If you are synching your Active Directory with Entra ID, you know you need to keep up with the Entra ID Connect version to ensure you are supported but also enjoy improvements and/or new features.
Well, this is it, a new Entra ID Connect version has been released and this is a major one.
First thing first, Entra ID Connect is no longer available for download from Microsoft Download Center but from Entra ID portal (http://entra.microsoft.com).
You need to access the Hybrid management\Entra Connect\Get started blade (direct link Microsoft Entra Connect – Microsoft Entra admin center) and access the Manage tab to download Entra ID Connect under the “Manage from on-premises”
So, what’s new with this new version:
- Support for modern authentication (preview) to allow the configuration of application-based authentication to enhance security posture. This replace the need to use a service account credentials with a certificate for syncing AD to Entra ID. (more details Authenticate to Microsoft Entra ID using Application Identity – Microsoft Entra ID | Microsoft Learn)
You use the Microsoft managed application or create your own service principal or your own certificate.
Your AD schema version must be at least 2016.
- New version of the health agent (4.5.2520.0)
- Administrator credentials are now required when enabling, disabling, staging or removing SSPR configuration with PowerShell
The application-based authentication is supposed to be the new default for new installation of Entra ID Connect; if you are upgrading, you will have to enable it during the first step of the upgrade process.
You can also enable at any point by running the configuration wizard.
When enabling application-based authentication, you will be prompted a second time during the configuration.
You can confirm application-based has been enabled by running the below command
Get-ADSyncEntraConnectorCredential
If you have enabled application-based, you can manually manage the rotation of the application certificate from the same location; this is important if you choose to bring your own application/certificate.
The previous user object referencing the Entra ID Connect instance will be automatically hard deleted when enabling application-based authentication.
You can find the created application in your Entra ID portal by accessing the Applications\App registrations and search for the application named ConnectSyncProvisioning_<server name>_<identifier>
