If your installed version of Azure AD Connect is older than 18 months, you’ll miss out on the latest security fixes, performance improvements and more.
In November 2019, Microsoft made an announcement regarding Azure AD Connect which may have slipped by without anyone noticing, yet it is important for any customer who is using Azure Active Directory.
The announcement concerned support for older versions of Azure AD Connect. Specifically, it described the removal of support for any version of Azure AD Connect that is over 18 months old:
“Starting on November 1st, 2020, we will begin implementing a deprecation process whereby versions of Azure AD Connect that were released more than 18 months ago will be deprecated. At that time we will begin this process by deprecating all releases of Azure AD Connect with version 1.1.751.0 (which was released on 4/12/2018) and older, and we will proceed to evaluate the deprecation of older versions of Azure AD Connect every time a new version releases.”
Since the initial release of Office 365 and Azure AD, synchronising information from an on-premises AD to Azure is something that we have all had to do. It started with DirSync and moved to Azure AD Connect back in September 2014.
Since the beginning of November, Microsoft have only been providing support for versions of Azure AD Connect that were released in the last 18 months.
As I write this (24 December 2019), that means that any version prior to 1.1.880.0 (released August 2018) is no longer supported. To show how often the system changes, the current version number is [version number garbled in the source page].
While Microsoft are generally quite good at sending out information to the Azure admin team, your environment may be one of those where the Azure admin accounts are not email-enabled, or are not in day-to-day use, and so the messages are never received.
Azure AD Connect synchronises identities from an on-premises AD out to Azure AD (and then onwards to other services like Office 365). Initially, this was a simple one-way synchronisation, but over time has become more of a two-way service with additional features.
Azure AD Connect now provides the password update facility for self-service password reset; it creates objects in AD based on records in an HR system such as Workday, and updates group information held in Azure.
These extra facilities have been added over the last five years, and this has left Microsoft with the issue of supporting many different versions of the software (currently 50 versions).
Obviously, the first thing to do is find the currently installed version. This can be done by logging on to the server where Azure AD Connect is installed and opening “Programs and Features” from Control Panel. The version number is shown clearly in the list of applications.
If the version needs to be upgraded, this is normally a straightforward operation. Since version 1.1.750.0, Azure AD Connect has been able to upgrade itself automatically to the latest version (if your policies allow this to take place). Otherwise, an in-place upgrade can be performed.
The newer versions of Azure AD Connect have some features that are very important. As an example, it is no longer possible to overwrite the standard rules when you need to add in a new rule.
Instead, Azure AD Connect will create a copy of the original rule and disable it, meaning that the new rule can be created cleanly. When the system is then upgraded, the new rule is left untouched even if the original rule is updated.
This does mean that care needs to be taken if any custom rules were put in place by overwriting the original rule. In those cases, the custom rule will be overwritten by the update.
If in doubt, make sure that you have a full backup of the Azure AD Connect server (and of course the SQL database that holds the information) so it can be put back if required.
If your configuration is complicated – either has a large number of users, or is linking multiple on-premises AD environments – then a swing upgrade (rather than an in-place upgrade) should be undertaken. This involves using a second environment and swinging the functionality to a second system while the first remains in place.
Alternatively, getting external help to assist with the upgrade (making sure that any custom rules are documented and validated before any upgrade takes place) is something that could be considered.
So, how important is this?
If nothing goes wrong with your system, then there is nothing to worry about, as older versions of Azure AD Connect will continue to operate (although without the newer functionality). However, if something goes wrong, the first thing that will have to happen before any support is offered will be an upgrade. Only when the upgrade has been completed will it be possible to get support from Microsoft on the actual issue.
What should you do next?
If you are reading this after January 2020, then the supported version number will have changed, so please refer to Microsoft’s Azure AD Connect version release history page to get the full version history and determine which version you must update to (we would normally say go with the latest version in any case).
When you know what version number you need to update to then you should check your documentation and see if you have any custom rules in place.
Then proceed to plan the upgrade appropriately, using either an in-place or a swing upgrade.
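The checks in the steps above (find the installed version, confirm whether it is inside the 18-month window, see whether automatic upgrade is in play, and inventory any custom rules before touching anything) can be collected in one script run on the sync server. The script below is an added example and is not code from the original post or from Microsoft; it assumes it runs elevated on the Azure AD Connect server with the ADSync PowerShell module installed, and the minimum version it compares against is the 1.1.880.0 figure from this post, which you should replace with the current cut-off from Microsoft's release history page.

```powershell
# Added example, not from the original post. Pre-upgrade inventory for an
# Azure AD Connect server. Assumes: run elevated on the sync server itself,
# ADSync module present. $MinimumSupportedVersion is taken from the post
# (1.1.880.0, August 2018); update it from Microsoft's release history page.
$MinimumSupportedVersion = [version]'1.1.880.0'

# 1. Installed version, read from the same uninstall entries that populate
#    "Programs and Features", so it matches what the Control Panel shows.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$aadc = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' } |
    Select-Object -First 1

if (-not $aadc) {
    Write-Warning 'Azure AD Connect does not appear to be installed on this server.'
    return
}

# [version] gives a proper numeric comparison; string comparison would put
# 1.1.880.0 ahead of 1.4.38.0, which is exactly the mistake to avoid.
$installed = [version]$aadc.DisplayVersion
if ($installed -lt $MinimumSupportedVersion) {
    Write-Warning "Installed version $installed is older than $MinimumSupportedVersion and is out of support."
} else {
    Write-Output "Installed version $installed is within the supported window."
}

# 2. Automatic upgrade state. Returns Enabled, Disabled or Suspended; a
#    Suspended result usually means the configuration is one the automatic
#    upgrade will not handle, so plan a manual in-place or swing upgrade.
Import-Module ADSync -ErrorAction Stop
$autoUpgrade = Get-ADSyncAutoUpgrade
Write-Output "Automatic upgrade: $autoUpgrade"

# 3. Custom synchronisation rules. Anything that is not a standard rule is
#    yours to document and validate before the upgrade. Disabled standard
#    rules are listed too: that is the copy-and-disable pattern newer versions
#    use, and it tells you where a custom rule replaced a default one.
$allRules     = Get-ADSyncRule
$customRules  = $allRules | Where-Object { -not $_.IsStandardRule }
$disabledStd  = $allRules | Where-Object { $_.IsStandardRule -and $_.Disabled }

Write-Output "Custom rules: $($customRules.Count)"
$customRules |
    Select-Object Name, Direction, Precedence, Disabled |
    Sort-Object Precedence |
    Format-Table -AutoSize

Write-Output "Disabled standard rules (replaced by a custom copy): $($disabledStd.Count)"
$disabledStd | Select-Object Name, Direction, Precedence | Format-Table -AutoSize

# Keep a record alongside the server backup so the rules can be re-created
# or compared after the upgrade.
$report = Join-Path $env:USERPROFILE ("AADConnect-PreUpgrade-{0:yyyyMMdd}.xml" -f (Get-Date))
$customRules | Export-Clixml -Path $report
Write-Output "Custom rule export written to $report"
```

Run it once before scheduling the upgrade and keep the exported rule file with the server and database backup mentioned earlier; after the upgrade, re-running the rule inventory and comparing it with the export is a quick way to confirm nothing custom was lost.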
If you are unsure at any point, then why not arrange a Vision Call and we will be happy to help with the upgrade process and validation of the correct operation.
As ThirdSpace’s Solution Architect and Technology Evangelist (yes, he knows it’s a long title), Dave has a background in IT that goes back to installing a piece of kit called a Microsoft Softcard in...