Microsoft released Azure Active Directory Connect version 1.1.553.0 on June 26, 2017. More importantly, they published an important security advisory one day later.
Microsoft Security Advisory 4033453 – Vulnerability in Azure AD Connect Could Allow Elevation of Privilege explains,
The [ADD Connect version 1.1.553.0] update addresses a vulnerability that could allow elevation of privilege if Azure AD Connect Password writeback is misconfigured during enablement. An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts. The issue is addressed in the latest version (1.1.553.0) of Azure AD Connect by not allowing arbitrary password reset to on-premises AD privileged user accounts.
Microsoft highly recommends all customers update to version 1.1.553.0 or later to mitigate this vulnerability, even if you don’t use the optional password writeback feature. If you are unable to update immediately, the article above describes mitigation steps you can consider.
- If the AD DS account is a member of one or more on-premises AD privileged groups, consider removing the AD DS account from the groups.
- If an on-premises AD administrator has previously created Control Access Rights on the adminSDHolder object for the AD DS account which permits Reset Password operation, consider removing it.
- It may not always be possible to remove existing permissions granted to the AD DS account (for example, the AD DS account relies on the group membership for permissions required for other features such as Password synchronization or Exchange hybrid writeback). Consider creating a DENY ACE on the adminSDHolder object which disallows the AD DS account with Reset Password permission using Windows DSACLS tool.
Last week marks the end of support for the legacy synchronization tools which are used to connect on-premises Active Directory to Office 365 and Azure AD. Specifically Windows Azure Active Directory Sync (DirSync) and Azure AD Sync are the tools which are transitioning out of support at this time. Note also that version 1.0 of Azure Active Directory (AAD Connect) is also transitioning of support. The tools were previously marked as depreciated in April 2016.
The replacement for the older synchronization tools is Azure Active Directory Connect 1.1. Customers must have this version of AAD Connect deployed. This is the tool which is being actively maintained, and receives updates and fixes.
Azure AD will no longer accept communications from the unsupported tools as of December 31st 2017.
If you do need to upgrade, the relevant documentation is below:
Upgrade from DirSync
Upgrade from Azure AD Sync
Active Directory Synchronization (DirSync) Deprecation
Action Required by: April 4, 2017
Details: We will be removing the Windows Azure Active Directory Synchronization feature from Office 365, beginning April 4, 2017. You are receiving this message because our reporting indicates your organization is using Windows Azure Active Directory Synchronization. When this change is implemented, administrators will no longer be able to synchronize their Active Directories. Instead of using Windows Azure Active Directory Synchronization, use Azure Active Directory Connect.
Message Center: MC45036 – We are removing Windows Azure Active Directory Synchronization from Office 365
Posted: April 13, 2016
Additional Information: Upgrade Windows Azure Active Directory Sync (“DirSync”) and Azure Active Directory Sync (“Azure AD Sync”)