Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2021-07-21) Azure AD Connect v2.0.3.0 Has Been Released

Posted by Jorge on 2021-07-21

Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

IMPORTANT: Major release. Lots of changes/updates!

Azure AD Connect: Version Release History

Released: 7/20/2021 – Released for download only, not available for auto upgrade

Note: This is a major release of Azure AD Connect. Please refer to the Azure Active Directory V2.0 article for more details.

Prerequisites for Azure AD Connect

Functional changes

  • We have upgraded the LocalDB components of SQL Server to SQL 2019.
  • This release requires Windows Server 2016 or newer, due to the requirements of SQL Server 2019.
  • In this release we enforce the use of TLS 1.2. If you have enabled your Windows Server for TLS 1.2, AADConnect will use this protocol. If TLS 1.2 is not enabled on the server you will see an error message when attempting to install AADConnect and the installation will not continue until you have enabled TLS 1.2. Note that you can use the new “Set-ADSyncToolsTls12” cmdlets to enable TLS 1.2 on your server.
  • With this release, you can use a user with the user role “Hybrid Identity Administrator” to authenticate when you install Azure AD Connect. You no longer need the Global Administrator role for this.
  • We have upgraded the Visual C++ runtime library to version 14 as a prerequisite for SQL Server 2019
  • This release uses the MSAL library for authentication, and we have removed the older ADAL library, which will be retired in 2022.
  • We no longer apply permissions on the AdminSDHolders, following Windows security guidance. We changed the parameter "SkipAdminSdHolders" to "IncludeAdminSdHolders" in the ADSyncConfig.psm1 module.
  • Passwords will now be reevaluated when the password last set value is changed, regardless of whether the password itself is changed. If for a user the password is set to “Must change password” then this status is synced to Azure AD, and when the user attempts to sign in in Azure AD they will be prompted to reset their password.
  • We have added two new cmdlets to the ADSyncTools module to enable or retrieve TLS 1.2 settings from the Windows Server.
    (You can use these cmdlets to retrieve the TLS 1.2 enablement status, or set it as needed. Note that TLS 1.2 must be enabled on the server for the installation or AADConnect to succeed.)
    • Get-ADSyncToolsTls12
    • Set-ADSyncToolsTls12
  • We have revamped ADSyncTools with several new and improved cmdlets. The ADSyncTools article has more details about these cmdlets. The following cmdlets have been added or updated:
    • Clear-ADSyncToolsMsDsConsistencyGuid
    • ConvertFrom-ADSyncToolsAadDistinguishedName
    • ConvertFrom-ADSyncToolsImmutableID
    • ConvertTo-ADSyncToolsAadDistinguishedName
    • ConvertTo-ADSyncToolsCloudAnchor
    • ConvertTo-ADSyncToolsImmutableID
    • Export-ADSyncToolsAadDisconnectors
    • Export-ADSyncToolsObjects
    • Export-ADSyncToolsRunHistory
    • Get-ADSyncToolsAadObject
    • Get-ADSyncToolsMsDsConsistencyGuid
    • Import-ADSyncToolsObjects
    • Import-ADSyncToolsRunHistory
    • Remove-ADSyncToolsAadObject
    • Search-ADSyncToolsADobject
    • Set-ADSyncToolsMsDsConsistencyGuid
    • Trace-ADSyncToolsADImport
    • Trace-ADSyncToolsLdapQuery
  • We now use the V2 endpoint for import and export and we fixed issue in the Get-ADSyncAADConnectorExportApiVersion cmdlet. You can read more about the V2 endpoint in the Azure AD Connect sync V2 endpoint article.
    We have added the following new user properties to sync from on-prem AD to Azure AD
    • employeeType
    • employeeHireDate
  • This release requires PowerShell version 5.0 or newer to be installed on the Windows Server. Note that this version is part of Windows Server 2016 and newer.
  • We increased the Group sync membership limits to 250k with the new V2 endpoint.
  • We have updated the Generic LDAP connector and the Generic SQL Connector to the latest versions. Read more about these connectors here:
  • In the M365 Admin Center, we now report the AADConnect client version whenever there is export activity to Azure AD. This ensures that the M365 Admin Center always has the most up to date AADConnect client version, and that it can detect when you’re using and outdated version
  • Provides a batch import execution script which can be called from Windows scheduled job so that the customers can automate the batch import operations with scheduling.
    • Credentials are provided as an encrypted file using Windows Data Protection API (DPAPI).
    • Credential files can be use only at the same machine and user account where it’s created.
  • The Azure AD Kerberos Feature supported for the MSAL library. To use the AAD Kerberos Feature, the customer needs to register an on-premises service principal name into the Azure AD. Provides importing of an on-premises service principal object into the Azure AD.

