Upcoming Azure AD Connect support changes

Warning! These changes could break your Office 365 tenant or authentication to other applications

By Ted Dasher Jr., Enterprise Architect

Microsoft recently released the 2.0 version of Azure AD Connect, which isn’t particularly notable in and of itself, but some of the consequences of this new version are.  Before getting to the consequences, I’ll cover the actual changes in AAD Connect 2.0.  Functionality-wise, there really are no changes.  All the changes are under the covers and involve upgrades to the underlying infrastructure used by the tool.  Specifically, these are the major changes:

  1. Minimum supported OS is Server 2016
  2. The local database used is now based on SQL Server 2019 rather than 2012
  3. TLS 1.2 is used exclusively
  4. All binaries are now signed with SHA2
  5. The authentication library used for communicating with Azure AD is changed from the old ADAL to the new MSAL.

Most of these changes won’t break your existing Azure AD Connect implementation but two of them can under certain conditions.

In January 2022 Microsoft plans to stop supporting earlier versions of TLS for connections to Azure AD.  If you are running Azure AD Connect on an OS earlier than Server 2016, it is likely that you are currently using TLS 1.0 or 1.1.  If so, then you need to upgrade by the end of the year or risk breaking your replication to Azure AD.  If you are running the 2016 or 2019 versions of Windows Server, then you are likely OK, but it would be a good idea to verify this.  I have seen documented cases where earlier versions of TLS are still in use on these newer server platforms.
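One way to do that verification, as an added example that is not part of the original post or of Microsoft's tooling: a PowerShell check, run locally on the AAD Connect server, that reads the registry values governing TLS 1.2 for .NET Framework applications (which Azure AD Connect is) and for SCHANNEL, and flags anything that does not enforce TLS 1.2. The function names are my own.

```powershell
# Added example (not from the original post). Assumes it runs on the
# AAD Connect server with rights to read HKLM.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function Test-Tls12Readiness {
    $findings = @()

    # .NET Framework 4.x: both values must be 1 so managed code such as
    # AAD Connect follows the OS defaults (TLS 1.2) instead of negotiating
    # TLS 1.0/1.1. The Wow6432Node path covers 32-bit components.
    $netPaths = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($p in $netPaths) {
        foreach ($n in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
            if ((Get-RegValue $p $n) -ne 1) { $findings += "$p\$n is not 1" }
        }
    }

    # SCHANNEL: TLS 1.2 must not be explicitly disabled for the client side
    # (AAD Connect -> Azure AD) or the server side. Absent values mean the OS
    # default applies, which enables TLS 1.2 on Server 2016 and later.
    $sch = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    foreach ($side in 'Client', 'Server') {
        $p = Join-Path $sch $side
        if ((Get-RegValue $p 'Enabled') -eq 0)           { $findings += "$p\Enabled is 0" }
        if ((Get-RegValue $p 'DisabledByDefault') -eq 1) { $findings += "$p\DisabledByDefault is 1" }
    }

    if ($findings.Count -eq 0) {
        "TLS 1.2 is enforced for .NET and enabled in SCHANNEL."
    } else {
        "Remediate before the TLS 1.0/1.1 cutoff:"
        $findings
    }
}

Test-Tls12Readiness
```

Apply any registry changes via Microsoft's documented TLS 1.2 enforcement guidance for Azure AD Connect and reboot before re-running the check.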

As of June 30th 2022, ADAL will go out of support and it is likely that Microsoft will cease to respond to ADAL requests, although their position on this is not 100% clear.  That said, it will happen sooner or later, and you would be smart to be sure you have upgraded before this time.  As with TLS, the risk is that you would break replication to Azure AD.

If you are wondering why these changes are being made, it’s simple: Microsoft is working to increase the security of the product and make it scale to larger environments.  Enforcing newer versions of TLS and changing ADAL to MSAL improves security, and the move to SQL 2019 increases the scale of what an instance of AAD Connect can handle from approximately 50k objects to more than 250k objects.  While the scale improvements will only help a small subset of clients, the improved security is a plus for everyone.

With the recent release of Windows Server 2022, we recommend that all new installations be on either Server 2019 or Server 2022 as the end of mainstream support for 2016 is just around the corner in January 2022.

As always, Dasher and the Converge family of companies are ready to help you if you have any questions or would like help navigating this change. Please reach out to us by going to our Contact Us page.