A new version of Azure AD Connect has just been released that includes a significant number of changes and updates.
At the time of writing, this version of Azure AD Connect is not yet available through auto-upgrade and must be downloaded manually. If you have auto-upgrade enabled, keep an eye out for it arriving soon.
Manually upgrading the product is easy enough, but make sure you have backups in place, and compare your configuration before and after to make sure no unexpected changes have occurred.
If you have a staging environment, it makes sense to upgrade this first, confirm that everything is working as expected, and check that the pending exports look correct. If everything looks good, you can then switch the production box to standby and put the standby box into production mode.
Two new features in this release are now in general availability, the first being group writeback.
This allows distribution groups created in Azure AD to be created on-premises. This means that if you have users who only have on-premises accounts, they can now be a member of an Office 365 (O365) group and access the resources of that group, such as files stored in OneDrive or previously sent messages.
To use this feature, you need Azure Active Directory Premium Licences, and a hybrid deployment configured between your on-premises Exchange and O365 environments.
It is important to note that this does not allow you to manage on-premises security groups in Azure AD, or to create new on-premises security groups in Azure AD and have these written back. It is only there to let users who have not migrated to the Cloud access O365 Group resources.
See here for more information.
Exchange Mail Public is the other feature to go into general availability, allowing you to share and work with colleagues with greater ease.
Let’s look at the 3 big changes included in this release:
Unlike previous versions, which only advised against it, it is now no longer possible to change the default rules in the Rules Editor. When you upgrade, any default rules that have been modified will carry a warning symbol to alert you that a change has been made.
It is still possible to disable a default rule and create a copy. More info here.
This new support agent allows Microsoft to see the data and error messages in your environment, without it ever being saved.
The data is requested in the Azure Portal by a Microsoft Consultant and the agent sends the data to Azure, where the Microsoft consultant can view the information. Once the session is finished, all the data is removed.
The final significant change is that the connectors within the Sync Engine have been updated with a warning against making any changes, suggesting that the Wizard is used instead. This has always been recommended best practice, but this warning now makes that very clear.
Several other smaller changes and improvements have also been made, such as better error handling and messaging. A few changes also relate to ADFS, with auto-upgrade support for more scenarios and additional functionality.
There are also numerous fixes that will improve the performance of the sync engine and reduce the number of errors you see.
As of now, the only defect I have run into so far is when using the Merge or MergeIgnoreCase transformations.
In the past, this was one of the few exceptions to the rule, where editing the default rules was required: simply disabling them still caused the validation to fail.
Now that it is no longer possible to edit the default rules in the Rule Editor, it would be nice for the validation checks to skip disabled rules since, after all, they are not run.
As a workaround for this issue, it is still possible to delete default rules. Before you delete the rule, use the export command to generate a PowerShell script that re-creates it. Once this script has been created and saved, you can delete the default rule. Open the file, change the transformation for the rule that is causing the issue, and then run the PowerShell script.
The rule will now be back in the solution, with the change made as required. It is still recommended to create a duplicate rule and leave this one disabled, but at least the solution will continue to work.
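The workaround above, scripted with the ADSync cmdlets as an added example (not code from the original post or from Microsoft). It assumes the default rule has already been exported from the Sync Rules Editor to the path in $ExportPath and that the offending -ValueMergeType line in that file has been edited by hand; the rule name and file paths are placeholders.

```powershell
# Added example: back up, delete and re-create a default sync rule from an edited export.
# Assumes: $RuleName is the affected default rule, $ExportPath is its Rules Editor export.
Import-Module ADSync

$RuleName   = 'In from AD - User Common'                      # assumed rule name
$ExportPath = 'C:\ADSyncBackup\In-from-AD-User-Common.ps1'    # assumed export location
$BackupPath = 'C:\ADSyncBackup\In-from-AD-User-Common.clixml' # extra copy of the live object

# 1. Locate the rule and keep a second copy of the live object before deleting anything.
$rule = Get-ADSyncRule | Where-Object { $_.Name -eq $RuleName }
if (-not $rule) { throw "Sync rule '$RuleName' not found." }
$rule | Export-Clixml -Path $BackupPath

# Show which attribute flows use a merge transformation (the ones that trip validation).
$rule.AttributeFlowMappings |
    Where-Object { $_.ValueMergeType -like 'Merge*' } |
    Format-Table Destination, FlowType, ValueMergeType -AutoSize

# 2. Sanity-check the edited export: it must be the export of this rule, and the
#    merge transformation should have been changed before we delete the original.
if (-not (Test-Path $ExportPath)) { throw "Export file not found: $ExportPath" }
$export = Get-Content -Path $ExportPath -Raw
if ($export -notmatch [regex]::Escape($rule.Identifier.ToString())) {
    throw "Export file does not reference rule $($rule.Identifier); wrong file?"
}
if ($export -match "-ValueMergeType\s+'Merge") {
    Write-Warning 'Export still contains a merge transformation; confirm this is intended.'
}

# 3. Only now delete the default rule and re-create it from the edited export
#    (the exported script ends by calling Add-ADSyncRule itself).
Remove-ADSyncRule -Identifier $rule.Identifier
& $ExportPath

# 4. Verify the rule is back under the same identifier and report any merge flows left.
$recreated = Get-ADSyncRule -Identifier $rule.Identifier
if (-not $recreated) { throw "Rule was not re-created; restore from $BackupPath." }
$remaining = @($recreated.AttributeFlowMappings | Where-Object { $_.ValueMergeType -like 'Merge*' })
"Re-created '$($recreated.Name)' with $($remaining.Count) merge flow(s) remaining."
```

Run this on the staging server first, as the post recommends for the upgrade itself, and keep the .clixml copy until a full sync cycle has completed without errors.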
Ian Bassi is a Senior Consultant and Identity Imagineer at ThirdSpace. He is always looking for new ways to do things and try out the latest releases – he loves learning! He is responsible for...