When delivering Office 365 Security Optimisation Assessments (SOA) to customers, one of the control items is the version of Azure AD Connect deployed along with some related configuration elements. In many cases, Azure AD Connect is not updated to a build that resolves both security and feature issues. Why is Azure AD Connect not current? Good question.
There are two main scenarios that I see right now.
- Initial version 2.x build was deployed but never updated
- Version 1.x still installed and not upgraded
We can look at these items in that order, since #1 is simpler, and then get into the longer #2 explanation.
Version 2.x Requires Manual Updates At This Time
If you read the release notes for all of the version 2.x updates, as of the time of writing, none have been released for auto upgrade. This takes us back to the initial DirSync, Azure AD Sync days when we had to always manually download and update. The red arrows indicate there is no auto upgrade for the latest 2.x builds.
The same is true for the initial 2.x build, 2.0.3.0 – it is also not available for auto upgrade. The release statement is included below along with some of the major new features and changes. Note that the image is truncated and there are more details in the release notes.
In the “What else do I need to know” section of the What is Azure AD Connect V2 article, it does state this is the expected behaviour at this time.
The takeaway is that to get security and feature updates on the 2.x releases, you need to download and install the updates manually at this time.
Action Required to Upgrade From 1.x To 2.x
At the time of writing in January 2022, the latest version was 2.0.91.0 and many servers will still be running build 1.6.16.0. That is the latest version of the 1.x product and was previously updated to address the recent security issues with Azure AD Connect. While that is OK from a patching perspective, it does not address the upcoming end of support for all 1.x versions, and 2.x is required as of August 31st 2022.
In addition to the upcoming end of support, Azure AD Connect V2 is where new features and enhancements will be added. 1.x is in maintenance mode with minimal change. The older versions of Connect use SQL 2012 components, which go out of support in 2022. Version 2.0 uses SQL 2019, which requires up-to-date components such as the underlying OS, PowerShell and TLS. Hint -- Windows Server 2019 will offer the longest support if you have to deploy a new server.
Please take a look at Introduction to Azure AD Connect V2.0 for additional details.
The recent versions of Connect are shown below, and you can see that 2.x has many more builds recently than 1.x - this is not surprising given where we are with the 1.x support lifecycle.
The takeaway is that we need to plan and manually upgrade to Azure AD Connect V2. This may require deploying a new OS which has support for all of the new prerequisites of Azure AD Connect V2. Specifically note that Windows Server 2012 and 2012 R2 are NOT supported. The preference will be Windows Server 2019 in most environments.
If you need to upgrade the OS, please refer to this article.
Bootnote – Checking Auto Upgrade Status
We can check the status of auto upgrade in a couple of places:
- Using PowerShell
- Using Azure AD Connect view configuration option
Get-ADSyncAutoUpgrade
Note that the -Detail parameter can be added. For detailed issues, you will likely have to look at the event logs to help determine root cause.
If you run the main Azure AD Connect UI, the same status is shown in the view configuration option.
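Pulling the two checks above together, here is an added example (not from the original post) of a quick SOA-style script that reads the installed Azure AD Connect build, reports the auto upgrade state, and flags the two scenarios discussed here: a 1.x build approaching end of support, and a 2.x build that will not be kept current by auto upgrade. It assumes the product's uninstall registry DisplayName starts with 'Microsoft Azure AD Connect', and the "latest" build numbers are the January 2022 values quoted in this post.

```powershell
# Added example: check Azure AD Connect build and auto upgrade status on the sync server.
# Run in an elevated PowerShell session on the Azure AD Connect server (ADSync module present).
# Assumption: the uninstall entry's DisplayName begins with 'Microsoft Azure AD Connect'.
# The build numbers below are the latest as of January 2022; refresh them from the release notes.

$Latest1x       = [version]'1.6.16.0'
$Latest2x       = [version]'2.0.91.0'
$EndOfSupport1x = [datetime]'2022-08-31'

# Locate the installed build via the uninstall registry entries.
$installed = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
    Select-Object -First 1

if (-not $installed) {
    Write-Warning 'Azure AD Connect does not appear to be installed on this server.'
    return
}

$build = [version]$installed.DisplayVersion
Write-Host "Installed Azure AD Connect build: $build"

# Auto upgrade state is Enabled, Disabled or Suspended; -Detail explains a suspension.
Import-Module ADSync -ErrorAction Stop
$autoUpgrade = Get-ADSyncAutoUpgrade
Write-Host "Auto upgrade status: $autoUpgrade"
if ("$autoUpgrade" -ne 'Enabled') {
    Get-ADSyncAutoUpgrade -Detail
}

if ($build.Major -lt 2) {
    # Scenario #2 from the post: still on 1.x, which leaves support on 31 August 2022.
    Write-Warning "1.x build in use. All 1.x versions leave support on $($EndOfSupport1x.ToString('yyyy-MM-dd')). Plan the manual upgrade to V2."
    if ($build -lt $Latest1x) {
        Write-Warning "Build is older than $Latest1x, the 1.x release that addressed the recent security issues."
    }
}
else {
    # Scenario #1 from the post: 2.x builds are not offered via auto upgrade, so the
    # status printed above cannot keep this server current; updates are manual.
    if ($build -lt $Latest2x) {
        Write-Warning "2.x build is older than $Latest2x. Download and install the update manually."
    }
    else {
        Write-Host 'Build is current against the release list used by this check.'
    }
}
```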
Cheers,
Rhoderick