Support for the v2 endpoint is no longer available for Azure AD Connect v1.x

Azure AD Connect

As an amendment to the Azure AD Connect version release history documentation this week, Microsoft communicated that the v2 endpoint for Azure AD Connect is no longer supported on Azure AD Connect versions 1.5.x and 1.6.x.


About Azure AD Connect’s v2 endpoint

Microsoft has deployed a new endpoint (API) for Azure AD Connect that improves the performance of the synchronization service's operations to Azure Active Directory. Azure AD Connect v2 defaults to the v2 endpoint, but earlier Azure AD Connect versions can use it, too: version 1.6.2.4 and later default to it, and older 1.x versions can be configured to use it.

When organizations use the new v2 endpoint, they'll experience noticeable performance gains on exports to and imports from Azure AD. This new endpoint supports the following scenarios:

  • Syncing groups with up to 250,000 members (the v1 endpoint stops at 50,000 members)
  • Performance gains on export and import to Azure AD

Availability of the v2 endpoint

The new v2 endpoint was announced generally available for Azure AD Connect installations connecting to tenants in the global Azure AD service on January 14th, 2021. On April 16th, 2021, the Azure AD Connect v2 endpoint was announced generally available for:

  • Azure China cloud
  • Azure US Government cloud

Azure AD Connect’s v2 endpoint is not available in the Azure Germany cloud.


The issue

There is an issue with Azure AD Connect version 1.6.4.2, where upgrading to this version or any newer 1.6.x version resets the group membership limit to 50,000 members. When an Azure AD Connect installation is upgraded to version 1.6.4.2 or any newer 1.6.x version, reapply the sync rule changes you made when you initially raised the group membership limit to 250,000 members, and do so before you re-enable synchronization on the upgraded installation; otherwise groups above 50,000 members silently stop being exported.


Call to action

If your organization runs Azure AD Connect versions 1.5.x and/or 1.6.x and you are using the v2 endpoint, either:

  • Switch back to the v1 endpoint
  • Upgrade to Azure AD Connect v2

How to tell if Azure AD Connect uses the v2 endpoint

Run the following line of Windows PowerShell in an elevated Windows PowerShell window on the Windows Server running Azure AD Connect to tell which endpoint version it is using:

# Both values read 1 for the v1 endpoint and 2 for the v2 endpoint
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\ADSync\Parameters' | Select-Object AadConnector*ApiVersion
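The registry check above tells you the endpoint version, but the call to action depends on the combination of endpoint version and installed build. The following function, added here as an example and not part of the original post, combines both into a verdict. It assumes the ADSync PowerShell module version tracks the Azure AD Connect build, and that the two registry values are named AADConnectorImportApiVersion and AADConnectorExportApiVersion (the names the wildcard above matches).

```powershell
# Added example (not from the original post): classify this server as supported,
# unsupported (1.5.x/1.6.x on the v2 endpoint) or unknown.
# Assumptions: the ADSync module version equals the Azure AD Connect build, and the
# registry values are AADConnectorImportApiVersion / AADConnectorExportApiVersion.
function Get-AadConnectEndpointStatus {
    [CmdletBinding()]
    param(
        [string]$ParametersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ADSync\Parameters'
    )

    $params = Get-ItemProperty -Path $ParametersKey -ErrorAction Stop

    # An absent value has simply never been set; report that rather than guess a default
    $importApi = if ($null -ne $params.AADConnectorImportApiVersion) { [int]$params.AADConnectorImportApiVersion } else { $null }
    $exportApi = if ($null -ne $params.AADConnectorExportApiVersion) { [int]$params.AADConnectorExportApiVersion } else { $null }

    # Installed build, taken from the ADSync module that ships with Azure AD Connect (assumption)
    $module = Get-Module -Name ADSync -ListAvailable | Sort-Object Version -Descending | Select-Object -First 1
    $build = if ($module) { [version]$module.Version } else { $null }

    $usesV2 = ($importApi -eq 2) -or ($exportApi -eq 2)

    $verdict = if (-not $build) {
        'Unknown: ADSync module not found; run this on the Azure AD Connect server'
    } elseif ($build.Major -ge 2) {
        'Supported: Azure AD Connect v2 uses the v2 endpoint by default'
    } elseif ($usesV2 -and ($build.Minor -in 5, 6)) {
        'Unsupported: 1.5.x/1.6.x on the v2 endpoint; switch back to v1 or upgrade to v2'
    } elseif ($usesV2) {
        'Unsupported: 1.x build on the v2 endpoint; upgrade to v2'
    } elseif ($null -eq $importApi -and $null -eq $exportApi) {
        'Unknown: endpoint version values not present in the registry'
    } else {
        'No action: v1 endpoint in use'
    }

    [pscustomobject]@{
        Build            = $build
        ImportApiVersion = $importApi
        ExportApiVersion = $exportApi
        UsesV2Endpoint   = $usesV2
        Verdict          = $verdict
    }
}

Get-AadConnectEndpointStatus | Format-List
```

Run it in the same elevated window; a mixed state (one value at 2, the other at 1) is treated as using the v2 endpoint, because either direction on v2 is enough to fall under the withdrawn support.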


How to Switch back to the v1 endpoint

To switch back to the v1 endpoint, run the following lines of Windows PowerShell in an elevated Windows PowerShell window on the Windows Server running the Azure AD Connect installation that you want to use with the v1 endpoint:

# Stop scheduled sync cycles first, so no export or import runs while the endpoint changes
Set-ADSyncScheduler -SyncCycleEnabled $false

# The endpoint cmdlets live in the AADConnector module shipped with Azure AD Connect
Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Extensions\AADConnector.psm1'

# Point both directions back at API version 1
Set-ADSyncAADConnectorExportApiVersion 1

Set-ADSyncAADConnectorImportApiVersion 1

Additionally, reinstate the default Out to AAD – Group Join sync rule, so that the group membership limit is 50,000 again; the v1 endpoint does not support larger groups. Then, run the following line of Windows PowerShell to re-enable scheduled synchronization:

Set-ADSyncScheduler -SyncCycleEnabled $true
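The steps above are easy to run out of order, and the Group Join rule step is the one that gets forgotten. The script below is an added example, not the post's own, that runs the procedure as one guarded sequence: it waits for an in-flight cycle, reads the endpoint versions back from the registry instead of trusting the cmdlets, and refuses to re-enable the scheduler while a non-default Group Join rule is in place. It assumes the module path and registry key named on this page, the registry value names AADConnectorExportApiVersion and AADConnectorImportApiVersion, and that the default rule is named 'Out to AAD - Group Join' with a plain hyphen; detecting a custom rule by name is a heuristic.

```powershell
# Added example, not the post's own script: revert to the v1 endpoint with checks.
# Assumptions: module path, registry key and value names, and default rule name below.
$modulePath           = 'C:\Program Files\Microsoft Azure AD Sync\Extensions\AADConnector.psm1'
$regPath              = 'HKLM:\SYSTEM\CurrentControlSet\Services\ADSync\Parameters'
$defaultGroupJoinRule = 'Out to AAD - Group Join'

# 1. Disable the scheduler and wait for any running cycle to finish before touching the endpoint
Set-ADSyncScheduler -SyncCycleEnabled $false
while ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Host 'Sync cycle in progress, waiting...'
    Start-Sleep -Seconds 15
}

# 2. Point export and import back at API version 1
Import-Module $modulePath -ErrorAction Stop
Set-ADSyncAADConnectorExportApiVersion 1
Set-ADSyncAADConnectorImportApiVersion 1

# 3. Read the result back from the registry rather than assuming the cmdlets succeeded
$p = Get-ItemProperty -Path $regPath
if ([int]$p.AADConnectorExportApiVersion -ne 1 -or [int]$p.AADConnectorImportApiVersion -ne 1) {
    throw "Endpoint switch did not take: export=$($p.AADConnectorExportApiVersion) import=$($p.AADConnectorImportApiVersion)"
}

# 4. v1 stops at 50,000 members. Raising the limit meant cloning the default Group Join
#    rule and disabling the original, so a cloned rule or a disabled default means the
#    defaults have not been reinstated yet. Leave the scheduler off and stop (heuristic).
$groupJoinRules = Get-ADSyncRule | Where-Object { $_.Name -like '*Group Join*' }
$notDefault = @($groupJoinRules | Where-Object { $_.Name -ne $defaultGroupJoinRule -or $_.Disabled })
if ($notDefault.Count -gt 0) {
    $notDefault | Select-Object Name, Precedence, Disabled, Identifier | Format-Table -AutoSize
    throw "Group Join rules are not at defaults; reinstate '$defaultGroupJoinRule', then run Set-ADSyncScheduler -SyncCycleEnabled `$true"
}

# 5. Safe to resume scheduled synchronization
Set-ADSyncScheduler -SyncCycleEnabled $true
'Now using the v1 endpoint; scheduler re-enabled.'
```

If the script throws at step 4, the scheduler stays disabled on purpose; fix the rule in the Synchronization Rules Editor and re-enable the scheduler by hand.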


When to upgrade to Azure AD Connect v2

When your organization runs Azure AD Connect version 1.5.x and/or 1.6.x and uses the v2 endpoint to synchronize large groups, upgrade to Azure AD Connect v2; switching back to v1 would cap those groups at 50,000 members.

Note that Azure AD Connect v2 requires Windows Server 2016 or later and TLS 1.2, introduces a new SQL Server Express version and uses MSAL instead of ADAL. It might be incompatible with the rest of your networking infrastructure, for instance a proxy that does not allow TLS 1.2 traffic.
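Two of those prerequisites can be checked on the existing 1.x server before the upgrade is scheduled. The function below is an added example (not from the post) that pre-flights the Windows Server build and the TLS 1.2 settings; build 14393 is Windows Server 2016, and the registry locations are the standard SCHANNEL and .NET Framework TLS settings. The SQL Server Express and MSAL changes need no local check, since the installer brings both.

```powershell
# Added example, not from the post: pre-flight the v2 prerequisites named above.
# Build 14393 = Windows Server 2016; TLS settings are the standard SCHANNEL / .NET keys.
function Test-AadConnectV2Prerequisites {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $checks = [ordered]@{}

    # Windows Server 2016 (build 14393) or newer is required
    $checks['OsBuild_14393_or_newer'] = ([int]$os.BuildNumber -ge 14393)

    # TLS 1.2 on the client side must not be disabled in SCHANNEL (Azure AD Connect is the
    # TLS client). An absent key means the OS default applies, which on 2016+ is enabled.
    $tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $tls = Get-ItemProperty -Path $tlsKey -ErrorAction SilentlyContinue
    $checks['Tls12_client_enabled'] = -not ($tls -and (($tls.Enabled -eq 0) -or ($tls.DisabledByDefault -eq 1)))

    # .NET Framework must defer to the OS for TLS versions and use strong crypto, in both hives
    $dotNetKeys = @{
        'DotNet64_uses_system_tls' = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
        'DotNet32_uses_system_tls' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    }
    foreach ($name in $dotNetKeys.Keys) {
        $n = Get-ItemProperty -Path $dotNetKeys[$name] -ErrorAction SilentlyContinue
        $checks[$name] = ($null -ne $n) -and ($n.SystemDefaultTlsVersions -eq 1) -and ($n.SchUseStrongCrypto -eq 1)
    }

    # Overall verdict: every individual check must have passed
    [pscustomobject]$checks |
        Add-Member -NotePropertyName ReadyForV2 -NotePropertyValue (-not ($checks.Values -contains $false)) -PassThru
}

Test-AadConnectV2Prerequisites | Format-List
```

A failed DotNet check is the common one on servers that were upgraded in place: the two DWORDs must be set to 1 under both hives before TLS 1.2 is enforced, or the v2 installer will not be able to reach Azure AD.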


Concluding

Now might be a good time to upgrade Azure AD Connect to version 2.

Further reading

Availability of Azure AD Connect’s v2 endpoint
Azure AD Connect version 1.6.2.4 defaults to the v2 endpoint and adds support for Selective Password Hash Synchronization
Azure AD Connect’s v2 endpoint is now Generally Available (GA)
HOWTO: Tell if Azure AD Connect is using the v2 Endpoint
HOWTO: Use Azure AD Connect’s v2 Endpoint
Five Things You should know about Azure AD Connect version 2
