What’s new with AAD Connect V2 and why to migrate?

History of AAD Connect

User synchronization solutions have been around for a long time, and they have evolved continuously, sometimes faster and sometimes slower.

In mid-September Microsoft released a new major version of Azure AD Connect and at the same time announced the retirement of the old client; the deadline for this is August 31st 2022.

With the new client you have to use at least Server 2016; Server 2012 R2 isn’t supported anymore.

On the 21st of September Microsoft released a new version of the 1.x client as an auto-upgrade for organizations that cannot upgrade to V2, thanks Microsoft. I know that there are still a lot of organizations using 2012 R2, so this is a nice option.

I’m not following the Windows Server version roadmap and its new features that much, but for this purpose I had to dig deeper.

Windows Server 2022

Windows Server 2022 has AAD Connect version 2.0.25.1 installed by default.

In-place upgrade or staged?

There is no short answer to this. If you have Server 2012 R2, go staged, because you cannot install V2 on Server 2012 R2, and in many cases it would be better for you to do a staged migration anyway.

When you are doing this, you can find out what is inside your sync config with this tool.

It creates a one-page HTML file with the configuration, so it’s easy for you to browse the config, and it also generates a PowerShell file to check the exported config against the new config that you will implement.

Azure AD roles

Always use the principle of least privilege to prevent trouble. User syncing was at first a different animal: it needed the highest privileges you could have, on both the on-premises and the Azure side.

Thank God, today there is an option to use less destructive force.

For Azure AD roles there is a Hybrid Identity Administrator role available, and that is all you need.

Hybrid Identity Administrator: Can manage AD to Azure AD cloud provisioning, Azure AD Connect, and federation settings.

Inside on-premises AD you need Enterprise Admin rights only for the install (and possibly not even for that), not after it. You should always use a managed service account as the service account, not a real “my password will not expire and I have sudo rights to all doors” user.

Security first, always.
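As an added example (not from the original post), this PowerShell snippet uses the Microsoft Graph PowerShell SDK to list who holds Global Administrator versus Hybrid Identity Administrator, so any account that only runs Azure AD Connect can be moved to the lesser role. The scope, the `Sync_` name prefix check and the `Get-RoleHolders` function name are assumptions.

```powershell
# Added example, not the post's own code. Requires: Install-Module Microsoft.Graph
# The scope below is an assumption sufficient for read-only directory role queries.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory'

function Get-RoleHolders {
    param([string]$RoleName)
    # Get-MgDirectoryRole only returns roles that have been activated in the tenant
    $role = Get-MgDirectoryRole -Filter "displayName eq '$RoleName'"
    if (-not $role) { return @() }
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | ForEach-Object {
        # Members come back as generic directoryObjects; details sit in AdditionalProperties
        $props = $_.AdditionalProperties
        $name = if ($props['userPrincipalName']) { $props['userPrincipalName'] }
                else { $props['displayName'] }
        [pscustomobject]@{
            Role = $RoleName
            Type = $props['@odata.type']
            Name = $name
        }
    }
}

$ga  = @(Get-RoleHolders 'Global Administrator')
$hia = @(Get-RoleHolders 'Hybrid Identity Administrator')

"Global Administrator holders:          $($ga.Count)"
"Hybrid Identity Administrator holders: $($hia.Count)"

# Assumption: the Azure AD Connect cloud account keeps its default 'Sync_' prefix.
# A sync account in Global Administrator is over-privileged for V2.
$ga | Where-Object { $_.Name -like 'Sync_*' } | ForEach-Object {
    "Review: $($_.Name) holds Global Administrator; Hybrid Identity Administrator is enough for Azure AD Connect"
}

Disconnect-MgGraph | Out-Null
```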

Synced attribute changes

Synced attributes from and to the cloud: no new attributes come with version 2.

ADAL to MSAL

MSAL is more secure and supports more features for your identity than ADAL did.

| Feature | MSAL | ADAL |
|---|---|---|
| Security | | |
| Security fixes beyond June 30, 2022 | Yes | No |
| Proactively refresh and revoke tokens based on policy or critical events for Microsoft Graph and other APIs that support Continuous Access Evaluation (CAE) | Yes | No |
| Standards compliant with OAuth v2.0 and OpenID Connect (OIDC) | Yes | No |
| User accounts and experiences | | |
| Azure Active Directory (Azure AD) accounts | Yes | Yes |
| Microsoft account (MSA) | Yes | No |
| Azure AD B2C accounts | Yes | No |
| Best single sign-on experience | Yes | No |
| Resilience | | |
| Proactive token renewal | Yes | No |
| Throttling | Yes | No |

MSAL in AD FS

You can use MSAL.NET, MSAL Java, and MSAL Python to get tokens from Active Directory Federation Services (AD FS) 2019 or later. Earlier versions of AD FS, including AD FS 2016, are unsupported by MSAL.

If you need to continue using AD FS, you should upgrade to AD FS 2019 or later before you update your applications from ADAL to MSAL.

But if you want to move from on-premises federation to cloud-only authentication, that is available to you with the staged rollout features.

EOL for ADAL aka the v1 endpoint

Starting June 30th, 2020, we will no longer add any new features to ADAL and Azure AD Graph.

Starting June 30th, 2022, we will end support for ADAL and Azure AD Graph and will no longer provide technical support or security updates.

In summary what’s new with v2 compared to v1

| Requirements | Features |
|---|---|
| Needs Server 2016 or up | Enforces and requires TLS 1.2 |
| SQL Express will be upgraded to version 2019 | Now supports up to 250k group size |
| No need for Global admin account, use Hybrid Identity Administrator instead | No need for Global admin account, use Hybrid Identity Administrator instead |
| | MSAL for authentication |
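As an added example (not from the original post), the PowerShell check below turns the requirements in the table above into a readiness report for an existing sync server: OS build, installed Azure AD Connect version, TLS 1.2 and .NET strong-crypto settings, and whether the ADSync service runs under a managed account. The function name and the thresholds are assumptions; the registry paths are the standard Windows locations.

```powershell
# Added example, not the post's own code. Run in an elevated session on the sync server.
function Test-AadConnectV2Readiness {
    $results = [ordered]@{}

    # 1. Server 2016 (build 14393) or newer is required for the V2 client
    $os = Get-CimInstance Win32_OperatingSystem
    $results['OS build >= Server 2016'] = [int]$os.BuildNumber -ge 14393

    # 2. Installed Azure AD Connect version, read from the Uninstall registry keys
    $aadc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
            Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
            Select-Object -First 1
    $results['AAD Connect already 2.x'] = [bool]($aadc -and ([version]$aadc.DisplayVersion).Major -ge 2)

    # 3. TLS 1.2 must not be disabled in SCHANNEL; a missing key means the OS default
    #    (enabled on Server 2016 and later), so only an explicit disable fails here
    $tls = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    $tlsOk = $true
    foreach ($side in 'Client', 'Server') {
        $p = Get-ItemProperty -Path "$tls\$side" -ErrorAction SilentlyContinue
        if ($p -and ($p.Enabled -eq 0 -or $p.DisabledByDefault -eq 1)) { $tlsOk = $false }
    }
    $results['TLS 1.2 not disabled (SCHANNEL)'] = $tlsOk

    # 4. .NET Framework must prefer strong crypto (TLS 1.2) for both 64- and 32-bit
    $netOk = $true
    foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $p = Get-ItemProperty -Path $net -ErrorAction SilentlyContinue
        if (-not $p -or $p.SchUseStrongCrypto -ne 1) { $netOk = $false }
    }
    $results['.NET SchUseStrongCrypto = 1'] = $netOk

    # 5. ADSync should run as a gMSA (name ends with '$') or the built-in virtual
    #    service account, not as a regular user with a non-expiring password
    $svc = Get-CimInstance Win32_Service -Filter "Name='ADSync'"
    $results['ADSync uses managed account'] =
        [bool]($svc -and ($svc.StartName -match '\$$' -or $svc.StartName -like 'NT SERVICE\*'))

    # Report
    foreach ($entry in $results.GetEnumerator()) {
        $status = if ($entry.Value) { 'PASS' } else { 'CHECK' }
        '{0,-34} {1}' -f $entry.Key, $status
    }
    if ($aadc) { "Installed AAD Connect version: $($aadc.DisplayVersion)" }
    if ($svc)  { "ADSync service account:        $($svc.StartName)" }
}

Test-AadConnectV2Readiness
```

A CHECK result on the SQL Express or group-size items is not covered here because those are handled by the V2 installer itself.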

Final recommendations

There are two major differences in the new version, and they are the reason I think you really should update to it.

  1. Hybrid Identity Administrator usage and the principle of least privilege, a major change compared to the old one.
  2. MSAL library usage, a huge change as well. The number of features goes up and identity handling will be a lot better.

And because all the cute cat videos get a lot of attention on social media.


Keep tuned for more Identity related content (and others)!

Author: Harri Jaakkonen
