Microsoft Azure AD Connect V2.0: Are you ready for the non-automated upgrade?
This year, on 30 August 2022, V1.0 of Azure AD Connect will retire. Certain components used by V1.0 will also retire, become deprecated, or will no longer be supported by V2.0. This includes ADAL, SQL Server 2012, and servers such as Microsoft Server 2012, 2012 R2 and 2016. Organisations will therefore be left with no option but to carry out the migrations and upgrades needed to attain full functional operation with Azure AD Connect V2.0.
Due to the various dates on which V1.0 components will be deprecated, and others will no longer be supported, we strongly advise that the necessary updates and migrations are carried out prior to the Azure AD Connect V2.0 upgrade and before June 30, 2022.
A quick recap: what is Azure AD (Active Directory) Connect?
Azure AD Connect is a tool used to synchronise identities (i.e., user accounts) to Azure Active Directory and the cloud. AAD gives an organisation a “hybrid identity” between on-premises and the cloud.
Azure AD Connect can provide the following features for your organisation:
- Password hash sync – this is the feature whereby users can sign in to Azure AD services such as Microsoft 365 using the same password they use to sign in on-premises.
- Pass-through authentication – similar to password hash sync, pass-through authentication allows users to use their on-premises passwords in the cloud, without requiring a federated infrastructure.
- Federation integration (optional) – another sign-in feature; federated sign-in enables users to sign in to Azure AD-based services using their on-premises password and, when within the corporate network, drops the requirement to re-enter passwords.
- Azure AD Connect sync (synchronisation) – the feature responsible for creating users, groups, and other objects, making sure identity information for on-premises users and groups matches in the cloud (including password hashes).
- Azure AD Connect Health – monitors on-premises identity infrastructure, enabling organisations to maintain reliable connectivity to Microsoft 365 and online services. Connect Health also provides a central location in the Azure portal to view activities.
For more detail on Azure AD Connect, please refer to Microsoft’s technical documentation here.
It should be noted, however, that several components and installations on the current Azure AD Connect server will soon go out of support. More importantly, the authentication library behind Azure AD Connect – ADAL – is being retired in December 2022. Therefore, it is strongly advised that those using Azure AD Connect prepare for the V2.0 upgrade and upgrade in advance.
What is changing in Active Directory (AD) Connect V2.0?
There are several key components that Microsoft has reported will be changing, deprecated, or upgraded. These include SQL Server 2012 and 2019, Visual C++ Redist 14, ADAL and MSAL, TLS 1.2, SHA-1 and SHA-2, Windows Server 2012 and 2012 R2, and PowerShell 5.0. More information on these components can be found below.
SQL Server 2012 LocalDB
Azure AD Connect currently ships with SQL Server 2012 LocalDB. Following the V2.0 upgrade, the SQL Server 2012 LocalDB will be replaced with SQL Server 2019 LocalDB. Systems will need to make the switch before 12 July, 2022, when extended support for SQL Server 2012 will end.
- Switch to SQL Server 2019 LocalDB
Microsoft SQL Server 2019, in Microsoft’s own words, “…represents not only an evolutionary release, but a revolutionary release” – promising enhanced reliability, scalability, and security performance both on-premises and in the cloud. For more detail on the specific features of Microsoft SQL 2019 click here.
Visual C++ Redist 14
For SQL Server 2019 to be in full operating order, the Visual C++ runtime is required. Therefore, Microsoft is updating the C++ runtime library. This component is included in, and installed with, the Azure AD Connect V2.0 package, so no precautionary action is needed to update it.
Active Directory Authentication Library (ADAL)
Previous versions of Azure AD Connect have used ADAL for authentication. From December of this year, this library will be deprecated. Therefore, prior to the V2.0 upgrade and before the end of June, organisations will need to migrate from ADAL to the newer Microsoft Authentication Library (MSAL). If you do not make the move, ADAL apps may continue to work, but no support or security fixes will be provided past end of life.
- Migrate to Microsoft Authentication Library (MSAL)
Unlike ADAL, MSAL integrates with the Microsoft identity platform. Whereas the v1.0 endpoint only supports work accounts, the v2.0 endpoint unifies personal and work accounts into a single authentication system. MSAL also supports authentication against Azure AD B2C. For more detail on the newer authentication library (MSAL) click here, and for information on how to migrate from ADAL to MSAL click here.
TLS 1.2
Microsoft has deemed the TLS 1.0 and TLS 1.1 protocols unsafe, and as a result both are being deprecated; Microsoft expected TLS 1.0/1.1 to be deprecated in January 2022. The newer release of Azure AD Connect (V2.0) will only support TLS 1.2, and all versions of Windows Server that are supported for V2.0 default to TLS 1.2. If your server does not have TLS 1.2 enabled, you will be required to enable it before deploying V2.0. You can find more information on this here.
All binaries signed with SHA-2
Microsoft Azure AD Connect V2.0 no longer supports the Secure Hash Algorithm 1 (SHA-1) for signing downloadable binaries and has moved to SHA-2 signing. Microsoft noted “weaknesses” in the SHA-1 algorithm and, to align with industry standards, has updated to the “more secure” SHA-2 algorithm. Microsoft allowed the SHA-1 Trusted Root Certificate Authority to expire earlier this year (May 9, 2022). SHA-2 signing is applied to the V2.0 bundle, and no action is required.
Windows Server 2012 and Windows Server 2012 R2 not supported by V2.0
For SQL Server 2019 (and therefore Azure AD Connect V2.0) to be in full operating order, Windows Server 2016 or newer is needed as the operating system. Because of this, older versions such as Windows Server 2012 and Windows Server 2012 R2 will no longer be supported by V2.0. It must also be noted that V2.0 cannot be installed on Windows Server 2012 versions, and extended support for both Windows Server 2012 and 2012 R2 will end on October 10, 2023. Therefore, it is strongly advised to upgrade to Windows Server 2019 or newer – the most recent versions of the Windows Server operating system.
- Windows Server 2019
To find out more about Windows Server 2019 click here. For guidance on how to upgrade from older Server versions to Windows Server 2019 click here.
- Windows Server 2022
Microsoft recently released Windows Server 2022 (September 1, 2021). For more information on the Windows Server 2022 edition, click here. Organisations can make their decision based on compatibility and preference – but an upgrade is required nonetheless, and upgrading to either 2019 or 2022 is strongly advised.
PowerShell 5.0
PowerShell 5.0 is a new prerequisite for Azure Active Directory (AD) Connect V2.0. To run Windows PowerShell 5.0, WMF 5.1 (Windows Management Framework) will need to be installed. If you are already running Windows Server 2016 or newer, you will not need to act, as PowerShell 5.0 is already part of the Server.
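As an added example (not from this article or from Microsoft), the following PowerShell script checks the three host prerequisites described above in one pass: Windows Server 2016 or newer, PowerShell 5.0, and the TLS 1.2 settings that V2.0 requires. The registry paths are the Schannel protocol keys and the .NET strong-crypto values Microsoft documents for TLS 1.2 enforcement; the build-number threshold (14393 for Windows Server 2016) and the -Enable switch are this example's own choices.

```powershell
# Azure AD Connect V2.0 readiness check (added example; not Microsoft's script).
# Run in an elevated PowerShell session on the server that hosts Azure AD Connect.
# Without -Enable the script only reports; with -Enable it writes the TLS 1.2 values.
[CmdletBinding()]
param([switch]$Enable)

# 1. Operating system: V2.0 needs Windows Server 2016 (build 14393) or newer.
$os   = Get-CimInstance Win32_OperatingSystem
$osOk = [int]$os.BuildNumber -ge 14393
Write-Host ("OS: {0} (build {1}) - {2}" -f $os.Caption, $os.BuildNumber, $(if ($osOk) { 'OK' } else { 'UPGRADE REQUIRED' }))

# 2. PowerShell 5.0 or newer (built into Server 2016+; older hosts need WMF 5.1).
$psOk = $PSVersionTable.PSVersion.Major -ge 5
Write-Host ("PowerShell: {0} - {1}" -f $PSVersionTable.PSVersion, $(if ($psOk) { 'OK' } else { 'INSTALL WMF 5.1' }))

# 3. TLS 1.2: Schannel server/client protocol keys plus .NET strong-crypto flags (64- and 32-bit).
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$dotnet   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$dotnet32 = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
$tls = @(
  @{ Path = "$schannel\Server"; Name = 'Enabled';                 Value = 1 }
  @{ Path = "$schannel\Server"; Name = 'DisabledByDefault';       Value = 0 }
  @{ Path = "$schannel\Client"; Name = 'Enabled';                 Value = 1 }
  @{ Path = "$schannel\Client"; Name = 'DisabledByDefault';       Value = 0 }
  @{ Path = $dotnet;            Name = 'SchUseStrongCrypto';      Value = 1 }
  @{ Path = $dotnet;            Name = 'SystemDefaultTlsVersions'; Value = 1 }
  @{ Path = $dotnet32;          Name = 'SchUseStrongCrypto';      Value = 1 }
  @{ Path = $dotnet32;          Name = 'SystemDefaultTlsVersions'; Value = 1 }
)
$tlsOk = $true
foreach ($s in $tls) {
  # A missing key or value reads as $null, which counts as "not configured".
  $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
  if ($current -ne $s.Value) {
    $tlsOk = $false
    if ($Enable) {
      if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
      New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
      Write-Host ("TLS 1.2: set {0}\{1} = {2}" -f $s.Path, $s.Name, $s.Value)
    } else {
      Write-Host ("TLS 1.2: {0}\{1} is '{2}', expected {3}" -f $s.Path, $s.Name, $current, $s.Value)
    }
  }
}
if ($tlsOk)      { Write-Host 'TLS 1.2: OK' }
elseif ($Enable) { Write-Host 'TLS 1.2: values written; reboot before running the V2.0 installer' }
else             { Write-Host 'TLS 1.2: NOT READY (re-run with -Enable to set the values)' }
```

Registry changes to Schannel and the .NET strong-crypto flags only take effect after a reboot, so run the check again after restarting and before launching the installer.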
Do we need to upgrade from V1.0 to V2.0?
Yes.
Azure Active Directory (AD) Connect V1.0 and its components are to be deprecated and retired on or before August 30, 2022. This means the version will no longer be in operational order, and Microsoft will no longer be able to provide support. Most organisations currently run Azure AD Connect on Windows Server 2012 or Windows Server 2012 R2; V2.0, however, will no longer support these versions and will only support Windows Server 2016 or newer. Organisations must begin to plan their move to the new version of AAD Connect as they switch to newer servers and carry out the other prerequisites.
What will happen if you don’t upgrade?
Until components are deprecated, organisations will not see any direct impact and Azure AD Connect will carry on working. Before those deprecation dates, organisations must make sure the affected components and protocols are no longer in use by end of life (EOL). If precautions are not taken, services may unexpectedly stop working and impact the operations, functions, and security of an organisation.
Notable dates of V1.0 component deprecations:
- TLS 1.0/1.1 – January (TBC), 2022
- ADAL – December 2022
- SQL Server 2012 LocalDB – July 12, 2022
Most notably, when ADAL goes out of support (December 2022), authentication may stop working, which will in turn block Azure AD Connect from being in full functional operation.
We therefore strongly advise upgrading to V2.0 before June 2022.
Will the upgrade to V2.0 uninstall SQL 2012 components?
The upgrade to V2.0 will not affect or remove any SQL 2012 components from servers. If there are components you no longer require, you can follow the instructions published by Microsoft.
Is the upgrade automatic?
Not at this moment in time.
Organisations and IT departments must note that, despite being enrolled in and having enabled auto-upgrade for Azure AD Connect, V2.0 is not available via auto-upgrade.
Remember: prior to upgrading from V1.0 to V2.0, migrating from ADAL to MSAL is required, alongside upgrading servers from 2012 to 2019 or newer.
When should we upgrade?
It is advised to upgrade as soon as possible, because certain components – SQL Server 2012, ADAL, TLS 1.0, and TLS 1.1 – will be deprecated at an earlier date and may stop working unexpectedly, directly affecting the operations and functions of organisations. Azure Active Directory (AD) Connect V1.0 and its component versions will be retired after August 30, 2022. Microsoft has stated that it will “continue to support older versions”. However, it may prove difficult to provide good and effective support when other components drop out of support earlier.
What is the process for upgrading?
Before initiating the official download of Azure AD Connect V2.0, you must first ensure that you meet the prerequisites. This includes upgrading servers to Windows Server 2016 or newer, enabling TLS 1.2, and migrating from ADAL to MSAL (see above for details). Once all servers and components are upgraded, organisations can choose between two upgrade processes, depending on the size and number of servers and objects.
- In-place upgrade
- Swing migration
In-place upgrade
In-place upgrades move Azure AD Connect from its current version to the latest version. This method is preferred if you are using a single server and hold fewer than 100,000 objects. An in-place upgrade ensures new configurations are applied to all existing objects. Typically, this upgrade can take several hours, depending on the number of objects in scope.
Step-by-step process for in-place upgrade from V1.x to V2.0
- Download V2.0 of Microsoft Azure Active Directory Connect
- Run the V2.0 installer of Azure AD Connect; once the installer starts, select ‘Upgrade’
- Make your way to Azure PIM (Privileged Identity Management) to assign the required role to the service account – ‘Manage: Azure AD Roles’ > ‘Assign: Assign Eligibility’
- Click ‘Add assignments’ > ‘Search role’ and search for ‘Hybrid Identity Administrator’ > ‘Select member(s)’ > search for and select your server’s account > ‘Next’
- Make account active – Settings > ‘Assignment type’ > Active > click ‘Assign’
- Sign-in to Azure AD Connect via the installer box, ‘Connect to Azure AD’
- Select ‘Upgrade’
Microsoft has also mentioned that, during in-place upgrades, synchronisation activities may be required following the changes that are introduced. To defer these activities, you can refer to Microsoft’s technical documentation here.
For more detail and understanding on how to conduct an in-place upgrade, please refer to Microsoft’s Azure AD Connect: Upgrade from a previous version to the latest.
Swing migration
A swing migration is advised for the following scenarios:
- If you have a complex deployment
- If you have many objects
- If you require an upgrade to the latest Windows Server
In these cases, an in-place upgrade on the live system is impractical and can prove problematic. Depending on the size and complexity, this process can take several days. To conduct a swing migration, you will require two servers – one active and one standby (think of the standby server as a dummy version). Your active server is responsible for production activity, whilst the standby server is where the new release and configuration(s) are prepared.
Once the standby server is ready, it is switched to active. The previously active server, holding the outdated configuration, can then be switched over and upgraded in turn. For a complete step-by-step guide to upgrading to V2.0 through swing migration, please refer to Microsoft’s Azure AD Connect: Upgrade from a previous version to the latest.
Is there help and support available for upgrading to V2.0?
As Microsoft Partners, and Cloud technology experts, Shaping Cloud are more than capable (and happy) to help your organisation make this transition from V1.x to V2.0 of Microsoft’s Azure Active Directory (AD) Connect.
If your organisation greatly anticipates the move but lacks the understanding, knowledge, or expertise to migrate, upgrade, and update servers and components and deploy the new and improved version, contact our sales team today at sales@shapingcloud.com.
More information on the Microsoft 365 identity and AD models is available below. There are currently three models available: traditional AD DS, Azure AD, and Azure AD Connect or Cloud sync, also known as Hybrid Identity.
On-premises based: Traditional AD DS
Traditional Active Directory (AD) Domain Services (DS) is a great option for managing traditional on-premises infrastructure and applications. Traditional AD records all your users, servers and PCs, authenticating and governing sign-ins and what users are and are not allowed to do and access.
For more detail on the features of AD DS please refer to Microsoft’s Active Directory Domain Services overview.
Cloud based: Azure AD
Azure Active Directory (AAD) is an identity and access management service created by Microsoft. It allows employees of an organisation to sign in and access internal and external resources. Azure AD is great for managing user access to all cloud applications. Azure AD can be used alongside AD DS, or on its own for a completely cloud-based environment.
For more detail on the specifics that Azure AD has to offer, please refer to Microsoft’s ‘What is Azure Active Directory?’.
Hybrid: Azure AD Connect or Cloud sync
Microsoft’s Azure AD Connect and Cloud sync synchronise identities to the cloud in a consistent, ongoing manner. This option is the most common for enterprises making the move from on-premises to cloud. In simple terms, Azure AD Connect checks for changes in AD DS and forwards those changes to Azure AD. Synchronisation can be filtered to determine which accounts are synced. With this hybrid approach, the on-premises AD DS is authoritative – meaning that administrative tasks are performed on-premises and then synced to Azure AD.
For more information on the qualities of this Hybrid approach, click here.
If your organisation is thinking of switching your existing, or adopting a new, hybrid identity and access approach, and is unsure where to start, please contact us today.