History of AAD Connect
User synchronization solutions has been here for a long time and they have evolved all the time, sometimes faster sometimes slower.
Middle of September Microsoft released a new main version from Azure AAD Connect and the same time released the retirement of the old client and the deadline for this is August 31st 2022.
With the new client you have to user at least Server 2016, 2012 r2 isn’t supported anymore.
Microsoft released 21st of September a new version of 1.x client as an auto-upgrade for organizations that cannot upgrade to V2, thanks Microsoft. I know that there is still a lot of organization using 2012 r2 so this is nice option.
I’m not that much following Windows Server versions roadmap and their new features but for this purpose I had to to dig deeper.
Windows Server 2022
Windows Server 2022 has AAD Connect version 18.104.22.168 installed by default.
In-place upgrade or staged?
There is no short answer for this, if you have Server 2012 r2 staged because you cannot install v2 endpoint to Server 2012 r2 and in many of the cases it would better for your to do a staged migration.
When you are doing this one you could find out what is inside your sync config with this tool.
It will create a one page html file with the configuration so it’s easy for you to browse the config and it’s also generated a PowerShell file to check the exported config against the new config that will implement.
Azure AD roles
Always use the principle of least permissive to prevent trouble. User syncing was at first a different animal. It needed the highest privileges that you could have, both side on-premises and Azure.
Thank God today there an option to use less destructive force.
For Azure AD roles the is a Hybrid Identity Administrator role available that is all you need.
|Hybrid Identity Administrator||Can manage AD to Azure AD cloud provisioning, Azure AD Connect, and federation settings.|
And inside on-premises AD you need Enterprise admin rights only for the install (and possible not even for that) not after that one. You should be always using a Managed service account for service account not a real “my password will not expire and I have sudo rights to all doors” user.
Security first, always.
Synced attribute changes
Synced attributes from and to the cloud. No news attributes coming with version 2.
ADAL to MSAL
MSAL is more secure and support more features for your identity than ADAL did.
|Security fixes beyond June 30, 2022|
|Proactively refresh and revoke tokens based on policy or critical events for Microsoft Graph and other APIs that support Continuous Access Evaluation (CAE).|
|Standards compliant with OAuth v2.0 and OpenID Connect (OIDC)|
|User accounts and experiences|
|Azure Active Directory (Azure AD) accounts|
|Microsoft account (MSA)|
|Azure AD B2C accounts|
|Best single sign-on experience|
|Proactive token renewal|
MSAL in AD FS
You can use MSAL.NET, MSAL Java, and MSAL Python to get tokens from Active Directory Federation Services (AD FS) 2019 or later. Earlier versions of AD FS, including AD FS 2016, are unsupported by MSAL.
If you need to continue using AD FS, you should upgrade to AD FS 2019 or later before you update your applications from ADAL to MSAL.
But if you want to move to cloud only from on-premise federation it available for you with staged features.
EOL for ADAL aka the v1 endpoint
Starting, June 30th, 2020, we will no longer add any new features to ADAL and Azure AD Graph
Starting June 30th, 2022, we will end support for ADAL and Azure AD Graph and will no longer provide technical support or security updates.
In summary what’s new with v2 compared to v1
|Needs Server 2016 or up||Enforces and requires TLS 1.2|
|SQL express will be upgraded to version 2019||Now supports up to 250k group size|
|No need for Global admin account, use Hybrid Identity Administrator instead||No need for Global admin account, use Hybrid Identity Administrator instead|
|MSAL for authentication|
There are two major differences for the new version and these are the reason I think you really should update to it.
- Hybrid Identity Administrator usage and the principle of least privilege, a major change compared to the old one.
- MSAL library usage, huge change also with this one. Feature amount goes up and the identity usage will be a lot better.
And because all the cute cat videos get a lot of attention inside social media.
Keep tuned for more Identity related content (and others)!