Fixed issues/Bug Fixes:

  • We fixed an accessibility bug where the screen reader is announcing incorrect role of the ‘Learn More’ link.
  • We fixed a bug where sync rules with large precedence values (i.e. 387163089) cause upgrade to fail. We updated sproc ‘mms_UpdateSyncRulePrecedence’ to cast the precedence number as an integer prior to incrementing the value.
  • Fixed a bug where group writeback permissions are not set on the sync account if a group writeback configuration is imported. We now set the group writeback permissions if group writeback is enabled on the imported configuration.
  • We updated the Azure AD Connect Health agent version to to fix an installation failure.
  • We are seeing an issue with non-default attributes from exported configurations where directory extension attributes are configured. When importing these configurations to a new server/installation, the attribute inclusion list is overridden by the directory extension configuration step, so after import only default and directory extension attributes are selected in the sync service manager (non-default attributes are not included in the installation, so the user must manually reenable them from the sync service manager if they want their imported sync rules to work). We now refresh the AAD Connector before configuring directory extension to keep existing attributes from the attribute inclusion list.
  • We fixed an accessibility issues where the page header’s font weight is set as "Light". Font weight is now set to "Bold" for the page title, which applies to the header of all pages.
  • The function Get-AdObject in ADSyncSingleObjectSync.ps1 has been renamed to Get-AdDirectoryObject to prevent ambiguity with the AD cmdlet.
  • The SQL function ‘mms_CheckSynchronizationRuleHasUniquePrecedence’ allow duplicates precedence on outbound sync rules on different connectors. We removed the condition that allows duplicate rule precedence.
  • We fixed a bug where the Single Object Sync cmdlet fails if the attribute flow data is null i.e. on exporting delete operation
  • We fixed a bug where the installation fails because the ADSync bootstrap service cannot be started. We now add Sync Service Account to the Local Builtin User Group before starting the bootstrap service.
  • We fixed an accessibility issue where the active tab on AAD Connect wizard is not showing correct color on High Contrast theme. The selected color code was being overwritten due to missing condition in normal color code configuration.
  • We addressed an issue where users were allowed to deselect objects and attributes used in sync rules using the UI and PowerShell. We now show friendly error message if you try to deselect any attribute or object that is used in any sync rules.
  • We made some updates to the “migrate settings code” to check and fix backward compatibility issue when the script is ran on an older version of Azure AD Connect.
  • Fixed a bug where, when PHS tries to look up an incomplete object, it does not use the same algorithm to resolve the DC as it used originally to fetch the passwords. In particular, it is ignoring affinitized DC information. The Incomplete object lookup should use the same logic to locate the DC in both instances.
  • We fixed a bug where AADConnect cannot read Application Proxy items using Microsoft Graph due to a permissions issue with calling Microsoft Graph directly based on AAD Connect client id. To fix this, we removed the dependency on Microsoft Graph and instead use AAD PowerShell to work with the App Proxy Application objects.
  • We removed the writeback member limit from ‘Out to AD – Group SOAInAAD Exchange’ sync rule
  • We fixed a bug where, when changing connector account permissions, if an object comes in scope that has not changed since the last delta import, a delta import will not import it. We now display warning alerting user of the issue.
  • We fixed an accessibility issue where the screen reader is not reading radio button position, i.e. 1 of 2. We added added positional text to the radio button accessibility text field.
  • We updated the Pass-Thru Authentication Agent bundle. The older bundle did not have correct reply URL for HIP’s first party application in US Gov.
  • We fixed a bug where there is a ‘stopped-extension-dll-exception’ on AAD connector export after clean installing AADConnect version 1.6.X.X, which defaults to using DirSyncWebServices API V2, using an existing database. Previously the setting export version to v2 was only being done for upgrade, we changed so that it is set on clean install as well.
  • The “ADSyncPrep.psm1” module is no longer used and is removed from the installation.

  • From v1.5.29.0: This hotfix build fixes an issue introduced in build where a tenant administrator with MFA was not able to enable DSSO
  • From v1.5.22.0: This hotfix build fixes an issue in build if you have cloned the In from AD – Group Join rule and have not cloned the In from AD – Group Common rule.

Known issues:

  • The AADConnect wizard shows the “Import Synchronization Settings” option as “Preview”, while this feature is generally Available.
  • Some Active Directory connectors may be installed in a different order when using the output of the migrate settings script to install the product.
  • The User Sign In options page in the Azure AD Connect wizard mentions “Company Administrator”. This term is no longer used and needs to be replace by “Global Administrator”.
  • The “Export settings” option is broken when the Sign In option has been configured to use PingFederate.
  • While Azure AD Connect can now be deployed using the Hybrid Identity Administrator role, configuring Self Service Password Reset will still require user with the Global Administrator role.
  • When importing the AADConnect configuration while deploying to connect with a different tenant than the original AADConnect configuration, directory extension attributes are not configured correctly.

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.


This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
########################### Jorge’s Quest For Knowledge ##########################
#################### ###################

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: