Azure AD Connect v2.1.20.0 offers to synchronize to Azure AD’s employeeLeaveDateTime attribute


With Microsoft introducing the Lifecycle Workflows functionality in Public Preview at its Microsoft Ignite event last month, some things are definitely changing… Azure AD is now poised to become the leading identity management plane and Active Directory to become a mere authentication store.

However, to make that dream work, Azure AD Connect needs to offer additional functionality (at least temporarily) to accommodate both that future world and the current world. The current temporary situation seems to be managing groups in Azure AD and writing them back, but managing users in Active Directory and synchronizing them up, unless they are cloud-only users. These can now be provisioned and deprovisioned automatically using the new Lifecycle Workflows.

Azure AD Connect v2.1.19.0 and v2.1.20.0 now introduce functionality to make synchronized user objects and cloud-only objects play nicely.

 

What’s New

Synchronizing employeeLeaveDateTime

Microsoft added the functionality to synchronize an attribute from the on-premises Active Directory to a new attribute in Azure AD. The value for the attribute you decide on in Active Directory is used as the value for the employeeLeaveDateTime attribute in Azure AD.

This allows for consistency going forward between cloud objects that are provisioned (and deprovisioned) through Lifecycle Workflows and on-premises objects that are synchronized using Azure AD Connect. Through Lifecycle Workflows, currently in Public Preview, the built-in offboarding process for a user object can be triggered based on the value of the employeeLeaveDateTime attribute in Azure AD. By synchronizing a date and time into this attribute, based on an on-premises attribute for the user object in Active Directory, admins now have a way to have on-premises account expiration work in Azure AD, too.

As the EmployeeHireDate and EmployeeLeaveDateTime attributes do not exist in the Active Directory schema, an attribute in Active Directory of your choosing needs to be used.

Note:
When using one of the built-in Human Resourcing (HR) applications with Lifecycle Workflows, this attribute must be a string and be in a specific time and date format, depending on the Human Resourcing (HR) application that acts as the source for cloud objects.

Note:
The feature to synchronize to the employeeLeaveDateTime attribute was introduced with Azure AD Connect v2.1.19.0, but this version contains an issue that caused the new employeeLeaveDateTime attribute to not synchronize correctly. This issue was addressed in v2.1.20.0.

Note:
If the incorrect attribute was already used in a synchronization rule, then the rule must be updated with the new attribute and any objects in the Azure AD Connector Space that have the incorrect attribute must be removed with the Remove-ADSyncCSObject PowerShell cmdlet, and then a full synchronization cycle must be run.
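
The cleanup in the note above, as an added PowerShell example (not from the original post or from Microsoft), for the Azure AD Connect server after the synchronization rule has been corrected. The connector name and the input file with connector space distinguished names are assumptions; substitute your own.

```powershell
# Added example, not part of the original post.
Import-Module ADSync

# Assumption: placeholder name of the Azure AD connector.
# List the real connector names with: Get-ADSyncConnector | Select-Object Name, Type
$ConnectorName = '<tenant>.onmicrosoft.com - AAD'

# Assumption: hypothetical file with one connector space DN per line,
# listing the objects that carry the incorrect attribute.
$AffectedDns = Get-Content -Path '.\affected-cs-objects.txt' |
    Where-Object { $_.Trim() }

# Do not touch the connector space while a cycle is running, and keep the
# scheduler from starting one halfway through the cleanup.
$scheduler = Get-ADSyncScheduler
if ($scheduler.SyncCycleInProgress) {
    throw 'A synchronization cycle is in progress. Retry when it has finished.'
}
Set-ADSyncScheduler -SyncCycleEnabled $false

try {
    foreach ($dn in $AffectedDns) {
        try {
            $cs = Get-ADSyncCSObject -ConnectorName $ConnectorName -DistinguishedName $dn
        }
        catch {
            $cs = $null
        }
        if (-not $cs) {
            Write-Warning "Not found in connector space: $dn"
            continue
        }
        Remove-ADSyncCSObject -CsObject $cs -Force
        Write-Output "Removed from connector space: $dn"
    }
}
finally {
    # Restore the scheduler to the state it was in before the cleanup.
    Set-ADSyncScheduler -SyncCycleEnabled $scheduler.SyncCycleEnabled
}

# Full synchronization cycle, so the removed objects are imported again
# and evaluated against the corrected rule.
Start-ADSyncSyncCycle -PolicyType Initial
```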

 

What’s Fixed

Issue that caused Password Writeback to stop functioning

Microsoft addressed an issue that caused Azure AD Connect’s Password Writeback feature to stop functioning. The error code is:

SSPR_0029 ERROR_ACCESS_DENIED

 

Version information

Version 2.1.20.0 of Azure AD Connect was made available for download as a 144 MB AzureADConnect.msi file on November 9th, 2022.

You can download the latest version of Azure AD Connect here.
