Monday, July 03, 2017

Vulnerability in Azure AD Connect !!!

With support for DirSync and Azure AD Sync having ended this April, and with the tight deadline that Azure AD will stop accepting connections from DirSync and Azure AD Sync after December 31, 2017, most organisations have already upgraded to Azure AD Connect.


If your organization has upgraded to Azure AD Connect, you get more enhanced features bundled with the product. If you are a customer using the "Password Writeback" feature, you need to be aware of the new security vulnerability identified recently and fix it promptly before your environment is impacted.

Microsoft released the new security advisory to inform customers that a new version of Azure Active Directory (AD) Connect is available that addresses an Important security vulnerability.

The update addresses a vulnerability that could allow elevation of privilege if Azure AD Connect Password writeback is misconfigured during enablement. An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts.

The issue is addressed in the latest version (1.1.553.0) of Azure AD Connect by not allowing arbitrary password reset to on-premises AD privileged user accounts.

More information is available in the Security Advisory Article : Microsoft Security Advisory 4033453 - Vulnerability in Azure AD Connect Could Allow Elevation of Privilege

Review the article, validate whether your environment is impacted, and perform the remediation steps promptly. Even if your organization is not impacted, Microsoft recommends that organisations use the latest version of Azure AD Connect.

If you cannot perform the upgrade right now, follow the Mitigation steps provided in the article to fix the issue.
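The advisory's check comes down to one question: does the AD DS connector account that Azure AD Connect uses for password writeback hold the "Reset Password" right on privileged on-premises accounts? The following PowerShell is an added example for validating that on your own domain; it is not the post's or Microsoft's script. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access, and that you substitute the placeholder connector account name (the well-known GUID below is the User-Force-Change-Password control access right; protected accounts carry adminCount=1 and inherit their ACL from AdminSDHolder).

```powershell
# Added example (not from the post or the advisory): list which identities hold the
# "Reset Password" extended right on AdminSDHolder and on protected (adminCount=1) accounts,
# then filter for the Azure AD Connect AD DS connector account.
# Assumes the RSAT ActiveDirectory module and a domain-joined session with read access.
Import-Module ActiveDirectory

# Well-known GUID of the User-Force-Change-Password ("Reset Password") control access right.
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

# PLACEHOLDER: sAMAccountName of the AD DS connector account used by Azure AD Connect.
$ConnectorAccount = 'MSOL_PLACEHOLDER'

function Get-ResetPasswordGrants {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # The AD: PSDrive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            # An empty ObjectType on an ExtendedRight ACE means "all extended rights", which includes Reset Password.
            ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [Guid]::Empty)
        } |
        Select-Object @{ n = 'Object';            e = { $DistinguishedName } },
                      IdentityReference,
                      @{ n = 'AllExtendedRights'; e = { $_.ObjectType -eq [Guid]::Empty } },
                      IsInherited
}

$domainDN = (Get-ADDomain).DistinguishedName

# AdminSDHolder is the template the SDProp process stamps onto protected accounts,
# so a grant there propagates to every privileged account in the domain.
$targets = @("CN=AdminSDHolder,CN=System,$domainDN")
$targets += Get-ADUser -LDAPFilter '(adminCount=1)' | Select-Object -ExpandProperty DistinguishedName

$grants = foreach ($dn in $targets) { Get-ResetPasswordGrants -DistinguishedName $dn }

# Any row naming the connector account means writeback could reset a privileged password.
# Empty output for the connector account is the expected, healthy result.
$grants |
    Where-Object { $_.IdentityReference -like "*\$ConnectorAccount" } |
    Format-Table -AutoSize
```

If the filtered output is non-empty, the grant is the condition the advisory describes; remove it (or upgrade to 1.1.553.0 or later, which refuses the reset on its own) and re-run the script until the connector account no longer appears. Dropping the final `Where-Object` shows every identity with the right, which is useful for spotting other over-broad delegations on the same objects.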

If you are planning an upgrade to the latest version (1.1.553.0) of Azure AD Connect and you are using OU-based filtering, be sure to review the release history article below and perform the outlined steps, as the upgrade does not carry forward OU filtering settings if they are not set correctly during the upgrade process.

Review here: Azure AD Connect: Version release history - 1.1.553.0

Update: 

A new version of Azure AD Connect (1.1.557.0) is now released. Review the documentation below.

Review here: Azure AD Connect: Version release history - 1.1.557.0

Note: This build is not available to customers through the Azure AD Connect Auto Upgrade feature, so you need to perform a manual install.

To learn more about the Auto Upgrade feature, review the excellent blog post below from MVP Jeff Guillet.

Understanding Auto-Upgrade Options in Azure AD Connect

Update:

A new version of Azure AD Connect (1.1.614.0) is now released with some great features, including support for a new installation mode called Use Existing Database. This installation mode allows customers to install Azure AD Connect pointing at an existing ADSync database.

Review here: Install Azure AD Connect using an existing ADSync database

Stay tuned for more updates...
