release, Microsoft enforces the use of TLS 1.2. If admins have enabled their Windows Server installations for TLS 1.2, Azure AD Connect will use this protocol. If TLS 1.2 is not enabled on the server, admins will see an error message when attempting to install Azure AD Connect, and the installation will not continue until TLS 1.2 has been enabled.
Admins can use the new Set-ADSyncToolsTls12 Windows PowerShell Cmdlet to enable TLS 1.2 on the Windows Server installation.
Microsoft has added two new Cmdlets to the ADSyncTools Windows PowerShell module to enable or retrieve TLS 1.2 settings from the Windows Server.
Admins can use these cmdlets to retrieve the TLS 1.2 enablement status, or set it as needed.
TLS 1.2 must be enabled on the server for the installation of Azure AD Connect to succeed.
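As an added example, not code from the ADSyncTools module or from Microsoft, here is a read-only PowerShell audit of the registry values that Microsoft's TLS 1.2 enforcement guidance for Azure AD Connect has the Set cmdlet write (.NET Framework strong crypto and SCHANNEL TLS 1.2 client/server settings). The registry paths are Microsoft's documented ones; the function name Test-Tls12Readiness is my own.

```powershell
# Added example (not part of the ADSyncTools module): audit the registry values
# Azure AD Connect 2.x's TLS 1.2 prerequisite depends on. Read-only; run it
# elevated on the candidate Windows Server before starting setup.
$checks = @(
    # .NET Framework: use the OS default protocol list (TLS 1.2) and strong crypto
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SystemDefaultTlsVersions'; Expected = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SchUseStrongCrypto';       Expected = 1 }
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SystemDefaultTlsVersions'; Expected = 1 }
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto';       Expected = 1 }
    # SCHANNEL: TLS 1.2 explicitly enabled, and not disabled by default, for both roles
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'; Name = 'Enabled';           Expected = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'; Name = 'DisabledByDefault'; Expected = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'Enabled';           Expected = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'DisabledByDefault'; Expected = 0 }
)

function Test-Tls12Readiness {
    $results = foreach ($c in $checks) {
        # A missing key or value is reported as "(not set)": the Set cmdlet writes
        # every value explicitly, so treat anything implicit as not ready.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Path     = $c.Path
            Name     = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Ok       = ($actual -eq $c.Expected)
        }
    }
    $results | Format-Table -AutoSize
    if ($results.Ok -contains $false) {
        Write-Warning 'TLS 1.2 is not fully enabled; Azure AD Connect 2.x setup will stop. Enable it with Set-ADSyncToolsTls12 (ADSyncTools module) and reboot before installing.'
    } else {
        Write-Host 'TLS 1.2 is enabled for .NET and SCHANNEL; the setup prerequisite is met.'
    }
}

Test-Tls12Readiness
```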
Hybrid Identity Administrator
With this release, you can use a user with the user role “Hybrid Identity Administrator” to authenticate when you install Azure AD Connect. You no longer need the Global Administrator role for this.
Microsoft Authentication Library
This release uses the MSAL library for authentication. Microsoft has removed the older ADAL library, which will be retired in 2022.
The Azure AD Kerberos feature is now supported with the MSAL library. To use the Azure AD Kerberos feature, admins need to register an on-premises service principal name in Azure AD. Azure AD Connect can import the on-premises service principal object into Azure AD.
Microsoft no longer applies permissions on the AdminSDHolder object in Active Directory, following Windows security guidance. The parameter SkipAdminSdHolders is changed to IncludeAdminSdHolders for the Cmdlets in the ADSyncConfig.psm1 Windows PowerShell module.
Passwords will now be reevaluated when the password last set value is changed, regardless of whether the password itself is changed. If a user's account is set to “User must change password at next logon”, this status is synchronized to Azure AD, and when the user attempts to sign in to Azure AD they will be prompted to reset their password.
New and improved Windows PowerShell Cmdlets
Microsoft has revamped the ADSyncTools Windows PowerShell module with several new and improved cmdlets. These eighteen cmdlets have been added or updated:
Version 2 endpoint
Azure AD Connect now uses the V2 endpoint for import and export. Issues have been fixed in the Get-ADSyncAADConnectorExportApiVersion Windows PowerShell cmdlet.
New attributes in scope for synchronization
Microsoft has added the following new user properties to synchronize from on-premises Active Directory to Azure AD:
Group Sync membership limit of 250,000
Microsoft increased the Group sync membership limits to 250k with the new V2 endpoint.
Generic connector updates
Microsoft has updated the Generic LDAP connector and the Generic SQL Connector to the latest versions. Read more about these connectors here:
Version reported in the Microsoft 365 Admin Center
In the Microsoft 365 Admin Center, Microsoft now reports the Azure AD Connect client version whenever there is export activity to Azure AD. This ensures that the M365 Admin Center always has the most up-to-date Azure AD Connect client version, and that it can detect when you’re using an outdated version.
Batch import scheduling
This release provides a batch import execution script that can be called from a Windows scheduled job, so that customers can automate batch import operations with scheduling.
Credentials are provided as an encrypted file using the Windows Data Protection API (DPAPI).
Credential files can be used only on the same machine and under the same user account where they were created.
Microsoft fixed the following bugs in Azure AD Connect:
- Microsoft fixed an accessibility bug where the screen reader is announcing incorrect role of the 'Learn More' link.
- Microsoft fixed a bug where sync rules with large precedence values (e.g. 387163089) cause the upgrade to fail. Microsoft updated the stored procedure mms_UpdateSyncRulePrecedence to cast the precedence number as an integer prior to incrementing the value.
- Microsoft fixed a bug where group writeback permissions are not set on the sync account if a group writeback configuration is imported. Microsoft now sets the group writeback permissions if group writeback is enabled on the imported configuration.
- Microsoft updated the Azure AD Connect Health agent version to 220.127.116.11 to fix an installation failure.
- Microsoft fixed an issue with non-default attributes in exported configurations where directory extension attributes are configured. When such a configuration was imported to a new server or installation, the attribute inclusion list was overridden by the directory extension configuration step, so after import only default and directory extension attributes were selected in the Synchronization Service Manager; non-default attributes were not included, and admins had to re-enable them manually for their imported sync rules to work. Microsoft now refreshes the Azure AD Connector before configuring directory extensions, preserving the existing attributes in the attribute inclusion list.
- Microsoft fixed an accessibility issue where the page header's font weight was set to "Light". The font weight is now set to "Bold" for the page title, which applies to the header of all pages.
- The function Get-AdObject in ADSyncSingleObjectSync.ps1 has been renamed to Get-AdDirectoryObject to prevent ambiguity with the AD cmdlet.
- The SQL function mms_CheckSynchronizationRuleHasUniquePrecedence allows duplicate precedences on outbound sync rules on different connectors. Microsoft removed the condition that allows duplicate rule precedence.
- Microsoft fixed a bug where the Single Object Sync cmdlet fails if the attribute flow data is null, e.g. when exporting a delete operation.
- Microsoft fixed a bug where the installation fails because the ADSync bootstrap service cannot be started. Microsoft now adds the Sync Service Account to the Local Builtin User Group before starting the bootstrap service.
- Microsoft fixed an accessibility issue where the active page in the Azure AD Connect wizard is not showing correct color on High Contrast theme. The selected color code was being overwritten due to missing condition in normal color code configuration.
- Microsoft addressed an issue where users were allowed to deselect objects and attributes used in sync rules using the UI and PowerShell. Microsoft now shows a friendly error message if admins try to deselect any attribute or object that is used in any sync rules.
- Microsoft made some updates to the “migrate settings” code to check for and fix a backward compatibility issue when the script is run on an older version of Azure AD Connect.
- Microsoft fixed a bug where, when PHS tries to look up an incomplete object, it does not use the same algorithm to resolve the domain controller as it used originally to fetch the passwords. In particular, it is ignoring affinitized DC information. The incomplete object lookup should use the same logic to locate the DC in both instances.
- Microsoft fixed a bug where Azure AD Connect cannot read Application Proxy items using Microsoft Graph, due to a permissions issue with calling Microsoft Graph directly based on the AAD Connect client id. To fix this, Microsoft removed the dependency on Microsoft Graph and instead uses Azure AD PowerShell to work with the App Proxy application objects.
- Microsoft removed the writeback member limit from the Out to AD – Group SOAInAAD Exchange sync rule.
- Microsoft fixed a bug where, when changing connector account permissions, if an object comes into scope that has not changed since the last delta import, a delta import will not import it. Microsoft now displays a warning alerting admins to the issue.
- Microsoft fixed an accessibility issue where the screen reader is not reading the radio button position, i.e. 1 of 2. Microsoft added positional text to the radio button accessibility text field.
- Microsoft updated the Pass-Thru Authentication Agent bundle. The older bundle did not have the correct reply URL for HIP's first party application in US Gov.
- Microsoft fixed a bug where a stopped-extension-dll-exception occurs on AAD connector export after clean installing Azure AD Connect version 1.6.x.x (which defaults to using DirSyncWebServices API v2) with an existing database. Previously, setting the export version to v2 was only done on upgrade; Microsoft changed it so that it is set on clean install as well.
- The ADSyncPrep.psm1 module is no longer used and is removed from the installation.
The Azure AD Connect wizard shows the Import Synchronization Settings option as Preview, while this feature is generally available (GA).
Some Active Directory connectors may be installed in a different order when using the output of the migrate settings script to install the product.
Mentions of company administrator
The User Sign In options page in the Azure AD Connect wizard mentions “Company Administrator”. This term is no longer used and needs to be replaced with “Global Administrator”.
Export settings broken when using PingFederate
The “Export settings” option is broken when the Sign In option has been configured to use PingFederate.
Configuring SSPR still requires Global Administrator
While Azure AD Connect can now be deployed using the Hybrid Identity Administrator role, configuring Self Service Password Reset still requires a user with the Global Administrator role.
Directory Extensions when importing to a different tenant
When importing the AADConnect configuration while deploying to connect with a different tenant than the original Azure AD Connect configuration, directory extension attributes are not configured correctly.
This is version 18.104.22.168 of Azure AD Connect.
The first release in the 2.x branch of Azure AD Connect was made available for download as a 153 MB AzureADConnect.msi on July 20, 2021.