Last week, Microsoft announced this quarter’s Azure Active Directory Connect (AADConnect) update. Version 1.1 (download) includes some big changes, including one that made me worry. AAD Connect now has an Automatic Upgrade feature! Given that this is the first version to include this concept, we won’t see how it works until next quarter, but I sure do hope they are careful.
Over the past few years we’ve seen several DirSync/AADSync/AADConnect versions be revoked due to bugs, which means you could wake up one morning to some terrible sync catastrophe resulting from bad sync rules or who knows what. Case in point: THIS VERSION!!! You’ll see in the comments of the announcement I linked above, several people had problems with the upgrade to the 1.1 build and Microsoft quickly released a new version 4 days ago (220.127.116.11). Nevertheless, I believe such a sync-related catastrophe is unlikely. The greater risk is letting your sync software get too out of date, which is something I see more often than I don’t. In fact, Microsoft’s sync tools have been so reliable that many organizations are probably still running the same version deployed when they first migrated to Office 365 (Though they are possibly in an unsupported scenario).
New installations of AAD Connect which use the default “Express” option will enable Automatic Upgrade for you.
I did an in-place upgrade from a prior version to 18.104.22.168 and it left Auto Upgrade in a “Suspended” state, which is not to be confused with “Disabled”. I’m not sure why we need two “not-enabled” states, but it is described in the documentation as a system-only value. It will be easier to test this when there is actually a version beyond 22.214.171.124 to upgrade to.
I think it is interesting that this product doesn’t hook into the operating system’s Automatic Update feature, as most Microsoft products do. My theory is that the Azure AD team is currently moving faster than the requisite internal coordination allows.
Disabling Automatic Upgrade
I would discourage anyone from turning off Automatic Upgrade without good cause (FUD does not count), though there may be some good causes.
For example, while Microsoft discourages us from modifying the default synchronization rules (The product has pop-ups warning you about this too), it is supported. The caveat is that upgrades sometimes redefine the default rules, overwriting your changes. In this case, the guidance states:
If you need to change the scope or the join setting in an “out-of-box” synchronization rule, document this and reapply the change after upgrading to a newer version of Azure AD Connect
As you have probably guessed, this scenario presents a problem with the idea of an automatic upgrade. Luckily for this, and perhaps other reasons, you can disable Automatic Upgrade. There are two new cmdlets for controlling the behavior:
Get-ADSyncAutoUpgrade will show you the current state, which will be Enabled, Disabled or Suspended. You can also see this by looking the AAD Connect summary page (second image above).
To disable AAD Connect’s Automatic Upgrade feature, type:
Set-ADSyncAutoUpgrade -AutoUpgradeState Disabled
Enabling Automatic Upgrade
If you need to enable the feature, type:
Set-ADSyncAutoUpgrade -AutoUpgradeState Enabled