Azure AD Connect (now Microsoft Entra Connect) webinar – our expert panel answers your questions

Our ‘Everything you ever wanted to know about Azure AD Connect but were afraid to ask’ webinar was the third Q&A panel session we have run about this technology – and it generated even more interest and questions than our previous ones.

During the webinar, our panel of experts – including special guest Rob de Jong, PM responsible for Azure AD Connect at Microsoft – answered the many questions that were sent to us in advance.  Watch now.

Note: Since the webinar was recorded, Microsoft has rebranded Azure AD Connect to Microsoft Entra Connect.

Additional questions were asked during the webinar which we have answered below.

Who was on the panel?

Our panel comprised: co-writers of Oxford Computer Training’s Microsoft Entra Connect (Azure AD Connect) Masterclass: Andreas Kjellman (formerly Program Manager for Azure AD Connect at Microsoft, and now at Knowledge Factory), James Cowling (CTO, Oxford Computer Group) and me, Hugh Simpson-Wells (Founder and CEO, Oxford Computer Group) PLUS special guest Microsoft’s Rob de Jong (Senior Program Manager responsible for Azure AD Connect).

What questions were covered during the webinar?

To give you a flavour of the wide range of questions that were covered in the webinar, I have included some highlights below. [You may also be interested in my blog about the April 2020 Azure AD Connect update (version 1.5.18.0)]

Staging mode

We started with a couple of questions that relate to high availability and resilience. The important Microsoft Entra Connect (Azure AD Connect) feature in this regard is staging mode – effectively a stand-by server, plus multiple PTA agents (if you are using PTA). Staging mode was also the answer to another question about best practice for (manual) upgrade or replacement: upgrade or replace a staging server first, then cut over.

Rule editing

There were questions about rule editing. Remember that the expression evaluator is case-sensitive in every aspect. Anyone editing rules should download our Microsoft Entra Connect Rule Tool – it’s free, makes the experience way more pleasant, and catches many syntax errors. 

One answer we gave, about modifying rules, deserves a little amplification.

When modifying out-of-the-box rules:

  1. If you can, create additional rules with higher (<100) precedence to achieve what you want – this works great for most transformation changes or additions, and will not be affected by any future updates.
  2. You may disable rules you don’t need at all (sometimes you can do this in the wizard using “App and attribute filtering”). Again, this will not be affected by any future updates.
  3. If you need to “change” a rule (for example when you need to change a join rule), copy the rule (using a precedence of <100) and disable it – but remember that after future updates, you will need to check (manually) whether anything important was changed in the now disabled rule.
  4. There is a well-known scenario (group merge) where you would need to change a rule. It would take a much longer piece to explain this but it’s covered in our Microsoft Entra Connect Masterclass.

Security

Several questions related to concerns about security were comprehensively answered in the webinar. If you’re interested in security, I suggest you watch the webinar recording rather than me attempting to summarise the answers here.

Converting users to cloud-only

One question to which it isn’t currently possible to give a great answer was about how an individual user can be converted from locally managed (synchronized), to cloud-managed (cloud only). There just isn’t a supported way to do this (although Microsoft is working on it). What most people do is a bit of a manual hack – allow it to be deleted, then manually recover it in Microsoft Entra ID.

Federation to managed authentication

We had a question about moving from Federation to a managed Authentication mechanism (PTA or PHS). This excellent article covers a staged rollout – and we have found it to be a trouble-free process.

Other questions

Andreas tackled a series of questions:

  • How does password hash sync work? Key takeaway: there is nothing you can change, here!
  • Duplicate UserPrincipalNames? Andreas talked about shadow attributes, and the key takeaway is: ensure that you have no duplicates in the local AD (perhaps using IDFix), and Microsoft Entra ID will eventually settle on the correct values.
  • Interforest risks? Key takeaway: treat your Microsoft Entra Connect (from a security perspective) as you would a domain controller.
  • Shared PC for read-only access to sync service. Key takeaway: doesn’t sound like a great idea – see above about treating it as a domain controller.
  • Quite a long explanation of how schema extensions are handled…you’ll need to watch the webinar recording to hear Andreas’ answers in full.

