Azure AD Connect — Automatic Upgrade
Is your Azure AD Connect installation running the latest version? It should be, and keeping it there just got a lot easier.
Keeping systems up to date and patched is a crucial part of security. Just recently we saw a password writeback vulnerability in Azure AD Connect (Microsoft Security Advisory 4033453: with password writeback enabled, an attacker who controlled an Azure AD account could reset the password of a privileged on-premises AD account), which Microsoft patched in June 2017. Hopefully you are already aware of it and have upgraded Azure AD Connect to version 1.1.553.0 or later. For more details, read Microsoft's Security Advisory and a comment from James Cowling.
The automatic upgrade feature
The automatic upgrade feature for Azure AD Connect was introduced in February 2016 with version 1.1.105.0. Unfortunately, it was limited to express settings installations. Most installations require custom settings, so the feature was not commonly used.
Version 1.1.561.0 (released July 23, 2017) expanded the automatic upgrade feature to cover customers with the following configurations, which previously excluded a server from automatic upgrade:
- The installation is not an Express settings or a DirSync upgrade.
- You have enabled the device writeback feature.
- You have enabled the group writeback feature.
- You have more than 100,000 objects in the metaverse.
- You are connecting to more than one forest. Express setup only connects to one forest.
- The AD Connector account is not the default MSOL_ account anymore.
- The server is set to be in staging mode.
- You have enabled the user writeback feature.
Upgrade options
In general Azure AD Connect provides three options for upgrades:
- Automatic upgrade
- In-place upgrade
- Swing migration
If you could not use automatic upgrade so far, you will find details on in-place upgrade and swing migration on Microsoft Docs.
Confirming automatic upgrade
Once you upgrade to the latest version 1.1.561.0 and your configuration fits the expanded criteria, automatic upgrade is enabled by default, provided you upgraded from version 1.1.105.0 or later. The following PowerShell commands (from the ADSync module on the Azure AD Connect server) show the current state and switch it on or off:
Get-ADSyncAutoUpgrade
Set-ADSyncAutoUpgrade -AutoUpgradeState Enabled
Set-ADSyncAutoUpgrade -AutoUpgradeState Disabled
If the automatic upgrade feature cannot be enabled, or it stays in the "Suspended" state, check the Application event log on the server (see the troubleshooting section of the Microsoft Docs automatic upgrade guide).
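The following script is an added example written for this post; it is not code from the post's author or from Microsoft. It ties the two checks above together on the Azure AD Connect server: it reads the installed version from the Uninstall registry key (the DisplayName "Microsoft Azure AD Connect" and the event provider name "Directory Synchronization" are assumptions), compares it against the two versions mentioned in this post, reports the automatic upgrade state, and, when the state is not Enabled, pulls the recent ADSync events you would otherwise dig out of Event Viewer. The `-Detail` switch on `Get-ADSyncAutoUpgrade` is also an assumption about the cmdlet; the plain call shown in the post is what is relied on.

```powershell
# Added example (not part of the original post). Run in an elevated PowerShell
# session on the Azure AD Connect server. Assumed names are marked below.
param(
    [switch]$Enable   # opt in: set AutoUpgradeState to Enabled when it is not
)

$MinPatched     = [version]'1.1.553.0'   # password writeback fix, June 2017
$MinAutoUpgrade = [version]'1.1.561.0'   # expanded automatic upgrade support

Import-Module ADSync -ErrorAction Stop

# 1. Installed version, read from the Uninstall key (assumed DisplayName).
$entry = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
    Get-ItemProperty |
    Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' } |
    Select-Object -First 1
if (-not $entry) { throw 'Azure AD Connect does not appear to be installed.' }

$installed = [version]$entry.DisplayVersion
Write-Host "Installed Azure AD Connect version: $installed"
if ($installed -lt $MinPatched) {
    Write-Warning "Version is older than $MinPatched and still has the password writeback vulnerability. Upgrade now."
} elseif ($installed -lt $MinAutoUpgrade) {
    Write-Warning "Version is older than $MinAutoUpgrade; automatic upgrade only covers express settings installs."
}

# 2. Automatic upgrade state: Enabled, Disabled or Suspended.
$state = Get-ADSyncAutoUpgrade
Write-Host "AutoUpgradeState: $state"

if ($state -ne 'Enabled') {
    # Suspension reason (the -Detail switch is assumed here; ignore if absent).
    try { Get-ADSyncAutoUpgrade -Detail } catch { }

    # 3. Recent ADSync events from the Application log (assumed provider name).
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Directory Synchronization'
        StartTime    = (Get-Date).AddDays(-7)
    }
    try {
        Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction Stop |
            Select-Object TimeCreated, Id, LevelDisplayName, Message |
            Format-Table -Wrap -AutoSize
    } catch {
        Write-Host 'No matching events in the last 7 days (or the provider name differs on this build).'
    }

    if ($Enable -and $installed -ge $MinAutoUpgrade) {
        Set-ADSyncAutoUpgrade -AutoUpgradeState Enabled
        Write-Host "AutoUpgradeState now: $(Get-ADSyncAutoUpgrade)"
    }
}
```

Run it without `-Enable` first to see why a server is Suspended; a state of Suspended after `Set-ADSyncAutoUpgrade` is normally the service telling you one of the configuration criteria above is still not met, and the event log, not the cmdlet output, carries the reason.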
Limitations
Automatic upgrade uses the Azure AD Connect Health infrastructure for the upgrade itself. For automatic upgrade to work, make sure the URLs for Azure AD Connect Health are opened on your proxy server, as documented in Office 365 URLs and IP address ranges. (Source)
Not all released versions are pushed via automatic upgrade. If a version is excluded this will be noted in the version history.
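Because automatic upgrade depends on the Connect Health endpoints being reachable through the proxy, a quick reachability check saves a round of event log spelunking. The script below is an added example for this post, not Microsoft's or the author's code. It sends an HTTPS HEAD request to each host through the proxy you name (or the system default when `-Proxy` is omitted); any HTTP response, including 401 or 403, proves the path through the proxy is open, while a timeout or name resolution failure means the URL is blocked. The host list is an illustrative subset I chose; take the authoritative list from the Office 365 URLs document, since wildcard entries such as *.aadconnecthealth.azure.com cannot be tested by name.

```powershell
# Added example (not part of the original post). Checks that the Azure AD
# Connect Health endpoints answer over HTTPS via the proxy. Host list is a
# constructed, partial sample; use the published Office 365 URL list.
param(
    [string]$Proxy,          # e.g. http://proxy.corp.example:8080 (assumed)
    [int]$TimeoutSec = 15
)

$Hosts = @(
    'login.microsoftonline.com',
    'login.windows.net',
    'management.azure.com',
    'www.office.com'
)

function Test-HealthEndpoint {
    param([string]$HostName, [string]$Proxy, [int]$TimeoutSec)

    $req = @{ Uri = "https://$HostName/"; Method = 'Head'; UseBasicParsing = $true; TimeoutSec = $TimeoutSec }
    if ($Proxy) { $req.Proxy = $Proxy; $req.ProxyUseDefaultCredentials = $true }

    try {
        $resp = Invoke-WebRequest @req
        return [pscustomobject]@{ Host = $HostName; Reachable = $true; Status = $resp.StatusCode; Detail = 'OK' }
    } catch [System.Net.WebException] {
        # A response object means the proxy forwarded the request and the
        # service answered (401/403/404 are fine for this purpose).
        if ($_.Exception.Response) {
            $code = [int]$_.Exception.Response.StatusCode
            return [pscustomobject]@{ Host = $HostName; Reachable = $true; Status = $code; Detail = 'HTTP error but reachable' }
        }
        return [pscustomobject]@{ Host = $HostName; Reachable = $false; Status = $null; Detail = $_.Exception.Status }
    } catch {
        return [pscustomobject]@{ Host = $HostName; Reachable = $false; Status = $null; Detail = $_.Exception.Message }
    }
}

$results = foreach ($h in $Hosts) { Test-HealthEndpoint -HostName $h -Proxy $Proxy -TimeoutSec $TimeoutSec }
$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} endpoint(s) blocked; automatic upgrade and Connect Health reporting will fail: {1}" -f
        $blocked.Count, ($blocked.Host -join ', '))
    exit 1
}
Write-Host 'All sampled Connect Health endpoints reachable through the proxy.'
```

Run it under the same account context the Microsoft Azure AD Connect Health agent services use if the proxy requires authentication; a check that passes for an interactive admin but not for the service account is the usual reason a server stays Suspended despite "the URLs being open".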
The majority of other limitations should be gone with the latest release. However, the documentation is not entirely clear and I could not test all variations so far. The table below provides an overview; I will try to clarify the assumptions and update the Microsoft Docs documentation via GitHub.