Admins that have upgraded to Azure AD Connect v2 are at risk of running out of date and insecure installations


Admins that have bitten the bullet on Azure AD Connect v2 are now eating the sour grapes of that decision, as Microsoft doesn't offer Automatic Upgrades for any of the v2 builds released to date.

About Azure AD Connect v2

Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.

Azure AD Connect v2 was introduced on July 20th, 2021. Version 2 brings a lot of enhancements when compared to Azure AD Connect v1: it comes with the latest version of SQL Server Express Edition, it uses TLS 1.2, it offers connectivity to the v2 endpoint on the Azure AD side, and it allows for synchronizing group memberships of up to 250,000 members.

Five Azure AD Connect v2 builds have been released to date:

  • Azure AD Connect v2.0.3.0 on July 20th, 2021
  • Azure AD Connect v2.0.8.0 on August 10th, 2021
  • Azure AD Connect v2.0.9.0 on August 17th, 2021
  • Azure AD Connect v2.0.10.0 on August 19th, 2021
  • Azure AD Connect v2.0.25.1 on September 14th, 2021

About upgrading to Azure AD Connect v2

On August 31st, 2022, Microsoft plans to halt support for all Azure AD Connect v1 installations. This means that all admins should upgrade their Azure AD Connect v1 installations to v2 before that date.

That's because SQL Server 2012 SP4 reaches end of support on July 12th, 2022 and the Active Directory Authentication Library (ADAL) reaches end of support on June 30th, 2022.

Automatic Upgrades

None of the five Azure AD Connect v2 builds released to date are offered through the Automatic Upgrades feature. Two of these builds (v2.0.8.0 and v2.0.25.1) fixed security vulnerabilities, but unless admins paid attention, they might not have become aware of these new builds and certainly have not updated their Azure AD Connect v2 installations manually.

This leaves admins who have bitten the bullet on upgrading Azure AD Connect to version 2 with the sour grapes of their decision: unless Microsoft offers an Azure AD Connect v2 release that supports the Automatic Upgrades feature, they are at risk of running out of date and insecure installations and need to upgrade their Azure AD Connect installations manually.
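Until a v2 build ships through Automatic Upgrades, the check below is one way to catch an installation that has fallen behind. It is an added example, not code from the original post or from Microsoft; it assumes the product registers in the standard Uninstall registry key under the display name "Microsoft Azure AD Connect" and that the ADSync module shipped with the product is present on the server.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the Azure AD Connect server.
# Assumptions: the product's Uninstall entry uses the display name below, and
# the ADSync module (installed with the product) provides Get-ADSyncAutoUpgrade.

# v2 builds listed in the post; $true marks the builds that shipped security fixes.
$KnownBuilds = [ordered]@{
    '2.0.3.0'  = $false
    '2.0.8.0'  = $true
    '2.0.9.0'  = $false
    '2.0.10.0' = $false
    '2.0.25.1' = $true
}
$LatestBuild = [version]'2.0.25.1'

function Get-AADConnectInstalledVersion {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' } |
             Select-Object -First 1
    if ($null -eq $entry) { return $null }
    return [version]$entry.DisplayVersion
}

function Test-AADConnectPatchLevel {
    param([Parameter(Mandatory)][version]$Installed)
    # Security-fix builds that are newer than the installed build.
    $missing = $KnownBuilds.Keys | Where-Object {
        $KnownBuilds[$_] -and ([version]$_ -gt $Installed)
    }
    [pscustomobject]@{
        Installed            = $Installed
        Latest               = $LatestBuild
        UpToDate             = ($Installed -ge $LatestBuild)
        MissingSecurityFixes = @($missing)
    }
}

$installed = Get-AADConnectInstalledVersion
if ($null -eq $installed) { Write-Warning 'Azure AD Connect not found in the Uninstall registry keys.'; return }
if ($installed.Major -lt 2) { Write-Warning "v1 build $installed installed; v1 support ends August 31st, 2022." }
Test-AADConnectPatchLevel -Installed $installed | Format-List

# Automatic Upgrade state (Enabled / Disabled / Suspended). For v2 this setting
# does not help yet, since no v2 build has been offered through it.
try {
    Import-Module ADSync -ErrorAction Stop
    Write-Host "Automatic Upgrade: $(Get-ADSyncAutoUpgrade)"
} catch { Write-Warning "ADSync module not available: $($_.Exception.Message)" }
```

A non-empty MissingSecurityFixes list means the server is running a v2 build that predates a security fix and needs a manual upgrade.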

Concluding

One of the common weaknesses found with admins and IT departments is the lack of processes. Without an update process for Azure AD Connect and proper staffing of admin roles, organizations are at risk of running out of date and insecure Azure AD Connect installations.

I sure hope Microsoft releases an Azure AD Connect v2 build soon that supports the Automatic Upgrades feature for all previous Azure AD Connect v2 builds.

Further reading

  • Azure AD Connect v2.0.25.1 addresses a security issue and other bugs
  • Azure AD Connect v1.x reaches end of support in 1 year
  • Azure AD Connect v1.6.13.0 and v2.0.10.0 solve a PHS issue in renamed AD forests
  • Azure AD Connect v2.0.9.0 fixes a Password Hash Synchronization bug
  • Two new Azure AD Connect versions were released to prevent MitM attacks towards Domain Controllers (CVE-2021-36949)
  • Azure AD Connect version 2.0.3.0 is here
