Azure AD Connect 1.1.553.0 released – with fix of critical security vulnerability

Last week, Microsoft launched the Azure AD Connect version 1.1.553.0 which include a vast range of fixes, improvements and new features.

Among the most urgent fixes is the update that addresses a vulnerability which could allow elevation of privilege if Azure AD Connect Password writeback is misconfigured during setup. This vulnerability allows an attacker to reset passwords and gain unauthorized access to on-premises AD privileged user accounts, and is addressed in the 1.1.553.0 version of Azure AD Connect by not allowing an Azure AD Administrator to reset the password of an arbitrary on-premises AD privileged user account, unless the administrator is the owner of that account.

Download latest version of Azure AD Connect:
https://www.microsoft.com/en-us/download/details.aspx?id=47594

Fixes:

  • Fixed an issue with Password writeback that allows an Azure AD Administrator to reset the password of an on-premises AD privileged user account. For more information, refer to Security Advisory 4033453.
  • Fixed an issue related to the msDS-ConsistencyGuid as Source Anchor feature where Azure AD Connect does not writeback to on-premises AD msDS-ConsistencyGuid attribute.
    The issue occurs when there are multiple on-premises AD forests added to Azure AD Connect and the User identities exist across multiple directories option is selected.
  • Previously, even if the msDS-ConsistencyGuid as Source Anchor feature isn’t enabled, the “Out to AD – User ImmutableId” synchronization rule is still added to Azure AD Connect.
    The effect is benign and does not cause writeback of msDS-ConsistencyGuid attribute to occur. To avoid confusion, logic has been added to ensure that the sync rule is only added when the feature is enabled.
  • Fixed an issue that caused password hash synchronization to fail with error event 611.
    This issue occurs after one or more domain controllers have been removed from on-premises AD. With this fix, the Password Synchronization Manager persists the synchronization cookie correctly.
  • Previously, even if Automatic Upgrade has been disabled using the Set-ADSyncAutoUpgrade cmdlet, the Automatic Upgrade process continues to check for upgrade periodically, and relies on the downloaded installer to honor disablement.
    With this fix, the Automatic Upgrade process no longer checks for upgrade periodically.
    The fix is automatically applied when upgrade installer for this Azure AD Connect version is executed once.

Improvements and new features:

  • Previously, the msDS-ConsistencyGuid as Source Anchor feature was available to new deployments only. Now, it is available to existing deployments.
  • Specific to userCertificate attribute on Device objects, Azure AD Connect now looks for certificates values required for Connecting domain-joined devices to Azure AD for Windows 10 experience and filters out the rest before synchronizing to Azure AD.
    To enable this behavior, the out-of-box sync rule “Out to AAD – Device Join SOAInAD” has been updated.
  • Azure AD Connect now supports writeback of Exchange Online cloudPublicDelegates attribute to on-premises AD publicDelegates attribute.
    This enables the scenario where an Exchange Online mailbox can be granted SendOnBehalfTo rights to users with on-premises Exchange mailbox. To support this feature, a new out-of-box sync rule “Out to AD – User Exchange Hybrid PublicDelegates writeback” has been added.
    This sync rule is only added to Azure AD Connect when Exchange Hybrid feature is enabled.
  • Azure AD Connect now supports synchronizing the altRecipient attribute from Azure AD.
  • The cloudSOAExchMailbox attribute in the Metaverse indicates whether a given user has Exchange Online mailbox or not. Its definition has been updated to include additional Exchange Online RecipientDisplayTypes as such Equipment and Conference Room mailboxes.
    To enable this change, the definition of the cloudSOAExchMailbox attribute, which is found under out-of-box sync rule “In from AAD – User Exchange Hybrid”, has been updated.
  • Added several set of X509Certificate2-compatible functions for creating synchronization rule expressions to handle certificate values in the userCertificate attribute.
  • The following schema changes have been introduced to allow customers to create custom synchronization rules to flow sAMAccountName, domainNetBios, and domainFQDN for Group objects, as well as distinguishedName for User objects:
    • Following attributes have been added to MV schema:
      • Group: AccountName
      • Group: domainNetBios
      • Group: domainFQDN
      • Person: distinguishedName
    • Following attributes have been added to Azure AD Connector schema:
      • Group: OnPremisesSamAccountName
      • Group: NetBiosName
      • Group: DnsDomainName
      • User: OnPremisesDistinguishedName
  • The ADSyncDomainJoinedComputerSync cmdlet script now has a new optional parameter named AzureEnvironment.
  • Updated Sync Rule Editor to use Join (instead of Provision) as the default value of link type during sync rule creation.

AD FS Management

  • Fixes:
  • New features and improvements
    • Previously, the ADFS Certificate Management feature provided by Azure AD Connect can only be used with ADFS farms managed through Azure AD Connect.
      Now, you can use the feature with ADFS farms that are not managed using Azure AD Connect.

Known issues:

  • There is an issue that affects customers who are using OU-based filtering with Azure AD Connect sync.
    When you navigate to the Domain and OU Filtering page in the Azure AD Connect wizard, the following behavior is expected:

    • If OU-based filtering is enabled, the Sync selected domains and OUs option is selected.
    • Otherwise, the Sync all domains and OUs option is selected.

The issue it is that the Sync all domains and OUs option is selected, even if OU-based filtering is enabled.
Before saving any synchronization configuration changes in the wizard, make sure the Sync selected domains and OUs option is selected first. Otherwise, OU-based filtering will be disabled.

 

Leave a Reply