Entra Connect Sync 2.5.3 released

Hi All,
Just a few days ago, Microsoft released a new version of Entra Connect Sync.
It is only downloadable via the Microsoft Entra Admin Center.
It's really hidden: Entra Admin Center > Identity > Hybrid Management > Microsoft Entra Connect > Get started > Manage > Download Connect Sync Agent.
If you click the download link you then have to click the "Accept terms & download" button. It will download AzureAdConnect.msi 😂
Another missed chance to rename the downloaded file 😉
Preparation
There is a more detailed guide here. You should probably read that first.
There are options like:
- Bring Your Own Application (BYOA)
- Bring Your Own Certificate (BYOC)
Microsoft recommends that a TPM be available.
Check whether a TPM is available with the following PowerShell command. If there is none, you can use my guide for Hyper-V:
Get-TPM
Check OnPrem
Get-ADSyncEntraConnectorCredential
Check Entra
Connect-MgGraph -Scopes OnPremDirectorySynchronization.Read.All -NoWelcome
$Sync = Get-MgBetaDirectoryOnPremiseSynchronization
$Sync.Configuration.CurrentExportData.ServiceAccount
$Sync.Configuration.SynchronizationClientVersion
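The three checks above (TPM, on-prem connector credential, Entra sync settings) are repeated after the installation and again after the old sync account is removed. The following is an added example, not code from the original post, that captures them once as a snapshot and diffs two snapshots, so the post-upgrade state is compared rather than eyeballed. It assumes the ADSync module on the sync server and the Microsoft.Graph.Beta.Identity.DirectoryManagement module, uses only the property names shown in the post, and, because the connector credential object can carry secrets, records the credential by shape (which properties exist) rather than by value. The CertificateCredential property name is taken from the post; everything else about that object is an assumption.

```powershell
# Added example, not part of the original post. Snapshot the sync server and tenant state
# before and after the upgrade so the differences can be listed instead of eyeballed.
# Requires the ADSync module (sync server) and Microsoft.Graph.Beta.Identity.DirectoryManagement.

function Get-EntraConnectSyncSnapshot {
    [CmdletBinding()]
    param()

    $tpm  = Get-Tpm
    $cred = Get-ADSyncEntraConnectorCredential

    Connect-MgGraph -Scopes 'OnPremDirectorySynchronization.Read.All' -NoWelcome
    $sync = Get-MgBetaDirectoryOnPremiseSynchronization

    [pscustomobject]@{
        Timestamp           = (Get-Date).ToString('o')
        ComputerName        = $env:COMPUTERNAME
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        SyncBinaryVersion   = (Get-Item "$env:ProgramFiles\Microsoft Azure AD Sync\Bin\miiserver.exe").VersionInfo.FileVersion
        # Record only the property names the credential object exposes, never their values
        # (assumption: a populated CertificateCredential property means app-based auth is in use).
        CredentialShape     = @($cred.PSObject.Properties.Name)
        UsesCertificate     = [bool]($cred.PSObject.Properties['CertificateCredential'] -and $cred.CertificateCredential)
        EntraServiceAccount = $sync.Configuration.CurrentExportData.ServiceAccount
        EntraClientVersion  = $sync.Configuration.SynchronizationClientVersion
    }
}

function Compare-EntraConnectSyncSnapshot {
    param(
        [Parameter(Mandatory)][string]$BeforePath,
        [Parameter(Mandatory)][string]$AfterPath
    )
    $before = Get-Content -Path $BeforePath -Raw | ConvertFrom-Json
    $after  = Get-Content -Path $AfterPath  -Raw | ConvertFrom-Json

    # Only the fields that are expected to move during the upgrade are compared.
    foreach ($name in 'SyncBinaryVersion', 'UsesCertificate', 'EntraServiceAccount', 'EntraClientVersion', 'TpmReady') {
        [pscustomobject]@{
            Property = $name
            Before   = $before.$name
            After    = $after.$name
            Changed  = ($before.$name -ne $after.$name)
        }
    }
}

# Usage: once before the upgrade, once after, then compare.
# Get-EntraConnectSyncSnapshot | ConvertTo-Json -Depth 4 | Set-Content .\sync-before.json
# Get-EntraConnectSyncSnapshot | ConvertTo-Json -Depth 4 | Set-Content .\sync-after.json
# Compare-EntraConnectSyncSnapshot -BeforePath .\sync-before.json -AfterPath .\sync-after.json | Format-Table
```

After the upgrade you would expect SyncBinaryVersion, UsesCertificate and EntraClientVersion to show Changed = True while EntraServiceAccount still reports the old sync user, which matches what the post observes further down.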
Installation and Configuration
Checks
Let's check the version after the installation:
(Get-Item "C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe").VersionInfo
Now let's check the credential. This has changed to the Entra application:
Get-ADSyncEntraConnectorCredential
Get-ADSyncEntraConnectorCredential | fl
With the following code we can see the details of the certificate:
$SyncCred = Get-ADSyncEntraConnectorCredential
$SyncCred.CertificateCredential
The certificate is not in the Local Machine store:
Get-ChildItem Cert:\LocalMachine\My
Instead I found this file under the sync service account's profile. The private key seems to be wrapped by a key in the TPM (PCPKSP is the key storage folder of the Microsoft Platform Crypto Provider, the TPM-backed KSP):
C:\Users\AAD_b37a5b1b7812\AppData\Local\Microsoft\Crypto\PCPKSP\d09768588a2b2bb8c6f54cb095f82dcbfe351d2e\b5a4e5ed7fe422260835acdd2e4c95f69a77037b.PCPKEY
The following command still shows the old sync user, but the new version:
Connect-MgGraph -Scopes OnPremDirectorySynchronization.Read.All -NoWelcome
$Sync = Get-MgBetaDirectoryOnPremiseSynchronization
$Sync.Configuration.CurrentExportData.ServiceAccount
$Sync.Configuration.SynchronizationClientVersion
Check Entra Connect Sync Health
It shows the new version.
The AAD Connect Health agent is also updated.
Review Entra Connect Sync Configuration
It's a good idea to export the configuration and review your Entra Connect Sync configuration.
Review Entra Application
Let's have a look at the created Entra application.
Authentication with certificate
Permissions:
Microsoft Entra AD Synchronization Service
- ADSynchronization.ReadWrite.All
Microsoft password reset service
- PasswordWriteback.OffboardClient.All
- PasswordWriteback.RefreshClient.All
- PasswordWriteback.RegisterClientVersion.All
No owner has been set.
You can also check the details of the Entra app with the Microsoft.Graph PowerShell module:
Connect-MgGraph -Scopes Application.Read.All -NoWelcome
Get-MgApplication -Filter "AppID eq 'd5b79403-7358-486a-a1fb-d27c01c10113'"
Get-MgApplication -Filter "AppID eq 'd5b79403-7358-486a-a1fb-d27c01c10113'" | fl
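The portal view above shows three things worth checking on a recurring basis: the app authenticates with a certificate (so its expiry matters), it holds application permissions on two resource APIs, and it has no owner. The following is an added example, not the post's own code, that pulls all three from Graph in one report: it resolves the granted app roles to their permission names by looking up the resource service principal, counts owners, and flags certificate credentials that expire within a configurable window. The appId is the one from the post; the function name, the warning threshold and the assumption that Application.Read.All plus Directory.Read.All are sufficient scopes are mine.

```powershell
# Added example, not part of the original post. Audits the auto-created Entra Connect Sync
# application: certificate validity, granted application permissions, and owners.
# Requires the Microsoft.Graph.Applications module.

function Get-EntraConnectSyncAppReport {
    param(
        [Parameter(Mandatory)][string]$AppId,
        [int]$CertWarnDays = 30
    )

    Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

    $app = Get-MgApplication -Filter "appId eq '$AppId'"
    $sp  = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $app -or -not $sp) { throw "No application or service principal found for appId $AppId" }

    # The sync service authenticates with a certificate, so a missing or soon-to-expire
    # KeyCredential means sync will stop working.
    $now   = Get-Date
    $certs = foreach ($k in $app.KeyCredentials) {
        $daysLeft = [int]($k.EndDateTime - $now).TotalDays
        [pscustomobject]@{
            KeyId     = $k.KeyId
            Usage     = $k.Usage
            NotBefore = $k.StartDateTime
            NotAfter  = $k.EndDateTime
            DaysLeft  = $daysLeft
            Warning   = ($daysLeft -lt $CertWarnDays)
        }
    }

    # Granted application permissions are app-role assignments on the service principal.
    # Resolve each AppRoleId against the resource service principal's AppRoles to get the name.
    $assignments   = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    $resourceCache = @{}
    $permissions   = foreach ($a in $assignments) {
        if (-not $resourceCache.ContainsKey($a.ResourceId)) {
            $resourceCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
        }
        $resource = $resourceCache[$a.ResourceId]
        $role     = $resource.AppRoles | Where-Object Id -eq $a.AppRoleId
        [pscustomobject]@{
            Resource   = $resource.DisplayName
            Permission = $role.Value
            AssignedOn = $a.CreatedDateTime
        }
    }

    $owners = Get-MgApplicationOwner -ApplicationId $app.Id -All

    [pscustomobject]@{
        DisplayName     = $app.DisplayName
        AppId           = $app.AppId
        ObjectId        = $app.Id
        PasswordSecrets = @($app.PasswordCredentials).Count   # expected 0: certificate only
        Certificates    = $certs
        Permissions     = $permissions
        OwnerCount      = @($owners).Count                    # the post found no owner set
        OwnerIds        = @($owners | ForEach-Object Id)
    }
}

# Usage:
# $report = Get-EntraConnectSyncAppReport -AppId 'd5b79403-7358-486a-a1fb-d27c01c10113'
# $report.Certificates | Format-Table
# $report.Permissions  | Format-Table
# if ($report.OwnerCount -eq 0) { Write-Warning 'Entra Connect Sync application has no owner' }
```

The permission table should list exactly the four roles shown in the portal; anything beyond that, or a non-zero PasswordSecrets count, means someone has modified the sync application and is worth investigating.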
Remove old Sync Account
First make sure your Entra Connect Sync is using the Entra app service principal.
Use the following command to remove the old service account (the account name, without the UPN domain part):
Remove-ADSyncAADServiceAccount -Name <>
It finishes without an error.
The Graph query did not change anything here:
Connect-MgGraph -Scopes OnPremDirectorySynchronization.Read.All -NoWelcome
$Sync = Get-MgBetaDirectoryOnPremiseSynchronization
$Sync.Configuration.CurrentExportData.ServiceAccount
$Sync.Configuration.SynchronizationClientVersion
FirstStandardRulePrecedence
With 2.4.18.0 there was just this line in the release notes. A Google search did not reveal much more:
Introduced a registry key that allows you to set the precedence number for custom rules to be more than 100, if needed. The precedence of the first standard rule can be set using the key HKLM:\SOFTWARE\Microsoft\Azure AD Connect\FirstStandardRulePrecedence, allowing for more custom rules. If no value is set, 100 is the default.
I've created this registry key (decimal 200):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect
"FirstStandardRulePrecedence"=dword:000000c8
I noticed that with this upgrade the default rules have been moved to 200 😊
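Because the standard rules only move to the new starting number during an upgrade, the value has to be in place before the installer runs, and afterwards it is worth confirming that no custom rule now sits inside the standard range. The following is an added example, not from the original post: one function writes the registry value the way the .reg fragment above does, the other reads the sync rules with the ADSync module and reports whether the lowest standard rule matches the configured value, whether any custom rule has a precedence at or above it, and whether two rules in the same direction share a precedence. The function names are mine; the IsStandardRule property of Get-ADSyncRule output is the flag the Synchronization Rules Editor filters on, but treat its name as an assumption of this example.

```powershell
# Added example, not part of the original post. Set FirstStandardRulePrecedence before the
# upgrade, then verify the rule layout afterwards. Requires the ADSync module on the sync server.

function Set-FirstStandardRulePrecedence {
    param([ValidateRange(100, 65535)][int]$Value = 200)

    $path = 'HKLM:\SOFTWARE\Microsoft\Azure AD Connect'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # DWORD 200 is the same as the dword:000000c8 line in the .reg fragment above.
    New-ItemProperty -Path $path -Name 'FirstStandardRulePrecedence' -PropertyType DWord -Value $Value -Force | Out-Null
    (Get-ItemProperty -Path $path -Name 'FirstStandardRulePrecedence').FirstStandardRulePrecedence
}

function Test-SyncRulePrecedence {
    [CmdletBinding()]
    param()

    $path  = 'HKLM:\SOFTWARE\Microsoft\Azure AD Connect'
    $first = (Get-ItemProperty -Path $path -Name 'FirstStandardRulePrecedence' -ErrorAction SilentlyContinue).FirstStandardRulePrecedence
    if (-not $first) { $first = 100 }   # documented default when the value is absent

    $rules    = Get-ADSyncRule
    $standard = $rules | Where-Object IsStandardRule            # assumption: property name
    $custom   = $rules | Where-Object { -not $_.IsStandardRule }

    $problems       = @()
    $lowestStandard = ($standard | Measure-Object -Property Precedence -Minimum).Minimum
    if ($lowestStandard -ne $first) {
        $problems += "Lowest standard rule precedence is $lowestStandard, expected $first"
    }

    # Custom rules must stay below the first standard rule, otherwise they interleave with
    # Microsoft's rules and the next upgrade may shift them again.
    foreach ($r in ($custom | Where-Object Precedence -ge $first)) {
        $problems += "Custom rule '$($r.Name)' has precedence $($r.Precedence), inside the standard range (>= $first)"
    }

    # Two rules with the same direction and precedence are ambiguous; flag them as well.
    $dupes = $rules | Group-Object -Property Direction, Precedence | Where-Object Count -gt 1
    foreach ($d in $dupes) {
        $problems += "Precedence collision ($($d.Name)): $($d.Group.Name -join ', ')"
    }

    [pscustomobject]@{
        FirstStandardRulePrecedence = $first
        StandardRules               = @($standard).Count
        CustomRules                 = @($custom).Count
        LowestStandardPrecedence    = $lowestStandard
        Problems                    = $problems
    }
}

# Usage:
# Set-FirstStandardRulePrecedence -Value 200   # before running the 2.5.3 upgrade
# Test-SyncRulePrecedence | Format-List        # after the upgrade; Problems should be empty
```

On the server described in this post the check should report LowestStandardPrecedence = 200 with an empty Problems list; a non-empty list means a custom rule needs its precedence lowered before the next upgrade.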
Summary
I've explained in detail how you can install the new version and how to check all the details about app authentication with Entra Connect Sync.
On machines with a TPM the certificate's private key is protected by the TPM, and you are not able to export it.
This is much more secure, and I like that the default rules now start at the value from the registry.
Regards
Andres Bohren