Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2019-04-30) Azure AD Connect v1.3.20.0 Has Been Released

Posted by Jorge on 2019-04-30

Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect"

IMPORTANT: I upgraded from Azure AD Connect. As mentioned below in the “New Features And Improvements” section, this release upgrades a group sync rule to include additional transformations (flows). To be more specific, it updates the sync rule called “In from AD – Group Common”. If you have this rule enabled, it will most likely perform a full sync for at least the AD connector the next time it syncs after the AAD Connect upgrade. If you have this rule disabled, that means you have a cloned version of it that requires updating if you need those additional transformations (flows) to support group claims in AAD. If you do update that cloned version, then it will most likely perform a full sync for the AD connector the next time it syncs after the AAD Connect upgrade. Since that may take some time, depending on the size of your AD/AAD environment in terms of the number of objects being synced, make sure that you have taken the necessary steps to support this, or hold off on upgrading until you have found a convenient moment to do so.

However, to my surprise it did not trigger the expected full sync for the AD connector. That was weird, because when sync rules are updated all data needs to be reevaluated, whether or not it has changed. In my case I triggered the full sync myself by running the Run Profiles manually for both the AD Connector and the AAD Connector. The order was: Disable Sync Scheduler, Delta Import for AD Connector, Full Sync for AD Connector, Export for AAD Connector, Delta Import for AAD Connector, Delta Sync for AAD Connector, Export for AD Connector and Re-enable Sync Scheduler.
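The manual run-profile sequence above, as an added example (not from the post or from Microsoft) using the ADSync PowerShell module on the Azure AD Connect server. It assumes the AD connector reports ConnectorTypeName "AD" and the AAD connector "Extensible2", that the built-in rule is named exactly "In from AD - Group Common", and that Get-ADSyncConnectorRunStatus returns nothing while no run profile is active.

```powershell
Import-Module ADSync

# Locate connectors by type rather than hard-coding tenant-specific names (assumed type names).
$adConnector  = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
$aadConnector = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'Extensible2' }
if (-not $adConnector -or -not $aadConnector) { throw 'Could not identify the AD and AAD connectors.' }

# Check: if the built-in group rule is disabled, a cloned copy is in use and must carry
# the new attribute flows itself (the case the post says needs manual updating).
$groupRule = Get-ADSyncRule | Where-Object { $_.Name -eq 'In from AD - Group Common' }
if ($groupRule -and $groupRule.Disabled) {
    Write-Warning "Built-in rule '$($groupRule.Name)' is disabled; verify the cloned rule has the new flows."
}

function Invoke-RunProfileAndWait {
    param([string]$ConnectorName, [string]$RunProfileName)
    Write-Host "$ConnectorName : $RunProfileName"
    Invoke-ADSyncRunProfile -ConnectorName $ConnectorName -RunProfileName $RunProfileName
    # Assumption: an empty run status means no connector is busy; poll before the next step
    # so two run profiles never overlap.
    while (Get-ADSyncConnectorRunStatus) { Start-Sleep -Seconds 5 }
}

# 1. Stop the scheduler so it cannot start its own cycle in the middle of this sequence.
Set-ADSyncScheduler -SyncCycleEnabled $false
try {
    # 2-3. Pick up AD changes, then re-evaluate every object against the updated sync rules.
    Invoke-RunProfileAndWait $adConnector.Name  'Delta Import'
    Invoke-RunProfileAndWait $adConnector.Name  'Full Synchronization'
    # 4-6. Push the results to Azure AD and confirm them.
    Invoke-RunProfileAndWait $aadConnector.Name 'Export'
    Invoke-RunProfileAndWait $aadConnector.Name 'Delta Import'
    Invoke-RunProfileAndWait $aadConnector.Name 'Delta Synchronization'
    # 7. Export anything flowing back to on-premises AD (writeback features).
    Invoke-RunProfileAndWait $adConnector.Name  'Export'
}
finally {
    # 8. Always re-enable the scheduler, even if one of the steps failed.
    Set-ADSyncScheduler -SyncCycleEnabled $true
}
```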

Azure AD Connect: Version Release History

Released: 04/24/2019

Released for download

Prerequisites for Azure AD Connect

More information about Azure AD Connect

New Features And Improvements

  • Add support for Domain Refresh
  • Exchange Mail Public Folders feature goes GA
  • Improve wizard error handling for service failures
  • Added warning link for old UI on connector properties page.
  • The Unified Groups Writeback feature is now GA
  • Improved SSPR error message when the DC is missing an LDAP control
  • Added diagnostics for DCOM registry errors during install
  • Improved tracing of PHS RPC errors
  • Allow EA creds from a child domain
  • Allow database name to be entered during install (default name ADSync)
  • Upgrade to ADAL 3.19.8 to pick up a WS-Trust fix for Ping and add support for new Azure instances
  • Modify Group Sync Rules to flow samAccountName, DomainNetbios and DomainFQDN to cloud – needed for claims
  • Modified Default Sync Rule Handling – read more here.
  • Added a new agent running as a windows service. This agent, named “Admin Agent”, enables deeper remote diagnostics of the Azure AD Connect server to help Microsoft Engineers troubleshoot when you open a support case. This agent is not installed and enabled by default. For more information on how to install and enable the agent see What is the Azure AD Connect Admin Agent?.
  • Updated the End User License Agreement (EULA)
  • Added auto upgrade support for deployments that use AD FS as their login type. This also removed the requirement of updating the AD FS Azure AD Relying Party Trust as part of the upgrade process.
  • Added an Azure AD trust management task that provides two options: analyze/update trust and reset trust.
  • Changed the AD FS Azure AD Relying Party trust behavior so that it always uses the -SupportMultipleDomain switch (includes trust and Azure AD domain updates).
  • Changed the install new AD FS farm behavior so that it requires a .pfx certificate by removing the option of using a pre-installed certificate.
  • Updated the install new AD FS farm workflow so that it only allows deploying 1 AD FS and 1 WAP server. All additional servers will be done after initial installation.

Fixed issues

  • Fix the SQL reconnect logic for ADSync service
  • Fix to allow clean Install using an empty SQL AOA DB
  • Fix PS Permissions script to refine GWB permissions
  • Fix VSS Errors with LocalDB
  • Fix misleading error message when object type is not in scope
  • Corrected an issue where installation of Azure AD PowerShell on a server could potentially cause an assembly conflict with Azure AD Connect.
  • Fixed PHS bug on Staging Server when Connector Credentials are updated in the old UI.
  • Fixed some memory leaks
  • Miscellaneous Autoupgrade fixes
  • Miscellaneous fixes to Export and Unconfirmed Import Processing
  • Fixed a bug with handling a backslash in Domain and OU filtering
  • Fixed an issue where ADSync service takes more than 2 minutes to stop and causes a problem at upgrade time.

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle!

…And just to get ahead of things when needed I also installed the Azure AD Connect Admin Agent in a disabled state. By the way, as mentioned in the documentation, you will be prompted multiple times (about 5x or so) for credentials. So, don’t freak out thinking it is not working.


This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!