Updates to our Azure AD Connect training courses – relevant to those using v1.6.2.4 and later

Oxford Computer Training provides the only comprehensive training courses for Azure AD Connect, and there are three ways to learn. You can take our Azure AD Connect Masterclass as an instructor-led course via Teams or at your own pace online. We also offer a series of highly practical “view it, then do it” Azure AD Connect training videos

All our courses have been updated to reflect recent Azure AD Connect changes, particularly the important changes that came with v1.6.2.4 and v2.0.3.0.

Recent changes to Azure AD Connect are significant, but they are not so big as to require anyone to retake our Azure AD Connect Masterclass or watch any previously viewed Azure AD Connect training videos again. Instead, we thought it would be useful to provide a summary of the updates we have made, and some recommendations about what to do and what not to do. And if you have yet to watch any of the training videos you have purchased, you will get the latest content.

New pre-requisites from version

  • The default installation of Azure AD Connect utilizes, and installs, SQL Server Express LocalDB – this version of Azure AD Connect utilizes the 2019 components of SQL Server localDB.
  • You will need Windows Server 2016 or newer (this is to support SQL Server 2019).
  • TLS 1.2 must be enabled.
  • PowerShell 5.0 is required (part of Windows Server 2016 and newer in any case).

These changes are significant enough that an in place automatic update is not possible. It is probably best to do a swing migration, where a new (fully upgraded server) staging mode server is brought up, and once settled down brought into production. The production server can then be upgraded, in staging mode. If you have more staging mode servers, just rinse and repeat. Finally put your favoured server into production (with any others in staging mode).

Creating the Service Connection Point – new recommendation

When performing an Express Installation of Azure AD Connect, if you intend additionally to configure Hybrid Azure Join (so that domain-joined PCs become Azure AD joined, too), you will need to create a Service Connection Point (an object in AD with details of your Azure AD tenant). We originally recommended using a PowerShell command to do this. We now recommend that once you have finished your Express Installation, you run the wizard again, and:

  • Click Configure
  • Select Configure device options and click Next
  • Click Next again and enter your Azure admin credentials
  • Select Configure Hybrid Azure AD join
  • Select Windows 10 or later domain-joined devices (you will not be able to select Downlevel devices unless and until you configure SSO)
  • Click Next
  • Select your forest, select Azure Active Directory as the Authentication Service and click Add
  • Enter your enterprise admin credentials, click OK, and click Next
  • Click Configure
  • When it completes click Exit

New run profiles step types – ignore them!

During our training courses, we talk about the five run profile step types, and the five run profiles that are created (by default) for each connector (each AD forest, and Azure AD) – these are Export, Delta Synchronization, Full Import and Full Synchronization. There are two new ones, which are there to support the new single object sync PowerShell Cmdlet (see below). You should ignore these! In any case, our recommendation is that you do not change run profiles, and that if you add any of your own (for example, for testing or troubleshooting purposes) you should delete them when you’ve finished using them.

New single object sync PowerShell Cmdlet – use with caution!

The new single object sync PowerShell Cmdlet is there to synchronize a single object – for example to test or troubleshoot your configuration. While this is a valuable addition, we think this should be used with some caution as it does not always exactly reproduce what would happen during an actual synchronization. For example, it will typically not delete anything in relation to the single object concerned, even though the actual synchronization might do so. For this reason, we prefer using the preview function within the Sync Service Manager.

Changes to the default rules in relation to groups and the 50,000 limit on group membership

In version it became possible to increase the original 50,000 limit on group membership to 250,000. In version, the default limit is 250,000.

Also, the strategy used to handle the limit has changed. It is now simpler, but the behaviour of the rules has changed a little.

Previously, the default situation was that a group with more than 50,000 members would not be provisioned, and a group that had been provisioned but which later reached that limit would stop synchronizing (but would not be deprovisioned). The situation now is that a group with any membership can be provisioned, but its membership will not synchronize if the limit is exceeded. The only check for the group size limit is now in a new rule called “Group Writeup Member Limit” (which has a low precedence number and therefore has ultimate power to control).

Group write-back now applies to all Azure AD security groups, as well O365 groups, but in all cases only distribution groups are provisioned in AD (assuming Exchange is present). In version a membership limit of 50,000 was included, but later dropped (presumably because Azure will not provide a group with a membership greater than 250,000 anyway).

Exporting and importing configuration – some guidance

You can now export the configuration, and import it when doing a new installation. The obvious use of this is to export your production server configuration, and use it when installing a staging server. This has the advantage of producing a configuration that includes rule changes you may have made, saving you the trouble of migrating your changes. However, it may not produce an identical server configuration – notably:

  • Any disabled rules in your production server will be enabled in your new server
  • The new server may use different precedence numbers – which is not a problem as long as they remain in the correct order
  • Device write-back settings are not applied
  • Some settings made outside the wizard are not applied (for example object-type selection or run profiles in connectors)
  • If configuring for federated sign-on, parameters will still have to be entered interactively
  • Of course, there will be other changes such as a different MSOL account, and different date/time stamps, but these are not important.

That’s it for now – let us know if you need further information on these or other topics relating to Azure AD Connect.

Our Azure AD Connect training courses get great feedback from students.

There is so much more to Azure AD Connect that meets the eye or is covered in Microsoft documentation! This Masterclass effortlessly strips away Azure AD Connect’s veneer of simplicity to explore and demonstrate important technical details. Chris, IT Consultant, Australia

How would you like to learn? Instructor-led Azure AD Connect courses via Teams, self-paced online courses or video training – the choice is yours!