It’s time for a new version of Azure AD Connect that incorporates Microsoft’s lessons learned and distributes the fixes Microsoft has made to the wider public. Last Friday, Microsoft released the first version in the 1.4 branch of Azure AD Connect: v1.4.x.0
Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.
Highlights
The headline for this release is the refinement of the AD FS management tasks:
- Enabled six federation management tasks for all sign-in methods in Azure AD Connect. (Previously, only the “Update AD FS SSL certificate” task was available for all sign-ins.)
- Removed token-signing certificates from the “Reset Azure AD and AD FS trust” task and added a separate sub-task to update these certificates.
- Added a new federation management task called “Manage certificates” which has sub-tasks to update the SSL or token-signing certificates for the AD FS farm.
- Added a new federation management sub-task called “Specify primary server” which allows administrators to specify a new primary server for the AD FS farm.
- Added a new federation management task called “Manage servers” which has sub-tasks to deploy an AD FS server, deploy a Web Application Proxy server, and specify the primary server.
- Added a new federation management task called “View federation configuration” that displays the current AD FS settings. (Because of this addition, AD FS settings have been removed from the “Review your solution” page.)
What’s New
However, this release of Azure AD Connect contains many more new features and improvements:
- New troubleshooting tooling helps troubleshoot the following scenarios:
  - “user not syncing”
  - “group not syncing”
  - “group member not syncing”
- Support for national clouds in the Azure AD Connect troubleshooting script
- The deprecated WMI endpoints for MIIS_Service have now been removed. Any WMI operations should now be done via the Windows PowerShell cmdlets.
- Security improvement by resetting constrained delegation on AZUREADSSOACC object
- When adding and/or editing a synchronization rule, if there are any attributes used in the rule that are in the connector schema but not added to the connector, the attributes are automatically added to the connector. The same is true for the object type the rule affects. If anything is added to the connector, the connector will be marked for full import on the next synchronization cycle.
- Using an account that is a member of the Enterprise admins or Domain admins security group as the connector account is no longer supported.
- In the Synchronization Manager, a full sync is run when a synchronization rule is created, edited and/or deleted. A popup appears on any rule change, notifying the admin if full import or full sync is going to be run.
- New mitigation steps for password errors on the ‘connectors > properties > connectivity’ page
- New deprecation warning for the sync service manager on the connector properties page. This warning notifies the admin that changes should be made through the Azure Active Directory Connect wizard.
- New error definition for issues with a user’s password policy.
- Prevent misconfiguration of group filtering by domain and OU filters. Group filtering will show an error when the domain and/or OU of the entered group is already filtered out and keep the admin from moving forward until the issue is resolved.
- Admins can no longer create a connector for Active Directory Domain Services or Azure Active Directory in the old User Interface.
- Fixed accessibility of custom UI controls in the Sync Service Manager
- New warning when changing the sign-in method from federation to Password Hash Synchronization (PHS) or Pass-through Authentication (PTA), that all Azure AD domains and users will be converted to managed authentication.
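Three items in the list above change what an administrator should verify after upgrading: WMI access to MIIS_Service is gone (use the ADSync cmdlets), constrained delegation on the AZUREADSSOACC object is reset, and a Domain Admins or Enterprise Admins member is no longer supported as the connector account. The following PowerShell script is an added example, not code from the original post or from Microsoft, that reports on all three so the result can be compared against the release notes. It assumes it runs on the Azure AD Connect server with the ADSync and RSAT ActiveDirectory modules available, and it assumes the connector account can be read with `Get-ADSyncADConnectorAccount` and that its output exposes `ADConnectorAccountName` and `ADConnectorAccountDomain`; if your build differs, set the account name and domain by hand where indicated.

```powershell
# Added example (not from the original post or from Microsoft).
# Post-upgrade checks for Azure AD Connect 1.4: scheduler state via cmdlets instead of WMI,
# delegation attributes on AZUREADSSOACC, and privileged-group membership of the connector account.
# Run on the Azure AD Connect server as a user who can read AD DS objects.

Import-Module ADSync -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

# 1. The WMI endpoints for MIIS_Service were removed in 1.4. Anything that used to query
#    root\MicrosoftIdentityIntegrationServer should use the ADSync cmdlets instead.
$scheduler = Get-ADSyncScheduler
[pscustomobject]@{
    SyncCycleEnabled   = $scheduler.SyncCycleEnabled
    StagingModeEnabled = $scheduler.StagingModeEnabled
    NextSyncCycleUTC   = $scheduler.NextSyncCycleStartTimeInUTC
} | Format-List

Get-ADSyncConnector | Select-Object Name, ConnectorTypeName | Format-Table -AutoSize

# 2. The release note says constrained delegation on the AZUREADSSOACC computer object
#    (Seamless SSO) is reset. Report the delegation-related attributes so the admin can
#    confirm the current state; the expected values in the comments are what a reset leaves.
$sso = Get-ADComputer -Filter { Name -eq 'AZUREADSSOACC' } `
       -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo', PasswordLastSet
if ($null -eq $sso) {
    Write-Warning 'AZUREADSSOACC not found; Seamless SSO may not be enabled in this forest.'
} else {
    [pscustomobject]@{
        TrustedForDelegation       = $sso.TrustedForDelegation              # unconstrained delegation: expect False
        TrustedToAuthForDelegation = $sso.TrustedToAuthForDelegation        # protocol transition:     expect False
        AllowedToDelegateTo        = @($sso.'msDS-AllowedToDelegateTo') -join ';'  # constrained targets: expect empty
        PasswordLastSet            = $sso.PasswordLastSet                  # rotate per Microsoft's Seamless SSO guidance
    } | Format-List
}

# 3. A connector account in Domain Admins or Enterprise Admins is no longer supported.
#    Groups are located by well-known RID (512 = Domain Admins, 519 = Enterprise Admins)
#    rather than by display name, so the check works regardless of the domain's language.
$rootDomain = (Get-ADForest).RootDomain
$eaSid      = "$((Get-ADDomain -Identity $rootDomain).DomainSID.Value)-519"

# Assumption: Get-ADSyncADConnectorAccount and these property names exist in your build.
# If not, replace this with a hand-built list, e.g.
#   $accounts = @([pscustomobject]@{ ADConnectorAccountName = 'MSOL_placeholder'; ADConnectorAccountDomain = 'corp.example' })
$accounts = Get-ADSyncADConnectorAccount

foreach ($acct in $accounts) {
    $domain = $acct.ADConnectorAccountDomain
    $sam    = $acct.ADConnectorAccountName -replace '^.*\\'     # strip a DOMAIN\ prefix if present
    $user   = Get-ADUser -Identity $sam -Server $domain
    $daSid  = "$((Get-ADDomain -Identity $domain).DomainSID.Value)-512"

    # Recursive membership catches nesting through intermediate groups.
    $hits = foreach ($g in @(@{ Sid = $daSid; Server = $domain }, @{ Sid = $eaSid; Server = $rootDomain })) {
        $memberSids = Get-ADGroupMember -Identity $g.Sid -Server $g.Server -Recursive |
                      ForEach-Object { $_.SID.Value }
        if ($memberSids -contains $user.SID.Value) {
            (Get-ADGroup -Identity $g.Sid -Server $g.Server).Name
        }
    }

    [pscustomobject]@{
        ConnectorAccount = "$domain\$sam"
        PrivilegedGroups = if ($hits) { $hits -join ', ' } else { '(none)' }
        Supported        = -not [bool]$hits
    }
}
```

The third check is the one most likely to need action before an upgrade: an account that shows `Supported = False` should be replaced with a dedicated, least-privilege connector account, after which the connector's credentials are updated through the Azure AD Connect wizard (as the sync service manager deprecation warning in this release advises) rather than in the old UI.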
What’s Fixed
The following issues in Azure AD Connect have been resolved:
- Resolved a synchronization error issue for the scenario where a user object taking over its corresponding contact object has a self-reference (e.g. user is their own manager).
- Help popups now show on keyboard focus.
- For automatic upgrades, if any conflicting app has been running for 6 hours, it is killed and the upgrade continues.
- Limited the number of attributes a customer can select to 100 per object when selecting directory extensions. This prevents the export error that occurred because Azure has a maximum of 100 extension attributes per object.
- Fixed a bug to make the Active Directory Connectivity script more robust
- Fixed a bug to make Azure AD Connect install on a machine using an existing Named Pipes WCF service more robust.
- Improved diagnostics and troubleshooting around group policies that do not allow the ADSync service to start when initially installed.
- Fixed a bug where the display name for a Windows computer was written incorrectly.
- Fixed a bug where the OS type for a Windows computer was written incorrectly.
- Fixed a bug where non-Windows 10 computers were syncing unexpectedly. Note that the effect of this change is that non-Windows-10 computers that were previously synced will now be deleted. This does not affect any features as the sync of Windows computers is only used for Hybrid Azure AD domain join, which only works for Windows-10 devices.
- Added several new (internal) cmdlets to the ADSync PowerShell module.
Version information
This is version 1.4.x.0 of Azure AD Connect.
The first release in the 1.4 branch for Azure AD Connect was made available for download on September 10, 2019.
The post Azure AD Connect version 1.4 introduces refined AD FS Management Capabilities appeared first on The things that are better left unspoken.