Oxford Computer Training provides the only comprehensive training courses for Azure AD Connect, and there are three ways to learn. You can take our Azure AD Connect Masterclass as an instructor-led course via Teams or at your own pace online. We also offer a series of highly practical “view it, then do it” Azure AD Connect training videos.
All our courses have been updated to reflect recent Azure AD Connect changes, particularly the important changes that came with v22.214.171.124 and v126.96.36.199.
Recent changes to Azure AD Connect are significant, but they are not so big as to require anyone to retake our Azure AD Connect Masterclass or watch any previously viewed Azure AD Connect training videos again. Instead, we thought it would be useful to provide a summary of the updates we have made, and some recommendations about what to do and what not to do. And if you have yet to watch any of the training videos you have purchased, you will get the latest content.
New pre-requisites from version 188.8.131.52
- The default installation of Azure AD Connect utilizes, and installs, SQL Server Express LocalDB – this version of Azure AD Connect utilizes the 2019 components of SQL Server localDB.
- You will need Windows Server 2016 or newer (this is to support SQL Server 2019).
- TLS 1.2 must be enabled.
- PowerShell 5.0 is required (part of Windows Server 2016 and newer in any case).
These changes are significant enough that an in place automatic update is not possible. It is probably best to do a swing migration, where a new (fully upgraded server) staging mode server is brought up, and once settled down brought into production. The production server can then be upgraded, in staging mode. If you have more staging mode servers, just rinse and repeat. Finally put your favoured server into production (with any others in staging mode).
Creating the Service Connection Point – new recommendation
When performing an Express Installation of Azure AD Connect, if you intend additionally to configure Hybrid Azure Join (so that domain-joined PCs become Azure AD joined, too), you will need to create a Service Connection Point (an object in AD with details of your Azure AD tenant). We originally recommended using a PowerShell command to do this. We now recommend that once you have finished your Express Installation, you run the wizard again, and:
- Click Configure
- Select Configure device options and click Next
- Click Next again and enter your Azure admin credentials
- Select Configure Hybrid Azure AD join
- Select Windows 10 or later domain-joined devices (you will not be able to select Downlevel devices unless and until you configure SSO)
- Click Next
- Select your forest, select Azure Active Directory as the Authentication Service and click Add
- Enter your enterprise admin credentials, click OK, and click Next
- Click Configure
- When it completes click Exit
New run profiles step types – ignore them!
During our training courses, we talk about the five run profile step types, and the five run profiles that are created (by default) for each connector (each AD forest, and Azure AD) – these are Export, Delta Synchronization, Full Import and Full Synchronization. There are two new ones, which are there to support the new single object sync PowerShell Cmdlet (see below). You should ignore these! In any case, our recommendation is that you do not change run profiles, and that if you add any of your own (for example, for testing or troubleshooting purposes) you should delete them when you’ve finished using them.
New single object sync PowerShell Cmdlet – use with caution!
The new single object sync PowerShell Cmdlet is there to synchronize a single object – for example to test or troubleshoot your configuration. While this is a valuable addition, we think this should be used with some caution as it does not always exactly reproduce what would happen during an actual synchronization. For example, it will typically not delete anything in relation to the single object concerned, even though the actual synchronization might do so. For this reason, we prefer using the preview function within the Sync Service Manager.
Changes to the default rules in relation to groups and the 50,000 limit on group membership
In version 184.108.40.206 it became possible to increase the original 50,000 limit on group membership to 250,000. In version 220.127.116.11, the default limit is 250,000.
Also, the strategy used to handle the limit has changed. It is now simpler, but the behaviour of the rules has changed a little.
Previously, the default situation was that a group with more than 50,000 members would not be provisioned, and a group that had been provisioned but which later reached that limit would stop synchronizing (but would not be deprovisioned). The situation now is that a group with any membership can be provisioned, but its membership will not synchronize if the limit is exceeded. The only check for the group size limit is now in a new rule called “Group Writeup Member Limit” (which has a low precedence number and therefore has ultimate power to control).
Group write-back now applies to all Azure AD security groups, as well O365 groups, but in all cases only distribution groups are provisioned in AD (assuming Exchange is present). In version 18.104.22.168 a membership limit of 50,000 was included, but later dropped (presumably because Azure will not provide a group with a membership greater than 250,000 anyway).
Exporting and importing configuration – some guidance
You can now export the configuration, and import it when doing a new installation. The obvious use of this is to export your production server configuration, and use it when installing a staging server. This has the advantage of producing a configuration that includes rule changes you may have made, saving you the trouble of migrating your changes. However, it may not produce an identical server configuration – notably:
- Any disabled rules in your production server will be enabled in your new server
- The new server may use different precedence numbers – which is not a problem as long as they remain in the correct order
- Device write-back settings are not applied
- Some settings made outside the wizard are not applied (for example object-type selection or run profiles in connectors)
- If configuring for federated sign-on, parameters will still have to be entered interactively
- Of course, there will be other changes such as a different MSOL account, and different date/time stamps, but these are not important.
That’s it for now – let us know if you need further information on these or other topics relating to Azure AD Connect.
Our Azure AD Connect training courses get great feedback from students.
There is so much more to Azure AD Connect that meets the eye or is covered in Microsoft documentation! This Masterclass effortlessly strips away Azure AD Connect’s veneer of simplicity to explore and demonstrate important technical details. Chris, IT Consultant, Australia
How would you like to learn? Instructor-led Azure AD Connect courses via Teams, self-paced online courses or video training – the choice is yours!
- Join a small group of IT professionals on our Azure AD Connect Masterclass in a live, instructor-led virtual classroom via Teams
- Take our Azure AD Connect Masterclass online self-paced with support from an expert personal tutor.
- Our Azure AD Connect Masterclass can be taken as private training for your IT team via Teams at a time to suit you.
- Our highly practical Azure AD Connect video training series teaches and demos everything from installation to configuration and all-important troubleshooting, giving you “how-to” knowledge as and when you need it. You can view it, then do it! Watch our free taster videos and discover what you’ll learn!