Five Things You should know about Azure AD Connect version 2

Azure AD Connect

Last week, Microsoft released the first version in the 2.0 branch of Azure AD Connect: v2.0.3.0. There are a couple of things you should be aware of with this version. I'm sharing them with you in this blog post.

Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.

You should know the following five things about Azure AD Connect v2:

1. Available for download, not for automatic upgrade

When you currently run Azure AD Connect version 1.x, you won't be automatically upgraded to version 2.x, even if your server meets all the requirements for automatic upgrade. Version 2.x is available for download only, so the upgrade is a deliberate, manual step.

In my experience, this means that many organizations will remain on version 1.x of Azure AD Connect, unless the organization is actively keeping up with changes to Azure AD Connect.

I still come across version 1.4.x installations of Azure AD Connect a lot. These installations are going to have issues going forward, but not anytime soon. Please don't let version 1.x of Azure AD Connect linger within your network environment.

2. Only Available for Windows Server 2016, and up

While the latest 1.x builds of Azure AD Connect were officially supported only on Windows Server 2012 and newer, you could still install and run Azure AD Connect v1.6.x on Windows Server 2008 and Windows Server 2008 R2.

Installing Azure AD Connect on Windows Server 2008, 2008 R2 and 2012 was never as straightforward as installing it on newer Windows Server versions, and there are strong reasons not to run Azure AD Connect on Windows Server 2008 anyway: Windows Server 2008 and 2008 R2 left extended support on January 14th, 2020, so an identity bridge running on them no longer receives security updates.

Azure AD Connect v2.x installs on Windows Server 2016, and up. Today, it means you can install it on Windows Server 2016, Windows Server 2019 and Windows Server 2022 (Preview).

When Azure AD Connect is installed on a Windows Server version prior to Windows Server 2016, upgrading to version 2.x means building a new Windows Server installation and performing a swing migration: install Azure AD Connect v2.x on the new server in staging mode, verify that its configuration matches the current server, and then switch the active and staging roles.

For some organizations, this might mean purchasing new Windows Server (Datacenter) licenses to introduce the new operating system on their hypervisor platform, while they thought they could keep using Windows Server 2012 and Windows Server 2012 R2 for all their workloads without issues until (at least) October 10th, 2023, when those versions leave extended support.

When not performing a swing migration, but merely an in-place upgrade of Azure AD Connect on a supported operating system, be sure to remove previous versions of the Visual C++ runtime (the Visual C++ Redistributable packages), because Azure AD Connect v2.x uses only the newer version.

3. Version 2 endpoint only

Version 2 of the Azure AD Connect sync endpoint on the Azure AD side offers many benefits, including better sync performance and support for much larger groups. It reached general availability in January 2021 and has been optionally available in the Azure AD Connect versions released since; Azure AD Connect v2.x uses the v2 endpoint exclusively.

However, the v2 endpoint will not be made available in the Azure Germany cloud. Officially, the Azure Germany cloud (codenamed 'Schwarzwald') closes on October 29th, 2021, but if you want to run the latest Azure AD Connect versions against it until then, you're going to have to go to great lengths to get to a supported state.
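Points 1 to 3 above each boil down to something you can check on the existing Azure AD Connect server before planning the move to v2.x: the operating system build, the installed Azure AD Connect version and auto-upgrade state, and whether the server already talks to the v2 endpoint. The following PowerShell readiness check is an added example and not code from the original post or from Microsoft. It assumes the product registers itself in the uninstall registry keys under the display name 'Microsoft Azure AD Connect' and that the ADSync module is present on the server; the `Get-ADSyncAutoUpgrade`, `Get-ADSyncAADConnectorExportApiVersion` and `Get-ADSyncAADConnectorImportApiVersion` cmdlets it calls are shipped with that module.

```powershell
# Added example (not from the original post): upgrade-readiness check for Azure AD Connect v2.x.
# Run in an elevated PowerShell session on the Azure AD Connect server.
# Assumption: the product's uninstall DisplayName is 'Microsoft Azure AD Connect'.
function Test-AadConnectV2Readiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # Point 2: v2.x installs on Windows Server 2016 (build 14393) or newer.
    # ProductType 1 = workstation, 2 = domain controller, 3 = member server.
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $result.OSCaption     = $os.Caption
    $result.OSBuild       = $build
    $result.OSIsSupported = ($os.ProductType -ne 1) -and ($build -ge 14393)

    # Point 1: read the installed Azure AD Connect version from the uninstall keys.
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $products = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue
    $aadc = $products |
        Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' } |
        Select-Object -First 1
    $result.AadConnectVersion = if ($aadc) { [version]$aadc.DisplayVersion } else { $null }
    $result.AadConnectIsV2    = ($null -ne $result.AadConnectVersion) -and
                                ($result.AadConnectVersion.Major -ge 2)

    # Point 2 (in-place upgrades): list the Visual C++ runtimes so the older ones can be reviewed.
    $result.VisualCppRuntimes = @(
        $products |
            Where-Object { $_.DisplayName -like 'Microsoft Visual C++*Redistributable*' } |
            ForEach-Object { $_.DisplayName }
    )

    # Points 1 and 3: auto-upgrade state and the sync API (endpoint) version in use.
    try {
        Import-Module ADSync -ErrorAction Stop
        $result.AutoUpgrade      = Get-ADSyncAutoUpgrade
        $result.ExportApiVersion = Get-ADSyncAADConnectorExportApiVersion
        $result.ImportApiVersion = Get-ADSyncAADConnectorImportApiVersion
    } catch {
        $result.AutoUpgrade      = 'unknown (ADSync module not available)'
        $result.ExportApiVersion = 'unknown'
        $result.ImportApiVersion = 'unknown'
    }
    $result.UsesV2Endpoint = ($result.ExportApiVersion -eq 2) -and ($result.ImportApiVersion -eq 2)

    # Plain-language findings an administrator can act on.
    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $result.OSIsSupported) {
        $findings.Add('Operating system is older than Windows Server 2016: plan a swing migration to a new server.')
    }
    if (-not $result.AadConnectIsV2) {
        $findings.Add('Still on Azure AD Connect 1.x: auto-upgrade will not move you to 2.x, download and upgrade manually.')
    }
    if (-not $result.UsesV2Endpoint) {
        $findings.Add('Still on the v1 sync endpoint: Azure AD Connect 2.x uses the v2 endpoint only.')
    }
    $result.Findings = $findings.ToArray()

    [pscustomobject]$result
}

Test-AadConnectV2Readiness | Format-List
```

If the check reports the v1 endpoint on a 1.x server you intend to upgrade in place, switch the endpoint first with the scheduler paused (`Set-ADSyncScheduler -SyncCycleEnabled $false`, then `Set-ADSyncAADConnectorExportApiVersion 2` and `Set-ADSyncAADConnectorImportApiVersion 2`, then re-enable the scheduler), so that the endpoint change and the product upgrade are two separate, individually verifiable steps.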

4. MSAL instead of ADAL

In June 2020, Microsoft announced the deprecation of the Azure Active Directory Authentication Library (ADAL). Going forward, the Microsoft Authentication Library (MSAL) is the supported way for applications to authenticate against Azure AD (and, through it, AD FS). Microsoft (currently) plans to end support for ADAL on June 30th, 2022.

However, Azure AD Connect 1.x was still using the Azure Active Directory Authentication Library (ADAL). Now, in v2.x, Azure AD Connect uses the Microsoft Authentication Library (MSAL).

Organizations using Active Directory Federation Services (AD FS) on Windows Server 2012 and Windows Server 2012 R2 may experience issues, as AD FS on these operating systems doesn't work with MSAL. For the Microsoft Authentication Library to work, you'll need to upgrade AD FS to Windows Server 2016 or a newer version of Windows Server.

As with the Azure AD Connect server itself (see point 2), this might mean purchasing new Windows Server (Datacenter) licenses to introduce the new operating system for the AD FS farm, while the organization thought it could keep using Windows Server 2012 and Windows Server 2012 R2 for all its workloads until (at least) October 10th, 2023.

5. Hybrid Identity Administrator is all you need

I’ve met with organizations with Azure AD Connect installations in several localities. All but one of these Azure AD Connect installations would run in Staging Mode. But for all of these Azure AD Connect installations to be manually upgraded and manually adjusted (to have the same consistent settings across all Azure AD Connect installations), they needed a person with Global Administrator role in that locality, or have a person travel between the localities. The first scenario isn’t quite secure. The second scenario isn’t cost-effective.

Now, for everything you need to do in Azure AD Connect on the Azure AD side of things, people only need the Hybrid Identity Administrator role. (They may still need Enterprise Admin privileges in Active Directory for the on-premises side, for instance to create the AD DS Connector account during installation.)

This change offers an opportunity to reduce the number of people with the Global Administrator role in the organization. Take it.
