Notes from the lab: Migrating Azure AD Connect and then we cannot sync

This is a quick blog post regarding my own Azure AD Connect migration and a nasty error after trying to connect again for an initial connection and synchronisation.

A little insight in my environment, I already had the latest version running of Azure AD Connect namely 2.1.16.0 on my Windows Server 2019. See Azure AD Connect: Version release history – Microsoft Entra | Microsoft Docs

So, I spun up a new Windows Server 2022 and installed the Azure AD Connect role on it, imported my configuration file like described here How to import and export Azure AD Connect configuration settings – Microsoft Entra | Microsoft Docs

And then I got below error when trying to configure my new server:

The error put me onto the blog of Azure AD Connect – Unable to validate credentials due to an unexpected error. – .matrixpost.net but the issue mentioned wasn’t my issue, my GA account doesn’t have any expiry set and the logon was working everywhere else. The point to note is that I have only modern authentication enabled and MFA with number matching enabled in my tenant. So afterwards running the installation in context with /InteractiveAuth did resolve the issue. Afterwards closing, rebooting etc. never gave the error again and al logins are still providing the popup of modern and MFA prompt.

Strange thing is that I’ve had this enabled for a very long time now. Seems that in the latest versions perhaps there are some changes regarding the modern auth popup.

Hope it helps!

Notes from the field: Configuring AFAS Online with Azure

I have a quick win for those who are also in the process of migrating an ADFS configured AFAS Online setup to Azure Active Directory. I’ve already had an support call with them and besides the point they don’t support any troubleshooting IDP setups they did their best which in turn got me to sharing this.

So down to the point, the following article describes the SSO needed part for AFAS Online: https://help.afas.nl/help/EN/SE/plv2_Config_SSO.htm

The parts that need to be adjusted are at the endpoint part, they refer to the federation metadata document which is not the one you need. This needs to be the OpenID Connect metadata document listed at the endpoints. Microsoft now defaults to the /v2.0/ part. (On a side note there might be some situations you will want to use the v1 document which is not listed anymore as an endpoint to copy, to use this just delete the /v2.0/ part and the old version will be used)

The final part is the configuration adjustment in AFAS Online, there when you fill in all the values the documentation states that “Scopes” is an optional field which in turn isn’t. I’ve only got it to work with this filled with email and the same at the claim part.

If you don’t fill out the scopes section it will error out with missing claim “upn” if that is the one you chose or “email”

Hope it helps!

Notes from the field: vIDM and o365 modern authentication delay

Just a quick win blog to mention and give a heads-up that when you are in the process of configuring vIDM and o365 you might encounter native clients prompting for authentication and a big ass delay when you flip over the authentication and the requested domain from managed to federated with vIDM. This might be up to eight hours!!! Thanks to the #community #vExpert that I got this answer quite fast because I recalled that Laurens van Duijn put something similar in the vExpert Slack group mentioning that he saw this kind of behavior.

So in summary, do it on a Friday and inform your users.

Big shout out to Laurens van Duijn and be sure to follow him on twitter and his blog

Twitter: @LaurensvanDuijn

Blog: https://vdr.one/