Microsoft Entra Connect Update: Transitioning to Application-Based Authentication for Enhanced Security

Microsoft has introduced a pivotal security enhancement to Microsoft Entra Connect Sync, transitioning from traditional username and password authentication to a more secure, application-based authentication system. This update, available in version 2.5.3.0 and higher, signifies a substantial shift in how organizations synchronize their on-premises Active Directory with Microsoft Entra ID.

Enhanced Security via Certificate-Based Authentication

The updated system replaces the traditional Microsoft Entra Connector account, which previously relied on username and password credentials, with a more robust application identity framework. Under this new system, administrators create a single-tenant third-party application in Entra ID and utilize certificate management options for authentication credentials.

Microsoft offers three distinct certificate management approaches:

1. Managed by Microsoft Entra Connect (Recommended): This approach allows Microsoft Entra Connect to handle all aspects of certificate lifecycle management, including creation, rotation, and deletion, with certificates stored in the Current User store.

2. Bring Your Own Application (BYOA): Organizations can register their own application in Entra ID and manage the certificate lifecycle independently.

3. Bring Your Own Certificate (BYOC): Organizations can provide their own certificates for authentication, managing the certificate lifecycle themselves.

For optimal security, Microsoft strongly recommends using a Trusted Platform Module (TPM) to establish a hardware-based security boundary for the application's private key. When a TPM is available, key service operations are performed inside dedicated hardware, which offers stronger protection than software-only safeguards.

The system supports certificates with specific technical requirements:

– Key Length: 2048 bits

– Key Algorithm: RSA

– Key Hash Algorithm: SHA256

Verifying Current Authentication Method

Organizations can verify their current authentication method using the PowerShell cmdlet `Get-ADSyncEntraConnectorCredential`, which displays the Connector Identity Type currently in use.

Migration Process

The migration process involves several PowerShell commands, including `Add-EntraApplicationRegistration` for application registration and `Invoke-ADSyncApplicationCredentialRotation` for certificate rotation.

When using the Microsoft-managed option, the system automatically manages certificate rotation, checking for certificates due for rotation through maintenance tasks. Microsoft warns users when certificates are expiring within 150 days (Event ID 1011) and generates errors for expired certificates (Event ID 1012).
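The following PowerShell function is an added example, not code from Microsoft or the Entra Connect product. It audits a certificate in the Current User store against the requirements listed above (RSA, 2048 bits, SHA256), applies the same 150-day rotation window the Event ID 1011/1012 checks use, and reports whether the private key is TPM-backed. It assumes the certificate lives in `Cert:\CurrentUser\My`, that a key held by the "Microsoft Platform Crypto Provider" is TPM-backed, and that the rotation events land in the Application log; the thumbprint is a placeholder.

```powershell
# Added audit helper (not Microsoft's code). Assumptions: certificate is in
# Cert:\CurrentUser\My; 'Microsoft Platform Crypto Provider' marks a TPM-backed
# key; Event IDs 1011/1012 are written to the Application log.
function Test-EntraConnectAuthCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [int]$WarnDays = 150   # matches the 150-day warning described above
    )
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop
    $ext  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
    $findings = New-Object System.Collections.Generic.List[string]

    # Key algorithm and length: must be RSA with a 2048-bit key
    $rsa = $ext::GetRSAPublicKey($cert)
    if ($null -eq $rsa) {
        $findings.Add("Public key is $($cert.PublicKey.Oid.FriendlyName), expected RSA")
    } elseif ($rsa.KeySize -ne 2048) {
        $findings.Add("Key length is $($rsa.KeySize) bits, expected 2048")
    }
    # Signature hash: must be SHA256 (FriendlyName looks like 'sha256RSA')
    if ($cert.SignatureAlgorithm.FriendlyName -notmatch '^sha256') {
        $findings.Add("Signature algorithm is $($cert.SignatureAlgorithm.FriendlyName), expected SHA256")
    }
    # Expiry: mirror the two conditions behind Event IDs 1012 and 1011
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt 0) {
        $findings.Add("Certificate expired $(-$daysLeft) days ago (Event ID 1012 condition)")
    } elseif ($daysLeft -le $WarnDays) {
        $findings.Add("Certificate expires in $daysLeft days, inside the $WarnDays-day window (Event ID 1011 condition)")
    }
    # Private key storage: a CNG key in the Platform Crypto Provider is assumed to be TPM-backed
    $provider = 'unknown (private key not accessible)'
    try {
        $priv = $ext::GetRSAPrivateKey($cert)
        if ($priv -is [System.Security.Cryptography.RSACng]) { $provider = $priv.Key.Provider.Provider }
    } catch { }

    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        DaysLeft    = $daysLeft
        KeyProvider = $provider
        TpmBacked   = ($provider -eq 'Microsoft Platform Crypto Provider')
        Compliant   = ($findings.Count -eq 0)
        Findings    = $findings
    }
}

# Usage: confirm the active identity type, look for recent rotation events, then audit.
Get-ADSyncEntraConnectorCredential
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1011, 1012 } -MaxEvents 5 -ErrorAction SilentlyContinue
Test-EntraConnectAuthCertificate -Thumbprint '<thumbprint-of-entra-connect-certificate>'
```

A `Compliant` value of `$false` with a non-empty `Findings` list means the certificate should be replaced or rotated before the sync service starts failing.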

For manual certificate rotation, administrators can use the command:

```powershell
Invoke-ADSyncApplicationCredentialRotation -CertificateSHA256Hash <sha256-hash-of-new-certificate>
```

Migration Requirements

The update requires Microsoft Entra Connect version 2.5.3.0 or greater, along with a Microsoft Entra account with at least Hybrid Identity Administrator role permissions. Organizations must also maintain an on-premises Active Directory Domain Services environment running Windows Server 2016 or later.

This security enhancement comes as Microsoft continues its broader modernization efforts, with the company recently mandating critical updates for Entra Connect Sync by specific deadlines. The application-based authentication feature is currently in preview, allowing organizations to test the new system before full production deployment.