Azure Active Directory Sync Version Release History
Updated: July 22, 2015
This topic will be archived soon.
There is a new product called “Azure Active Directory Connect” that replaces AADSync and DirSync.
Azure AD Connect incorporates the components and functionality previously released as Dirsync and AAD Sync.
At some point in the future, support for Dirsync and AAD Sync will end.
These tools are no longer being updated individually with feature improvements, and all future improvements will be included in updates to Azure AD Connect.
The Windows Azure Active Directory team regularly updates Azure AD Sync with new features and functionality. Not all additions are applicable to all audiences.
This article is designed to help you keep track of the versions that have been released, and to understand whether you need to update to the newest version or not.
- AAD Sync requires now the .Net framework version 4.5.1 to be installed.
- Password writeback from Azure AD is failing with a servicebus connectivity error.
Fixed issues and improvements:
The ADDS connector does not process deletes correctly if the recycle bin is enabled and there are multiple domains in the forest.
The performance of import operations has been improved for the Azure Active Directory connector.
When a group has exceeded the membership limit (by default, the limit is set to 50k objects), the group was deleted in Azure Active Directory. The new behavior is that the group will remain, an error is thrown and no new membership changes will be exported.
A new object cannot be provisioned if a staged delete with the same DN is already present in the connector space.
Some objects are market for being synchronized during a delta sync although there is no change staged on the object.
Forcing a password sync also removes the preferred DC list.
CSExportAnalyzer has problems with some objects states.
- A join can now connect to “ANY” object type in the MV.
- Improved import performance.
Password Sync honors the cloudFiltered attribute used by attribute filtering. Filtered objects will no longer be in scope for password synchronization.
In rare situations where the topology had very many domain controllers, password sync doesn’t work.
“Stopped-server” when importing from the Azure AD Connector after device management has been enabled in Azure AD/Intune.
Joining Foreign Security Principals (FSPs) from multiple domains in same forest causes an ambiguous-join error.
It is now supported to do password synchronization with attribute based filtering. For more details, see Password synchronization with filtering.
The attribute msDS-ExternalDirectoryObjectID is written back to AD. This adds support for Office 365 applications using OAuth2 to access both, Online and On-Premises mailboxes in a Hybrid Exchange Deployment.
Fixed upgrade issues:
A newer version of the sign-in assistant is available on the server
A custom installation path was used to install Azure AD Sync
An invalid custom join criterion blocks the upgrade
Fixed the templates for Office Pro Plus
Fixed installation issues caused by user names that start with a dash
Fixed losing the sourceAnchor setting when running the installation wizard a second time
Fixed ETW tracing for password synchronization
This build adds the following features:
Password synchronization from multiple on-premise AD to AAD
Localized installation UI to all Windows Server languages
Upgrading from AADSync 1.0 GA
If you already have Azure AD Sync installed, there is one additional step you have to take in case you have changed any of the out-of-box Synchronization Rules. After you have upgraded to the 1.0.470.1023 release, the synchronization rules you have modified are duplicated. For each modified Sync Rule do the following:
Locate the Sync Rule you have modified and take a note of the changes.
Delete the Sync Rule.
Locate the new Sync Rule created by Azure AD Sync and re-apply the changes.
Permissions for the AD account
The AD account must be granted additional permissions to be able to read the password hashes from AD. The permissions to grant are named “Replicating Directory Changes” and “Replicating Directory Changes All”.
Both permissions are required to be able to read the password hashes.