These days I’m in The Netherlands where I had the opportunity to meet some great people and we’ve started talking about Azure AD. So I had to spread the news about a new version of the Azure AD Connect tool.
Microsoft now provides us version 1.1. Azure AD Connect is a simple tool that allows you to synchronize your on-premises AD objects to Azure AD, doing that easily and effectively.
If you want to know more about Azure AD Connect, you can see a presentation that I’ve delivered lately using the previous version of the tool. The video of the presentation can be found here: https://spanougakis.wordpress.com/2016/01/24/azure-ad-what-is-multifactor-authentication-2/
So let’s go and see what is new about this new version of AAD Connect. You can first download the tool from the Microsoft web site here: https://www.microsoft.com/en-us/download/details.aspx?id=47594 and if you check the version, you can clearly see that this is the 1.1 release, published on the 16th of February 2016. Assuming that you’ve already downloaded this new version, you should install it on your on-premises Domain Controller. On my Domain Controller I had the previous version of AAD Connect, so I could tell the difference by just comparing the 2 files, where you can clearly see a difference in size:
So let’s install the new version. You can immediately see that this will be an upgrade of the old version of AAD Connect. Please note that synchronization will stop during the upgrade:
As soon as the synchronization engine is upgraded, you’re asked to provide your credentials to connect to Azure AD:
The next step is to provide your local Domain Administrator credentials:
And we’re almost finished, you should click the “Upgrade” button to go on:
If you want to check the status of the synchronization, you can use the Synchronization Service Manager console to see when the last synchronization happened:
If you logon to the Azure AD Portal, you could quickly identify the user accounts that were synchronized from your on-premises Active Directory:
But what are actually the new benefits and improvements we get from that new version of AAD Connect? Let’s take a look.
Automatic Upgrade: Microsoft says that they may update Azure AD Connect on a regular basis. By enabling this feature, it will be possible to auto-update the tool to future versions and benefit from improvements and new capabilities with no administrative intervention.
Reduced Sync Interval: The default sync interval was set at 3 hours and changing that frequency was not supported. The tool now syncs directory data every 30 minutes by default. Additionally, you can configure the sync interval in a supported way. However, choosing a value lower than 30 minutes is not supported.
To see your current configuration settings, open PowerShell and run Get-ADSyncScheduler. It will show you something like this:
- AllowedSyncCycleInterval. The most frequent interval at which Azure AD allows synchronizations to occur. You cannot synchronize more frequently than this and still be supported.
- CurrentlyEffectiveSyncCycleInterval. The schedule currently in effect. It will have the same value as CustomizedSyncCycleInterval (if set) as long as that is not more frequent than AllowedSyncCycleInterval. If you change CustomizedSyncCycleInterval, the new value takes effect after the next synchronization cycle.
- CustomizedSyncCycleInterval. If you want the scheduler to run at any other frequency than the default 30 minutes, you configure this setting. If you set this to a value lower than AllowedSyncCycleInterval, the latter will be used.
- NextSyncCyclePolicyType. Either Delta or Initial. Defines if the next run should only process delta changes, or if the next run should do a full import and sync, which would also reprocess any new or changed rules.
- NextSyncCycleStartTimeInUTC. Next time the scheduler will start the next sync cycle.
- PurgeRunHistoryInterval. The time operation logs should be kept. These can be reviewed in the synchronization service manager. The default is to keep these for 7 days.
- SyncCycleEnabled. Indicates if the scheduler is running the import, sync, and export processes as part of its operation.
- MaintenanceEnabled. Shows if the maintenance process is enabled. It will update the certificates/keys and purge the operations log.
- IsStagingModeEnabled. Shows if staging mode is enabled.
You can modify all these settings with Set-ADSyncScheduler. The parameter IsStagingModeEnabled can only be set by the installation wizard.
More details about the scheduler can be found in this article, which I recommend you take a look at: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-feature-scheduler/
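As an added example (my own script, not part of Microsoft’s documentation), here is how the scheduler settings described above can be read and changed from PowerShell on the AAD Connect server. It assumes the ADSync module is available and the session is elevated; the 1-hour interval and the 30-day run-history retention are values I chose for illustration.

```powershell
# Added example: inspect the AAD Connect scheduler and apply a supported custom interval.
# Assumes the ADSync module is present on the AAD Connect server and PowerShell is elevated.
Import-Module ADSync

$sched = Get-ADSyncScheduler

# Report the settings discussed in the post
"AllowedSyncCycleInterval           : $($sched.AllowedSyncCycleInterval)"
"CurrentlyEffectiveSyncCycleInterval: $($sched.CurrentlyEffectiveSyncCycleInterval)"
"CustomizedSyncCycleInterval        : $($sched.CustomizedSyncCycleInterval)"
"SyncCycleEnabled                   : $($sched.SyncCycleEnabled)"
"IsStagingModeEnabled               : $($sched.IsStagingModeEnabled)"

if ($sched.IsStagingModeEnabled) {
    Write-Warning "Staging mode is enabled: this server imports and syncs but does not export to Azure AD."
}

# A customized interval below AllowedSyncCycleInterval is replaced by the allowed value,
# so clamp the requested interval before applying it (1 hour is an assumed value).
$requested = New-TimeSpan -Hours 1
if ($requested -lt $sched.AllowedSyncCycleInterval) {
    Write-Warning ("Requested interval {0} is below the allowed minimum {1}; using the minimum." -f `
        $requested, $sched.AllowedSyncCycleInterval)
    $requested = $sched.AllowedSyncCycleInterval
}
Set-ADSyncScheduler -CustomizedSyncCycleInterval $requested

# Keep operation logs longer than the 7-day default so earlier cycles can still be
# reviewed in Synchronization Service Manager (30 days is an assumed value).
Set-ADSyncScheduler -PurgeRunHistoryInterval (New-TimeSpan -Days 30)

# The new interval only takes effect after the next cycle, so start a delta cycle now
Start-ADSyncSyncCycle -PolicyType Delta

# Confirm what the scheduler will do next
Get-ADSyncScheduler | Select-Object CustomizedSyncCycleInterval, CurrentlyEffectiveSyncCycleInterval, `
    NextSyncCycleStartTimeInUTC, NextSyncCyclePolicyType, PurgeRunHistoryInterval
```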
Modern Authentication: in the past the Azure AD Connect wizard did not natively integrate with Multi-Factor Authentication in Azure AD. As a result, using an admin account with MFA was difficult (take a look at this blog post to find out what is Azure AD Multi-Factor Authentication: https://spanougakis.wordpress.com/2016/01/24/azure-ad-what-is-multifactor-authentication-2/). Now we can specify an admin user that has MFA or PIM configured to connect to Azure AD:
(Picture taken from that blog post: https://blogs.technet.microsoft.com/ad/2016/02/18/azure-ad-connect-1-1-is-now-ga-faster-sync-times-automatic-upgrades-and-more/)
Domain and OU Filtering: In some specific cases you need to be able to specify which OUs should have their contents synchronized. This capability was not natively supported in the Azure AD Connect wizard before and required a post-install step outside of the wizard to configure. With this release, in the ‘customize’ path of the Azure AD Connect install, you will now have the option to select the domains and OUs which should be synchronized.
So we need to run the AAD Connect tool and specify that we want to “Customize synchronization options”:
We can select the OUs that we want to include in the sync process:
It is important to notice something new here: Group writeback is now in Preview, meaning that a group created in Azure AD can be written back to our on-premises AD:
Changing the user’s sign-in method: In previous releases of Azure AD Connect, once a particular sign-in method was chosen at the time of install, you couldn’t change the chosen method through the wizard without a reinstallation. It is now possible to change the method through the Azure AD Connect wizard. Just run the installation wizard again to change the sign-in option:
It’s now possible to change the user’s sign-in method to AD Federation Services:
You can take a look at the version release history of AAD Connect here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-version-history/
Have a nice weekend!