Where is Microsoft going next with Azure AD Connect?

One of the most interesting parts of the webinar was when Rob gave us some insight into where Microsoft is going next with Azure AD Connect. I have included some key points below but, to hear Rob’s answers in full, watch the video.

  • Microsoft is working on a new model for “source of authority” – i.e. who owns an attribute, or a whole object, is it AD, Azure AD, or some HR app? This is hard to do as it has consequences, and so may not show up soon in a public release. Eventually, this will allow for user write-back. Great news!
  • Azure AD Connect cloud provisioning is being developed, but Azure AD Connect will be around for a long time yet before there is parity of capability.
  • Features in the immediate pipeline:
    • A new “V2” endpoint in Azure AD which greatly improves performance when handling large groups
    • The ability to export and import server configuration (so you can compare configurations, and – effectively – clone a server)
    • MS-DS-ConsistencyGuid for groups (easier disaster recovery, and easier to move groups between forests)
    • Lifting of the 50,000 limit for group membership – initially to 250,000
    • Further off: more group writeback capability

Important announcement: From November 2020 a whole bunch of older versions of Azure AD Connect will no longer be supported.

During the webinar, several people asked questions that we didn’t have time to answer publicly, so here goes:

Question: What is the best practice for keeping sync rules (when modified) in sync with the staging server? Do we update at the same time or keep an exported copy on the staging server that can be imported when needed? 

Answer: Those on the webinar will have heard Rob say that it will be possible to export and import the entire configuration in the future, but right now I would say that the best practice is:

  • Keep your rules the same across your production and staging servers.
  • You will do this by exporting rules (to create PowerShell scripts), and importing them (running the scripts).
  • Also, keep these scripts as a further backup.
  • Use the sync rule documenter (https://github.com/Microsoft/AADConnectConfigDocumenter) to compare your rule configurations to ensure they are the same.

Question: How to best handle synced AD groups from accidental deletion?

Answer: Rob mentioned that Microsoft is working on a recovery bin for groups in Azure AD – but no ETA right now. (FYI, This questioner expressed the opinion that once a group is used in an application or role, it should not be removed by Azure AD Connect. Great feedback.)

Question: When using this command to stop syncing, Set-MsolDirSyncEnabled -EnableDirSync $false, and turn all accounts into cloud-only, why is it that distribution groups are not released and editable? When we work on tenant-to-tenant migrations, we need to stop Azure AD Connect, and turn all objects to cloud-only, so we can remove the internet domain name(s) from the source to add to the destination tenant. We end up deleting the DLs instead of changing them.

Answer: Distribution groups are owned by Exchange and not by AD or Azure AD. So it is an Exchange migration issue rather than an Azure AD Connect issue.

Question: We are running an older version (1.1.189) and notice issues that a ProxyAddress change doesn’t get picked up as a delta unless we delete an entry, give it a min then add a new one. Will version update fix it? Is this a known bug or unique to my environment?

Answer: Rob said that he didn’t recall having fixed a bug here – but that you should always try to use the latest releases of Azure AD Connect. Note that the release you are using will be deprecated in November 2020. To fix the problem you were mentioning you probably need to open a support case.

I am pretty sure I have seen something similar, but it’s hard to reproduce in our training labs. If I see it again, I will try to document it – but I don’t think you are unique and it is worth opening a support case.

Question: What happens to Azure AD B2B guest users when they get synched with an on-prem AD account?

Answer: Synching of user accounts is only from AD to Azure AD currently – so the simple answer is, nothing. Note that there is a MIM connector that can be used to represent B2B users in AD (a special case of synchronization), but these have nothing to do with Azure AD Connect.

In the category of “We would say this, wouldn’t we?” – you will find much fuller coverage of these topics in our Microsoft Entra Connect Masterclass which will be updated to reflect the changes Rob was talking about!

All in all, this webinar was a great information download! Thanks to our panel, to everyone who submitted questions, and to everyone who attended the session.