Microsoft released Azure Active Directory Connect version 1.1.553.0 on June 26, 2017. More importantly, they published an important security advisory one day later.
Microsoft Security Advisory 4033453 – Vulnerability in Azure AD Connect Could Allow Elevation of Privilege explains,
The [Azure AD Connect version 1.1.553.0] update addresses a vulnerability that could allow elevation of privilege if Azure AD Connect Password writeback is misconfigured during enablement. An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts. The issue is addressed in the latest version (1.1.553.0) of Azure AD Connect by not allowing arbitrary password reset to on-premises AD privileged user accounts.
Microsoft highly recommends all customers update to version 1.1.553.0 or later to mitigate this vulnerability, even if you don’t use the optional password writeback feature. If you are unable to update immediately, the article above describes mitigation steps you can consider.
- If the AD DS account is a member of one or more on-premises AD privileged groups, consider removing the AD DS account from the groups.
- If an on-premises AD administrator has previously created Control Access Rights on the adminSDHolder object for the AD DS account which permits Reset Password operation, consider removing it.
- It may not always be possible to remove existing permissions granted to the AD DS account (for example, the AD DS account relies on the group membership for permissions required for other features such as Password synchronization or Exchange hybrid writeback). Consider creating a DENY ACE on the adminSDHolder object which denies the AD DS account the Reset Password permission, using the Windows DSACLS tool.
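The three mitigations above can be audited from one script. What follows is an added example, not code from the advisory or from Microsoft's Azure AD Connect tooling: it reports the connector account's protected-group membership and any Reset Password ACE it holds on AdminSDHolder, and only when `-AddDenyAce` is passed does it add the DENY ACE the third mitigation describes. It assumes the ActiveDirectory RSAT module is installed, that the caller can read (and, for `-AddDenyAce`, modify) AdminSDHolder, and that `-ConnectorAccount` is the sAMAccountName of the AD DS connector account (Azure AD Connect normally names it `MSOL_<hex>`).

```powershell
# Added example (not from the advisory or from Azure AD Connect): audit the AD DS connector
# account against the three MSA 4033453 mitigations and optionally add the DENY ACE.
# Assumptions: ActiveDirectory RSAT module present; caller can read/modify AdminSDHolder;
# $ConnectorAccount is the connector account's sAMAccountName (usually MSOL_<hex>).
param(
    [Parameter(Mandatory)][string]$ConnectorAccount,
    [switch]$AddDenyAce   # audit only unless this switch is given
)

Import-Module ActiveDirectory -ErrorAction Stop

# Well-known schema GUID of the "Reset Password" (User-Force-Change-Password) extended right.
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'

$domain  = Get-ADDomain
$holder  = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
# tokenGroups is a constructed attribute that already expands nested group membership.
$account = Get-ADUser -Identity $ConnectorAccount -Properties tokenGroups
$sid     = [System.Security.Principal.SecurityIdentifier]$account.SID

# Mitigation 1: membership (direct or nested) in groups that SDProp protects.
# adminCount=1 marks protected groups such as Domain Admins or Account Operators.
$privilegedGroups = foreach ($groupSid in $account.tokenGroups) {
    $g = Get-ADGroup -Identity $groupSid -Properties adminCount -ErrorAction SilentlyContinue
    if ($g -and $g.adminCount -eq 1) { $g.Name }
}

# Mitigation 2: ACEs on AdminSDHolder that give this account Reset Password, either by the
# specific right or by an ACE covering all extended rights (ObjectType = empty GUID).
$acl = Get-Acl -Path "AD:\$holder"
$resetAces = $acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    ($_.ObjectType -eq $ResetPasswordRight -or $_.ObjectType -eq [guid]::Empty)
}

[pscustomobject]@{
    Account                = $account.SamAccountName
    PrivilegedGroups       = @($privilegedGroups)
    ResetPasswordAcesOnSDH = @($resetAces | ForEach-Object {
        '{0} {1} ObjectType={2}' -f $_.AccessControlType, $_.ActiveDirectoryRights, $_.ObjectType })
}

# Mitigation 3: explicit DENY for Reset Password. SDProp copies the AdminSDHolder ACL onto every
# protected account (by default about every 60 minutes), so one deny here reaches all of them.
# The advisory names DSACLS for this; the equivalent command (syntax from memory, check
# "dsacls /?") is:  dsacls "<AdminSDHolder DN>" /D "<DOMAIN>\<account>:CA;Reset Password"
if ($AddDenyAce) {
    $deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ResetPasswordRight)
    $acl.AddAccessRule($deny)
    Set-Acl -Path "AD:\$holder" -AclObject $acl
    Write-Verbose "Added DENY 'Reset Password' for $ConnectorAccount on $holder" -Verbose
}
```

Run it first without `-AddDenyAce` (for example `.\Audit-AadConnectAccount.ps1 -ConnectorAccount MSOL_<hex>`) and review the two lists; an empty `PrivilegedGroups` and no Allow entries in `ResetPasswordAcesOnSDH` means the first two mitigations already hold. The deny ACE is the fallback for accounts that must keep group membership for other features, exactly as the advisory describes, and because the check and the change share one ACL read, the audit output also shows the deny once it is in place.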
Last week marked the end of support for the legacy synchronization tools used to connect on-premises Active Directory to Office 365 and Azure AD. Specifically, Windows Azure Active Directory Sync (DirSync) and Azure AD Sync are the tools transitioning out of support at this time. Note that version 1.0 of Azure Active Directory Connect (AAD Connect) is also transitioning out of support. The tools were marked as deprecated in April 2016.
The replacement for the older synchronization tools is Azure Active Directory Connect 1.1. Customers must have this version of AAD Connect deployed, as it is the tool that is actively maintained and receives updates and fixes.
Azure AD will no longer accept communications from the unsupported tools as of December 31st 2017.
If you do need to upgrade, the relevant documentation is below:
Upgrade from DirSync
Upgrade from Azure AD Sync
On April 6 I attended the Dutch Skype for Business user group event at Microsoft Netherlands. Especially for those present in the Netherlands, we explained the new telephony capabilities for the Netherlands in Office 365 (PSTN Calling).
17:30-18:00 Registration
18:00-18:30 Skype for Business Online developments in the Netherlands (van Houttum, MVP)
18:30-18:45 Welcome and keynote session
18:45-19:10 Session 1 (Nordic): Cloud PBX – Options (AA, CQ, CCE and more) (Lasse Nordvik Wedø, MVP), with support from Ståle Hansen, MVP
19:10-19:35 Session 2 (Germany): Online Dial Plans with Cloud PBX (Thomas Poett, MVP)
19:35-20:00 Session 3 (UK): Trusted Server API for SfB (Tom Morgan and Ben Lee, MVPs)
20:00-20:15 Break
20:15-20:40 Session 4 (Benelux): Teams in O365 (Johan Delimon, MVP), with support from van Houttum, MVP
20:40-21:05 Session 5 (Italy): Hybrid Skype4B Best Practice for Cloud PBX with PSTN Connectivity (Alessandro Appiani, MVP)
If you want to watch the session recording: https://join-emea.broadcast.skype.com/skype4b-ug.de/9dab4d2cc4074a25b7ab83ddbfe57821/nl-NL/
Active Directory Synchronization (DirSync) Deprecation
Action Required by: April 4, 2017
Details: We will be removing the Windows Azure Active Directory Synchronization feature from Office 365, beginning April 4, 2017. You are receiving this message because our reporting indicates your organization is using Windows Azure Active Directory Synchronization. When this change is implemented, administrators will no longer be able to synchronize their Active Directories. Instead of using Windows Azure Active Directory Synchronization, use Azure Active Directory Connect.
Message Center: MC45036 – We are removing Windows Azure Active Directory Synchronization from Office 365
Posted: April 13, 2016
Additional Information: Upgrade Windows Azure Active Directory Sync (“DirSync”) and Azure Active Directory Sync (“Azure AD Sync”)
Action Required by: October 31, 2017 at 5:59 PM UTC
Details: On October 31st, 2017, Exchange Online mailboxes in Office 365 will require connections from Outlook for Windows to use MAPI over HTTP, our new method of connectivity and transport between Outlook for Windows and Exchange. In May of 2014, Microsoft introduced MAPI over HTTP as a replacement for RPC over HTTP. RPC over HTTP was a legacy connection protocol that is being deprecated from Exchange Online. Beginning October 31, 2017, Outlook for Windows clients using RPC over HTTP will be unable to access their Exchange Online mailbox. The necessary action depends on the version of Outlook in use in your organization. If you are using Outlook 2007 or earlier, you need to upgrade. Outlook 2007 does not contain support for the MAPI/HTTP protocol. We encourage you to update to the Office 365 ProPlus subscription, or access Outlook via the web browser (which is included in your current subscription plan). Outlook 2010-2016 customers will need to ensure their version of Outlook for Windows is set up to support MAPI/HTTP. At a minimum, you should ensure you have installed the December 2015 update. Lastly, ensure your Outlook clients are not using a registry key to block MAPI/HTTP.
Message Center: MC85988 – Potential service disruption for Outlook for Windows users
Posted: November 16, 2016
Additional Information: KB3201590: RPC over HTTP deprecated in Office 365 on October 31, 2017
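The Message Center post leaves the admin with three things to verify per client: the Outlook generation, the patch level, and the registry block. The script below is an added example, not part of the post or of Microsoft's documentation; it can be run locally or pushed to Outlook for Windows clients. It assumes Outlook is registered under the App Paths key (the normal case) and that the blocking value is `MapiHttpDisabled` under `HKCU:\Software\Microsoft\Exchange` (1 = blocked). The page does not give the minimum build numbers for "the December 2015 update", so the check reports the installed build for comparison against KB3201590 rather than hard-coding them.

```powershell
# Added example (not from the Message Center post): per-client readiness check for the
# RPC over HTTP cutoff. Assumptions: Outlook is registered under App Paths; the block value
# is HKCU:\Software\Microsoft\Exchange\MapiHttpDisabled (1 = MAPI/HTTP blocked).

function Get-MapiHttpVerdict {
    # Pure decision logic, kept separate from registry/file access so it can be reused or tested.
    param([int]$OutlookMajor, [bool]$BlockedByRegistry)
    if ($OutlookMajor -eq 0)  { return 'Outlook for Windows not installed' }
    if ($OutlookMajor -le 12) { return 'Upgrade required: Outlook 2007 and earlier have no MAPI/HTTP support' }
    if ($BlockedByRegistry)   { return 'Remove the MapiHttpDisabled=1 registry value; it forces RPC over HTTP' }
    return 'MAPI/HTTP capable; confirm the build meets the KB3201590 minimum for this Outlook version'
}

function Get-OutlookMapiHttpReadiness {
    # Outlook.exe location as registered by Office setup.
    $appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE'
    $exe = (Get-ItemProperty -Path $appPath -ErrorAction SilentlyContinue).'(default)'

    $version = $null
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $vi = (Get-Item -LiteralPath $exe).VersionInfo
        $version = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart,
                                                           $vi.FileBuildPart, $vi.FilePrivatePart
    }

    # Major version: 12 = Outlook 2007, 14 = 2010, 15 = 2013, 16 = 2016 (Office skipped 13).
    $major = if ($version) { $version.Major } else { 0 }

    # The per-user value that disables MAPI/HTTP; absent or 0 means MAPI/HTTP is allowed.
    $reg = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Exchange' -Name MapiHttpDisabled -ErrorAction SilentlyContinue
    $blocked = [bool]($reg -and $reg.MapiHttpDisabled -eq 1)

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        User            = $env:USERNAME
        OutlookPath     = $exe
        OutlookVersion  = $version
        MapiHttpBlocked = $blocked
        Verdict         = Get-MapiHttpVerdict -OutlookMajor $major -BlockedByRegistry $blocked
    }
}

Get-OutlookMapiHttpReadiness
```

Because the registry value is per user, run the check in the context of the user who signs in to Outlook (a logon script or a user-targeted configuration item), not as SYSTEM; collecting the resulting objects centrally gives a list of clients that will lose mailbox access on the cutoff date.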
On the AD FS page you get the error 00000000-0000-0000-0d00-0080000000e1.
Event Viewer: Event 364 Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request.
The exception name gives the cause: the IdP-initiated sign-on page is disabled (AD FS on Windows Server 2016 ships with it disabled). Check the current setting, then enable it if you actually need the page:
# Show whether the IdP-initiated sign-on page is enabled
Get-AdfsProperties | Select-Object EnableIdPInitiatedSignonPage
# Enable it (run in an elevated PowerShell on the primary AD FS server)
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
If you’re a customer who uses Azure Active Directory Connect, you’ll want to know that Microsoft just released version 1.1.343.0, which adds support for Windows Server 2016 and SQL Server 2016 and fixes some bugs.
– Added support for installing Azure AD Connect on Windows Server 2016 standard or better.
– Added support for using SQL Server 2016 as the remote database for Azure AD Connect.
– Added support for managing AD FS 2016 using Azure AD Connect.
– Sometimes, installing Azure AD Connect fails because it is unable to create a local service account whose password meets the level of complexity specified by the organization’s password policy.
– Fixed an issue where join rules are not re-evaluated when an object in the connector space simultaneously becomes out-of-scope for one join rule and becomes in-scope for another. This can happen if you have two or more join rules whose join conditions are mutually exclusive.
– Fixed an issue where inbound synchronization rules (from Azure AD) which do not contain join rules are not processed if they have lower precedence values than those containing join rules.
There are two different versions of the Office Deployment Tool available – one for Office 2013 and a different one for Office 2016. Each Office Deployment Tool works only with that specific version of Office. You can download them from the Microsoft Download Center by using the following links:
Sample configuration.xml for the Office 2016 tool (the Product element and the closing tags did not survive when this page was extracted; the Product ID below is a placeholder, and the page showed the two Language lines twice, most likely once per product):
<Configuration>
  <Add SourcePath="d:\2016\" OfficeClientEdition="32" Branch="Current">
    <!-- Placeholder product ID: replace with the product(s) you deploy -->
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <Language ID="nl-nl" />
    </Product>
  </Add>
  <!-- <Updates Enabled="TRUE" Branch="Current" /> -->
  <Display Level="Full" AcceptEULA="TRUE" />
  <Logging Name="OfficeSetup.txt" Path="%temp%" />
  <Property Name="AUTOACTIVATE" Value="1" />
</Configuration>
Download Office 365 (2016) installation files to the SourcePath:
D:\2016\setup.exe /download d:\2016\configuration.xml
Install / Configure Office 365 (2016):
D:\2016\setup.exe /configure d:\2016\configuration.xml
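setup.exe gives little feedback when the XML is malformed or the SourcePath is wrong, and a SourcePath that ordinary users can write to lets anyone replace the installer payload for every machine that installs from it. The script below is an added example, not code from the page or from Microsoft's Office Deployment Tool: it validates the configuration file against the Add/Product/Language structure the 2016 tool expects, checks that the install source is not user-writable, and then runs the download or configure step and returns setup.exe's exit code. The paths default to the ones used on the page; the validation rules are my assumptions about the ODT schema, not an official check.

```powershell
# Added example (not from the page or from the Office Deployment Tool): validate an ODT
# configuration.xml, check the install source's ACL, then run setup.exe and return its exit code.
# Assumptions: ODT 2016 schema (Configuration/Add/Product/Language); paths as on the page.

function Test-OdtConfiguration {
    param([Parameter(Mandatory)][string]$Path)
    $errors = New-Object System.Collections.Generic.List[string]
    [xml]$cfg = Get-Content -LiteralPath $Path -Raw

    $add = $cfg.Configuration.Add
    if (-not $add) { $errors.Add('Missing <Add> element'); return $errors }

    if ($add.OfficeClientEdition -notin '32', '64') {
        $errors.Add("OfficeClientEdition must be 32 or 64 (got '$($add.OfficeClientEdition)')")
    }

    # Every product needs an ID and at least one language; Language outside Product is invalid.
    $products = @($add.Product)
    if ($products.Count -eq 0) { $errors.Add('<Add> contains no <Product> element') }
    foreach ($p in $products) {
        if (-not $p.ID) { $errors.Add('<Product> without ID attribute') }
        if (@($p.Language).Count -eq 0) { $errors.Add("Product '$($p.ID)' has no <Language> element") }
    }

    if ($cfg.Configuration.Display -and $cfg.Configuration.Display.AcceptEULA -ne 'TRUE') {
        $errors.Add('Display.AcceptEULA should be TRUE for an unattended install')
    }

    # Supply-chain check: the install source must exist and must not be writable by broad groups.
    if ($add.SourcePath) {
        if (-not (Test-Path -LiteralPath $add.SourcePath)) {
            $errors.Add("SourcePath '$($add.SourcePath)' does not exist")
        } else {
            $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                         [System.Security.AccessControl.FileSystemRights]::Modify -bor
                         [System.Security.AccessControl.FileSystemRights]::FullControl
            foreach ($ace in (Get-Acl -LiteralPath $add.SourcePath).Access) {
                $id = $ace.IdentityReference.Value
                $broad = $id -in 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users' -or
                         $id -like '*\Users' -or $id -like '*\Domain Users'
                if ($ace.AccessControlType -eq 'Allow' -and ($ace.FileSystemRights -band $writeMask) -and $broad) {
                    $errors.Add("SourcePath is writable by '$id'; an install source must not be user-writable")
                }
            }
        }
    }
    return $errors
}

function Invoke-OdtSetup {
    param(
        [Parameter(Mandatory)][ValidateSet('download', 'configure')][string]$Mode,
        [string]$SetupExe   = 'D:\2016\setup.exe',
        [string]$ConfigPath = 'D:\2016\configuration.xml'
    )
    $problems = Test-OdtConfiguration -Path $ConfigPath
    if ($problems.Count -gt 0) {
        $problems | ForEach-Object { Write-Error $_ }
        return 1   # refuse to run setup.exe against a bad configuration
    }
    $proc = Start-Process -FilePath $SetupExe -ArgumentList "/$Mode", "`"$ConfigPath`"" `
                          -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

# Same two steps as on the page, now gated by the validation.
$rc = Invoke-OdtSetup -Mode download
if ($rc -eq 0) { $rc = Invoke-OdtSetup -Mode configure }
Write-Host "setup.exe exit code: $rc"
```

The ACL check is deliberately conservative: it flags Allow entries for Everyone, Authenticated Users, Users and Domain Users that carry Write, Modify or FullControl, which is the pattern that turns a shared install source into a distribution point for whatever the last writer put there. A source that only administrators (or the deployment service account) can write to passes unchanged.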