Azure AD Connect v2.0.25.1 addresses a security issue and other bugs

Azure AD Connect

The lost two months have been a bonanza for Azure AD Connect releases. What started out with the first v2 release on July 20th, led to a security release three weeks later and two bug fix releases another week later. Now, four weeks after that last release, Azure AD Connect v2.0.25.1 sees the light. It squashes another list of bugs, but also fixes a security issue.

Note:
None of the v2 releases mentioned above are released for automatic upgrade. Manual upgrades are required to gain the new functionality and security levels once you're on the Azure AD Connect v2 path.

What's New

Here's what's new in Azure AD Connect version v2.0.25.1:

Soft matching can be disabled (Recommended unless used)

Microsoft added a configuration option to disable the Soft Matching feature in Azure AD Connect. Microsoft advises organizations to disable soft matching unless they need it to take over cloud only accounts. To disable Soft Matching, use the following lines of Windows PowerShell:

Connect-MsolService

Set-MsolDirSyncFeature -Feature BlockSoftMatch -Enable $True

To re-enable Soft Matching, use the following lines of Windows PowerShell:

Connect-MsolService

Set-MsolDirSyncFeature -Feature BlockSoftMatch -Enable $False

Latest versions of the Connectors

Microsoft added the version 1.1.1610.0 of the MIM Connectors, that Azure AD Connect share with Microsoft Identity Manager and ForeFront Identity Manager.

The September 2021 release of these connectors includes an updated SQL Connector, that adds support for query-based export strategies for additional types of data sources.

When using Azure AD Connect with LDAPv3 compatible identity sources, instead of Active Directory Domain Services, these fixes were incorporated in the LDAP connector:

  • An issue is fixed with Kerberos authentication by enabling 3-part service principal name (SPN) authentication for LDAP connections
  • An issue is fixed with a drop-down menu that enables hashing of OpenLDAP passwords
  • LDAP schema classes processing is improved; inherited classes are now processed when parent class is in scope

What's Fixed

Here's what's fixed in Azure AD Connect version v2.0.25.1:

  • A security issue is addressed where an unquoted path was used to point to the Azure AD Connect service. This path is now a quoted path.
  • An import config issue is addressed with writeback enabled when using the existing AD connector account.
  • An issue is addressed in the Set-ADSyncExchangeHybridPermissions and other related cmdlets, which were broken from Azure AD Connect version 1.6 due to an invalid inheritance type.
  • The Set-ADSyncToolsTls12 Windows PowerShell cmdlet had an issue where it overwrites the registry keys, destroying any values that were in them. This issue is addressed by changing the functionality of the cmdlet. Now, the cmdlet only creates new registry keys if they do not already exist. A warning is also added to let admins know the TLS registry changes are not exclusive to Azure AD Connect and may impact other applications on the same Windows Server installation as well.
  • A check is added to enforce automatic upgrades for Azure AD Connect v2 releases to require Windows Server 2016 or newer versions of Windows Server.
  • Active Directory Replicating Directory Changes permissions are added to the permission set configured by the Set-ADSyncBasicReadPermissions Windows PowerShell cmdlet.
  • A change is made to prevent using both the UseExistingDatabase switch and Import configuration funcitonality together, since the combination could contain conflicting configuration settings.
  • A change is made to allow a user with the Application Administrator role in Azure AD to change the App Proxy service configuration.
  • The (Preview) label is removed from the labels of the Import/Export settings functionality. This functionality has been generally available for some time now…
  • Some labels that still refered to Company Administrator have been changed. This role was renamed to Global Administrator in February 2021, but still lingered within Azure AD Connect.
  • New Azure AD Kerberos PowerShell cmdlets *-AADKerberosServer were created to add a Claims Transform rule to the Azure AD Service Principal.

Version information

This is version 2.0.25.1 of Azure AD Connect.
This release in the 2.x branch for Azure AD Connect was made available for download as a 153 MB weighing AzureADConnect.msi on September 14, 2021.

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.