New Version of AAD Connect Fixes Vulnerability

Thursday, July 7, 2022

Microsoft released Azure AD Connect version 2.1.15.0 today. This version fixes a vulnerability discovered in the Azure AD Connect Admin Agent. If you have installed the Admin Agent at any point, it is important that you update your Azure AD Connect server(s) to this version to mitigate the vulnerability; this version also drops the Admin Agent preview functionality altogether (see the functional changes below).

The Azure AD Connect Admin Agent collects specific data from your Active Directory environment that helps a Microsoft support engineer to troubleshoot issues when you open a support case. See What is the Azure AD Connect Admin Agent - Azure AD Connect - Microsoft Entra | Microsoft Docs for more information.

Be aware that installing this version triggers an Initial (Full) sync cycle once the upgrade completes. On a large directory this can take a considerable time, so schedule the upgrade in a maintenance window and let the full cycle finish before making other changes.

If your configuration is eligible for auto-upgrade and auto-upgrade is enabled, this update will roll out automatically soon.
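Before scheduling the upgrade it helps to know, per server, which build is installed, whether the Admin Agent was ever installed, how auto-upgrade is set and whether a sync cycle is running. The script below is an added example (not from the original post and not Microsoft's code) that collects exactly that. It uses the ADSync module cmdlets Get-ADSyncAutoUpgrade and Get-ADSyncScheduler, which ship with Azure AD Connect, and reads the Windows Uninstall registry keys for product names; the DisplayName pattern used to spot the Admin Agent is an assumption, marked in the code.

```powershell
# Added example, not from the original post or from Microsoft: a pre-upgrade check
# for an Azure AD Connect server. Run in an elevated PowerShell session on the
# server itself. Assumptions are marked inline.
Import-Module ADSync -ErrorAction Stop   # installed with Azure AD Connect

$fixedVersion = [Version]'2.1.15.0'      # first build containing the Admin Agent fix

# Inventory installed products from both registry views (64-bit and WOW6432Node).
$products = Get-ItemProperty -ErrorAction SilentlyContinue -Path @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
) | Where-Object DisplayName

$aadc = $products | Where-Object DisplayName -like 'Microsoft Azure AD Connect*' | Select-Object -First 1
if (-not $aadc) { throw 'Azure AD Connect is not installed on this machine.' }

# Assumption: the preview Admin Agent registers a product whose name contains
# "Admin" and "Agent". Check Programs and Features if this pattern finds nothing.
$adminAgent = $products | Where-Object DisplayName -like '*Admin*Agent*'

$installed = [Version]$aadc.DisplayVersion
$scheduler = Get-ADSyncScheduler

[pscustomobject]@{
    InstalledVersion    = $installed
    HasAdminAgentFix    = $installed -ge $fixedVersion
    AdminAgentPresent   = [bool]$adminAgent
    AutoUpgrade         = Get-ADSyncAutoUpgrade        # Enabled, Disabled or Suspended
    StagingMode         = $scheduler.StagingModeEnabled
    SyncCycleEnabled    = $scheduler.SyncCycleEnabled
    SyncCycleInProgress = $scheduler.SyncCycleInProgress
} | Format-List

if ($adminAgent -and $installed -lt $fixedVersion) {
    Write-Warning "Admin Agent is present and $installed is older than ${fixedVersion}: upgrade this server now."
}
if ($scheduler.SyncCycleInProgress) {
    Write-Warning 'A sync cycle is running; wait for it to finish before upgrading.'
}
# After the upgrade the installer runs an Initial (Full) cycle on its own. To confirm
# it has finished, run Get-ADSyncScheduler again and watch SyncCycleInProgress, or
# check the run history in Synchronization Service Manager.
```

Run it on every sync server, including staging-mode servers: staging mode suppresses exports but not the vulnerable agent, and the staging server is upgraded with the same installer.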

In addition to fixing the vulnerability, there are some functional changes and bug fixes. See Azure AD Connect: Version release history - Microsoft Entra | Microsoft Docs for full details.

Functional changes

  • We have removed the public preview functionality for the Admin Agent from Azure AD Connect. We will not provide this functionality going forward.
  • We added support for two new attributes: employeeOrgDataCostCenter and employeeOrgDataDivision.
  • We added the certificateUserIds attribute to the AAD Connector static schema.
  • The AAD Connect wizard will now abort if the permission to write event logs is missing.
  • We updated the AADConnect health endpoints to support the US government clouds.
  • We added the cmdlets Get-ADSyncToolsDuplicateUsersSourceAnchor and Set-ADSyncToolsDuplicateUsersSourceAnchor to fix bulk "source anchor has changed" errors. When a new forest containing duplicate user objects is added to AADConnect, those objects run into bulk "source anchor has changed" errors because their mS-DS-ConsistencyGuid does not match the ImmutableId already stored in Azure AD. More information about this module and the new cmdlets can be found in this article.
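The "source anchor has changed" error is easier to reason about once you see how the two values relate: Azure AD's ImmutableId is simply the Base64 encoding of the 16 raw bytes of the on-premises source anchor GUID (mS-DS-ConsistencyGuid, or objectGUID on installs that never adopted it). The block below is an added example, not the original post's content and not the ADSyncTools module's own code: it converts in both directions and runs a mismatch check over constructed sample data standing in for the two forests. The cmdlet names in the comments (Get-ADUser, Get-AzureADUser, Set-ADUser) are the real ones you would use to feed it live data; the sample GUIDs and UPNs are made up.

```powershell
# Added example (not from the original post and not the ADSyncTools module's own code):
# the ImmutableId <-> mS-DS-ConsistencyGuid relationship behind "source anchor has
# changed" errors, plus a mismatch check run over constructed sample data.

# ImmutableId = Base64 of the 16 raw bytes of the source anchor GUID.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$Guid)
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

# Constructed sample data. In a real run these would come from, for example:
#   Get-ADUser -Server new.contoso.com -Filter * -Properties objectGUID,'mS-DS-ConsistencyGuid'
#   Get-AzureADUser -All $true | Select-Object UserPrincipalName, ImmutableId
$oldForestAlice = [guid]'3b7c1b2e-5d4f-4c3a-9a1e-0f6d2c8b7a11'   # objectGUID in the original forest
$newForestAlice = [guid]'c1a2e3f4-1111-4222-8333-944455566677'   # objectGUID of the duplicate in the new forest
$bobGuid        = [guid]'7d9e8f10-2233-4455-8677-889900aabbcc'

$onPremUsers = @(
    # anchor already stamped and matching the cloud object
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com';   ConsistencyGuid = $bobGuid }
    # duplicate from the newly added forest: its anchor is its own objectGUID
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; ConsistencyGuid = $newForestAlice }
    # anchor never stamped
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.com'; ConsistencyGuid = $null }
)

$cloudUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com';   ImmutableId = ConvertTo-ImmutableId $bobGuid }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; ImmutableId = ConvertTo-ImmutableId $oldForestAlice }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.com'; ImmutableId = $null }   # cloud-only or not yet synced
)

# Emits one object per on-premises user whose anchor disagrees with Azure AD.
function Find-SourceAnchorMismatch {
    param(
        [Parameter(Mandatory)][object[]]$OnPrem,
        [Parameter(Mandatory)][object[]]$Cloud
    )
    $cloudByUpn = @{}
    foreach ($c in $Cloud) { $cloudByUpn[$c.UserPrincipalName.ToLowerInvariant()] = $c }

    foreach ($u in $OnPrem) {
        $cloud = $cloudByUpn[$u.UserPrincipalName.ToLowerInvariant()]
        if (-not $cloud -or -not $cloud.ImmutableId) { continue }   # nothing in Azure AD to conflict with

        $expected = ConvertFrom-ImmutableId $cloud.ImmutableId       # the anchor Azure AD already expects
        $actual   = $u.ConsistencyGuid                               # $null when never stamped
        if ($actual -ne $expected) {
            [pscustomobject]@{
                UserPrincipalName       = $u.UserPrincipalName
                CloudImmutableId        = $cloud.ImmutableId
                ExpectedConsistencyGuid = $expected
                ActualConsistencyGuid   = $actual
                # Stamping the expected value realigns the object; try it on a test OU first.
                Remediation = "Set-ADUser -Identity <object> -Replace @{'mS-DS-ConsistencyGuid' = ([guid]'$expected').ToByteArray()}"
            }
        }
    }
}

Find-SourceAnchorMismatch -OnPrem $onPremUsers -Cloud $cloudUsers | Format-List
```

In the sample, bob matches and carol has nothing in the cloud to conflict with, so only alice is reported: the cloud ImmutableId decodes to the old forest's GUID, while the duplicate object carries its own. Stamping mS-DS-ConsistencyGuid with the decoded value is what brings the export back in line; the new Set-ADSyncToolsDuplicateUsersSourceAnchor cmdlet does this in bulk.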

Bug fixes

  • We fixed a bug that prevented LocalDB upgrades in some locales.
  • We fixed a bug to prevent database corruption when using LocalDB.
  • We added timeout and size-limit errors to the connection log.
  • We fixed a bug where group membership failed if a child domain has a user with the same name as a parent-domain user who happens to be an enterprise admin.
  • We updated the expressions used in the "In from AAD - Group SOAInAAD" rule to limit the description attribute to 448 characters.
  • We made a change to set the "Unexpire Password" extended right for Password Reset.
  • We modified the AD connector upgrade to refresh the schema: constructed and non-replicated attributes are no longer shown in the Wizard during upgrade.
  • We fixed a bug in the ADSyncConfig functions ConvertFQDNtoDN and ConvertDNtoFQDN: if a user sets variables called $dn or $fqdn, those variables are no longer picked up inside the script scope.
  • Multiple accessibility fixes (see article for details).
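The ConvertFQDNtoDN/ConvertDNtoFQDN fix is worth a closer look because the underlying bug class is common in administrative PowerShell: a function accumulates into a variable it never initialised, and PowerShell's dynamic scoping silently hands it whatever value of that name the caller already had. The block below is an added example, not the ADSyncConfig module's own code. The two converters are shaped the way the release note describes, with made-up suffixes so they cannot collide with the real module's functions; the domain names are constructed.

```powershell
# Added example, not the ADSyncConfig module's own code: the variable-scope bug
# class behind the ConvertFQDNtoDN/ConvertDNtoFQDN fix, shown on small converters
# of the same shape.

function ConvertFQDNtoDN-Leaky {
    param([Parameter(Mandatory)][string]$FQDN)
    # Bug: $dn is never initialised in this function, so the first '+=' reads
    # whatever $dn the caller or script scope already holds (dynamic scoping)
    # and appends to it. Set-StrictMode only catches the case where no $dn
    # exists anywhere; an inherited value is used without complaint.
    foreach ($label in $FQDN.Split('.')) {
        $dn += "DC=$label,"
    }
    return $dn.TrimEnd(',')
}

function ConvertFQDNtoDN-Fixed {
    param([Parameter(Mandatory)][string]$FQDN)
    # Fix: never accumulate into an uninitialised name. Build the value in one
    # expression (or write $local:dn = '' before the loop if you keep the loop).
    return ($FQDN.Split('.') | ForEach-Object { "DC=$_" }) -join ','
}

function ConvertDNtoFQDN-Fixed {
    param([Parameter(Mandatory)][string]$DN)
    # Only DC= components form the DNS name; OU=/CN= parts are ignored.
    $labels = $DN.Split(',') |
        Where-Object { $_.Trim() -like 'DC=*' } |
        ForEach-Object { $_.Trim().Substring(3) }
    return $labels -join '.'
}

# Demonstration: a leftover $dn in the calling scope pollutes the leaky version
# but not the fixed one.
$dn = 'OU=Stale,DC=old,DC=local'
"Leaky : " + (ConvertFQDNtoDN-Leaky -FQDN 'corp.contoso.com')
"Fixed : " + (ConvertFQDNtoDN-Fixed -FQDN 'corp.contoso.com')
"Round : " + (ConvertDNtoFQDN-Fixed -DN (ConvertFQDNtoDN-Fixed -FQDN 'corp.contoso.com'))
```

Running the file as a script, the leaky variant returns the stale DN glued onto the front of the correct one, because the `$dn` set at script scope is what its first `+=` starts from; the fixed variant returns only DC=corp,DC=contoso,DC=com and round-trips back to corp.contoso.com. In a sync configuration script that DN feeds permission grants, so a polluted value is not just cosmetic.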
