Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Azure AD Connect’ Category

(2019-09-16) Azure AD Connect v1.4.X.0 Has Been Released

Posted by Jorge on 2019-09-16


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

Azure AD Connect: Version Release History

1.4.X.0 (The “X”-files version)

Released: 09/10/2019

Released for auto-upgrade only

Prerequisites for Azure AD Connect

More information about Azure AD Connect

New Features And Improvements

  • New troubleshooting tooling helps troubleshoot "user not syncing", "group not syncing" or "group member not syncing" scenarios.
  • Add support for national clouds in AAD Connect troubleshooting script
  • Customers should be informed that the deprecated WMI endpoints for MIIS_Service have now been removed. Any WMI operations should now be done via PS cmdlets.
  • Security improvement by resetting constrained delegation on AZUREADSSOACC object
  • When adding/editing a sync rule, if there are any attributes used in the rule that are in the connector schema but not yet added to the connector, those attributes are automatically added to the connector. The same is true for the object type the rule affects. If anything is added to the connector, the connector will be marked for full import on the next sync cycle.
  • Using an Enterprise or Domain admin as the connector account is no longer supported.
  • In the Synchronization Manager a full sync is run on rule creation/edit/deletion. A popup will appear on any rule change notifying the user if full import or full sync is going to be run.
  • Added mitigation steps for password errors to ‘connectors > properties > connectivity’ page
  • Added a deprecation warning for the sync service manager on the connector properties page. This warning notifies the user that changes should be made through the AADC wizard.
  • Added new error for issues with a user’s password policy.
  • Prevent misconfiguration of group filtering by domain and OU filters. Group filtering will show an error when the domain/OU of the entered group is already filtered out and keep the user from moving forward until the issue is resolved.
  • Users can no longer create a connector for Active Directory Domain Services or Windows Azure Active Directory in the old UI.
  • Fixed accessibility of custom UI controls in the Sync Service Manager
  • Enabled six federation management tasks for all sign-in methods in Azure AD Connect. (Previously, only the “Update AD FS SSL certificate” task was available for all sign-ins.)
  • Added a warning when changing the sign-in method from federation to PHS or PTA that all Azure AD domains and users will be converted to managed authentication.
  • Removed token-signing certificates from the “Reset Azure AD and AD FS trust” task and added a separate sub-task to update these certificates.
  • Added a new federation management task called “Manage certificates” which has sub-tasks to update the SSL or token-signing certificates for the AD FS farm.
  • Added a new federation management sub-task called “Specify primary server” which allows administrators to specify a new primary server for the AD FS farm.
  • Added a new federation management task called “Manage servers” which has sub-tasks to deploy an AD FS server, deploy a Web Application Proxy server, and specify primary server.
  • Added a new federation management task called “View federation configuration” that displays the current AD FS settings. (Because of this addition, AD FS settings have been removed from the “Review your solution” page.)

Fixed issues

  • Resolved sync error issue for the scenario where a user object taking over its corresponding contact object has a self-reference (e.g. user is their own manager).
  • Help popups now show on keyboard focus.
  • For auto-upgrade, if any conflicting app has been running for 6 hours, kill it and continue with the upgrade.
  • Limit the number of attributes a customer can select to 100 per object when selecting directory extensions. This will prevent the error from occurring during export as Azure has a maximum of 100 extension attributes per object.
  • Fixed a bug to make the AD Connectivity script more robust
  • Fixed a bug to make AADConnect install on a machine using an existing Named Pipes WCF service more robust.
  • Improved diagnostics and troubleshooting around group policies that do not allow the ADSync service to start when initially installed.
  • Fixed a bug where display name for a Windows computer was written incorrectly.
  • Fix a bug where OS type for a Windows computer was written incorrectly.
  • Fixed a bug where non-Windows 10 computers were syncing unexpectedly. Note that the effect of this change is that non-Windows-10 computers that were previously synced will now be deleted. This does not affect any features as the sync of Windows computers is only used for Hybrid Azure AD domain join, which only works for Windows-10 devices.
  • Added several new (internal) cmdlets to the ADSync PowerShell module.

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-


Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2019-08-04) Required Permissions For Azure AD Connect

Posted by Jorge on 2019-08-04


The document Azure AD Connect: Accounts and permissions provides information on which accounts require which permissions. One thing that is certain is that I would NEVER install Azure AD Connect using the Express Installation option. Why? The AD Connector account ends up with domain/enterprise admin permissions, which is TOO MUCH to give away.

In addition, my recommendations are:

  • Do not use Express Install
  • Use a gMSA where possible for the Azure AD Connect Sync Service
  • Assign a custom-made user account as the AD Connector Account (a.k.a. AD MA account) with a very long (strong) password, and make sure you audit/monitor changes to this account, as it may be very powerful when configured to support PHS and/or configured on the AdminSDHolder object
  • Delegate permissions to the AD Connector Account instead of “give it all”. See below for a non-exhaustive list of delegations

Active Directory – Permissions:

Each entry below gives, in the order of the original table columns: the permissioned object, the assigned/required permission, the security principal using the permission, and the way the permission is assigned (just a suggestion!).

Permissioned Object: DC=<DOMAIN>,DC=<TLD>
  • Assigned/Required Permission:
    * “Allow:Replicating Directory Changes” for “This Object Only”
    * “Allow:Replicating Directory Changes ALL” for “This Object Only” (only needed for PHS!)
  • Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
  • Permission Assigned Through (Just A Suggestion!): <DOMAIN>\<AD Group For DS Repl Changes> (security group) for the first permission, <DOMAIN>\<AD Group For DS Repl Changes All> (security group) for the second

Permissioned Object: CN=RegisteredDevices,DC=<DOMAIN>,DC=<TLD>
  • Assigned/Required Permission (only needed for device writeback!):
    * “Allow:Full Control” for “Descendant msDS-Device Objects”
    * “Allow:Create msDS-Device Objects” for “This Object Only”
    * “Allow:Delete msDS-Device Objects” for “This Object Only”
  • Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
  • Permission Assigned Through (Just A Suggestion!): Directly

Permissioned Object: CN=AdminSDHolder,CN=System,DC=<DOMAIN>,DC=<TLD> (on the AdminSDHolder object of any domain)
  • Assigned/Required Permission:
    * “Allow:Read/Write On <Immutable ID Attribute>” (only needed to manage “admin” objects)
    * “Allow:Read/Write On msDS-ExternalDirectoryObjectId” (only needed to manage “admin” objects)
    * “Allow:Read/Write On pwdLastSet” (only needed for Password Writeback/SSPR for “admin” accounts!)
    * “Allow:Password Reset” (only needed for Password Writeback/SSPR for “admin” accounts!)
    * “Allow:Read/Write On lockoutTime” (only needed for Password Writeback/SSPR for “admin” accounts!)
  • Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
  • Permission Assigned Through (Just A Suggestion!): Directly

Permissioned Object: <On Any Domain At Domain Level>
  • Assigned/Required Permission:
    * “Allow:Read/Write On <Immutable ID Attribute>” for “Descendant user Objects”
    * “Allow:Read/Write On msDS-ExternalDirectoryObjectId” for “Descendant user Objects” (only needed for Hybrid Exchange!)
    * “Allow:Read/Write On msExchArchiveStatus” for “Descendant user Objects” (only needed for Hybrid Exchange!)
    * “Allow:Read/Write On msExchBlockedSendersHash” for “Descendant user Objects” (only needed for Hybrid Exchange!)
    * “Allow:Read/Write On msExchSafeRecipientsHash” for “Descendant user Objects” (only needed for Hybrid Exchange!)
    * “Allow:Read/Write On msExchSafeSendersHash” for “Descendant user Objects” (only needed for Hybrid Exchange!)
    * “Allow:Read/Write On msExchUCVoiceMailSettings” for “Descendant user Objects” (only needed for Hybrid Exchange!)
    * “Allow:Read/Write On msExchUserHoldPolicies” for “Descendant user Objects” (only needed for Hybrid Exchange!)
    * “Allow:Read/Write On proxyAddresses” for “Descendant user Objects” (only needed for Hybrid Exchange!)
    * “Allow:Read/Write On publicDelegates” for “Descendant user Objects” (only needed for Hybrid Exchange!)
    * “Allow:Read/Write On msDS-KeyCredentialLink” for “Descendant user Objects” (only needed for WH4B)
  • Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
  • Permission Assigned Through (Just A Suggestion!): <DOMAIN>\<AD Group For Writeback Attributes> (security group)

Permissioned Object: <On Any Domain At Domain Level>
  • Assigned/Required Permission:
    * “Allow:Read/Write On <Immutable ID Attribute>” for “Descendant group Objects”
    * “Allow:Read/Write On proxyAddresses” for “Descendant group Objects” (only needed for Hybrid Exchange!)
  • Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
  • Permission Assigned Through (Just A Suggestion!): <DOMAIN>\<AD Group For Writeback Attributes> (security group)

Permissioned Object: <On Any Domain At Domain Level>
  • Assigned/Required Permission:
    * “Allow:Read/Write On lockoutTime” for “Descendant user Objects” (only needed for Password Writeback/SSPR!)
  • Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
  • Permission Assigned Through (Just A Suggestion!): <DOMAIN>\<AD Group For Writeback Password Or Just Account Unlock> (security group)

Permissioned Object: <On Any Domain At Domain Level>
  • Assigned/Required Permission:
    * “Allow:Read/Write On pwdLastSet” for “Descendant user Objects” (only needed for Password Writeback/SSPR!)
    * “Allow:Password Reset” for “Descendant user Objects” (only needed for Password Writeback/SSPR!)
  • Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
  • Permission Assigned Through (Just A Suggestion!): <DOMAIN>\<AD Group For Writeback Password Or Just Password Reset> (security group)

Permissioned Object: <On Any Domain At Domain Level>
  • Assigned/Required Permission:
    * “Allow:Read/Write On proxyAddresses” for “Descendant contact Objects” (only needed for Hybrid Exchange!)
  • Security Principal Using Permission: <DOMAIN>\<AD Connector Account>
  • Permission Assigned Through (Just A Suggestion!): <DOMAIN>\<AD Group For Writeback Attributes> (security group)

REMARK: to configure the required permissions at domain level for any domain so that the AD MA/Connector can sync (write) into AD for user accounts or group objects, the following commands can be used (make sure to customize as needed for your environment!!!):

# CONSTANTS (customize every <...> placeholder for your environment)
$dcFQDN = "<FQDN Of The Nearest RWDC Of Domain>"
$domainDN = "<Domain Distinguished Name>"
$domainNBT = "<Domain NetBIOS Name>"
$aadConnectADConnectorAccount = "$domainNBT\<AD Connector Account>"
$dsReplChangesSecPrinc = "$domainNBT\<AD Group For DS Repl Changes>"
$dsReplChangesAllSecPrinc = "$domainNBT\<AD Group For DS Repl Changes All>"
$dnContainerUserObjects = "<DN of Container/OU With User Objects>"
$aadConnectWritebackAttributesUsersSecPrinc = "$domainNBT\<AD Group For Writeback Attributes Users>"
$aadConnectWritebackPasswordUsersSecPrinc = "$domainNBT\<AD Group For Writeback Password Users>"
$dnContainerGroupObjects = "<DN of Container/OU With Group Objects>"
$aadConnectWritebackAttributesGroupsSecPrinc = "$domainNBT\<AD Group For Writeback Attributes Groups>"
$dnContainerContactObjects = "<DN of Container/OU With Contact Objects>"
$aadConnectWritebackAttributesContactsSecPrinc = "$domainNBT\<AD Group For Writeback Attributes Contacts>"

# NOTES ON SYNTAX
# - DSACLS is called directly; no Invoke-Expression needed.
# - Every principal is written as ${name} because inside a double-quoted string PowerShell would
#   otherwise read "$name:RPWP" as a variable called RPWP in a drive/scope called "name" (empty result).
# - Object classes are passed by their LDAP display name (msDS-Device, user, group, contact).

# GENERIC (read access for the AD Connector; "Replicating Directory Changes All" is only needed for PHS)
DSACLS "\\$dcFQDN\$domainDN" /G "${dsReplChangesSecPrinc}:CA;Replicating Directory Changes" | Out-Null
DSACLS "\\$dcFQDN\$domainDN" /G "${dsReplChangesAllSecPrinc}:CA;Replicating Directory Changes All" | Out-Null

# DEVICE WRITEBACK (Full Control on descendant msDS-Device objects; create/delete msDS-Device objects)
DSACLS "\\$dcFQDN\CN=RegisteredDevices,$domainDN" /G "${aadConnectADConnectorAccount}:GA;;msDS-Device" /I:S | Out-Null
DSACLS "\\$dcFQDN\CN=RegisteredDevices,$domainDN" /G "${aadConnectADConnectorAccount}:CCDC;msDS-Device" /I:T | Out-Null

# FOR ADMINSDHOLDER PROTECTED OBJECTS (repeat for each attribute/control access right from the table above;
# both grants go on the AdminSDHolder object itself, from where they are propagated to the protected accounts)
DSACLS "\\$dcFQDN\CN=AdminSDHolder,CN=System,$domainDN" /G "${aadConnectADConnectorAccount}:RPWP;<Attribute To Write To>" | Out-Null
DSACLS "\\$dcFQDN\CN=AdminSDHolder,CN=System,$domainDN" /G "${aadConnectADConnectorAccount}:CA;<CAR>" | Out-Null

# FOR USER ACCOUNTS GENERIC
$userAttributesGeneric = @("<Immutable ID Attribute>", "msDS-ExternalDirectoryObjectId")
# FOR USER ACCOUNTS HYBRID EXCHANGE
$userAttributesHybridExchange = @("msExchArchiveStatus", "msExchBlockedSendersHash", "msExchSafeRecipientsHash",
    "msExchSafeSendersHash", "msExchUCVoiceMailSettings", "msExchUserHoldPolicies", "proxyAddresses", "publicDelegates")
# FOR USER ACCOUNTS WINDOWS HELLO FOR BUSINESS
$userAttributesWHfB = @("msDS-KeyCredentialLink")
# Read/Write Property on descendant user objects, one ACE per attribute
foreach ($attr in ($userAttributesGeneric + $userAttributesHybridExchange + $userAttributesWHfB)) {
    DSACLS "\\$dcFQDN\$dnContainerUserObjects" /G "${aadConnectWritebackAttributesUsersSecPrinc}:RPWP;$attr;user" /I:S | Out-Null
}

# FOR USER ACCOUNTS PASSWORD WRITEBACK/SSPR
foreach ($attr in @("lockoutTime", "pwdLastSet")) {
    DSACLS "\\$dcFQDN\$dnContainerUserObjects" /G "${aadConnectWritebackPasswordUsersSecPrinc}:RPWP;$attr;user" /I:S | Out-Null
}
DSACLS "\\$dcFQDN\$dnContainerUserObjects" /G "${aadConnectWritebackPasswordUsersSecPrinc}:CA;Reset Password;user" /I:S | Out-Null

# FOR GROUP OBJECTS GENERIC (<Immutable ID Attribute>) AND HYBRID EXCHANGE (proxyAddresses)
foreach ($attr in @("<Immutable ID Attribute>", "proxyAddresses")) {
    DSACLS "\\$dcFQDN\$dnContainerGroupObjects" /G "${aadConnectWritebackAttributesGroupsSecPrinc}:RPWP;$attr;group" /I:S | Out-Null
}

# FOR CONTACT OBJECTS HYBRID EXCHANGE
DSACLS "\\$dcFQDN\$dnContainerContactObjects" /G "${aadConnectWritebackAttributesContactsSecPrinc}:RPWP;proxyAddresses;contact" /I:S | Out-Null
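As an added check (not part of the original post), the following PowerShell reports which principals actually hold the replication and password-reset control access rights on the domain root and on AdminSDHolder, and whether the AD Connector account ended up in Domain Admins or under AdminSDHolder protection anyway. The <...> placeholders follow the post's convention; the list of expected holders is an assumption to adjust to your own group names.

```powershell
Import-Module ActiveDirectory

# Placeholders in the post's convention; adjust to your environment.
$domainDN     = "<Domain Distinguished Name>"
$domainNBT    = "<Domain NetBIOS Name>"
$connectorSam = "<AD Connector Account>"

# Principals that are supposed to hold these rights when the delegation model of the post is
# followed (assumption: your two DS Repl groups plus the built-in holders, so they are not flagged).
$expectedHolders = @(
    "$domainNBT\<AD Group For DS Repl Changes>",
    "$domainNBT\<AD Group For DS Repl Changes All>",
    "$domainNBT\Domain Controllers",
    "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS",
    "NT AUTHORITY\SYSTEM",
    "BUILTIN\Administrators"
)

# rightsGuid values (from the AD schema) of the control access rights the post grants.
$carNames = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
}

function Get-ControlAccessRightHolders {
    # One record per Allow ACE on $ObjectDN that carries one of the CARs above, or a wildcard
    # extended-rights ACE (ObjectType empty, as produced by Full Control / "all extended rights").
    param([Parameter(Mandatory)][string]$ObjectDN)
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path "AD:\$ObjectDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag($extendedRight)) { continue }
        if ($ace.ObjectType -eq [guid]::Empty) {
            $right = 'ALL extended rights (wildcard ACE)'
        } elseif ($carNames.ContainsKey($ace.ObjectType.ToString())) {
            $right = $carNames[$ace.ObjectType.ToString()]
        } else {
            continue   # some other control access right, not one this post is about
        }
        $who = $ace.IdentityReference.Value
        [pscustomobject]@{
            Object    = $ObjectDN
            Principal = $who
            Right     = $right
            Inherited = $ace.IsInherited
            Expected  = ($expectedHolders -contains $who)
        }
    }
}

function Test-ConnectorAccountPrivileged {
    # The post's first rule: the connector account must not be a Domain/Enterprise Admin.
    # adminCount = 1 means AdminSDHolder protects the account, i.e. it is (or was) in a protected group.
    # Enterprise Admins only exists in the forest root domain, so only Domain Admins is resolved here.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $inDomainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.distinguishedName -eq $user.DistinguishedName }
    [pscustomobject]@{
        Account        = $user.SamAccountName
        AdminCount     = $user.adminCount
        InDomainAdmins = [bool]$inDomainAdmins
    }
}

# Domain root: who may replicate directory data (the "All" right includes password hashes).
# AdminSDHolder: who may reset passwords of, or write to, protected ("admin") accounts.
$report = @(
    Get-ControlAccessRightHolders -ObjectDN $domainDN
    Get-ControlAccessRightHolders -ObjectDN "CN=AdminSDHolder,CN=System,$domainDN"
)
$report | Sort-Object Object, Right, Principal | Format-Table -AutoSize

# Anything not in the expected list is a review item; a connector account granted directly on
# AdminSDHolder (as the table allows for SSPR of admin accounts) will show up here on purpose.
$report | Where-Object { -not $_.Expected } | ForEach-Object {
    Write-Warning "Review: '$($_.Principal)' holds '$($_.Right)' on $($_.Object)"
}
Test-ConnectorAccountPrivileged -SamAccountName $connectorSam | Format-List
```

Run it after applying the DSACLS commands and again on a schedule: a new holder of “Replicating Directory Changes All” or a connector account with adminCount = 1 is exactly the change the post says you should be auditing for.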

Azure Active Directory Permissions:

An Azure AD account with the “Global Administrator” role is needed to configure the AAD Sync server during installation and at any subsequent configuration moment. This account may be enabled for MFA, but in that case cookies and JavaScript must be allowed on the server.

Hope this helps you!

Cheers,

Jorge


Posted in Azure AD Connect, Windows Azure Active Directory | 3 Comments »

(2019-05-16) Azure AD Connect v1.3.21.0 Has Been Released

Posted by Jorge on 2019-05-16


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

IMPORTANT

There is a known issue with upgrading Azure AD Connect from an earlier version to 1.3.21.0 where the O365 portal (https://admin.microsoft.com/AdminPortal/Home#/dirsyncmanagement) does not reflect the updated version even though Azure AD Connect upgraded successfully.

To resolve this you need to import the ADSync module and then run the Set-ADSyncDirSyncConfiguration PowerShell cmdlet on the Azure AD Connect server. You can use the following steps:

  1. Open PowerShell in administrator mode
  2. Run Import-Module "ADSync"
  3. Run Set-ADSyncDirSyncConfiguration -AnchorAttribute ""

REMARK: Below you can see the last directory sync and the last password sync occurred a few days ago and it is issuing a warning. The reason for that is that I turned my VMs off as I was not using them for a few days

Figure 1: Dir Sync Status In The Office Portal

Download "Microsoft Azure Active Directory Connect"

Azure AD Connect: Version Release History

1.3.21.0

Released: 05/14/2019

Released for download

Prerequisites for Azure AD Connect

More information about Azure AD Connect

New Features And Improvements

  • N.A.

Fixed issues

  • Fixed an elevation of privilege vulnerability that exists in Microsoft Azure Active Directory Connect build 1.3.20.0. This vulnerability, under certain conditions, may allow an attacker to execute two powershell cmdlets in the context of a privileged account, and perform privileged actions. This security update addresses the issue by disabling these cmdlets. For more information see security update.

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle!

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2019-04-30) Azure AD Connect v1.3.20.0 Has Been Released

Posted by Jorge on 2019-04-30


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect"

IMPORTANT: I upgraded from Azure AD Connect 1.2.70.0. As mentioned below in the “New Features And Improvements” section it upgrades a group sync rule to include additional transformations (flows). To be more specific it updates the sync rule called “In from AD – Group Common”. If you have this rule enabled it will most likely perform a full sync for at least the AD connector the next time it syncs after the AAD Connect upgrade. If you have this rule disabled, that means you have a cloned version of it that requires updating if you need those additional transformations (flows) to support group claims in AAD. If you do update that cloned version, then it will most likely perform a full sync for the AD connector the next time it syncs after the AAD Connect upgrade. Since that may take some time, depending on the size of your AD/AAD environment in terms of the number of objects being synced, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

However, to my surprise it did not trigger the expected full sync for the AD connector. That was weird, because when sync rules are updated all data needs to be reevaluated, whether or not it has changed. In my case I triggered the full sync myself by running the Run Profiles manually for both the AD Connector and the AAD Connector. The order was: Disable Sync Scheduler, Delta Import for AD Connector, Full Sync for AD Connector, Export for AAD Connector, Delta Import for AAD Connector, Delta Sync for AAD Connector, Export for AD Connector and Re-enable Sync Scheduler.
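The manual run-profile sequence described above, scripted with the ADSync module that ships with Azure AD Connect (added example, not code from the original post). The two connector names are placeholders (assumption); list yours with Get-ADSyncConnector.

```powershell
Import-Module ADSync

# Placeholders (assumption): the names shown by Get-ADSyncConnector | Select-Object Name
$adConnector  = "<AD Connector Name, e.g. contoso.com>"
$aadConnector = "<AAD Connector Name, e.g. contoso.onmicrosoft.com - AAD>"

# Same order as in the post: Delta Import (AD), Full Sync (AD), Export (AAD),
# Delta Import (AAD), Delta Sync (AAD), Export (AD).
$steps = @(
    @{ Connector = $adConnector;  Profile = 'Delta Import' },
    @{ Connector = $adConnector;  Profile = 'Full Synchronization' },
    @{ Connector = $aadConnector; Profile = 'Export' },
    @{ Connector = $aadConnector; Profile = 'Delta Import' },
    @{ Connector = $aadConnector; Profile = 'Delta Synchronization' },
    @{ Connector = $adConnector;  Profile = 'Export' }
)

function Wait-ADSyncIdle {
    # Never start a run profile while a scheduler-triggered cycle is still in flight;
    # Get-ADSyncConnectorRunStatus returns nothing when no connector is running.
    while (Get-ADSyncConnectorRunStatus) {
        Write-Host "A run profile is still running; waiting 30 seconds..."
        Start-Sleep -Seconds 30
    }
}

if ((Get-ADSyncScheduler).StagingModeEnabled) {
    Write-Warning "This server is in staging mode: the Export steps will not write anything."
}

# Step 1 of the post: disable the sync scheduler so it cannot interleave its own cycle.
Set-ADSyncScheduler -SyncCycleEnabled $false
try {
    foreach ($step in $steps) {
        Wait-ADSyncIdle
        Write-Host ("{0,-40} {1}" -f $step.Connector, $step.Profile)
        $result = Invoke-ADSyncRunProfile -ConnectorName $step.Connector -RunProfileName $step.Profile
        # The cmdlet reports the run result (normally 'success'); stop the chain on anything else so a
        # failed Full Synchronization is not followed by an Export of half-evaluated data.
        if ($result -and "$result" -ne 'success') {
            throw "Run profile '$($step.Profile)' on '$($step.Connector)' ended with: $result"
        }
    }
    # Last step of the post: re-enable the scheduler only after every run profile succeeded.
    Set-ADSyncScheduler -SyncCycleEnabled $true
    Write-Host "Done; sync scheduler re-enabled."
}
catch {
    Write-Warning "Stopped: $($_.Exception.Message)"
    Write-Warning 'Sync scheduler left disabled; investigate, then run Set-ADSyncScheduler -SyncCycleEnabled $true'
}
```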

Azure AD Connect: Version Release History

1.3.20.0

Released: 04/24/2019

Released for download

Prerequisites for Azure AD Connect

More information about Azure AD Connect

New Features And Improvements

  • Add support for Domain Refresh
  • Exchange Mail Public Folders feature goes GA
  • Improve wizard error handling for service failures
  • Added warning link for old UI on connector properties page.
  • The Unified Groups Writeback feature is now GA
  • Improved SSPR error message when the DC is missing an LDAP control
  • Added diagnostics for DCOM registry errors during install
  • Improved tracing of PHS RPC errors
  • Allow EA creds from a child domain
  • Allow database name to be entered during install (default name ADSync)
  • Upgrade to ADAL 3.19.8 to pick up a WS-Trust fix for Ping and add support for new Azure instances
  • Modify Group Sync Rules to flow samAccountName, DomainNetbios and DomainFQDN to cloud – needed for claims
  • Modified Default Sync Rule Handling – read more here.
  • Added a new agent running as a windows service. This agent, named “Admin Agent”, enables deeper remote diagnostics of the Azure AD Connect server to help Microsoft Engineers troubleshoot when you open a support case. This agent is not installed and enabled by default. For more information on how to install and enable the agent see What is the Azure AD Connect Admin Agent?.
  • Updated the End User License Agreement (EULA)
  • Added auto upgrade support for deployments that use AD FS as their login type. This also removed the requirement of updating the AD FS Azure AD Relying Party Trust as part of the upgrade process.
  • Added an Azure AD trust management task that provides two options: analyze/update trust and reset trust.
  • Changed the AD FS Azure AD Relying Party trust behavior so that it always uses the -SupportMultipleDomain switch (includes trust and Azure AD domain updates).
  • Changed the install new AD FS farm behavior so that it requires a .pfx certificate by removing the option of using a pre-installed certificate.
  • Updated the install new AD FS farm workflow so that it only allows deploying 1 AD FS and 1 WAP server. All additional servers will be done after initial installation.

Fixed issues

  • Fix the SQL reconnect logic for ADSync service
  • Fix to allow clean install using an empty SQL AOA DB
  • Fix PS Permissions script to refine GWB permissions
  • Fix VSS Errors with LocalDB
  • Fix misleading error message when object type is not in scope
  • Corrected an issue where installation of Azure AD PowerShell on a server could potentially cause an assembly conflict with Azure AD Connect.
  • Fixed PHS bug on Staging Server when Connector Credentials are updated in the old UI.
  • Fixed some memory leaks
  • Miscellaneous Autoupgrade fixes
  • Miscellaneous fixes to Export and Unconfirmed Import Processing
  • Fixed a bug with handling a backslash in Domain and OU filtering
  • Fixed an issue where ADSync service takes more than 2 minutes to stop and causes a problem at upgrade time.

I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle!

…And just to get ahead of things when needed I also installed the Azure AD Connect Admin Agent in a disabled state. By the way, as mentioned in the documentation, you will be prompted multiple times (about 5x or so) for credentials. So, don’t freak out thinking it is not working.

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2018-12-30) Azure AD Connect v1.2.70.0 Has Been Released

Posted by Jorge on 2018-12-30


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect"

Azure AD Connect: Version Release History

1.2.70.0

Released: 12/18/2018

Released for download

Prerequisites for Azure AD Connect

More information about Azure AD Connect

Fixed issues

  • This build updates the non-standard connectors (for example, Generic LDAP Connector and Generic SQL Connector) shipped with Azure AD Connect. For more information on applicable connectors, see version 1.1.911.0 in Connector Version Release History.

I (finally) ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle!

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory

(2018-12-30) Azure AD Connect v1.2.69.0 Has Been Released

Posted by Jorge on 2018-12-30


Download "Microsoft Azure Active Directory Connect"

IMPORTANT: I upgraded from Azure AD Connect v1.2.68.0, and the next time it synched after performing the steps below it triggered a full import and full sync for both the AD connector and the AAD connector. Since this may take some time, depending on the size of your AD/AAD environment in terms of the number of objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

Azure AD Connect: Version Release History

1.2.69.0

Released: 12/11/2018

Released for download

Prerequisites for Azure AD Connect

More information about Azure AD Connect

Fixed issues

  • This hotfix build allows the user to select a target domain, within the specified forest, for the RegisteredDevices container when enabling device writeback. In the previous versions that contain the new Device Options functionality (1.1.819.0 – 1.2.68.0), the RegisteredDevices container location was limited to the forest root and did not allow child domains. This limitation only manifested itself on new deployments – in-place upgrades were unaffected.
  • If any build containing the updated Device Options functionality was deployed to a new server and device writeback was enabled, you will need to manually specify the location of the container if you do not want it in the forest root. To do this, you need to disable device writeback and re-enable it which will allow you to specify the container location on the “Writeback forest” page.

I (finally) ran the MSI and upgraded from the previous version without any issues (except for what I mentioned below!) and ran at least one scheduled sync cycle!

After the upgrade I noticed the following, which was weird! Device writeback was enabled and configured correctly. I have one single AD domain. No idea why this happened. This was not a new server, as the second bullet in the "fixed issues" section above mentions.

After the next sync I started seeing….

The upper 2 are devices synched from AAD to AD, the lower 2 are Windows 10 devices being synched from AD to AAD.


Figure 1: “Container-Not-In-Scope” Errors

After checking the device writeback config, it was empty!

Get-ADSyncGlobalSettingsParameter | ?{$_.name -like "Microsoft.DeviceWriteBack*"}


Figure 2: Device Writeback NOT Being Enabled And Configured After The Upgrade

Checking the Azure AD Connect Wizard it said it was enabled. Again, weird!

My solution for this were the following steps

  • Disable the sync scheduler

Set-ADSyncScheduler -SyncCycleEnabled $false # <— By The Way, Should ALWAYS Be Executed Before An Upgrade Of AAD Connect To Make Sure The Sync DOES NOT Start

  • Using The Azure AD Connect Wizard: Disable Device Writeback
    • Start AAD Connect Wizard –> Click [Configure] –> Select [Configure Device Options] –> Click [Next] (2x) –> Enter AAD Global Credentials –> Select “Disable Device Writeback” –> Click [Next] –> Click [Configure] –> Click [Exit])

  • Using The Azure AD Connect Wizard: Reenable Device Writeback
    • Start AAD Connect Wizard –> Click [Configure] –> Select [Configure Device Options] –> Click [Next] (2x) –> Enter AAD Global Credentials –> Select “Configure Device Writeback” –> Click [Next] –> Select the AD Forest And AD Domain To Host The Synched Devices From AAD –> Enter AD Enterprise Admin Credentials Or Select The Option To Download The PowerShell Script –> Click [Next] –> Click [Configure] –> Click [Exit])

  • Check The Device Writeback Configuration
    • Get-ADSyncGlobalSettingsParameter | ?{$_.name -like "Microsoft.DeviceWriteBack*"}


Figure 3: Device Writeback Being Enabled And Configured

  • Reenable the sync scheduler

Set-ADSyncScheduler -SyncCycleEnabled $true # <—Should ALWAYS Be Executed AFTER A Successful And Verified Upgrade Of AAD Connect To Make Sure The Sync DOES Start The Next Schedule
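
The steps above, folded into one pre-/post-upgrade script as an added example; this is not code from the original post, and the script name, the snapshot path and the 10-minute drain timeout are assumptions. It uses the same ADSync cmdlets the post uses (Set-ADSyncScheduler, Get-ADSyncScheduler, Get-ADSyncGlobalSettingsParameter), but it also waits for an in-flight sync cycle to finish before the installer is started, snapshots the device writeback global settings, and after the upgrade refuses to re-enable the scheduler until those settings match the snapshot. That catches the empty configuration shown in Figure 2 before it turns into a cycle of "Container-Not-In-Scope" errors.

```powershell
<#
Added example, not part of the original post: wraps an Azure AD Connect upgrade
in the scheduler stop/start the post recommends and checks that the device
writeback global settings survived the upgrade before the scheduler goes back on.
Requires the ADSync module that ships with Azure AD Connect. The script name,
the snapshot file location and the drain timeout are assumptions.
Usage:  .\Invoke-AadcUpgradeGuard.ps1 -Phase Before    (then run the MSI)
        .\Invoke-AadcUpgradeGuard.ps1 -Phase After
#>
param(
    [Parameter(Mandatory)][ValidateSet('Before', 'After')][string]$Phase,
    [string]$SnapshotPath = (Join-Path $env:ProgramData 'aadc-devicewriteback-before.xml'),
    [int]$DrainTimeoutMinutes = 10
)

Import-Module ADSync -ErrorAction Stop

function Get-DeviceWritebackSettings {
    # Same filter the post uses; Name/Value pairs so the two snapshots can be compared.
    Get-ADSyncGlobalSettingsParameter |
        Where-Object { $_.Name -like 'Microsoft.DeviceWriteBack*' } |
        Select-Object Name, Value
}

function Stop-SyncSchedulerAndDrain {
    param([int]$TimeoutMinutes)
    # Disable the scheduler so no new cycle can start, then wait for a cycle that
    # is already running to finish; the installer must not race a running sync.
    Set-ADSyncScheduler -SyncCycleEnabled $false
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) {
            throw "A sync cycle is still running after $TimeoutMinutes minutes; not safe to upgrade."
        }
        Start-Sleep -Seconds 15
    }
}

switch ($Phase) {
    'Before' {
        Stop-SyncSchedulerAndDrain -TimeoutMinutes $DrainTimeoutMinutes
        $settings = @(Get-DeviceWritebackSettings)
        $settings | Export-Clixml -Path $SnapshotPath
        Write-Host "Scheduler disabled; saved $($settings.Count) device writeback setting(s) to $SnapshotPath. Run the upgrade now."
    }
    'After' {
        if (-not (Test-Path -Path $SnapshotPath)) {
            throw "No pre-upgrade snapshot at $SnapshotPath; run -Phase Before first."
        }
        $before = @(Import-Clixml -Path $SnapshotPath)
        $after  = @(Get-DeviceWritebackSettings)

        # A setting that is missing or has lost its value after the upgrade is the
        # symptom in the post: the wizard still says "enabled" while the global
        # settings no longer carry the writeback configuration.
        $drift = foreach ($b in $before) {
            $a = $after | Where-Object Name -eq $b.Name
            if (-not $a -or [string]$a.Value -ne [string]$b.Value) {
                [pscustomobject]@{ Name = $b.Name; Before = $b.Value; After = $a.Value }
            }
        }

        if ($drift) {
            $drift | Format-Table -AutoSize
            Write-Warning 'Device writeback settings differ from the pre-upgrade snapshot. Disable and re-enable device writeback in the wizard, re-run -Phase After, and only then let this script re-enable the scheduler.'
            return
        }

        Set-ADSyncScheduler -SyncCycleEnabled $true
        Get-ADSyncScheduler | Select-Object SyncCycleEnabled, SyncCycleInProgress, NextSyncCycleStartTimeInUTC
    }
}
```

Run the Before phase, upgrade, open a fresh PowerShell session (the upgraded ADSync module must be loaded, not the one cached by the old session) and run the After phase. If device writeback was never configured the snapshot is empty, nothing can drift, and the scheduler is simply re-enabled.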

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory

(2018-12-30) Azure AD Connect v1.2.68.0 Has Been Released

Posted by Jorge on 2018-12-30


Download "Microsoft Azure Active Directory Connect"

Azure AD Connect: Version Release History

1.2.68.0

Released: 11/30/2018

Released for download

Prerequisites for Azure AD Connect

More information about Azure AD Connect

Fixed issues

  • This hotfix build fixes a conflict where an authentication error might occur due to the independent presence of the MSOnline PowerShell Gallery module on the synchronization server

I (finally) ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle!

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory

(2018-12-30) Azure AD Connect v1.2.67.0 Has Been Released

Posted by Jorge on 2018-12-30


Download "Microsoft Azure Active Directory Connect"

Azure AD Connect: Version Release History

1.2.67.0

Released: 11/19/2018

Released for download

Prerequisites for Azure AD Connect

More information about Azure AD Connect

IMPORTANT: I upgraded from Azure AD Connect v1.2.65.0, and the next time it synched it triggered a full sync for the AD connector. Since this may take some time, depending on the size of your AD environment in terms of the number of objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

Fixed issues

  • This hotfix build fixes a regression in the previous build where Password Writeback fails when using an ADDS Domain Controller on Windows Server 2008/R2.

I (finally) ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle!

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory

(2018-11-05) Azure AD Connect v1.2.65.0 Has Been Released

Posted by Jorge on 2018-11-05


Download "Microsoft Azure Active Directory Connect"

Azure AD Connect: Version Release History

1.2.65.0

Released: 10/25/2018

Released for download

Prerequisites for Azure AD Connect

More information about Azure AD Connect

IMPORTANT: I upgraded from Azure AD Connect v1.1.882.0, and the next time it synched it triggered a full import and full sync for both the AD connector and the AAD connector. Since this may take some time, depending on the size of your AD/AAD environment in terms of the number of objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

New features and improvements

  • Changed the functionality of attribute write-back to ensure hosted voice-mail is working as expected. Under certain scenarios, Azure AD was overwriting the msExchUcVoicemailSettings attribute during write-back with a null value. Azure AD will now no longer clear the on-premises value of this attribute if the cloud value is not set.
  • Added diagnostics in the Azure AD Connect wizard to investigate and identify connectivity issues to Azure AD. These same diagnostics can also be run directly through PowerShell using the Test-AdSyncAzureServiceConnectivity cmdlet.
  • Added diagnostics in the Azure AD Connect wizard to investigate and identify connectivity issues to AD. These same diagnostics can also be run directly through PowerShell using the Start-ConnectivityValidation function in the ADConnectivityTools PowerShell module. For more information see What is the ADConnectivityTool PowerShell Module?
  • Added an AD schema version pre-check for Hybrid Azure Active Directory Join and device write-back.
  • Changed the Directory Extension page attribute search to be case-insensitive.
  • Added full support for TLS 1.2. This release supports all other protocols being disabled and only TLS 1.2 being enabled on the machine where Azure AD Connect is installed. For more information see TLS 1.2 enforcement for Azure AD Connect.

Fixed issues

  • Fixed a bug where Azure AD Connect upgrade would fail if SQL Always On was being used.
  • Fixed a bug to correctly parse OU names that contain a forward slash.
  • Fixed an issue where Pass-Through Authentication would be disabled for a clean install in staging mode.
  • Fixed a bug that prevented the PowerShell module from being loaded when running the troubleshooting tools.
  • Fixed a bug that would block customers from using numeric values in the first character of a host name.
  • Fixed a bug where Azure AD Connect would allow invalid partitions and container selection.
  • Fixed the "Invalid Password" error message when Desktop SSO is enabled.
  • Various bug fixes for AD FS trust management.
  • When configuring device writeback, fixed the schema check to look for the msDS-DeviceContainer object class (introduced in Windows Server 2012 R2).
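
Since this build is the first that is supported with only TLS 1.2 enabled on the sync server, the following added example (not code from the original post, nor Microsoft's own enforcement script) audits the registry values that make the .NET Framework and SCHANNEL on that server use TLS 1.2, and writes them when run with -Enforce. The key paths are the documented .NET Framework 4.x and SCHANNEL protocol locations; the script only turns TLS 1.2 on and deliberately does not disable TLS 1.0/1.1, which is a separate step to take after this check passes and the connectivity diagnostics listed above still succeed.

```powershell
<#
Added example, not from the original post or from Microsoft: audits, and with
-Enforce sets, the registry values that make .NET and SCHANNEL on the Azure AD
Connect server use TLS 1.2. Run elevated on the sync server; SCHANNEL changes
take effect after a reboot. Assumes the .NET Framework 4.x keys and the
SCHANNEL protocol key layout used by Windows Server.
Usage:  .\Test-AadcTls12.ps1            (report only)
        .\Test-AadcTls12.ps1 -Enforce   (write missing/wrong values)
#>
param([switch]$Enforce)

# .NET Framework: follow the OS protocol defaults and use strong crypto, in
# both the 64-bit and the 32-bit (WOW6432Node) view of the registry.
$dotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$dotNetValues = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 }

# SCHANNEL: TLS 1.2 explicitly enabled for the client role (outbound to Azure AD
# and SQL) and for the server role.
$schannelKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
)
$schannelValues = @{ Enabled = 1; DisabledByDefault = 0 }

function Test-Tls12RegistryValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    # A missing key or value is reported as non-compliant rather than as an error.
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Path      = $Path
        Name      = $Name
        Expected  = $Expected
        Actual    = $actual
        Compliant = ($null -ne $actual -and [int]$actual -eq $Expected)
    }
}

function Set-Tls12RegistryValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the key if it does not exist yet (the TLS 1.2 protocol keys often do not).
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Build the full list of (key, value name, expected value) triples to check.
$expected = @()
foreach ($key in $dotNetKeys) {
    foreach ($v in $dotNetValues.GetEnumerator()) { $expected += @{ Path = $key; Name = $v.Key; Value = $v.Value } }
}
foreach ($key in $schannelKeys) {
    foreach ($v in $schannelValues.GetEnumerator()) { $expected += @{ Path = $key; Name = $v.Key; Value = $v.Value } }
}

$report = foreach ($e in $expected) { Test-Tls12RegistryValue -Path $e.Path -Name $e.Name -Expected $e.Value }
$report | Format-Table Compliant, Name, Actual, Expected, Path -AutoSize

$nonCompliant = @($report | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -eq 0) {
    Write-Host 'TLS 1.2 registry configuration is complete.'
} elseif ($Enforce) {
    foreach ($e in $nonCompliant) { Set-Tls12RegistryValue -Path $e.Path -Name $e.Name -Value $e.Expected }
    Write-Warning "Wrote $($nonCompliant.Count) value(s). Reboot the server, then re-run this check without -Enforce."
} else {
    Write-Warning "$($nonCompliant.Count) value(s) missing or wrong. Re-run with -Enforce to set them, or deploy them via Group Policy."
}
```

Run the report first on a staging-mode server; once it passes there and the wizard's connectivity diagnostics still succeed, apply the same values to the active server. Only then consider disabling the older protocols, and re-test the SQL and Azure AD connectivity after that change as well.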

I (finally) ran the MSI and upgraded from the previous version without any issues!

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory

(2018-10-07) Azure AD Connect v1.1.882.0 Has Been Released

Posted by Jorge on 2018-10-07


Download "Microsoft Azure Active Directory Connect"

Azure AD Connect: Version Release History

1.1.882.0

Released: 9/7/2018

Released for download, will not be released for auto upgrade

Prerequisites for Azure AD Connect

More information about Azure AD Connect

Fixed Issues:

  • Azure AD Connect Upgrade fails if SQL Always On Availability is configured for the ADSync DB. This hotfix addresses this issue and allows Upgrade to succeed

I (finally) ran the MSI and upgraded from the previous version without any issues!

Cheers,
Jorge


Posted in Azure AD Connect

 