UPDATE Oct 8th, 2019: some issues with Self-Service Password Reset (SSPR) and Hybrid Azure AD join have been reported. Microsoft has recommended postponing the upgrade to the 18.104.22.168 version until the root cause has been identified and solved. Regarding SSPR, a new version has already been released, for auto-upgrade only, to fix the issue with SSPR not being re-enabled after the upgrade.
A new major version (22.214.171.124) of the Azure Active Directory (AAD) synchronization tool – Azure AD Connect – has been released and is available for download here: https://go.microsoft.com/fwlink/?LinkId=615771.
This version includes a lot of improvements and fixes. One major change is that you may see your devices disappear from the Devices blade in your Azure AD portal; this is expected behavior, described in this documentation: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-device-disappearance.
Another improvement is the ability to define the primary AD FS (Active Directory Federation Services) server when setting up and managing AD FS with AD Connect.
The complete list of improvements is below:
- New troubleshooting tooling helps troubleshoot “user not syncing”, “group not syncing” or “group member not syncing” scenarios
- Add support for national clouds in AAD Connect troubleshooting script
- Customers should be informed that the deprecated WMI endpoints for MIIS_Service have now been removed. Any WMI operations should now be done via PS cmdlets
- Security improvement by resetting constrained delegation on AZUREADSSOACC object
- When adding/editing a sync rule, if there are any attributes used in the rule that are in the connector schema but not added to the connector, the attributes are automatically added to the connector. The same is true for the object type the rule affects. If anything is added to the connector, the connector will be marked for full import on the next sync cycle
- Using an Enterprise or Domain admin as the connector account is no longer supported in new AAD Connect Deployments. Current AAD Connect deployments using an Enterprise or Domain admin as the connector account will not be affected by this release
- In the Synchronization Manager a full sync is run on rule creation/edit/deletion. A popup will appear on any rule change notifying the user if full import or full sync is going to be run
- Added mitigation steps for password errors to ‘connectors > properties > connectivity’ page
- Added a deprecation warning for the sync service manager on the connector properties page. This warning notifies the user that changes should be made through the AADC wizard
- Added new error for issues with a user’s password policy
- Prevent misconfiguration of group filtering by domain and OU filters. Group filtering will show an error when the domain/OU of the entered group is already filtered out and keep the user from moving forward until the issue is resolved
- Users can no longer create a connector for Active Directory Domain Services or Windows Azure Active Directory in the old UI
- Fixed accessibility of custom UI controls in the Sync Service Manager
- Enabled six federation management tasks for all sign-in methods in Azure AD Connect. (Previously, only the “Update AD FS SSL certificate” task was available for all sign-ins.)
- Added a warning when changing the sign-in method from federation to PHS or PTA that all Azure AD domains and users will be converted to managed authentication
- Removed token-signing certificates from the “Reset Azure AD and AD FS trust” task and added a separate sub-task to update these certificates
- Added a new federation management task called “Manage certificates” which has sub-tasks to update the SSL or token-signing certificates for the AD FS farm
- Added a new federation management sub-task called “Specify primary server” which allows administrators to specify a new primary server for the AD FS farm
- Added a new federation management task called “Manage servers” which has sub-tasks to deploy an AD FS server, deploy a Web Application Proxy server, and specify primary server
- Added a new federation management task called “View federation configuration” that displays the current AD FS settings