Updates to our Microsoft Entra Connect training course – relevant to those using v1.6.2.4 and later

Oxford Computer Training provides the only comprehensive training course for Azure AD Connect (now Microsoft Entra Connect).

Our course has been updated to reflect changes to Microsoft Entra Connect, particularly the important changes that came with v1.6.2.4 and v2.0.3.0 as well as the rebrand from Azure AD Connect to Microsoft Entra Connect.

Recent changes to Microsoft Entra Connect are significant, but they are not so big as to require anyone to retake our Microsoft Entra Connect Masterclass.

Instead, we thought it would be useful to provide a summary of the updates we made, and some recommendations about what to do and what not to do.

This blog refers to changes before the rebrand of Azure AD Connect to Microsoft Entra Connect.

New pre-requisites from version

  • The default installation of Azure AD Connect utilizes, and installs, SQL Server Express LocalDB – this version of Azure AD Connect utilizes the 2019 components of SQL Server localDB.
  • You will need Windows Server 2016 or newer (this is to support SQL Server 2019).
  • TLS 1.2 must be enabled.
  • PowerShell 5.0 is required (part of Windows Server 2016 and newer in any case).

These changes are significant enough that an in-place automatic update is not possible. It is probably best to do a swing migration, where a new (fully upgraded server) staging mode server is brought up, and once settled down brought into production. The production server can then be upgraded, in staging mode. If you have more staging mode servers, just rinse and repeat. Finally, put your favoured server into production (with any others in staging mode).

Creating the Service Connection Point – new recommendation

When performing an Express Installation of Azure AD Connect, if you intend additionally to configure Hybrid Azure Join (so that domain-joined PCs become Azure AD joined, too), you will need to create a Service Connection Point (an object in AD with details of your Azure AD tenant). We originally recommended using a PowerShell command to do this. We now recommend that once you have finished your Express Installation, you run the wizard again, and:

  • Click Configure
  • Select Configure device options and click Next
  • Click Next again and enter your Azure admin credentials
  • Select Configure Hybrid Azure AD join
  • Select Windows 10 or later domain-joined devices (you will not be able to select Downlevel devices unless and until you configure SSO)
  • Click Next
  • Select your forest, select Azure Active Directory as the Authentication Service and click Add
  • Enter your enterprise admin credentials, click OK, and click Next
  • Click Configure
  • When it completes click Exit

New run profiles step types – ignore them!

During our training courses, we talk about the five-run profile step types, and the five-run profiles that are created (by default) for each connector (each AD forest, and Azure AD) – these are Export, Delta Synchronization, Full Import, and Full Synchronization. There are two new ones, which are there to support the new single object sync PowerShell Cmdlet (see below). You should ignore these! In any case, we recommend that you do not change run profiles and that if you add any of your own (for example, for testing or troubleshooting purposes) you should delete them when you’ve finished using them.

New single object sync PowerShell Cmdlet – use with caution!

The new single object sync PowerShell Cmdlet is there to synchronize a single object – for example to test or troubleshoot your configuration. While this is a valuable addition, we think this should be used with some caution as it does not always exactly reproduce what would happen during an actual synchronization. For example, it will typically not delete anything about the single object concerned, even though the actual synchronization might do so. For this reason, we prefer using the preview function within the Sync Service Manager.

Changes to the default rules about groups and the 50,000 limit on group membership

In version it became possible to increase the original 50,000 limit on group membership to 250,000. In version, the default limit is 250,000.

Also, the strategy used to handle the limit has changed. It is now simpler, but the behaviour of the rules has changed a little.

Previously, the default situation was that a group with more than 50,000 members would not be provisioned, and a group that had been provisioned but which later reached that limit would stop synchronizing (but would not be de-provisioned). The situation now is that a group with any membership can be provisioned, but its membership will not synchronize if the limit is exceeded. The only check for the group size limit is now in a new rule called “Group Writeup Member Limit” (which has a low precedence number and therefore has the ultimate power to control).

Group write-back now applies to all Azure AD security groups, as well as Microsoft 365 groups, but in all cases, only distribution groups are provisioned in AD (assuming Exchange is present). In version a membership limit of 50,000 was included, but later dropped (presumably because Azure will not provide a group with a membership greater than 250,000 anyway).

Exporting and importing configuration – some guidance

You can now export the configuration, and import it when doing a new installation. The obvious use of this is to export your production server configuration and use it when installing a staging server. This has the advantage of producing a configuration that includes rule changes you may have made, saving you the trouble of migrating your changes. However, it may not produce an identical server configuration – notably:

  • Any disabled rules in your production server will be enabled in your new server
  • The new server may use different precedence numbers – which is not a problem as long as they remain in the correct order
  • Device write-back settings are not applied
  • Some settings made outside the wizard are not applied (for example object-type selection or run profiles in connectors)
  • If configuring for federated sign-on, parameters will still have to be entered interactively
  • Of course, there will be other changes such as a different MSOL account, and different date/time stamps, but these are not important.

That’s it for now – let us know if you need further information on these or other topics relating to Azure AD Connect.

Our Microsoft Entra Connect training courses get great feedback from students.

There is so much more to Azure AD Connect (now Microsoft Entra Connect) that meets the eye or is covered in Microsoft documentation! This Masterclass effortlessly strips away Azure AD Connect’s veneer of simplicity to explore and demonstrate important technical details. Chris, IT Consultant, Australia

Join a small group of IT professionals on our Microsoft Entra Connect Masterclass in a live, instructor-led virtual classroom via Teams, or our Microsoft Entra Connect Masterclass can be taken as private training for your IT team via Teams at a time to suit you.