Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Azure AD Connect’ Category

(2020-04-04) Azure AD Connect v1.5.18.0 Has Been Released

Posted by Jorge on 2020-04-04


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

IMPORTANT: In one environment I upgraded from Azure AD Connect 1.4.38.0. I noticed that it triggered a Full Import on the AAD MA/Connector, and it also triggered a Full Sync on both the AD and AAD MA/Connector. Since the full imports/syncs may take some time, depending on the size of your AD/AAD environment in terms of the number of objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

Azure AD Connect: Version Release History

1.5.18.0

Released: 4/2/2020

Released for download. Not available for auto-upgrade

Prerequisites for Azure AD Connect

More information about Azure AD Connect

Functional changes

    • Added support for the mS-DS-ConsistencyGuid feature for group objects. This allows you to move groups between forests or reconnect groups in AD to Azure AD where the AD group objectGUID has changed, e.g. when an AD server is rebuilt after a calamity. For more information see Moving groups between forests.
    • The mS-DS-ConsistencyGuid attribute is automatically set on all synced groups and you do not have to do anything to enable this feature.
    • Removed the Get-ADSyncRunProfile cmdlet because it is no longer in use.
    • Changed the warning you see when attempting to use an Enterprise Admin or Domain Admin account for the AD DS connector account to provide more context.
    • Added a new cmdlet to remove objects from the connector space: the old CSDelete.exe tool is removed and replaced with the new Remove-ADSyncCSObject cmdlet. The Remove-ADSyncCSObject cmdlet takes a CsObject as input. This object can be retrieved by using the Get-ADSyncCSObject cmdlet.
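As an added example of the new cmdlet pair (my illustration, not code from Microsoft's release notes or from this post), the function below removes one stale object from a connector space. The connector name, the DN and the CsObject property names written to the verbose stream are assumptions. Keep in mind what this does and does not do: it only drops the staged copy in the connector space, nothing is deleted in AD or Azure AD by the cmdlet itself. However, if that connector-space object was joined to a metaverse object, the next sync cycle can turn the disconnect into a deprovisioning action on the other connector, so run it with -WhatIf first and check the pending exports afterwards.

```powershell
Import-Module ADSync

Function Remove-StaleCSObject
{
    <#
    .SYNOPSIS
        Removes a single object from the connector space of an Azure AD Connect connector,
        using the Get-ADSyncCSObject / Remove-ADSyncCSObject pair introduced in 1.5.18.0.
    #>
    [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='High')]
    Param
    (
        # Connector name as shown in the Synchronization Service Manager, e.g. "Fabrikam.com" (assumed)
        [Parameter(Mandatory=$true)]
        [String]$ConnectorName,

        # DN of the object inside that connector space (assumed placeholder below)
        [Parameter(Mandatory=$true)]
        [String]$DistinguishedName
    )

    # Remove-ADSyncCSObject wants the CsObject itself, so look it up first
    $csObject = Get-ADSyncCSObject -ConnectorName $ConnectorName -DistinguishedName $DistinguishedName
    If (-not $csObject)
    {
        Write-Warning "No object with DN '$DistinguishedName' in connector space '$ConnectorName'"
        return
    }

    # Property names on the CsObject are assumed; they help you see what you are about to drop
    Write-Verbose ("CS object found: DN={0} ObjectType={1}" -f $csObject.DistinguishedName, $csObject.ObjectType)

    # -WhatIf / -Confirm are honoured here, so a dry run never touches the connector space
    If ($PSCmdlet.ShouldProcess($DistinguishedName, "Remove from connector space '$ConnectorName'"))
    {
        Remove-ADSyncCSObject -CsObject $csObject -Force
    }
}

# Dry run first; drop -WhatIf for the real removal (it then prompts, because ConfirmImpact is High)
Remove-StaleCSObject -ConnectorName 'Fabrikam.com' -DistinguishedName 'CN=OldComputer,OU=SYNC,DC=Fabrikam,DC=com' -WhatIf -Verbose
```

If the object still exists in the source directory it simply comes back on the next (full) import; the cmdlet is meant for orphaned connector-space objects, not as a way to delete anything from AD or Azure AD.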

    Fixed issues

    • Fixed a bug in the group writeback forest/OU selector on rerunning the Azure AD Connect wizard after disabling the feature.
    • Introduced a new error page that will be displayed if the required DCOM registry values are missing with a new help link. Information is also written to log files.
    • Fixed an issue with the creation of the Azure Active Directory synchronization account where enabling Directory Extensions or PHS may fail because the account has not propagated across all service replicas before attempted use.
    • Fixed a bug in the sync errors compression utility that was not handling surrogate characters correctly.
    • Fixed a bug in the auto upgrade which left the server in the scheduler suspended state.

    I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

    Cheers,
    Jorge

    ————————————————————————————————————————————————————-
    This posting is provided "AS IS" with no warranties and confers no rights!
    Always evaluate/test everything yourself first before using/implementing this in production!
    This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
    DISCLAIMER:
    https://jorgequestforknowledge.wordpress.com/disclaimer/
    ————————————————————————————————————————————————————-
    ########################### Jorge’s Quest For Knowledge ##########################
    #################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
    ————————————————————————————————————————————————————-

    Posted in Azure AD Connect, Windows Azure Active Directory

    (2020-01-30) Deprecation Of Azure AD Connect Versions

    Posted by Jorge on 2020-01-30


    Starting on November 1st, 2020, Microsoft will begin implementing a deprecation process whereby versions of Azure AD Connect that were released more than 18 months ago will be deprecated. At that time Microsoft will begin this process by deprecating all releases of Azure AD Connect with version 1.1.751.0 (which was released on 4/12/2018) and older, and Microsoft will proceed to evaluate the deprecation of older versions of Azure AD Connect every time a new version releases.

    You need to make sure you are running a recent version of Azure AD Connect to receive an optimal support experience. If you run a deprecated version of Azure AD Connect you may not have the latest security fixes, performance improvements, troubleshooting and diagnostic tools and service enhancements, and if you require support Microsoft may not be able to provide you with the level of service your organization needs.

    If you have enabled Azure AD Connect for sync you will soon automatically begin receiving Health notifications that warn you about upcoming deprecations when you are running one of the older versions.

    Please refer to this article to learn more about how to upgrade Azure AD Connect to the latest version

    In other words: if you are still running the old stuff, start planning to get rid of it! There is NO excuse!

    Azure AD Connect: Version release history


    Posted in Azure AD Connect, Windows Azure Active Directory

    (2019-12-12) Delivered Session About “Moving Towards Passwordless Concept”

    Posted by Jorge on 2019-12-12


    Delivered session @DetronICT, invited by @ThierryVos, about "Moving Towards Passwordless Concept" (preso and demos). About 30 tech enthusiasts listened until the bitter end. Thanks for the invitation, and until a next time! Reward afterwards? Enjoying some beers together!

    Figure 1: Initial Slide – Title/SubTitle

    Figure 2: Introducing Me

    Figure 3: The Agenda

    Figure 4: The Agenda With Demos

    Cheers,

    Jorge


    Posted in Active Directory Domain Services (ADDS), Active Directory Federation Services (ADFS), Azure AD / Office 365, Azure AD Connect, Azure AD Identity Protection, Azure AD MFA Adapter, Azure AD Password Protection, Conferences, Field Experiences, Group Policy Objects, Last Logon Information, Microsoft Authenticator App, Multi-Factor AuthN, MVP, Password Expiration Notification, Password-Less, Passwords, Self-Service Password Reset, SSO, SYSVOL, Tooling/Scripting, Windows Azure Active Directory

    (2019-12-10) Azure AD Connect v1.4.38.0 Has Been Released

    Posted by Jorge on 2019-12-10


    Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

    IMPORTANT: N.A.

    Azure AD Connect: Version Release History

    1.4.38.0

    Released: 12/6/2019

    Released for download. Not available for auto-upgrade

    Prerequisites for Azure AD Connect

    More information about Azure AD Connect

    New Features And Improvements

      • We updated Password Hash Sync for Azure AD Domain Services to properly account for padding in Kerberos hashes. This will provide a performance improvement during password synchronization from Azure AD to Azure AD Domain Services.
      • We added support for reliable sessions between the authentication agent and service bus.
      • This release enforces TLS 1.2 for communication between authentication agent and cloud services.
      • We added a DNS cache for websocket connections between authentication agent and cloud services.
      • We added the ability to target specific agent from cloud to test for agent connectivity.

      Fixed issues

      • Release 1.4.18.0 had a bug where the PowerShell cmdlet for DSSO was using the logged-on Windows credentials instead of the admin credentials provided while running PowerShell. As a result it was not possible to enable DSSO in multiple forests through the AADConnect user interface.
      • A fix was made to enable DSSO simultaneously in all forests through the AADConnect user interface.

      I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

      Cheers,
      Jorge


      Posted in Azure AD Connect, Windows Azure Active Directory

      (2019-11-10) Azure AD Connect v1.4.32.0 Has Been Released

      Posted by Jorge on 2019-11-10


      Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

      IMPORTANT: In one environment I upgraded from Azure AD Connect 1.3.21.0. I noticed that it triggered a Full Import on both the AD and AAD MA/Connector, and it also triggered a Full Sync on both the AD and AAD MA/Connector. Since the full imports/syncs may take some time, depending on the size of your AD/AAD environment in terms of the number of objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

      IMPORTANT: In one environment I upgraded from Azure AD Connect 1.4.18.0. I noticed that it triggered a Delta Import on both the AD and AAD MA/Connector, but it triggered a Full Sync on the AD MA/Connector and a Delta Sync on the AAD MA/Connector. Since the full sync may take some time, depending on the size of your AD/AAD environment in terms of the number of objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

      IMPORTANT: Due to an internal schema change in this release of Azure AD Connect, if you manage ADFS trust relationship configuration settings using MSOnline PowerShell then you must update your MSOnline PowerShell module to version 1.1.183.57 or higher.

      Azure AD Connect: Version Release History

      1.4.32.0

      Released: 11/08/2019

      Released for download. Not available for auto-upgrade

      Prerequisites for Azure AD Connect

      More information about Azure AD Connect

      New Features And Improvements

      • N.A.

      Fixed issues

      • This version fixes an issue with existing Hybrid Azure AD joined devices. This release contains a new device sync rule that corrects this issue (Updated sync rule: “In from AD – Computer Join”). Note that this rule change may cause deletion of obsolete devices from Azure AD. This is not a cause for concern, as these device objects are not used by Azure AD during Conditional Access authorization. For some customers, the number of devices that will be deleted through this rule change can exceed the deletion threshold. If you see the deletion of device objects in Azure AD exceeding the Export Deletion Threshold, it is advised to allow the deletions to go through. How to allow deletes to flow when they exceed the deletion threshold

      I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

      Cheers,
      Jorge


      Posted in Azure AD Connect, Windows Azure Active Directory

      (2019-10-08) Synched Computers/Devices Being Cleaned Up From Azure AD

      Posted by Jorge on 2019-10-08


      Starting with version 1.4.18.0 and higher of Azure AD Connect, you may see some or all of your Windows devices disappear from Azure AD after upgrading to that version and executing a sync cycle. This is not a cause for concern, as these device identities are not used by Azure AD during conditional access authorization. This change won’t delete any Windows devices that were correctly registered with Azure AD for Hybrid Azure AD Join.

      If you see the deletion of device objects in Azure AD exceeding the Export Deletion Threshold, it is advised to allow the deletions to go through. How To: allow deletes to flow when they exceed the deletion threshold

      Nevertheless you may want to analyze the deletion first. You can read the following blog post to see how you could do that: (2019-10-06) Examining Pending Export Deletions In Azure AD Connect

      More information about this can be found through Understanding Azure AD Connect 1.4.xx.x and device disappearance

      To verify which devices in your AD are candidates to be deleted in Azure AD, you can use the following PowerShell script: Export Hybrid Azure AD join computer certificates report

      This script generates a report about certificates stored in Active Directory computer objects, specifically certificates issued by the Hybrid Azure AD join feature. It checks the certificates present in the userCertificate property of a computer object in AD and, for each non-expired certificate present, validates whether the certificate was issued for the Hybrid Azure AD join feature (i.e. the Subject Name matches CN={ObjectGUID}). Before, Azure AD Connect would synchronize to Azure AD any computer that contained at least one valid certificate, but starting with Azure AD Connect version 1.4 the synchronization engine can identify Hybrid Azure AD join certificates and will "cloud filter" the computer object from synchronizing to Azure AD unless there is a valid Hybrid Azure AD join certificate. Azure AD devices that were already synchronized to Azure AD but do not have a valid Hybrid Azure AD join certificate will be deleted by the sync engine, as these will be filtered from being synched to Azure AD (CloudFiltered=TRUE).
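To make the check described above concrete, here is an added example (mine, not Microsoft's script and not part of the original post) that applies exactly that rule to computer objects coming out of Get-ADComputer: parse every blob in userCertificate as an X.509 certificate and look for one that is inside its validity window and whose Subject is CN=<objectGUID>. Computers without such a certificate are the ones that will be cloud filtered and, if they were synced before, deleted from Azure AD on the next export. The function name and the OU in the usage line are assumptions; it needs the ActiveDirectory module.

```powershell
Import-Module ActiveDirectory

Function Test-HybridAzureADJoinCertificate
{
    <#
    .SYNOPSIS
        Tells whether a computer object carries a valid Hybrid Azure AD join certificate.
    .DESCRIPTION
        Azure AD Connect 1.4 and later only keeps a computer in Azure AD when it has a non-expired
        certificate in userCertificate whose Subject equals CN=<objectGUID>. This function applies
        that rule and reports, per computer, whether it would be cloud filtered.
    #>
    [CmdletBinding()]
    Param
    (
        # Output of Get-ADComputer / Get-ADObject with -Properties userCertificate, objectGUID
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        $Computer
    )
    Process
    {
        # The Hybrid Azure AD join certificate subject is the objectGUID without braces
        $expectedSubject = "CN=$($Computer.objectGUID)"
        $now = Get-Date

        # userCertificate is multi-valued; guard against a single byte[] being passed in directly
        $values = $Computer.userCertificate
        If ($values -is [byte[]]) { $values = ,$values }

        $certs = @()
        foreach ($blob in $values)
        {
            try
            {
                $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)
            }
            catch
            {
                # Not every value has to be a parseable certificate; skip it rather than abort the report
                Write-Verbose "$($Computer.DistinguishedName): skipping unparseable userCertificate value"
            }
        }

        # A certificate only counts when the subject matches AND it is currently valid (not expired, not yet-to-start)
        $hybridJoinCerts = @($certs | Where-Object {
            $_.Subject -eq $expectedSubject -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
        })

        [PSCustomObject]@{
            DistinguishedName   = $Computer.DistinguishedName
            ObjectGUID          = $Computer.objectGUID
            CertificateCount    = $certs.Count
            HybridJoinCerts     = $hybridJoinCerts.Count
            LatestHybridExpiry  = ($hybridJoinCerts | Sort-Object NotAfter -Descending | Select-Object -First 1).NotAfter
            WillBeCloudFiltered = ($hybridJoinCerts.Count -eq 0)
        }
    }
}

# Usage: list the computers in one OU (assumed DN) that the 1.4+ sync engine would cloud filter;
# pipe to Export-Csv for a report
Get-ADComputer -Filter * -SearchBase 'OU=SYNC,DC=Fabrikam,DC=com' -Properties userCertificate, objectGUID |
    Test-HybridAzureADJoinCertificate |
    Where-Object WillBeCloudFiltered
```

Because the function only looks at the object handed to it, you can feed it computers from any AD domain, or from a global catalog query, which is exactly what the rest of this post sets up.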

      Now this script works great! But… unfortunately it does not work correctly in an AD forest with multiple AD domains. Besides that, there is a cosmetic issue. So, let’s start with the easy part!

      The script allows you to specify the distinguished name of a single object or the distinguished name of an OU. However, if you want to query the complete AD domain instead of just a single OU, you may think that’s not possible. Nope, it is still possible. The original writer of the script chose to name the parameter “DN” for a single object (computer) and “OU” when querying for computers in an OU. The latter name may mislead you: instead of the DN of an OU, you can also specify the DN of a container or the DN of a domain.

      In a single AD domain environment, this will work flawlessly. In a multiple AD domain environment it may not. For historic reasons many companies still have AD forests with multiple AD domains for which it is not cost effective to consolidate. Take for example the AD forest COMPANY.COM with the AD domains COMPANY.COM, CHILD1.COMPANY.COM and CHILD2.COMPANY.COM. If you are in COMPANY.COM and you query for objects in CHILD1.COMPANY.COM through PowerShell without specifying the -Server parameter (as in this script), it will throw an error due to a so-called referral: the DC you asked does not hold that naming context and points you to a DC of the AD domain that does. To query an object from another AD domain you need to target a DC from that same AD domain. If you need to query multiple AD domains you will be dancing all over the place! Sometimes there is no other way, but in this case there is! And what if you want to query the complete AD forest while having multiple AD domains? You can always query every individual AD domain, but wouldn’t it be nice to perform a single AD query that targets the complete AD forest? That is also possible!

      When querying AD, especially in an AD forest with multiple AD domains, you always need to think about: (1) are all the attributes used in my LDAP filter in the global catalog?, and (2) are the attributes I am looking for in the global catalog?

      Then you need to ask yourself: “where to start searching?”. The closer to the objects you want, the better!

      Rest assured! All objects of all domains are in the global catalog! The question is: “which attribute values of those objects are also replicated to the global catalog?”

      Any attribute that has the property “isMemberOfPartialAttributeSet” set to “TRUE” also replicates its value(s) to all global catalogs in the AD forest. To find all the attributes in the AD schema for which its value(s) replicate to the global catalog, you can have a look at the following blog post (2015-01-05) Finding Attributes Marked As Members Of Partial Attribute Set (PAS). It has examples with ADFIND, PowerShell and ADSI.

      Now looking at this script, the attribute of interest is “userCertificate”.

      To see if an attribute value replicates to the global catalog, you can use:

      Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=<LDAP DisplayName>))" -Properties lDAPDisplayName,isMemberOfPartialAttributeSet

      To see if the “userCertificate” attribute value replicates to the global catalog, you can use:

      Get-ADObject -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=userCertificate))" -Properties lDAPDisplayName,isMemberOfPartialAttributeSet

      Figure 1: Partial Schema Info Of The “userCertificate” Attribute

      Or you could visit https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada3/f9e923d6-c512-4beb-b963-afd695cea8ac, which will show you

      Figure 2: AD Schema Definition Of The “userCertificate” Attribute

      Guess what?! It does replicate to the global catalog! So, in this case the answer to both questions above is “YES”, therefore we can use the global catalog to perform this query.

      When you need to query the AD forest, you could start searching in the forest root AD domain and hope that the client you are using supports referral chasing. If it does not, it may throw an error telling you it does not support it, or it just returns nothing. Wouldn’t it be nice to have something that represents the whole AD forest? Well, there is: it is called the Phantom Root. You specify it as an empty search base (just two quotes with nothing in between), and you can only use it when querying against the global catalog (port 3268, or 3269 for LDAPS)!
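Checking one attribute at a time gets old quickly, so here is an added example (mine, not from the original post or the Microsoft script) that answers both questions from above in one go: it pulls the attribute names out of an LDAP filter, adds the attributes you intend to read, and looks each one up in the schema to see whether isMemberOfPartialAttributeSet is TRUE. Only when every attribute is in the Partial Attribute Set can the query safely run against a global catalog; an attribute outside the PAS is simply absent on the GC, so a filter on it matches nothing and a requested property comes back empty, without any error. The function and parameter names are mine; it needs the ActiveDirectory module and a reachable DC.

```powershell
Import-Module ActiveDirectory

Function Test-GCQueryable
{
    <#
    .SYNOPSIS
        Reports whether an LDAP filter, plus the attributes to be retrieved, can be served by a global catalog.
    .DESCRIPTION
        Every attribute referenced in -LDAPFilter and every attribute in -Properties is looked up in the
        schema partition. Only attributes with isMemberOfPartialAttributeSet = TRUE replicate to the GC.
    #>
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)]
        [String]$LDAPFilter,

        # Attributes you will ask for with -Properties on the real query
        [Parameter(Mandatory=$false)]
        [String[]]$Properties = @()
    )

    # Attribute names in a filter sit right after "(" and before the comparison operator.
    # The optional ":rule:" part of extensible matches (e.g. memberOf:1.2.840.113556.1.4.1941:=) is skipped.
    $filterAttrs = [regex]::Matches($LDAPFilter, '\(\s*([A-Za-z][A-Za-z0-9\-]*)\s*(:[^=]*)?[=~<>]') |
        ForEach-Object { $_.Groups[1].Value }

    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $results = foreach ($attr in (@($filterAttrs) + @($Properties) | Select-Object -Unique))
    {
        $schemaObj = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))" `
            -Properties lDAPDisplayName, isMemberOfPartialAttributeSet

        [PSCustomObject]@{
            Attribute = $attr
            InSchema  = [bool]$schemaObj
            # An attribute that was never added to the PAS has no value for isMemberOfPartialAttributeSet at all
            InPAS     = [bool]($schemaObj -and $schemaObj.isMemberOfPartialAttributeSet -eq $true)
        }
    }

    [PSCustomObject]@{
        # $true only if there is no attribute outside the PAS (an unknown attribute counts as outside)
        GCQueryable = -not ($results | Where-Object { -not $_.InPAS })
        Attributes  = $results
    }
}

# Usage: the query this post is about. objectClass, userCertificate and objectGUID are all in the PAS,
# so GCQueryable is $true and the search can be run against <gc>:3268 with SearchBase "" (Phantom Root).
$check = Test-GCQueryable -LDAPFilter '(&(objectClass=computer)(userCertificate=*))' -Properties userCertificate, objectGUID
$check.Attributes
$check.GCQueryable
```

Run it once more with an attribute you know is not in the PAS (for example one of your own schema extensions) to see GCQueryable flip to $false; that is the case where you must fall back to querying each AD domain through one of its own DCs.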

      Now for all this to work, some adjustments are needed in the original script! I’ll guide you through that to get a new working script.

      First things first. Download the PowerShell script: Export Hybrid Azure AD join computer certificates report 

      Replace…

      .EXAMPLE
         .\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -DN 'CN=Computer1,OU=SYNC,DC=Fabrikam,DC=com'
      .EXAMPLE
         .\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -OU 'OU=SYNC,DC=Fabrikam,DC=com' -Filename "MyHybridAzureADjoinReport.csv" -Verbose

      …with

      .EXAMPLE
          Looking at a specific computer

         .\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -DN 'CN=Computer1,OU=SYNC,DC=Fabrikam,DC=com'
      .EXAMPLE
          Looking at computer objects within a specific OU

         .\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -DN 'OU=SYNC,DC=Fabrikam,DC=com' -Filename "MyHybridAzureADjoinReport.csv" -Verbose
      .EXAMPLE
          Looking at computer objects within a specific AD domain

         .\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -DN 'DC=child,DC=Fabrikam,DC=com' -Filename "MyHybridAzureADjoinReport.csv" -Verbose
      .EXAMPLE
          Looking at computer objects within the complete AD forest (Phantom Root, queried through a global catalog)

         .\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 -DN PhantomRoot -Filename "MyHybridAzureADjoinReport.csv" -Verbose

      Replace…

      Param
      (
          # Computer DistinguishedName
          [Parameter(ParameterSetName='SingleObject',
                     Mandatory=$true,
                     ValueFromPipelineByPropertyName=$true,
                     Position=0)]
          [String]
          $DN,

          # AD OrganizationalUnit
          [Parameter(ParameterSetName='MultipleObjects',
                     Mandatory=$true,
                     ValueFromPipelineByPropertyName=$true,
                     Position=0)]
          [String]
          $OU,

          # Output CSV filename (optional)
          [Parameter(Mandatory=$false,
                     ValueFromPipelineByPropertyName=$false,
                     Position=1)]
          [String]
          $Filename

      )

      …with

      Param
      (
          # DistinguishedName of computer, OU, or domain
          [Parameter(Mandatory=$true,
                     ValueFromPipelineByPropertyName=$true,
                     Position=0)]
          [String]
          $DN,

          # Output CSV filename (optional)
          [Parameter(Mandatory=$false,
                      ValueFromPipelineByPropertyName=$false,
                     Position=1)]
          [String]
          $Filename
      )

      Replace…

      # Read AD object(s)
      If ($PSCmdlet.ParameterSetName -eq 'SingleObject')
      {
          $directoryObjs = @(Get-ADObject $DN -Properties UserCertificate)
          Write-Verbose "Starting report for a single object '$DN'"
      }
      Else
      {
          $directoryObjs = Get-ADObject -Filter { ObjectClass -like 'computer' } -SearchBase $OU -Properties UserCertificate
          Write-Verbose "Starting report for $($directoryObjs.Count) computer objects in OU '$OU'"
      }

      …with

      # Discover a global catalog once; it serves both the DN lookup and the forest-wide search
      $gcFQDN = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0]
      $gcServer = "$($gcFQDN):3268"

      # Retrieve Object Type Of DN
      If ($DN -ne "PhantomRoot")
      {
          # Escape the characters that have meaning inside an LDAP filter value (RFC 4515), so a DN
          # containing "(", ")", "*" or "\" (e.g. "CN=Smith\, John") neither breaks nor widens the filter
          $escapedDN = $DN -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
          # Look the DN up through the GC with an empty search base (Phantom Root), so an object in any
          # AD domain of the forest is found without hitting a referral. Do not use Get-ADObject $DN as it
          # will throw an error if the object does not exist (even with ErrorAction defined)!
          $objectType = (Get-ADObject -LDAPFilter "(distinguishedName=$escapedDN)" -SearchBase "" -Server $gcServer).objectClass
      }
      Else
      {
          $objectType = "forestDNS" # Madeup, not for real!
          $DN = ""
      }

      # Read AD object(s)
      If ($objectType -eq "computer")
      {
          # Target a DC of the computer's own AD domain, derived from the DC= components of its DN,
          # so the full object (not just the PAS attributes) can be read without a referral
          $domainFQDN = $($DN.SubString($DN.IndexOf(",DC=") + 1)).Replace(",DC=",".").Replace("DC=","")
          $directoryObjs = @(Get-ADObject $DN -Properties userCertificate -Server $domainFQDN)
      }
      ElseIf ($objectType -eq "domainDNS" -Or $objectType -eq "organizationalUnit" -Or $objectType -eq "container" -Or $objectType -eq "forestDNS")
      {
          # userCertificate is in the Partial Attribute Set, so a GC query (port 3268) returns it for computers
          # in every AD domain of the forest; with $DN = "" (Phantom Root) the search spans the whole forest
          $directoryObjs = Get-ADObject -Filter { ObjectClass -eq 'computer' } -SearchBase $DN -Properties userCertificate -Server $gcServer
      }
      Else
      {
          Write-Host "Specified DN '$DN'" -ForegroundColor Red
          Write-Host "Incorrect object type of specified DN or DN does not exist!" -ForegroundColor Red
          Write-Host "Aborting Script..." -ForegroundColor Red

          EXIT
      }

      UPDATE 2019-10-12: or get the updated version of the script from here

      Hopefully this works for you in your AD environment!

      Cheers,

      Jorge


      Posted in Active Directory Users And Computers, AD Queries, Azure AD Connect, Azure AD Join, Conditional Access, Windows Azure Active Directory, Windows Client, Windows Server

      (2019-10-08) Azure AD Connect v1.4.18.0 Has Been Pulled Back

      Posted by Jorge on 2019-10-08


      Microsoft has pulled back Azure AD Connect version 1.4.18.0 due to issues encountered at some customers.

      The current statement from Microsoft regarding this is:

      We are investigating an incident where some customers are experiencing an issue with existing Hybrid Azure AD joined devices after upgrading to this version of Azure AD Connect. We advise customers who have deployed Hybrid Azure AD join to postpone upgrading to this version (v1.4.18.0) until the root cause of these issues is fully understood and mitigated. More information will be provided as soon as possible.

      v1.4.25.0 is still available for auto-upgrade only.

      v1.3.21.0 is again the most recent version for manual download.

      More information: Azure AD Connect: Version release history

      Cheers,

      Jorge


      Posted in Azure AD Connect, Windows Azure Active Directory

      (2019-10-06) Examining Pending Export Deletions In Azure AD Connect

      Posted by Jorge on 2019-10-06


      If you know FIM/MIM, you also know that Azure AD Connect is based upon it under the hood. As described in Azure AD Connect sync: Prevent accidental deletes, Azure AD Connect allows you to configure a threshold that represents a normal/accepted number of deletions towards Azure AD. Now, if you only have a small number of objects to investigate, you can easily click through the Sync Service Manager. But what happens if you need to investigate hundreds or thousands of pending deletions? Try to do that in the Sync Service Manager and you’ll go through a loooooot of pain! Are there easier ways to do that? Fortunately, YES! So keep reading.

      Now please be aware that if the number of deletions is equal to or higher than the deletion threshold, the complete export operation to Azure AD is stopped, meaning no adds, updates or deletes reach Azure AD! This prevents unintended deletions due to mistakes, bad configurations, etc.

      To analyze those deletions, follow these steps.

      1. Log on to the ACTIVE (NON-Staging!) AAD Connect server (to determine the ACTIVE AAD Connect server, see below!)
      2. Open a PowerShell Command Prompt Window and export the pending exports from the connector space that needs further analysis (see below)
      3. Parse the CS Export file to make it readable (see below) (a PowerShell GridView is opened AND a CSV file is generated!)
      4. Either use the PowerShell GridView or the CSV to analyze the data being exported!
      5. For objects being deleted, check if those still exist in AD and what their state is (see below)

      [ad.1] Determine The Active AAD Connect Server

      Open a PowerShell Command Prompt Window, and execute:

      Import-Module ADSYNC

      Get-ADSyncGlobalSettingsParameter | ?{$_.Name -eq "Microsoft.Synchronize.StagingMode"} | Select Name,Value

      REMARK: If the VALUE is TRUE, then it is the Passive (Staging) Server; if the VALUE is FALSE or empty, then it is the Active (Non-Staging) Server.

      [ad.2] Export The Pending Exports From The Connector Space That Needs Analysis

      On The Active AAD Connect Server, open a PowerShell Command Prompt Window, and execute:

      CD "C:\Program Files\Microsoft Azure AD Sync\Bin"
      $connectorHT = New-Object system.collections.hashtable
      Write-Host ""
      Write-Host "+++ Available Connectors +++" -ForegroundColor Cyan
      $connectorNr = 0
      Get-ADSyncConnector | %{
          $connectorNr++
          $connectorName = $null
          $connectorName = $_.Name
          $connectorHT[$connectorNr.ToString()] = $connectorName
          Write-Host "[$connectorNr] - $connectorName" -ForegroundColor Magenta
          Write-Host ""
      }
      $chosenConnectorNr = $null
      $chosenConnectorNr = Read-host "Please Choose The Connector By Typing Its Number"

      $chosenConnectorName = $null
      $chosenConnectorName = $connectorHT[$chosenConnectorNr]
      $datetime = Get-Date -Format "yyyy-MM-dd_HH.mm.ss"
      $csExportXMLFilepath = Join-Path "C:\TEMP" $($datetime + "_CS-" + $chosenConnectorName + "_PendingExports.xml")
      $csExportCMD = ".\CSEXPORT.EXE `"$chosenConnectorname`" `"$csExportXMLFilepath`" /f:x"
      Invoke-Expression $csExportCMD
      Write-Host ""
      Write-Host "Export File…….: $csExportXMLFilepath" -ForegroundColor Cyan
      Write-Host ""

      [ad.3] Parse The CS Export XML File

      On The Active AAD Connect Server, open a PowerShell Command Prompt Window, and execute:

      CD "<Folder With Script>"

      # Strip the ".xml" suffix (TrimEnd would trim a character set, not a suffix)
      $csExportCSVFilepath = $csExportXMLFilepath -replace '\.xml$', ''

      .\Parse-CS-Export-XML-To-CSV.ps1 -outToAll -sourceXMLfilePaths $csExportXMLFilepath -targetFilePath $csExportCSVFilepath

      REMARK: the GridView will be opened automatically!

      Figure 1: Results After Parsing The XML File(s) To A CSV

      In the GridView or Excel, any value added or deleted is specified as such. Unchanged values are not listed.

      Figure 2: GridView Sample Output

      Figure 3: GridView Sample Output

      Figure 4: GridView Sample Output

      Figure 5: GridView Sample Output

      REMARK: To reopen the GridView using the CSV file use the following command:

      Import-CSV $($csExportCSVFilepath + ".csv") | Out-Gridview

      or

      Import-CSV "<CSV File Path>" | Out-Gridview

      [ad.5a] Check Deleted USERS Against AD

      Import-Module ActiveDirectory
      $csExportCSV = Import-CSV $($csExportCSVFilepath + ".csv")
      $objectListUsers = @()
      $csExportCSV | ?{$_."Object-Type" -eq "user" -And $_."Ops-Type" -eq "delete"} | %{
          $immutableID = $null
          $immutableID = $_."Source-ID"
          $userPrincipalName = $null
          $userPrincipalName = $_."AD-ID"

          # Match on the custom immutable ID attribute OR on the UPN
          $ldapFilter = $null
          $ldapFilter = "(|(raboADImmutableID=$immutableID)(userPrincipalName=$userPrincipalName))"

          # ":3268" queries the Global Catalog port, so the lookup is forest-wide
          $adObject = $null
          $adObject = Get-ADObject -LDAPFilter $ldapFilter -Server :3268 -Properties *

          $displayName = $null
          $status = $null
          $canonicalName = $null

          If ($adObject) {
              $displayName = $adObject.DisplayName
              # Bit 2 (ACCOUNTDISABLE) of userAccountControl
              $status = If (($adObject.userAccountControl -band 2) -eq 2) {"Disabled"} Else {"Enabled"}
              $canonicalName = $adObject.CanonicalName
          } Else {
              $displayName = "Unavailable"
              $status = "Unavailable"
              $canonicalName = "Unavailable"
          }

          $object = New-Object -TypeName System.Object
          $object | Add-Member -MemberType NoteProperty -Name "immutableID" -Value $immutableID
          $object | Add-Member -MemberType NoteProperty -Name "userPrincipalName" -Value $userPrincipalName
          $object | Add-Member -MemberType NoteProperty -Name "displayName" -Value $displayName
          $object | Add-Member -MemberType NoteProperty -Name "status" -Value $status
          $object | Add-Member -MemberType NoteProperty -Name "canonicalName" -Value $canonicalName
          $objectListUsers += $object
      }
      $objectListUsers | Out-GridView

      REMARK: A Gridview will be opened automatically telling you the status of the object and if it exists in AD

      [ad.5b] Check Deleted GROUPS Against AD

      $csExportCSV = Import-CSV $($csExportCSVFilepath + ".csv")
      $objectListGroups = @()
      $csExportCSV | ?{$_."Object-Type" -eq "group" -And $_."Ops-Type" -eq "delete"} | %{
          $immutableID = $null
          $immutableID = $_."Source-ID"
          # AD-ID for groups is DOMAIN\sAMAccountName: split it into its two parts
          $domain = $null
          $domain = $($_."AD-ID").SubString(0, $($_."AD-ID").IndexOf("\"))
          $sAMAccountName = $null
          $sAMAccountName = $($_."AD-ID").SubString($($_."AD-ID").IndexOf("\") + 1)
          $ldapFilter = $null
          $ldapFilter = "(|(raboADImmutableID=$immutableID)(sAMAccountName=$sAMAccountName))"
          # sAMAccountName is only unique within a domain, so query that domain on the LDAP port
          $adObject = $null
          $adObject = Get-ADObject -LDAPFilter $ldapFilter -Server "$($domain):389" -Properties *
          $displayName = $null
          $canonicalName = $null
          If ($adObject) {
              $displayName = $adObject.DisplayName
              $canonicalName = $adObject.CanonicalName
          } Else {
              $displayName = "Unavailable"
              $canonicalName = "Unavailable"
          }
          $object = New-Object -TypeName System.Object
          $object | Add-Member -MemberType NoteProperty -Name "immutableID" -Value $immutableID
          $object | Add-Member -MemberType NoteProperty -Name "sAMAccountName" -Value $sAMAccountName
          $object | Add-Member -MemberType NoteProperty -Name "displayName" -Value $displayName
          $object | Add-Member -MemberType NoteProperty -Name "canonicalName" -Value $canonicalName
          $objectListGroups += $object
      }
      $objectListGroups | Out-GridView

      REMARK: A Gridview will be opened automatically telling you the status of the object and if it exists in AD

      [ad.5c] Check Deleted CONTACTS Against AD

      Function GuidToEscapedByte($guid) {
          # Turn a GUID string into the byte-escaped form (\hh\hh...) an objectGUID LDAP filter expects.
          # The first three groups are stored little-endian, so their characters are reversed and
          # then re-paired per byte; the last two groups keep their order.
          $escapedGUID = ""
          $guidParts = $guid.Split("-")
          $reverse = $guidParts[0].ToCharArray()[($guidParts[0].Length - 1)..0] +
                     $guidParts[1].ToCharArray()[($guidParts[1].Length - 1)..0] +
                     $guidParts[2].ToCharArray()[($guidParts[2].Length - 1)..0]
          $rest = $guidParts[3].ToCharArray() + $guidParts[4].ToCharArray()
          for ($inc = 0; $inc -lt $reverse.Length; $inc += 2) {
              $escapedGUID = $escapedGUID + "\" + $reverse[$inc+1] + $reverse[$inc]
          }
          for ($inc = 0; $inc -lt $rest.Length; $inc += 2) {
              $escapedGUID = $escapedGUID + "\" + $rest[$inc] + $rest[$inc+1]
          }
          return $escapedGUID
      }
      $csExportCSV = Import-CSV $($csExportCSVFilepath + ".csv")
      $objectListContacts = @()
      $csExportCSV | ?{$_."Object-Type" -eq "contact" -And $_."Ops-Type" -eq "delete"} | %{
          $immutableID = $null
          $immutableID = $_."Source-ID"
          # The ImmutableID is the Base64 encoding of the objectGUID bytes; decode it back to a GUID
          $objectGUID = $null
          $objectGUID = (New-Object -TypeName System.Guid -ArgumentList(,(([System.Convert]::FromBase64String($immutableID))))).Guid
          $objectGUIDEscaped = $null
          $objectGUIDEscaped = GuidToEscapedByte $objectGUID
          $mail = $null
          $mail = $_."AD-ID"
          $ldapFilter = $null
          $ldapFilter = "(|(objectGUID=$objectGUIDEscaped)(mail=$mail))"
          $adObject = $null
          $adObject = Get-ADObject -LDAPFilter $ldapFilter -Server :3268 -Properties *
          $displayName = $null
          $canonicalName = $null
          If ($adObject) {
              $displayName = $adObject.DisplayName
              $canonicalName = $adObject.CanonicalName
          } Else {
              $displayName = "Unavailable"
              $canonicalName = "Unavailable"
          }
          $object = New-Object -TypeName System.Object
          $object | Add-Member -MemberType NoteProperty -Name "immutableID" -Value $immutableID
          $object | Add-Member -MemberType NoteProperty -Name "mail" -Value $mail
          $object | Add-Member -MemberType NoteProperty -Name "displayName" -Value $displayName
          $object | Add-Member -MemberType NoteProperty -Name "canonicalName" -Value $canonicalName
          $objectListContacts += $object
      }
      $objectListContacts | Out-GridView

      REMARK: A Gridview will be opened automatically telling you the status of the object and if it exists in AD
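The three lookups in [ad.5a] to [ad.5c] interpolate values from the CSV straight into an LDAP filter, so a UPN, sAMAccountName or mail value containing `*`, `(` or `)` would widen or break the query. The added example below (my code, not part of the original post) builds the same filters with every value escaped per RFC 4515 and derives the objectGUID clause directly from the ImmutableID bytes; the attribute name raboADImmutableID is taken from the post, and the sample GUID and mail values are constructed.

```powershell
# Added example (not code from the original post). Builds the LDAP filters used
# in steps [ad.5a]-[ad.5c], but escapes every value taken from the CS export CSV
# per RFC 4515 first, so a UPN, mail or sAMAccountName containing '*', '(' or
# ')' cannot widen the match or break the query. The ImmutableID (Base64 of the
# objectGUID bytes) is converted to the objectGUID byte filter directly from the
# bytes, without the string-reversal trick. 'raboADImmutableID' is the custom
# attribute used on the page; change it to your own.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # Backslash must be escaped first, otherwise the escapes below get re-escaped.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

function ConvertTo-LdapGuidFilterValue {
    # FromBase64String yields the same 16 bytes as Guid.ToByteArray(), which is
    # exactly the byte order an (objectGUID=\hh\hh...) filter expects.
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) { throw "ImmutableID does not decode to 16 bytes: $ImmutableId" }
    -join ($bytes | ForEach-Object { '\{0:x2}' -f $_ })
}

function New-PendingDeleteLdapFilter {
    # Same shape as the three filters in the post: immutable-ID attribute OR the
    # readable identifier carried in the CSV's 'AD-ID' column.
    param(
        [Parameter(Mandatory)][ValidateSet('user', 'group', 'contact')][string]$ObjectType,
        [Parameter(Mandatory)][string]$ImmutableId,
        [Parameter(Mandatory)][string]$AdId,
        [string]$ImmutableIdAttribute = 'raboADImmutableID'
    )
    $idAttr = switch ($ObjectType) { 'user' { 'userPrincipalName' } 'group' { 'sAMAccountName' } 'contact' { 'mail' } }
    # Groups arrive as DOMAIN\sAMAccountName in AD-ID; keep only the account name
    $idValue = if ($ObjectType -eq 'group' -and $AdId.Contains('\')) { $AdId.Substring($AdId.IndexOf('\') + 1) } else { $AdId }
    $idClause = "($idAttr=$(ConvertTo-LdapFilterValue $idValue))"
    if ($ObjectType -eq 'contact') {
        return "(|(objectGUID=$(ConvertTo-LdapGuidFilterValue $ImmutableId))$idClause)"
    }
    "(|($ImmutableIdAttribute=$(ConvertTo-LdapFilterValue $ImmutableId))$idClause)"
}

# Constructed sample input: a GUID, its ImmutableID form, and a mail value with filter metacharacters.
$sampleGuid = [guid]'12345678-9abc-def0-1234-56789abcdef0'
$sampleImmutableId = [System.Convert]::ToBase64String($sampleGuid.ToByteArray())
New-PendingDeleteLdapFilter -ObjectType contact -ImmutableId $sampleImmutableId -AdId 'a*b(c)@contoso.com'
New-PendingDeleteLdapFilter -ObjectType group -ImmutableId $sampleImmutableId -AdId 'CONTOSO\Sales Team'
```

The returned strings drop straight into `Get-ADObject -LDAPFilter` in place of the hand-built `$ldapFilter` values above.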

      Now, assuming you have confirmed all deletions are expected, you can lift the threshold or increase its value (temporarily) to allow the sync cycle to succeed! You need an Azure AD Admin Account with the Global Administrator role.

      • If needed elevate your account through https://portal.azure.com/ → Privileged Identity Management \ Azure AD Roles \ Global Administrator – Activate
      • On the active AAD Connect server, open a PowerShell Command prompt Window and execute:

      $aadAdminCreds=Get-Credential

      Get-ADSyncExportDeletionThreshold -AADCredential $aadAdminCreds

      Disable-ADSyncExportDeletionThreshold -AADCredential $aadAdminCreds

      REMARK: The sync engine may be syncing as you do that and you may receive an error. Just wait until the sync engine finishes.

      • As soon as the sync engine is not executing a sync cycle, execute:

      Start-ADSyncSyncCycle -PolicyType Delta

      • As soon as that sync cycle has finished enable the threshold again using the previous value

      Enable-ADSyncExportDeletionThreshold -DeletionThreshold <value> -AADCredential $aadAdminCreds
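The risk in the sequence above is walking away with the threshold still disabled if a step errors out. The added example below (my code, not part of the original post) wraps the same steps: it records the current threshold, pauses the scheduler so no scheduled cycle collides with the manual one, runs the delta cycle, and restores the original threshold and scheduler state in a finally block. The DeletionPrevention and DeletionThreshold property names on the Get-ADSyncExportDeletionThreshold output are assumed from the ADSync module's output; confirm them on your version.

```powershell
# Added example, not part of the original post. Wraps the threshold steps so the
# deletion threshold is never left disabled: read the current setting, pause the
# scheduler, wait for any running cycle, disable the threshold, run one delta
# cycle, then restore the original threshold and scheduler state in 'finally'.
# Assumed: Get-ADSyncExportDeletionThreshold returns DeletionPrevention (1 = on)
# and DeletionThreshold properties; verify with your ADSync module version.
function Invoke-DeltaSyncWithThresholdLifted {
    param(
        [Parameter(Mandatory)][pscredential]$AADCredential,
        [int]$PollSeconds = 30
    )
    Import-Module ADSync
    $original            = Get-ADSyncExportDeletionThreshold -AADCredential $AADCredential
    $schedulerWasEnabled = (Get-ADSyncScheduler).SyncCycleEnabled
    try {
        # Keep the scheduler from starting a cycle while we work, then wait for
        # any cycle already in flight (the threshold cmdlets error while one runs)
        Set-ADSyncScheduler -SyncCycleEnabled $false
        while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds $PollSeconds }

        Disable-ADSyncExportDeletionThreshold -AADCredential $AADCredential
        Start-ADSyncSyncCycle -PolicyType Delta

        # Start-ADSyncSyncCycle returns immediately; poll until the cycle drains
        Start-Sleep -Seconds 5
        while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds $PollSeconds }
    }
    finally {
        # Fail closed: put the original threshold back whatever happened above
        if ($original.DeletionPrevention -eq 1) {
            Enable-ADSyncExportDeletionThreshold -DeletionThreshold $original.DeletionThreshold -AADCredential $AADCredential
        }
        if ($schedulerWasEnabled) { Set-ADSyncScheduler -SyncCycleEnabled $true }
    }
    # Return the setting that was in place before, so the operator can confirm the restore
    $original
}

# Interactive use on the active AAD Connect server, as in the steps above
$aadAdminCreds = Get-Credential
Invoke-DeltaSyncWithThresholdLifted -AADCredential $aadAdminCreds
```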

      PS: this script also works for Pending Export Deletes in FIM/MIM and the script supports multiple source XML files (each for a different CS) as input files!

      Ohhh, and I almost forgot! You can download the script from here!

      Cheers,

      Jorge


      (2019-10-04) Azure AD Connect v1.4.25.0 Has Been Released

      Posted by Jorge on 2019-10-04


      Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

      • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
      • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
      • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
      • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

      Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

      Download "Microsoft Azure Active Directory Connect" (Always The Latest Downloadable Version Only!)

      Azure AD Connect: Version Release History

      1.4.25.0

      Released: 09/28/2019

      Released for auto-upgrade to select tenants. Not available for download.

      Prerequisites for Azure AD Connect

      More information about Azure AD Connect

      New Features And Improvements

      • N.A.

      Fixed issues

      • Under certain circumstances, servers that were auto upgraded to version 1.4.18.0 did not re-enable Self-service password reset and Password Writeback after the upgrade was completed. This auto upgrade release fixes that issue and re-enables Self-service password reset and Password Writeback.

      I ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle! I do not have auto-upgrade enabled, therefore unfortunately I cannot say anything about this version.

      On a side note, I once experienced that Password Writeback was disabled out of nothing, without understanding how it happened. Asking colleagues about this, and although we did not expect anyone to deliberately disable this, we did suspect it occurred during the upgrade of AAD Connect. By the way, it is good to know that those features are disabled on the AAD Connect server being upgraded!

      Cheers,
      Jorge
