Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Azure AD Connect’ Category

(2019-11-10) Azure AD Connect v1.4.32.0 Has Been Released

Posted by Jorge on 2019-11-10


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

IMPORTANT: In one environment I upgraded from Azure AD Connect 1.3.21.0. I noticed that it triggered a Full Import on both the AD and AAD MA/Connector, and it also triggered a Full Sync on both the AD and AAD MA/Connector. Since the full imports/syncs may take some time, depending on the size of your AD/AAD environment in terms of the number of objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

IMPORTANT: In one environment I upgraded from Azure AD Connect 1.4.18.0. I noticed that it triggered a Delta Import on both the AD and AAD MA/Connector, but it triggered a Full Sync on the AD MA/Connector and a Delta Sync on the AAD MA/Connector. Since the full sync may take some time, depending on the size of your AD/AAD environment in terms of the number of objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

IMPORTANT: Due to an internal schema change in this release of Azure AD Connect, if you manage ADFS trust relationship configuration settings using MSOnline PowerShell then you must update your MSOnline PowerShell module to version 1.1.183.57 or higher.

Azure AD Connect: Version Release History

1.4.32.0

Released: 11/08/2019

Released for download. Not available for auto-upgrade

Prerequisites for Azure AD Connect

More information about Azure AD Connect

New Features And Improvements

  • N.A.

Fixed issues

  • This version fixes an issue with existing Hybrid Azure AD joined devices. This release contains a new device sync rule that corrects this issue (Updated sync rule: “In from AD – Computer Join”). Note that this rule change may cause deletion of obsolete devices from Azure AD. This is not a cause for concern, as these device objects are not used by Azure AD during Conditional Access authorization. For some customers, the number of devices that will be deleted through this rule change can exceed the deletion threshold. If you see the deletion of device objects in Azure AD exceeding the Export Deletion Threshold, it is advised to allow the deletions to go through. How to allow deletes to flow when they exceed the deletion threshold

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Azure AD Connect, Windows Azure Active Directory

(2019-10-08) Synched Computers/Devices Being Cleaned Up From Azure AD

Posted by Jorge on 2019-10-08


Starting with version 1.4.18.0 and higher of Azure AD Connect, you may see some or all of your Windows devices disappear from Azure AD after upgrading to that version and executing a sync cycle. This is not a cause for concern, as these device identities are not used by Azure AD during conditional access authorization. This change will not delete any Windows devices that were correctly registered with Azure AD for Hybrid Azure AD Join.

If you see the deletion of device objects in Azure AD exceeding the Export Deletion Threshold, the advice is to allow the deletions to go through. How To: allow deletes to flow when they exceed the deletion threshold

Nevertheless you may want to analyze the deletion first. You can read the following blog post to see how you could do that: (2019-10-06) Examining Pending Export Deletions In Azure AD Connect

More information about this can be found through Understanding Azure AD Connect 1.4.xx.x and device disappearance

To verify which devices in your AD are candidates to be deleted in Azure AD, you can use the following PowerShell script: Export Hybrid Azure AD join computer certificates report

This script generates a report about certificates stored in Active Directory computer objects, specifically certificates issued by the Hybrid Azure AD join feature. It reads the certificates in the userCertificate attribute of a computer object in AD and, for each non-expired certificate, checks whether that certificate was issued for the Hybrid Azure AD join feature (i.e. the Subject Name matches CN={ObjectGUID}). Before, Azure AD Connect would synchronize to Azure AD any computer that contained at least one valid certificate, but starting with Azure AD Connect version 1.4 the synchronization engine can identify Hybrid Azure AD join certificates and will ‘cloudfilter’ the computer object from synchronizing to Azure AD unless there is a valid Hybrid Azure AD join certificate. Devices that were already synchronized to Azure AD but do not have a valid Hybrid Azure AD join certificate will be deleted from Azure AD by the sync engine, as these are now filtered from being synched (CloudFiltered=TRUE).

Now this script works great! Unfortunately, though, it does not work correctly in an AD forest with multiple AD domains. Besides that, there is a cosmetic issue. So, let’s start with the easy part!

The script allows you to specify the distinguished name of a single object (the DN parameter) or the distinguished name of an OU (the OU parameter). The name of that second parameter is misleading: it is just a search base, so instead of the DN of an OU you can also specify the DN of a container or the DN of a domain, and thereby query the complete AD domain instead of a single OU.

In a single AD domain environment this works flawlessly. In a multiple AD domain environment it may not. For historic reasons many companies still have AD forests with multiple AD domains which it is not cost effective to consolidate. Take, for example, the AD forest COMPANY.COM with the AD domains COMPANY.COM, CHILD1.COMPANY.COM and CHILD2.COMPANY.COM. If your session is in COMPANY.COM and you query for objects in CHILD1.COMPANY.COM through PowerShell without specifying the Server parameter (as in this script), the query goes to a DC of COMPANY.COM, which does not hold that naming context and answers with a referral; the ActiveDirectory module does not chase referrals and throws an error instead. To query for an object in another AD domain you need to target a DC of that same AD domain. If you need to query multiple AD domains you will be dancing all over the place! Sometimes there is no other way, but in this case there is. And what if you want to query the complete AD forest while having multiple AD domains? You can always query every individual AD domain, but wouldn’t it be nice to just perform a single AD query that targets the complete AD forest? That is also possible!

When querying AD, especially in an AD forest with multiple AD domains, you always need to think about two things: (1) are all attributes used in my LDAP filter replicated to the global catalog?, and (2) are the attributes whose values I want to read replicated to the global catalog?

Then you need to ask yourself: “where to start searching?”. The closer to the objects you want, the better!

Rest assured: every object of every AD domain in the forest is present in the global catalog! The question is: “which attribute values of those objects are also replicated to the global catalog?”

Any attribute that has the property “isMemberOfPartialAttributeSet” set to “TRUE” also replicates its value(s) to all global catalogs in the AD forest. To find all the attributes in the AD schema for which its value(s) replicate to the global catalog, you can have a look at the following blog post (2015-01-05) Finding Attributes Marked As Members Of Partial Attribute Set (PAS). It has examples with ADFIND, PowerShell and ADSI.

Now looking at this script, the attribute of interest is “userCertificate”.

To see if an attribute value replicates to the global catalog, you can use:

Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=<LDAP DisplayName>))" -Properties lDAPDisplayName,isMemberOfPartialAttributeSet

To see if the “userCertificate” attribute value replicates to the global catalog, you can use:

Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=userCertificate))" -Properties lDAPDisplayName,isMemberOfPartialAttributeSet


Figure 1: Partial Schema Info Of The “userCertificate” Attribute

Or you could visit https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada3/f9e923d6-c512-4beb-b963-afd695cea8ac, the definition of the attribute in the MS-ADA3 open specification (Active Directory Schema Attributes), which shows the same information:

Figure 2: AD Schema Definition Of The “userCertificate” Attribute

Guess what?! It does replicate to the global catalog! So, in this case the answer to both questions above is “YES”, therefore we can use the global catalog to perform this query.

When you need to query the complete AD forest, you could start searching in the forest root AD domain and hope that the client you are using supports referral chasing. If it does not, it may throw an error telling you it does not support it, or it just does not return anything. Wouldn’t it be nice to have something that represents the AD forest? There is: the so-called Phantom Root. You specify it as an empty search base (just two quotes, ""), and it only works when querying a Global Catalog (port 3268); the search then covers all domain naming contexts in the forest.
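Before adapting Microsoft’s script, here is a self-contained added example (my own code for this post, not Microsoft’s script) that puts the three points above together: it first checks that every attribute used in the query is in the partial attribute set, then runs one phantom-root query against a global catalog, and finally classifies each computer the way the 1.4.x sync engine does (a non-expired certificate in userCertificate whose Subject equals CN=<objectGUID> counts as a Hybrid Azure AD join certificate). The function names Test-AttributeInGlobalCatalog and Get-HybridJoinCertificateState are mine, and it assumes the ActiveDirectory module is installed and the running account can read userCertificate.

```powershell
# Added example: forest-wide report of computers that will be cloud-filtered by Azure AD Connect 1.4.x
Import-Module ActiveDirectory

# (1) Pre-flight: an attribute that is not in the partial attribute set is simply absent in a GC query,
#     which would silently produce a wrong report instead of an error.
Function Test-AttributeInGlobalCatalog {
    Param([Parameter(Mandatory=$true)][string[]]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    ForEach ($attr in $LdapDisplayName) {
        $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))" -Properties lDAPDisplayName,isMemberOfPartialAttributeSet
        [PSCustomObject]@{
            Attribute       = $attr
            InGlobalCatalog = [bool]($schemaObj.isMemberOfPartialAttributeSet)   # $null/FALSE when not in the PAS
        }
    }
}

# (2) Classify one computer object: a valid (non-expired) cert with Subject "CN=<objectGUID>" is a Hybrid Join cert.
Function Get-HybridJoinCertificateState {
    Param([Parameter(Mandatory=$true)]$Computer)   # an ADObject carrying objectGUID and userCertificate
    $expectedSubject = "CN=$($Computer.objectGUID)"
    $validHybridJoinCerts = 0
    $otherValidCerts = 0
    $now = Get-Date
    ForEach ($raw in @($Computer.userCertificate)) {
        If ($null -eq $raw) { Continue }
        Try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$raw)
        } Catch {
            Continue   # not a parsable X.509 blob, ignore it
        }
        If ($cert.NotAfter -lt $now) { Continue }   # expired certificates never count
        If ($cert.Subject -eq $expectedSubject) { $validHybridJoinCerts++ } Else { $otherValidCerts++ }
    }
    [PSCustomObject]@{
        DistinguishedName    = $Computer.DistinguishedName
        ObjectGUID           = $Computer.objectGUID
        ValidHybridJoinCerts = $validHybridJoinCerts
        OtherValidCerts      = $otherValidCerts
        # Before 1.4: synced when any valid cert existed. 1.4 and higher: synced only with a valid Hybrid Join cert.
        SyncedBefore14       = ($validHybridJoinCerts + $otherValidCerts) -gt 0
        SyncedWith14         = $validHybridJoinCerts -gt 0
    }
}

# (3) Forest-wide query: empty search base (phantom root) against a global catalog on port 3268.
$attrs = "objectClass","userCertificate"
$pas = Test-AttributeInGlobalCatalog -LdapDisplayName $attrs
$missing = @($pas | Where-Object { -not $_.InGlobalCatalog })
If ($missing.Count -gt 0) { Throw "Not in the partial attribute set, GC query would be incomplete: $($missing.Attribute -join ', ')" }

$gcFQDN = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0]
$computers = Get-ADObject -LDAPFilter "(objectClass=computer)" -SearchBase "" -Server "$($gcFQDN):3268" -Properties objectGUID,userCertificate

$report = $computers | ForEach-Object { Get-HybridJoinCertificateState -Computer $_ }

# The devices 1.3.x synchronized but 1.4.x will cloud-filter: these are the Azure AD device objects that get deleted.
$report | Where-Object { $_.SyncedBefore14 -and -not $_.SyncedWith14 } |
    Format-Table DistinguishedName,ValidHybridJoinCerts,OtherValidCerts -AutoSize
```

Running it as a regular (non-privileged) user is enough, because userCertificate on computer objects is readable by Authenticated Users by default. If the pre-flight check fails for an attribute you added yourself, either mark it as a member of the partial attribute set in the schema or fall back to querying each AD domain on its own DCs.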

Now for all this to work, some adjustments are needed in the original script! I’ll guide you through that to get a new working script.

First things first. Download the PowerShell script: Export Hybrid Azure AD join computer certificates report 

Replace…

.EXAMPLE
   .\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -DN 'CN=Computer1,OU=SYNC,DC=Fabrikam,DC=com'
.EXAMPLE
   .\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -OU ‘OU=SYNC,DC=Fabrikam,DC=com’ -Filename "MyHybridAzureADjoinReport.csv" -Verbose

…with

.EXAMPLE
    Looking at a specific computer

   .\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -DN 'CN=Computer1,OU=SYNC,DC=Fabrikam,DC=com'
.EXAMPLE
    Looking at computer objects within a specific OU
   
   .\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -DN 'OU=SYNC,DC=Fabrikam,DC=com' -Filename "MyHybridAzureADjoinReport.csv" -Verbose
.EXAMPLE
    Looking at computer objects within a specific AD domain
   
   .\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -DN 'DC=child,DC=Fabrikam,DC=com' -Filename "MyHybridAzureADjoinReport.csv" -Verbose
.EXAMPLE
    Looking at computer objects within a specific AD forest
   
   .\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -DN PhantomRoot -Filename "MyHybridAzureADjoinReport.csv" -Verbose

Replace…

Param
(
    # Computer DistinguishedName
    [Parameter(ParameterSetName='SingleObject',
               Mandatory=$true,
                ValueFromPipelineByPropertyName=$true,
               Position=0)]
    [String]
    $DN,

    # AD OrganizationalUnit
    [Parameter(ParameterSetName='MultipleObjects',
               Mandatory=$true,
               ValueFromPipelineByPropertyName=$true,
               Position=0)]
    [String]
    $OU,

    # Output CSV filename (optional)
    [Parameter(Mandatory=$false,
                ValueFromPipelineByPropertyName=$false,
               Position=1)]
    [String]
    $Filename

)

…with

Param
(
    # DistinguishedName of a computer, OU, container or domain, or the keyword PhantomRoot for the complete AD forest (queried through the global catalog)
    [Parameter(Mandatory=$true,
               ValueFromPipelineByPropertyName=$true,
               Position=0)]
    [String]
    $DN,

    # Output CSV filename (optional)
    [Parameter(Mandatory=$false,
                ValueFromPipelineByPropertyName=$false,
               Position=1)]
    [String]
    $Filename
)

Replace…

# Read AD object(s)
If ($PSCmdlet.ParameterSetName -eq 'SingleObject')
{
    $directoryObjs = @(Get-ADObject $DN -Properties UserCertificate)
    Write-Verbose "Starting report for a single object '$DN'"
}
Else
{
    $directoryObjs = Get-ADObject -Filter { ObjectClass -like 'computer' } -SearchBase $OU -Properties UserCertificate
    Write-Verbose "Starting report for $($directoryObjs.Count) computer objects in OU '$OU'"
}

…with

# A global catalog is needed twice below: to resolve the object class of any DN in the forest, and for forest-wide searches
$gcFQDN = $(Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0]

# Retrieve Object Type Of DN
If ($DN -ne "PhantomRoot")
{
    # Escape the LDAP filter metacharacters (RFC 4515) so that a DN containing \ * ( ) still matches
    $ldapDN = $DN -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    # Search the whole forest (empty search base = phantom root) through the GC, so a DN from any AD domain resolves without a referral error.
    # Do not use Get-ADObject $DN (-Identity) here: a non-existing DN would then terminate the script with an error instead of returning nothing.
    $objectType = (Get-ADObject -LDAPFilter "(distinguishedName=$ldapDN)" -SearchBase "" -Server "$($gcFQDN):3268").objectClass
}
Else
{
    $objectType = "forestDNS" # Made up, not a real object class! It only marks a forest-wide search
    $DN = ""                  # Empty search base = phantom root, which is only valid against a global catalog
}

# Read AD object(s)
If ($objectType -eq "computer")
{
    # A single computer is read from a DC of its own AD domain, derived from the DC= components of its DN
    $domainFQDN = (($DN -split ',' | Where-Object { $_ -match '^DC=' }) -replace '^DC=','') -join '.'
    $directoryObjs = @(Get-ADObject $DN -Properties userCertificate -Server $domainFQDN)
    Write-Verbose "Starting report for a single object '$DN'"
}
ElseIf ($objectType -in "domainDNS","organizationalUnit","container","forestDNS")
{
    # One query through the GC (port 3268) covers every AD domain in the forest; userCertificate is in the partial attribute set
    $directoryObjs = @(Get-ADObject -LDAPFilter "(objectClass=computer)" -SearchBase $DN -Properties userCertificate -Server "$($gcFQDN):3268")
    $scope = If ($DN) { $DN } Else { "the complete AD forest (phantom root)" }
    Write-Verbose "Starting report for $($directoryObjs.Count) computer objects under '$scope'"
}
Else
{
    Write-Host "Specified DN '$DN'" -ForegroundColor Red
    Write-Host "Incorrect object type of specified DN or DN does not exist!" -ForegroundColor Red
    Write-Host "Aborting Script..." -ForegroundColor Red

    EXIT
}

UPDATE 2019-10-12: or get the updated version of the script from here

Hopefully this works for you in your AD environment!

Cheers,

Jorge


Posted in Active Directory Users And Computers, AD Queries, Azure AD Connect, Azure AD Join, Conditional Access, Windows Azure Active Directory, Windows Client, Windows Server

(2019-10-08) Azure AD Connect v1.4.18.0 Has Been Pulled Back

Posted by Jorge on 2019-10-08


Microsoft has pulled back Azure AD Connect version 1.4.18.0 due to issues encountered at some customers.

The current statement from Microsoft regarding this is:

We are investigating an incident where some customers are experiencing an issue with existing Hybrid Azure AD joined devices after upgrading to this version of Azure AD Connect. We advise customers who have deployed Hybrid Azure AD join to postpone upgrading to this version (v1.4.18.0) until the root cause of these issues is fully understood and mitigated. More information will be provided as soon as possible.

v1.4.25.0 is still available for auto upgrade only

v1.3.21.0 is again the most recent version for manual download.

More information: Azure AD Connect: Version release history

Cheers,

Jorge


Posted in Azure AD Connect, Windows Azure Active Directory

(2019-10-06) Examining Pending Export Deletions In Azure AD Connect

Posted by Jorge on 2019-10-06


If you know FIM/MIM, you also know that Azure AD Connect is based upon it under the hood. As described in Azure AD Connect sync: Prevent accidental deletes, Azure AD Connect allows you to configure a threshold that represents a normal/accepted number of deletions towards Azure AD. If only a few objects need investigating, you can easily click through them in the Synchronization Service Manager. But what if you need to investigate hundreds or thousands of pending deletions? Try doing that in the Synchronization Service Manager and you will go through a lot of pain! Is there an easier way? Fortunately, yes, so keep reading.

Now please be aware that if the number of pending deletions exceeds the deletion threshold, the complete export run to Azure AD is stopped (the run status shows stopped-deletion-threshold-exceeded), meaning no adds, updates or deletes reach Azure AD until you have either confirmed the deletes and lifted the threshold or fixed the cause. This prevents unintended mass deletions due to mistakes, bad configuration, etc.

To analyze those deletions, use the next steps.

  1. Logon to the ACTIVE (NON-Staging!) AAD Connect server (To determine the ACTIVE AAD Connect Server, see below!)
  2. Open a PowerShell Command Prompt Window and export the pending exports from the connector space that needs further analysis (see below)
  3. Parse the CS Export file to make it readable (see below) (PowerShell GridView Is Opened AND A CSV File Generated!)
  4. Either use the PowerShell GridView or the CSV to analyze the data being exported!
  5. For objects being deleted check if those still exist in AD and what the state is (see below)

[ad.1] Determine The Active AAD Connect Server

Open a PowerShell Command Prompt Window, and execute:

Import-Module ADSYNC

Get-ADSyncGlobalSettingsParameter | ?{$_.Name -eq "Microsoft.Synchronize.StagingMode"} | Select Name,Value

REMARK: If the VALUE is TRUE, then it is the Passive (staging) server; if the VALUE is FALSE or empty, then it is the Active (non-staging) server

[ad.2] Export The Pending Exports From The Connector Space That Needs Analysis

On The Active AAD Connect Server, open a PowerShell Command Prompt Window, and execute:

CD "C:\Program Files\Microsoft Azure AD Sync\Bin"
$csExportFolder = "C:\TEMP"
If (-not (Test-Path $csExportFolder)) { New-Item -Path $csExportFolder -ItemType Directory | Out-Null }
$connectorHT = @{}
Write-Host ""
Write-Host "+++ Available Connectors +++" -ForegroundColor Cyan
$connectorNr = 0
Get-ADSyncConnector | %{
    $connectorNr++
    $connectorHT[$connectorNr.ToString()] = $_.Name
    Write-Host "[$connectorNr] - $($_.Name)" -ForegroundColor Magenta
    Write-Host ""
}
$chosenConnectorNr = Read-Host "Please Choose The Connector By Typing Its Number"
$chosenConnectorName = $connectorHT[$chosenConnectorNr]
If (-not $chosenConnectorName) { Write-Host "Invalid choice '$chosenConnectorNr', aborting..." -ForegroundColor Red; Return }
$datetime = Get-Date -Format "yyyy-MM-dd_HH.mm.ss"
$csExportXMLFilepath = Join-Path $csExportFolder ($datetime + "_CS-" + $chosenConnectorName + "_PendingExports.xml")
# /f:x = only objects with a pending export. The call operator (&) is used instead of Invoke-Expression,
# so the connector name (which may contain spaces) is passed as one argument and is never re-parsed as PowerShell code
& .\csexport.exe $chosenConnectorName $csExportXMLFilepath /f:x
Write-Host ""
Write-Host "Export File.......: $csExportXMLFilepath" -ForegroundColor Cyan
Write-Host ""

[ad.3] Parse The CS Export XML File

On The Active AAD Connect Server, open a PowerShell Command Prompt Window, and execute:

CD "<Folder With Script>"

# Strip the .xml extension. TrimEnd(".xml") would strip any trailing '.', 'x', 'm' or 'l' characters, not the extension!
$csExportCSVFilepath = $csExportXMLFilepath -replace '\.xml$', ''

.\Parse-CS-Export-XML-To-CSV.ps1 -outToAll -sourceXMLfilePaths $csExportXMLFilepath -targetFilePath $csExportCSVFilepath

REMARK: the GridView will be opened automatically!


Figure 1: Results After Parsing The XML File(s) To A CSV

In the GridView or Excel, any value added or deleted, will be specified as such. Unchanged values are not listed

Figures 2 to 5: GridView Sample Output

REMARK: To reopen the GridView using the CSV file use the following command:

Import-CSV $($csExportCSVFilepath + ".csv") | Out-Gridview

or

Import-CSV "<CSV File Path>" | Out-Gridview

[ad.5a] Check Deleted USERS Against AD

$csExportCSV = Import-CSV $($csExportCSVFilepath + ".csv")
$gcFQDN = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0]
$objectListUsers = @()
$csExportCSV | ?{$_."Object-Type" -eq "user" -And $_."Ops-Type" -eq "delete"} | %{
    $immutableID = $_."Source-ID"
    $userPrincipalName = $_."AD-ID"

    # raboADImmutableID is the custom source anchor attribute of this environment; replace it with your own
    # source anchor (by default mS-DS-ConsistencyGuid, or objectGUID in older setups). Whatever you use must be in the partial attribute set!
    $ldapFilter = "(|(raboADImmutableID=$immutableID)(userPrincipalName=$userPrincipalName))"

    # Query a global catalog (phantom root) so that users from every AD domain in the forest are found; request only the attributes that are used
    $adObject = Get-ADObject -LDAPFilter $ldapFilter -SearchBase "" -Server "$($gcFQDN):3268" -Properties displayName,userAccountControl,canonicalName

    If ($adObject) {
        $displayName = $adObject.DisplayName
        # ADS_UF_ACCOUNTDISABLE (0x2) set in userAccountControl means the account is disabled
        $status = If (($adObject.userAccountControl -band 2) -eq 2) {"Disabled"} Else {"Enabled"}
        $canonicalName = $adObject.CanonicalName
    } Else {
        $displayName = "Unavailable"
        $status = "Unavailable"
        $canonicalName = "Unavailable"
    }

    $objectListUsers += [PSCustomObject]@{
        immutableID       = $immutableID
        userPrincipalName = $userPrincipalName
        displayName       = $displayName
        status            = $status
        canonicalName     = $canonicalName
    }
}
$objectListUsers | Out-GridView

REMARK: A Gridview will be opened automatically telling you the status of the object and if it exists in AD

[ad.5b] Check Deleted GROUPS Against AD

$csExportCSV = Import-CSV $($csExportCSVFilepath + ".csv")
$objectListGroups = @()
$csExportCSV | ?{$_."Object-Type" -eq "group" -And $_."Ops-Type" -eq "delete"} | %{
    $immutableID = $_."Source-ID"
    # AD-ID is in the form DOMAIN\sAMAccountName, so split it into the (NetBIOS) domain name and the sAMAccountName
    $domain, $sAMAccountName = $_."AD-ID" -split '\\', 2
    # raboADImmutableID is the custom source anchor attribute of this environment; use your own source anchor (by default mS-DS-ConsistencyGuid)
    $ldapFilter = "(|(raboADImmutableID=$immutableID)(sAMAccountName=$sAMAccountName))"
    # sAMAccountName is only unique within a domain, so query a DC of the group's own domain (-Server accepts the NetBIOS domain name)
    $adObject = Get-ADObject -LDAPFilter $ldapFilter -Server $domain -Properties displayName,canonicalName
    If ($adObject) {
        $displayName = $adObject.DisplayName
        $canonicalName = $adObject.CanonicalName
    } Else {
        $displayName = "Unavailable"
        $canonicalName = "Unavailable"
    }
    $objectListGroups += [PSCustomObject]@{
        immutableID    = $immutableID
        sAMAccountName = $sAMAccountName
        displayName    = $displayName
        canonicalName  = $canonicalName
    }
}
$objectListGroups | Out-GridView

REMARK: A Gridview will be opened automatically telling you the status of the object and if it exists in AD

[ad.5c] Check Deleted CONTACTS Against AD

# Convert a GUID into the escaped byte form an LDAP filter needs for objectGUID, e.g. \aa\bb\cc\dd\ee\ff\00\11\22\33\44\55\66\77\88\99
# [guid]::ToByteArray() already returns the bytes in the (little-endian) order AD stores in objectGUID, so no manual byte swapping is needed
Function GuidToEscapedByte([guid]$guid) {
    ($guid.ToByteArray() | %{ "\" + $_.ToString("x2") }) -join ""
}
$csExportCSV = Import-CSV $($csExportCSVFilepath + ".csv")
$gcFQDN = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0]
$objectListContacts = @()
$csExportCSV | ?{$_."Object-Type" -eq "contact" -And $_."Ops-Type" -eq "delete"} | %{
    $immutableID = $_."Source-ID"
    $mail = $_."AD-ID"
    # The source anchor of a contact is the base64 encoded objectGUID, so decode it back into a GUID.
    # If the value is not a valid base64 GUID, fall back to matching on the mail attribute only
    Try {
        $objectGUID = New-Object -TypeName System.Guid -ArgumentList (,[System.Convert]::FromBase64String($immutableID))
        $ldapFilter = "(|(objectGUID=$(GuidToEscapedByte $objectGUID))(mail=$mail))"
    } Catch {
        $ldapFilter = "(mail=$mail)"
    }
    # objectGUID and mail are both in the partial attribute set, so one GC query (phantom root) covers the complete forest
    $adObject = Get-ADObject -LDAPFilter $ldapFilter -SearchBase "" -Server "$($gcFQDN):3268" -Properties displayName,canonicalName
    If ($adObject) {
        $displayName = $adObject.DisplayName
        $canonicalName = $adObject.CanonicalName
    } Else {
        $displayName = "Unavailable"
        $canonicalName = "Unavailable"
    }
    $objectListContacts += [PSCustomObject]@{
        immutableID   = $immutableID
        mail          = $mail
        displayName   = $displayName
        canonicalName = $canonicalName
    }
}
$objectListContacts | Out-GridView

REMARK: A Gridview will be opened automatically telling you the status of the object and if it exists in AD

Now, assuming you have confirmed that all deletions are expected, you can disable the threshold or (temporarily) increase its value to allow the sync cycle to succeed. You need an Azure AD admin account with the Global Administrator role.

  • If needed elevate your account through https://portal.azure.com/ → Privileged Identity Management \ Azure AD Roles \ Global Administrator – Activate
  • On the active AAD Connect server, open a PowerShell Command prompt Window and execute:

$aadAdminCreds=Get-Credential

Get-ADSyncExportDeletionThreshold -AADCredential $aadAdminCreds

Disable-ADSyncExportDeletionThreshold -AADCredential $aadAdminCreds

REMARK: The sync engine may be running a sync cycle while you do that and you may receive an error. Just wait until the sync engine finishes.

  • As soon as the sync engine is not executing a sync cycle, execute:

Start-ADSyncSyncCycle -PolicyType Delta

  • As soon as that sync cycle has finished enable the threshold again using the previous value

Enable-ADSyncExportDeletionThreshold -DeletionThreshold <value> -AADCredential $aadAdminCreds
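The steps above are easy to get wrong under pressure: the scheduler may kick off a cycle while the threshold is disabled, or you may forget to re-enable it with the original value. The following is an added example (my own wrapper, not from the original post or from Microsoft) that performs the whole sequence on the active server: it pauses the scheduler, waits until the engine is idle, records the current threshold, disables it for exactly one delta cycle and restores it in a Finally block even if the cycle fails. The cmdlets used (Get-ADSyncScheduler, Set-ADSyncScheduler, Get-ADSyncConnectorRunStatus, Get/Disable/Enable-ADSyncExportDeletionThreshold, Start-ADSyncSyncCycle) exist in the ADSync module; the property name DeletionThreshold on the Get-ADSyncExportDeletionThreshold output and the function names are my assumptions.

```powershell
# Added example: lift the export deletion threshold for one delta sync cycle and always restore it afterwards
Import-Module ADSync

Function Wait-ADSyncIdle {
    # Get-ADSyncConnectorRunStatus returns one object per connector that is currently running; no output means the engine is idle
    Param([int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    While (Get-ADSyncConnectorRunStatus) {
        If ((Get-Date) -gt $deadline) { Throw "Sync engine still busy after $TimeoutMinutes minutes" }
        Start-Sleep -Seconds 15
    }
}

Function Invoke-DeltaSyncWithoutDeletionThreshold {
    Param([Parameter(Mandatory=$true)][PSCredential]$AADCredential)   # Azure AD Global Administrator

    # A staging server never exports, so lifting the threshold there is pointless: refuse to run
    If ((Get-ADSyncScheduler).StagingModeEnabled) { Throw "This is the staging server; run this on the ACTIVE AAD Connect server" }

    # Pause the built-in scheduler so no automatic cycle can start while the protection is off
    $schedulerWasEnabled = (Get-ADSyncScheduler).SyncCycleEnabled
    Set-ADSyncScheduler -SyncCycleEnabled $false
    Wait-ADSyncIdle

    $current = Get-ADSyncExportDeletionThreshold -AADCredential $AADCredential
    $originalThreshold = $current.DeletionThreshold -as [int]     # assumed property name, check the cmdlet output in your environment
    If (-not $originalThreshold) {
        Write-Warning "Could not read the current threshold, will restore Microsoft's default of 500"
        $originalThreshold = 500
    }
    Write-Host "Current export deletion threshold: $originalThreshold"

    Try {
        Disable-ADSyncExportDeletionThreshold -AADCredential $AADCredential
        Start-ADSyncSyncCycle -PolicyType Delta
        Start-Sleep -Seconds 10        # give the engine a moment to register the run before polling
        Wait-ADSyncIdle
    }
    Finally {
        # Always re-arm the protection, even when the cycle failed or the wait timed out
        Enable-ADSyncExportDeletionThreshold -DeletionThreshold $originalThreshold -AADCredential $AADCredential
        If ($schedulerWasEnabled) { Set-ADSyncScheduler -SyncCycleEnabled $true }
    }
}

# Usage, on the active AAD Connect server:
# Invoke-DeltaSyncWithoutDeletionThreshold -AADCredential (Get-Credential)
```

After the run, check the export step of the Azure AD connector in the Synchronization Service Manager: the deletes should have been exported and the threshold should show as enabled again with the original value.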

PS: this script also works for Pending Export Deletes in FIM/MIM and the script supports multiple source XML files (each for a different CS) as input files!

Ohhh, and I almost forgot! You can download the script from here!

Cheers,

Jorge


Posted in Azure AD Connect, Connector/MA, CSExport, Forefront Identity Manager (FIM) Sync, Microsoft Identity Manager (MIM), PowerShell, Tooling/Scripting, Tools, Windows Azure Active Directory

(2019-10-04) Azure AD Connect v1.4.25.0 Has Been Released

Posted by Jorge on 2019-10-04


Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

Azure AD Connect: Version Release History

1.4.25.0

Released: 09/28/2019

Released for auto-upgrade to select tenants. Not available for download

Prerequisites for Azure AD Connect

More information about Azure AD Connect

New Features And Improvements

  • N.A.

Fixed issues

  • Under certain circumstances, servers that were auto upgraded to version 1.4.18.0 did not re-enable Self-service password reset and Password Writeback after the upgrade was completed. This auto upgrade release fixes that issue and re-enables Self-service password reset and Password Writeback

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

On a side note, I once did experience that Password Writeback was disabled out of nowhere and not understanding how it happened. Asking colleagues about this, and although we did not expect anyone to deliberately disable this, we did suspect it occurred during the upgrade of AAD Connect. By the way, it is good to know that those features are disabled on the AAD Connect server being upgraded!

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2019-09-30) Azure AD Connect Version 1.4.x.0 And Higher DO NOT Support EA/DA Accounts For The ADDS Connector

Posted by Jorge on 2019-09-30


With version 1.4.X.0 and higher, it is no longer supported to use an Enterprise Admin or a Domain Admin account as the AD DS Connector account. YES!!! If you attempt to enter an account that is an Enterprise Admin or Domain Admin when specifying "use existing account", you will receive an error. Current installations already using an EA/DA account are not impacted by the upgrade, but it is strongly recommended to move away from using an EA/DA account anyway: the AD DS Connector account's credentials live on the Azure AD Connect server, so an EA/DA account there hands domain/forest control to whoever compromises that server. In other words, stop screwing around, create a regular user account and delegate only what is needed to that account. Guidance to delegate stuff to that regular account can be found through the following blog post: (2019-08-04) Required Permissions For Azure AD Connect

Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions

Figure 1: Error When Specifying An EA/DA Account For The ADDS Connector
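To find out whether an existing installation is still running its AD DS Connector with such an account (directly or through nested group membership), the script below can be run on the Azure AD Connect server. It is an added example and not code from the original post or from Microsoft: it reads the logon name the ADSync connector stores under its "forest-login-user"/"forest-login-domain" connectivity parameters, then compares the account's tokenGroups (the transitive group list computed by the DC) against the SIDs of Domain Admins (RID 512), Enterprise Admins (RID 519, forest root domain) and BUILTIN\Administrators. Only those three groups are checked; the placeholder-free code assumes the ADSync and ActiveDirectory modules are available.

```powershell
# Added example (not part of the original post): is the AD DS Connector account privileged?
Import-Module ADSync
Import-Module ActiveDirectory

function Get-AadcAdConnectorAccount {
    # One AD DS connector per connected forest; the stored logon is split over two connectivity parameters
    foreach ($connector in (Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq "AD" })) {
        [pscustomobject]@{
            Connector = $connector.Name
            Domain    = $connector.ConnectivityParameters["forest-login-domain"].Value
            User      = $connector.ConnectivityParameters["forest-login-user"].Value
        }
    }
}

function Test-PrivilegedConnectorAccount {
    param(
        [Parameter(Mandatory)][string]$Domain,   # domain the connector account lives in (as stored by the connector)
        [Parameter(Mandatory)][string]$User      # sAMAccountName of the connector account
    )
    $adDomain      = Get-ADDomain -Identity $Domain
    $domainSid     = $adDomain.DomainSID.Value
    $forestRootSid = (Get-ADDomain -Identity $adDomain.Forest).DomainSID.Value

    # Well-known RIDs: 512 = Domain Admins, 519 = Enterprise Admins (only exists in the forest root),
    # S-1-5-32-544 = BUILTIN\Administrators (which DA/EA are nested into by default)
    $privilegedSids = @{
        "$domainSid-512"     = "Domain Admins"
        "$forestRootSid-519" = "Enterprise Admins"
        "S-1-5-32-544"       = "BUILTIN\Administrators"
    }

    # tokenGroups is computed by the DC and already contains nested, universal and domain local groups,
    # so a DA account hidden behind a chain of group nestings is caught as well
    $account = Get-ADUser -Identity $User -Server $Domain -Properties tokenGroups
    $hits = foreach ($sid in $account.tokenGroups) {
        if ($privilegedSids.ContainsKey($sid.Value)) { $privilegedSids[$sid.Value] }
    }

    [pscustomobject]@{
        Account          = "$Domain\$User"
        PrivilegedGroups = @($hits)
        # $false means: not supported as connector account on 1.4.x and higher, migrate to a delegated account
        Supported        = (@($hits).Count -eq 0)
    }
}

Get-AadcAdConnectorAccount | ForEach-Object {
    Test-PrivilegedConnectorAccount -Domain $_.Domain -User $_.User
}
```

If Supported comes back as $false, create the delegated account first, grant it the permissions from the "Required Permissions For Azure AD Connect" post and only then switch the connector to it; the old EA/DA account keeps working until you do, which is exactly why it tends to linger.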

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2019-09-30) Azure AD Connect v1.4.18.0 Has Been Released

Posted by Jorge on 2019-09-30


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

Azure AD Connect: Version Release History

1.4.18.0

Released: 09/10/2019

Released for auto-upgrade and download

Prerequisites for Azure AD Connect

More information about Azure AD Connect

IMPORTANT:

With this version of Azure AD Connect some customers may see some or all of their Windows devices disappear from Azure AD. This is not a cause for concern, as these device identities are not used by Azure AD during conditional access authorization. For more information see Understanding Azure AD Connect 1.4.xx.x device disappearance

New Features And Improvements

  • New troubleshooting tooling helps troubleshoot "user not syncing", "group not syncing" or "group member not syncing" scenarios.
  • Add support for national clouds in AAD Connect troubleshooting script
  • Customers should be informed that the deprecated WMI endpoints for MIIS_Service have now been removed. Any WMI operations should now be done via PS cmdlets.
  • Security improvement by resetting constrained delegation on AZUREADSSOACC object
  • When adding/editing a sync rule, if there are any attributes used in the rule that are in the connector schema but not added to the connector, the attributes are automatically added to the connector. The same is true for the object type the rule affects. If anything is added to the connector, the connector will be marked for full import on the next sync cycle.
  • Using an Enterprise or Domain admin as the connector account is no longer supported in new AAD Connect Deployments. Current AAD Connect deployments using an Enterprise or Domain admin as the connector account will not be affected by this release.
  • In the Synchronization Manager a full sync is run on rule creation/edit/deletion. A popup will appear on any rule change notifying the user if full import or full sync is going to be run.
  • Added mitigation steps for password errors to ‘connectors > properties > connectivity’ page
  • Added a deprecation warning for the sync service manager on the connector properties page. This warning notifies the user that changes should be made through the AADC wizard.
  • Added new error for issues with a user’s password policy.
  • Prevent misconfiguration of group filtering by domain and OU filters. Group filtering will show an error when the domain/OU of the entered group is already filtered out and keep the user from moving forward until the issue is resolved.
  • Users can no longer create a connector for Active Directory Domain Services or Windows Azure Active Directory in the old UI.
  • Fixed accessibility of custom UI controls in the Sync Service Manager
  • Enabled six federation management tasks for all sign-in methods in Azure AD Connect. (Previously, only the “Update AD FS SSL certificate” task was available for all sign-ins.)
  • Added a warning when changing the sign-in method from federation to PHS or PTA that all Azure AD domains and users will be converted to managed authentication.
  • Removed token-signing certificates from the “Reset Azure AD and AD FS trust” task and added a separate sub-task to update these certificates.
  • Added a new federation management task called “Manage certificates” which has sub-tasks to update the SSL or token-signing certificates for the AD FS farm.
  • Added a new federation management sub-task called “Specify primary server” which allows administrators to specify a new primary server for the AD FS farm.
  • Added a new federation management task called “Manage servers” which has sub-tasks to deploy an AD FS server, deploy a Web Application Proxy server, and specify primary server.
  • Added a new federation management task called “View federation configuration” that displays the current AD FS settings. (Because of this addition, AD FS settings have been removed from the “Review your solution” page.)

Fixed issues

  • Resolved sync error issue for the scenario where a user object taking over its corresponding contact object has a self-reference (e.g. user is their own manager).
  • Help popups now show on keyboard focus.
  • For auto upgrade, if any conflicting app has been running for more than 6 hours, it is killed and the upgrade continues.
  • Limit the number of attributes a customer can select to 100 per object when selecting directory extensions. This will prevent the error from occurring during export as Azure has a maximum of 100 extension attributes per object.
  • Fixed a bug to make the AD Connectivity script more robust
  • Fixed a bug to make AADConnect install on a machine using an existing Named Pipes WCF service more robust.
  • Improved diagnostics and troubleshooting around group policies that do not allow the ADSync service to start when initially installed.
  • Fixed a bug where display name for a Windows computer was written incorrectly.
  • Fixed a bug where OS type for a Windows computer was written incorrectly.
  • Fixed a bug where non-Windows 10 computers were syncing unexpectedly. Note that the effect of this change is that non-Windows-10 computers that were previously synced will now be deleted. This does not affect any features as the sync of Windows computers is only used for Hybrid Azure AD domain join, which only works for Windows-10 devices.
  • Added several new (internal) cmdlets to the ADSync PowerShell module.

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle!

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2019-09-16) Azure AD Connect v1.4.X.0 Has Been Released

Posted by Jorge on 2019-09-16


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

Azure AD Connect: Version Release History

1.4.X.0 (The "X"-files version)

Released: 09/10/2019

Released for auto-upgrade only

Prerequisites for Azure AD Connect

More information about Azure AD Connect

IMPORTANT:

Previously, Windows down-level computers joined to on-prem AD were incorrectly getting synced to the cloud under some circumstances. As an example, the userCertificate attribute value for Windows down-level devices in AD is populated. But such devices in Azure AD always stayed in the “pending” state because these OS versions were not designed to be registered with Azure AD via AAD Sync. In this version of Azure AD Connect, AAD Sync will stop syncing Windows down-level computers to Azure AD and will also remove the previously incorrectly synced Windows down-level devices from Azure AD. Please note that this change will not delete any Windows down-level devices that were correctly registered with Azure AD by using the MSI package. Those devices will continue to work as expected for the purposes of device-based conditional access. Some customers may see some or all of their Windows down-level devices disappear from Azure AD. This is not a cause for concern, as these device identities were never actually used by Azure AD during conditional access authorization. Such customers may need to revisit https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan and get their Windows down-level devices registered correctly to ensure that such devices can fully participate in device-based conditional access. Note that if you see these deletes of down-level Computer/Device objects in Azure AD exceeding the Export Deletion Threshold, it is advised that the customer allow these deletes to go through

New Features And Improvements

  • New troubleshooting tooling helps troubleshoot "user not syncing", "group not syncing" or "group member not syncing" scenarios.
  • Add support for national clouds in AAD Connect troubleshooting script
  • Customers should be informed that the deprecated WMI endpoints for MIIS_Service have now been removed. Any WMI operations should now be done via PS cmdlets.
  • Security improvement by resetting constrained delegation on AZUREADSSOACC object
  • When adding/editing a sync rule, if there are any attributes used in the rule that are in the connector schema but not added to the connector, the attributes are automatically added to the connector. The same is true for the object type the rule affects. If anything is added to the connector, the connector will be marked for full import on the next sync cycle.
  • Using an Enterprise or Domain admin as the connector account is no longer supported.
  • In the Synchronization Manager a full sync is run on rule creation/edit/deletion. A popup will appear on any rule change notifying the user if full import or full sync is going to be run.
  • Added mitigation steps for password errors to ‘connectors > properties > connectivity’ page
  • Added a deprecation warning for the sync service manager on the connector properties page. This warning notifies the user that changes should be made through the AADC wizard.
  • Added new error for issues with a user’s password policy.
  • Prevent misconfiguration of group filtering by domain and OU filters. Group filtering will show an error when the domain/OU of the entered group is already filtered out and keep the user from moving forward until the issue is resolved.
  • Users can no longer create a connector for Active Directory Domain Services or Windows Azure Active Directory in the old UI.
  • Fixed accessibility of custom UI controls in the Sync Service Manager
  • Enabled six federation management tasks for all sign-in methods in Azure AD Connect. (Previously, only the “Update AD FS SSL certificate” task was available for all sign-ins.)
  • Added a warning when changing the sign-in method from federation to PHS or PTA that all Azure AD domains and users will be converted to managed authentication.
  • Removed token-signing certificates from the “Reset Azure AD and AD FS trust” task and added a separate sub-task to update these certificates.
  • Added a new federation management task called “Manage certificates” which has sub-tasks to update the SSL or token-signing certificates for the AD FS farm.
  • Added a new federation management sub-task called “Specify primary server” which allows administrators to specify a new primary server for the AD FS farm.
  • Added a new federation management task called “Manage servers” which has sub-tasks to deploy an AD FS server, deploy a Web Application Proxy server, and specify primary server.
  • Added a new federation management task called “View federation configuration” that displays the current AD FS settings. (Because of this addition, AD FS settings have been removed from the “Review your solution” page.)

Fixed issues

  • Resolved sync error issue for the scenario where a user object taking over its corresponding contact object has a self-reference (e.g. user is their own manager).
  • Help popups now show on keyboard focus.
  • For auto upgrade, if any conflicting app has been running for more than 6 hours, it is killed and the upgrade continues.
  • Limit the number of attributes a customer can select to 100 per object when selecting directory extensions. This will prevent the error from occurring during export as Azure has a maximum of 100 extension attributes per object.
  • Fixed a bug to make the AD Connectivity script more robust
  • Fixed a bug to make AADConnect install on a machine using an existing Named Pipes WCF service more robust.
  • Improved diagnostics and troubleshooting around group policies that do not allow the ADSync service to start when initially installed.
  • Fixed a bug where display name for a Windows computer was written incorrectly.
  • Fixed a bug where OS type for a Windows computer was written incorrectly.
  • Fixed a bug where non-Windows 10 computers were syncing unexpectedly. Note that the effect of this change is that non-Windows-10 computers that were previously synced will now be deleted. This does not affect any features as the sync of Windows computers is only used for Hybrid Azure AD domain join, which only works for Windows-10 devices.
  • Added several new (internal) cmdlets to the ADSync PowerShell module.

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2019-08-04) Required Permissions For Azure AD Connect

Posted by Jorge on 2019-08-04


The document Azure AD Connect: Accounts and permissions provides information on which accounts require which permissions. One thing that is certain is that I would NEVER install Azure AD Connect using the Express Installation option. Why? The AD Connector account ends up with domain/enterprise admin permissions, which is TOO MUCH to give away.

In addition, my recommendations are:

  • Do not use Express Install
  • Use a gMSA where possible for the Azure AD Connect Sync Service
  • Assign a custom made user account for the AD Connector Account (a.k.a. AD MA account) with a very long (strong) password, and make sure you audit/monitor changes to this account, as it may be very powerful when configured to support PHS (it can then replicate password hashes, i.e. "DCSync") and/or when it is granted permissions on the AdminSDHolder object
  • Delegate permissions to the AD Connector Account instead of “give it all”. See below for a non-exhaustive list of delegations

Active Directory – Permissions:

For every permissioned object the table lists the assigned/required permission, the security principal using the permission (always the AD Connector Account) and a suggestion for how to assign it (directly, or through a security group the AD Connector Account is a member of).

Permissioned Object: DC=<DOMAIN>,DC=<TLD> (domain root, on any domain)
Assigned/Required Permission:
* "Allow:Replicating Directory Changes" for "This Object Only"
* "Allow:Replicating Directory Changes ALL" for "This Object Only" (only needed for PHS!)
Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
Permission Assigned Through (Just A Suggestion!): <DOMAIN>\<AD Group For DS Repl Changes> (security group) and <DOMAIN>\<AD Group For DS Repl Changes All> (security group)

Permissioned Object: CN=RegisteredDevices,DC=<DOMAIN>,DC=<TLD>
Assigned/Required Permission:
* "Allow:Full Control" for "Descendant msDS-Device Objects" (only needed for device writeback!)
* "Allow:Create msDS-Device Objects" for "This Object Only" (only needed for device writeback!)
* "Allow:Delete msDS-Device Objects" for "This Object Only" (only needed for device writeback!)
Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
Permission Assigned Through (Just A Suggestion!): Directly

Permissioned Object: CN=AdminSDHolder,CN=System,DC=<DOMAIN>,DC=<TLD> (on the AdminSDHolder object of any domain)
Assigned/Required Permission:
* "Allow:Read/Write On <Immutable ID Attribute>" (only needed to manage "admin" objects)
* "Allow:Read/Write On msDS-ExternalDirectoryObjectId" (only needed to manage "admin" objects)
* "Allow:Read/Write On pwdLastSet" (only needed for Password Writeback/SSPR for "admin" accounts!)
* "Allow:Password Reset" (only needed for Password Writeback/SSPR for "admin" accounts!)
* "Allow:Read/Write On lockoutTime" (only needed for Password Writeback/SSPR for "admin" accounts!)
Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
Permission Assigned Through (Just A Suggestion!): Directly

Permissioned Object: <On Any Domain At Domain Level>
Assigned/Required Permission:
* "Allow:Read/Write On <Immutable ID Attribute>" for "Descendant user Objects"
* "Allow:Read/Write On msDS-ExternalDirectoryObjectId" for "Descendant user Objects" (only needed for Hybrid Exchange!)
* "Allow:Read/Write On msExchArchiveStatus" for "Descendant user Objects" (only needed for Hybrid Exchange!)
* "Allow:Read/Write On msExchBlockedSendersHash" for "Descendant user Objects" (only needed for Hybrid Exchange!)
* "Allow:Read/Write On msExchSafeRecipientsHash" for "Descendant user Objects" (only needed for Hybrid Exchange!)
* "Allow:Read/Write On msExchSafeSendersHash" for "Descendant user Objects" (only needed for Hybrid Exchange!)
* "Allow:Read/Write On msExchUCVoiceMailSettings" for "Descendant user Objects" (only needed for Hybrid Exchange!)
* "Allow:Read/Write On msExchUserHoldPolicies" for "Descendant user Objects" (only needed for Hybrid Exchange!)
* "Allow:Read/Write On proxyAddresses" for "Descendant user Objects" (only needed for Hybrid Exchange!)
* "Allow:Read/Write On publicDelegates" for "Descendant user Objects" (only needed for Hybrid Exchange!)
* "Allow:Read/Write On msDS-KeyCredentialLink" for "Descendant user Objects" (only needed for Windows Hello for Business)
Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
Permission Assigned Through (Just A Suggestion!): <DOMAIN>\<AD Group For Writeback Attributes> (security group)

Permissioned Object: <On Any Domain At Domain Level>
Assigned/Required Permission:
* "Allow:Read/Write On <Immutable ID Attribute>" for "Descendant group Objects"
* "Allow:Read/Write On proxyAddresses" for "Descendant group Objects" (only needed for Hybrid Exchange!)
Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
Permission Assigned Through (Just A Suggestion!): <DOMAIN>\<AD Group For Writeback Attributes> (security group)

Permissioned Object: <On Any Domain At Domain Level>
Assigned/Required Permission:
* "Allow:Read/Write On lockoutTime" for "Descendant user Objects" (only needed for Password Writeback/SSPR!)
Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
Permission Assigned Through (Just A Suggestion!): <DOMAIN>\<AD Group For Writeback Password Or Just Account Unlock> (security group)

Permissioned Object: <On Any Domain At Domain Level>
Assigned/Required Permission:
* "Allow:Read/Write On pwdLastSet" for "Descendant user Objects" (only needed for Password Writeback/SSPR!)
* "Allow:Password Reset" for "Descendant user Objects" (only needed for Password Writeback/SSPR!)
Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
Permission Assigned Through (Just A Suggestion!): <DOMAIN>\<AD Group For Writeback Password Or Just Password Reset> (security group)

Permissioned Object: <On Any Domain At Domain Level>
Assigned/Required Permission:
* "Allow:Read/Write On proxyAddresses" for "Descendant contact Objects" (only needed for Hybrid Exchange!)
Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
Permission Assigned Through (Just A Suggestion!): <DOMAIN>\<AD Group For Writeback Attributes> (security group)

REMARK: to configure the required permissions at domain level for any domain so that the AD MA/Connector can sync (write) into AD for user, group and contact objects, the following commands can be used (make sure to customize as needed for your environment!!!). The commands call DSACLS.EXE directly instead of building a command string for Invoke-Expression: inside a double-quoted PowerShell string a sequence like "$group:CA;..." is parsed as a scope/drive-qualified variable (variable "CA" in scope "$group"), so the string-built variant never produced the intended "<principal>:CA;..." argument, and piping the result to Out-Null also hid every DSACLS error. Two other corrections compared to what you may have seen before: the second generic grant is "Replicating Directory Changes All" (not "Replicating Directory Changes" twice), and the control access right for "admin" accounts goes on the AdminSDHolder object (the domain root ACE would never reach protected objects, as SDProp disables inheritance on them).

# CONSTANTS (customize for your environment!)
$dcFQDN    = "<FQDN Of The Nearest RWDC Of Domain>"
$domainDN  = "<Domain Distinguished Name>"
$domainNBT = "<Domain NetBIOS Name>"
$aadConnectADConnectorAccount = "$domainNBT\<AD Connector Account>"
$dsReplChangesSecPrinc        = "$domainNBT\<AD Group For DS Repl Changes>"
$dsReplChangesAllSecPrinc     = "$domainNBT\<AD Group For DS Repl Changes All>"
$dnContainerUserObjects                        = "<DN of Container/OU With User Objects>"
$aadConnectWritebackAttributesUsersSecPrinc    = "$domainNBT\<AD Group For Writeback Attributes Users>"
$aadConnectWritebackPasswordUsersSecPrinc      = "$domainNBT\<AD Group For Writeback Password Users>"
$dnContainerGroupObjects                       = "<DN of Container/OU With Group Objects>"
$aadConnectWritebackAttributesGroupsSecPrinc   = "$domainNBT\<AD Group For Writeback Attributes Groups>"
$dnContainerContactObjects                     = "<DN of Container/OU With Contact Objects>"
$aadConnectWritebackAttributesContactsSecPrinc = "$domainNBT\<AD Group For Writeback Attributes Contacts>"

# HELPER: grant one ACE with DSACLS.EXE and stop on the first failure
# $Permission uses the DSACLS syntax "<perms>[;<attribute or control access right>[;<object class>]]", e.g. "RPWP;proxyAddresses;user"
# $Inheritance is "" (this object only), "S" (sub-objects only) or "T" (this object and sub-objects)
function Grant-DsAcl {
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][string]$Principal,
        [Parameter(Mandatory)][string]$Permission,
        [string]$Inheritance = ""
    )
    $dsaclsArgs = @("\\$dcFQDN\$ObjectDN", "/G", "${Principal}:$Permission")
    if ($Inheritance) { $dsaclsArgs += "/I:$Inheritance" }
    $output = & dsacls.exe @dsaclsArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "DSACLS failed on '$ObjectDN' for '$Principal' ($Permission): $output" }
}

# GENERIC (domain root, this object only)
Grant-DsAcl $domainDN $dsReplChangesSecPrinc    "CA;Replicating Directory Changes"
Grant-DsAcl $domainDN $dsReplChangesAllSecPrinc "CA;Replicating Directory Changes All"   # only needed for PHS!

# DEVICE WRITEBACK (DSACLS takes the schema/LDAP display name of the class, msDS-Device, not the UI label "msDS-Device Objects")
Grant-DsAcl "CN=RegisteredDevices,$domainDN" $aadConnectADConnectorAccount "GA;;msDS-Device" "S"   # Full Control on descendant msDS-Device objects
Grant-DsAcl "CN=RegisteredDevices,$domainDN" $aadConnectADConnectorAccount "CCDC;msDS-Device"      # Create/Delete msDS-Device child objects, this object only

# FOR ADMINSDHOLDER PROTECTED OBJECTS (SDProp stamps this DACL onto the protected "admin" objects, so no inheritance flag is needed)
Grant-DsAcl "CN=AdminSDHolder,CN=System,$domainDN" $aadConnectADConnectorAccount "RPWP;<Attribute To Write To>"
Grant-DsAcl "CN=AdminSDHolder,CN=System,$domainDN" $aadConnectADConnectorAccount "CA;<CAR>"

# FOR USER ACCOUNTS: GENERIC, HYBRID EXCHANGE AND WINDOWS HELLO FOR BUSINESS (attribute writeback, descendant user objects)
$userWritebackAttributes = @(
    "<Immutable ID Attribute>", "msDS-ExternalDirectoryObjectId",                   # generic
    "msExchArchiveStatus", "msExchBlockedSendersHash", "msExchSafeRecipientsHash",   # Hybrid Exchange
    "msExchSafeSendersHash", "msExchUCVoiceMailSettings", "msExchUserHoldPolicies",
    "proxyAddresses", "publicDelegates",
    "msDS-KeyCredentialLink"                                                         # Windows Hello for Business
)
foreach ($attribute in $userWritebackAttributes) {
    Grant-DsAcl $dnContainerUserObjects $aadConnectWritebackAttributesUsersSecPrinc "RPWP;$attribute;user" "S"
}

# FOR USER ACCOUNTS PASSWORD WRITEBACK/SSPR
foreach ($attribute in @("lockoutTime", "pwdLastSet")) {
    Grant-DsAcl $dnContainerUserObjects $aadConnectWritebackPasswordUsersSecPrinc "RPWP;$attribute;user" "S"
}
Grant-DsAcl $dnContainerUserObjects $aadConnectWritebackPasswordUsersSecPrinc "CA;Reset Password;user" "S"

# FOR GROUP OBJECTS GENERIC AND HYBRID EXCHANGE
foreach ($attribute in @("<Immutable ID Attribute>", "proxyAddresses")) {
    Grant-DsAcl $dnContainerGroupObjects $aadConnectWritebackAttributesGroupsSecPrinc "RPWP;$attribute;group" "S"
}

# FOR CONTACT OBJECTS HYBRID EXCHANGE
Grant-DsAcl $dnContainerContactObjects $aadConnectWritebackAttributesContactsSecPrinc "RPWP;proxyAddresses;contact" "S"
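Granting is only half of the job; the bullet list above also asks you to audit what the AD Connector Account ends up with. The script below is an added example (not part of the original post) that reads the DACLs back with the ActiveDirectory module and checks three things: who holds the two replication rights on the domain root (the "DCSync" rights, GUIDs 1131f6aa-... and 1131f6ad-...), what exactly the AAD Connect principals hold on each container from the table, and whether any of them got Full Control, WriteDacl or WriteOwner, which the table never requires except for Full Control on descendant msDS-Device objects. The principal names, the approved-DCSync-holder list and the container DNs in <...> are placeholders to customize; attribute and extended-right GUIDs are resolved to names from the schema and the Extended-Rights container so the output is readable.

```powershell
# Added example (not from the original post): audit the DACLs the delegation above produced
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext

# Placeholders (assumption): the principals the post delegates to, and who may legitimately DCSync.
# The built-in defaults (Administrators, Domain Controllers, Enterprise Domain Controllers) belong in the approved list.
$aadConnectPrincipals = @(
    "<DOMAIN>\<AD Connector Account>",
    "<DOMAIN>\<AD Group For DS Repl Changes>",
    "<DOMAIN>\<AD Group For DS Repl Changes All>",
    "<DOMAIN>\<AD Group For Writeback Attributes>",
    "<DOMAIN>\<AD Group For Writeback Password Or Just Account Unlock>",
    "<DOMAIN>\<AD Group For Writeback Password Or Just Password Reset>"
)
$approvedDcSyncHolders = @(
    "BUILTIN\Administrators", "<DOMAIN>\Domain Controllers", "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS",
    "<DOMAIN>\<AD Group For DS Repl Changes>", "<DOMAIN>\<AD Group For DS Repl Changes All>"
)
$containersToAudit = @(
    $domainDN,
    "CN=RegisteredDevices,$domainDN",
    "CN=AdminSDHolder,CN=System,$domainDN",
    "<DN of Container/OU With User Objects>",
    "<DN of Container/OU With Group Objects>",
    "<DN of Container/OU With Contact Objects>"
)

# GUID -> name map: attributes/classes from the schema NC, control access rights from Extended-Rights
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(schemaIDGUID=*)" -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter "(objectClass=controlAccessRight)" -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

$dsReplChanges    = [guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes
$dsReplChangesAll = [guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes-All (password hashes)
$adRights = [System.DirectoryServices.ActiveDirectoryRights]

function Resolve-AceGuid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty) { return "(all)" }
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()
}

function Get-ExplicitAllowAces {
    # Explicit (non-inherited) Allow ACEs on one object; inherited ACEs are reported where they are defined
    param([Parameter(Mandatory)][string]$ObjectDN)
    (Get-Acl -Path "AD:\$ObjectDN").Access |
        Where-Object { $_.AccessControlType -eq "Allow" -and -not $_.IsInherited } |
        ForEach-Object {
            $rights    = $_.ActiveDirectoryRights
            $appliesTo = Resolve-AceGuid $_.InheritedObjectType   # object class the ACE is scoped to, or (all)
            $fullControl = (($rights -band $adRights::GenericAll) -eq $adRights::GenericAll)
            $canRewriteAcl = ((($rights -band $adRights::WriteDacl) -ne 0) -or (($rights -band $adRights::WriteOwner) -ne 0))
            [pscustomobject]@{
                Object      = $ObjectDN
                Principal   = $_.IdentityReference.Value
                Rights      = $rights.ToString()
                ObjectType  = Resolve-AceGuid $_.ObjectType        # attribute / extended right, or (all)
                AppliesTo   = $appliesTo
                Inheritance = $_.InheritanceType.ToString()
                IsDcSync    = ($_.ObjectType -eq $dsReplChanges -or $_.ObjectType -eq $dsReplChangesAll)
                # Full Control is only expected on descendant msDS-Device objects (device writeback)
                IsDangerous = ($canRewriteAcl -or ($fullControl -and $appliesTo -ne "msDS-Device"))
            }
        }
}

$report = foreach ($dn in $containersToAudit) { Get-ExplicitAllowAces -ObjectDN $dn }

# 1) Who can DCSync? Anyone outside the approved list is a finding.
$report | Where-Object { $_.IsDcSync -and ($approvedDcSyncHolders -notcontains $_.Principal) } |
    ForEach-Object { Write-Warning "Unexpected replication right: $($_.Principal) holds '$($_.ObjectType)' on $($_.Object)" }

# 2) What do the AAD Connect principals hold? Compare against the table, line by line.
$report | Where-Object { $aadConnectPrincipals -contains $_.Principal } |
    Sort-Object Object, Principal | Format-Table Object, Principal, Rights, ObjectType, AppliesTo, Inheritance -AutoSize

# 3) Over-delegation: Full Control / WriteDacl / WriteOwner on anything but msDS-Device objects.
$report | Where-Object { $_.IsDangerous -and ($aadConnectPrincipals -contains $_.Principal) } |
    ForEach-Object { Write-Warning "Over-delegated: $($_.Principal) has $($_.Rights) on $($_.Object) (applies to $($_.AppliesTo))" }
```

Run it once right after delegating (the output of step 2 should match the table exactly) and then on a schedule: a new principal showing up in step 1 is the classic sign of a DCSync backdoor, and the AD Connector Account gaining rights it never needed is the sign of someone "fixing" a sync error the quick way.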

Azure Active Directory Permissions:

An Azure AD account with the "Global Administrator" role is needed to configure the AAD Sync server during installation and at any subsequent (re)configuration moment. This account may be enabled for MFA, but in that case cookies and JavaScript must be allowed on the server.

Hope this helps you!

Cheers,

Jorge


Posted in Azure AD Connect, Windows Azure Active Directory | 4 Comments »

(2019-05-16) Azure AD Connect v1.3.21.0 Has Been Released

Posted by Jorge on 2019-05-16


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

IMPORTANT

There is a known issue with upgrading Azure AD Connect from an earlier version to 1.3.21.0 where the O365 portal (https://admin.microsoft.com/AdminPortal/Home#/dirsyncmanagement) does not reflect the updated version even though Azure AD Connect upgraded successfully.

To resolve this you need to import the ADSync module and then run the Set-ADSyncDirSyncConfiguration PowerShell cmdlet on the Azure AD Connect server. You can use the following steps:

  1. Open PowerShell in administrator mode
  2. Run Import-Module "ADSync"
  3. Run Set-ADSyncDirSyncConfiguration -AnchorAttribute ""

REMARK: Below you can see the last directory sync and the last password sync occurred a few days ago and it is issuing a warning. The reason for that is that I turned my VMs off as I was not using them for a few days.

[Figure 1: Dir Sync Status In The Office Portal]

Download "Microsoft Azure Active Directory Connect"

Azure AD Connect: Version Release History

1.3.21.0

Released: 05/14/2019

Released for download

Prerequisites for Azure AD Connect

More information about Azure AD Connect

New Features And Improvements

  • N.A.

Fixed issues

  • Fixed an elevation of privilege vulnerability that exists in Microsoft Azure Active Directory Connect build 1.3.20.0. This vulnerability, under certain conditions, may allow an attacker to execute two PowerShell cmdlets in the context of a privileged account, and perform privileged actions. This security update addresses the issue by disabling these cmdlets. For more information see security update.
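The following script ties together the portal-status workaround from the IMPORTANT section above and the build check that the fixed-issue note makes worthwhile. It is an added example, not code from this post or from Microsoft: it assumes it runs in an elevated PowerShell session on the Azure AD Connect server where the ADSync module is installed, and it assumes the product registers itself in the Uninstall registry entries under the display name "Microsoft Azure AD Connect" (an assumption; adjust the filter if your server shows a different name). The build numbers 1.3.20.0 and 1.3.21.0 come from the release notes above.

```powershell
# Added example (not from the post or from Microsoft): confirm the installed
# Azure AD Connect build, then apply the post's workaround for the O365 portal
# still showing the pre-upgrade version after moving to 1.3.21.0.
# Run on the Azure AD Connect server in an elevated PowerShell session.

$FixedBuild    = [version]'1.3.21.0'   # build that disables the two affected cmdlets
$AffectedBuild = [version]'1.3.20.0'   # build named in the 1.3.21.0 release notes

# Step 1 of the post requires an elevated session; fail early if it is not.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell session.'
}

# Read the installed build from the Uninstall registry entries.
# Assumption: the product is listed there as "Microsoft Azure AD Connect".
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
    Select-Object -First 1

if (-not $product) {
    throw 'Azure AD Connect does not appear to be installed on this machine.'
}
$installed = [version]$product.DisplayVersion
Write-Host ('Installed Azure AD Connect build: {0}' -f $installed)

# Report the security-relevant state before touching the configuration.
if ($installed -eq $AffectedBuild) {
    Write-Warning ('Build {0} is the build named in the 1.3.21.0 release notes; upgrade first.' -f $AffectedBuild)
} elseif ($installed -lt $FixedBuild) {
    Write-Warning ('Build {0} predates {1}; the security fix shipped in {1} is not present.' -f $installed, $FixedBuild)
} else {
    Write-Host ('Build {0} is at or above {1}.' -f $installed, $FixedBuild)
}

# Steps 2 and 3 of the post: load the sync module and re-apply the DirSync
# configuration so the portal picks up the upgraded version.
Import-Module 'ADSync' -ErrorAction Stop
Set-ADSyncDirSyncConfiguration -AnchorAttribute ""

# Show the scheduler state afterwards so you can confirm a sync cycle will run
# (the post's REMARK shows the portal warning when no recent cycle has completed).
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, StagingModeEnabled, NextSyncCycleStartTimeInUTC, AllowedSyncCycleInterval
```

Run it once after the upgrade, then refresh the dirsync management page in the O365 portal; if the scheduler output shows SyncCycleEnabled as False or a server in staging mode, the portal's "last sync" fields will keep aging regardless of the version fix.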

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle!

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Azure AD Connect, Windows Azure Active Directory
