Assistance Required with Azure AD Connect Upgrade Issue

Pradhyuman 45 Reputation points
2025-05-31T08:11:53.74+00:00

Hi,

We are currently using an older version of Azure AD Connect (v2.2.8.0) in our hybrid environment. Since we rarely make changes to the synchronization configuration, we haven't accessed Azure AD Connect in a long time. However, upon opening it recently, we were prompted to upgrade.

We attempted the upgrade but encountered an error after entering Global Admin credentials. We have verified that TLS 1.2 is enabled on the server.

Could you please assist us in resolving this issue? Any help would be appreciated.

Thank you.


Accepted answer
    Jerald Felix 2,180 Reputation points
    2025-05-31T16:50:51.92+00:00

    Hi Pradhyuman,

    The upgrade wizard fails after the Global Admin sign-in when it can’t establish a TLS 1.2 session with the Microsoft Entra endpoints. ✔️ TLS 1.2 must be forced for .NET as well as the OS, and the box has to meet the new 2.4.x prerequisites.


    1 | Quick health check

    | Item | Required for 2.4.x | How to verify / fix |
    | --- | --- | --- |
    | Windows build | Server 2016 or later with all cumulative patches | winver → If the host is 2012 R2, either upgrade the OS or do a swing-migration to a new server. |
    | .NET Framework | 4.8 | Control Panel ➜ Programs; install if missing. |
    | TLS 1.2 registry | SystemDefaultTlsVersions=1 and SchUseStrongCrypto=1 under both 32- & 64-bit .NET keys | Run the script below, then reboot. |
    | Root CAs / cipher suites | Current Windows Update chain & suites that include TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (or similar) | certmgr.msc + Get-TlsCipherSuite. |
    | Outbound 443 | To login.microsoftonline.com, *.aadconnecthealth.azure.com, graph.windows.net, etc. | Test-NetConnection login.microsoftonline.com -Port 443. |
    | Global admin account | No legacy MFA prompt inside wizard | Use a break-glass GA exempted by a temporary CA policy, or choose “Use a different sign-in method” to open the device-code flow. |

    PowerShell to force TLS 1.2

    ```powershell
    # Both the 64-bit and the WOW6432Node (32-bit) .NET 4.x keys must be set,
    # because the wizard and the sync service load different bitness runtimes.
    $paths = @(
      'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
      'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($p in $paths) {
      # SystemDefaultTlsVersions=1: let .NET use the OS default TLS versions (TLS 1.2 on a patched host).
      New-ItemProperty -Path $p -Name SystemDefaultTlsVersions -Value 1 -PropertyType DWord -Force
      # SchUseStrongCrypto=1: disable the legacy SSL3/TLS1.0-only crypto defaults in .NET.
      New-ItemProperty -Path $p -Name SchUseStrongCrypto     -Value 1 -PropertyType DWord -Force
    }
    Write-Host 'Registry updated – reboot the server before retrying.'
    ```

    2 | Upgrade paths

    🔹 In-place (simplest)

    1. Back up the current configuration: "%ProgramFiles%\Microsoft Azure AD Sync\Bin\AzureADConnect.exe" /exportconfig.

    2. Install the latest MSI (2.4.20.0 as of May 2025). The wizard detects the existing installation and upgrades it.

    3. Re-enable scheduled sync if the wizard turned it off (Set-ADSyncScheduler -SyncCycleEnabled $true).

    Works well if:
    • the server is already on Server 2016/2019/2022, and
    • you have fewer than ~100 k objects (to keep the outage short).

    🔹 Swing migration (Microsoft-recommended for older hosts)

    1. Build a fresh Server 2019/2022 VM, join it to the domain, install .NET 4.8.

    2. Install Entra Connect 2.4.x in staging mode; at the “Import settings” page, point to the .json you exported.

    3. Let it run a full sync preview; compare Metaverse counts.

    4. Flip roles: disable staging on the new box (makes it primary) and enable staging on the old box.

    5. Decommission the old 2.2.8.0 instance when you’re happy.

    How-to: Microsoft Entra Connect upgrade guide

    3 | Why you should move off 2.2.8.0 anyway

    • Version 2.2.8.0 (released 11 Oct 2023) reaches end of support on 12 Dec 2024.

    • After 30 Apr 2025 the wizard on pre-2.4.18 builds can’t authenticate at all, even for simple config changes.

    • 2.4.x contains critical fixes for the sync service account permissions and the TLS hard-enforcement announced in April 2025.

    4 | If the wizard still fails

    • Look in Event Viewer → Application for DirectorySynchronization or AADConnect errors.

    • %ProgramData%\AADConnect\AADConnectUpgrade.log and %localappdata%\AADConnect\*.log show the exact stack trace.

    • Post the first exception line here (strip tenant IDs) if you need more help.


    Give the registry edits a try, reboot, and rerun the MSI. 9 times out of 10 the sign-in step succeeds once .NET is locked to TLS 1.2. Let us know how it goes!

    Please don’t forget to click Accept answer if this helped; it will help others facing the same upgrade hurdle.

    Best Regards,

    Jerald Felix

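As an added example (not code from the original answer), a read-only PowerShell check for the items in the health-check table above, so the prerequisites can be verified before the registry edit and reboot. It assumes Server 2016 or later (Get-TlsCipherSuite is not available on 2012 R2) and uses the documented .NET 4.8 Release threshold of 528040; it changes nothing on the host.

```powershell
# Added example: verify Entra Connect 2.4.x prerequisites without modifying the server.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Result($Item, $Pass, $Detail) {
    $status = if ($Pass) { 'PASS' } else { 'FAIL' }
    $results.Add([pscustomobject]@{ Item = $Item; Status = $status; Detail = $Detail })
}

# 1. OS build: Server 2016 is build 14393; 2012 R2 (build 9600) needs a swing migration instead.
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
Add-Result 'Windows build' ($build -ge 14393) "CurrentBuildNumber=$build"

# 2. .NET Framework 4.8: the Release DWORD is 528040 or higher on every OS where 4.8 is installed.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
Add-Result '.NET Framework 4.8' ($ndp.Release -ge 528040) "Release=$($ndp.Release)"

# 3. TLS 1.2 registry values must be present on BOTH the 64-bit and the WOW6432Node .NET keys.
$paths = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319')
foreach ($p in $paths) {
    $props = Get-ItemProperty $p -ErrorAction SilentlyContinue
    $ok = ($props.SystemDefaultTlsVersions -eq 1) -and ($props.SchUseStrongCrypto -eq 1)
    Add-Result "TLS 1.2 registry ($p)" $ok `
        "SystemDefaultTlsVersions=$($props.SystemDefaultTlsVersions) SchUseStrongCrypto=$($props.SchUseStrongCrypto)"
}

# 4. Cipher suites: at least one TLS 1.2 ECDHE + AES-GCM suite must be enabled for the Entra endpoints.
$suites = @((Get-TlsCipherSuite | Where-Object { $_.Name -like 'TLS_ECDHE_*_AES_*_GCM_*' }).Name)
Add-Result 'TLS 1.2 cipher suites' ($suites.Count -gt 0) ('Enabled: ' + ($suites -join ', '))

# 5. Outbound 443 to the sign-in endpoint; without it the wizard fails right after credential entry.
$tnc = Test-NetConnection login.microsoftonline.com -Port 443 -WarningAction SilentlyContinue
Add-Result 'Outbound 443 login.microsoftonline.com' $tnc.TcpTestSucceeded "RemoteAddress=$($tnc.RemoteAddress)"

$results | Format-Table -AutoSize
```

Any FAIL row maps directly to a row of the table above; the two registry rows are the ones the fix script in the answer addresses.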