Microsoft Intune Connector for Active Directory – Updated and Improved

The Intune Connector for Active Directory, also referred to as the Offline Domain Join (ODJ) Connector, is responsible for joining computers to an on-premises domain during the Windows Autopilot process.

This Intune Connector for Active Directory will create computer objects in a specified Organizational Unit (OU) in Active Directory during the domain join process. Unfortunately for Microsoft, it appears as though there have been some issues with setting up the connector with build 6.2501.2000.5.

Common Issues with the Intune Connector for AD version 6.2501.2000.5

According to the feedback that Microsoft received, here are some of the more common challenges that customers run into.

Issue: Error “MSA account <accountName> is not valid” when signing in.
Details: This happens when the connector successfully creates the MSA but fails to retrieve the data from the domain controller. Several things could cause this, including replication delays between domain controllers in a single domain, or the user account existing in a different domain from the connector machine. Fortunately, this issue is resolved in build 6.2504.2001.8.

Issue: Error “Failed to create a managed service account – Element not found.”

Issue: Error “Cannot start service ODJConnectorSvc on computer ‘.’. —> System.ComponentModel.Win32Exception: The service did not start due to a logon failure” after the MSA is created.
Details: This has been observed when the service can’t run as the MSA. Several things can prevent the service from running as the MSA, including a group or local policy that restricts the Log on as a service right.

Issue: Error “System.DirectoryServices.DirectoryServicesCOMException (0x8007202F): A constraint violation occurred.”

New and Improved Build

In light of everything, Microsoft has released an updated build that addresses the recent challenges. This update specifically resolves some of the customer feedback and also improves overall functionality. Users can download the new build 6.2504.2001.8 from Microsoft Intune. From this improved version, you can expect:

  • A new sign-in page in the wizard that uses WebView2, which is based on Microsoft Edge, instead of the previously used WebBrowser control.
  • A resolution to the error “MSA account <accountName> is not valid” that some customers were seeing.
  • Troubleshooting and mitigation guidance for the error “Cannot start service ODJConnectorSvc on computer”.
  • Troubleshooting and mitigation guidance for the error “System.DirectoryServices.DirectoryServicesCOMException (0x8007202F): A constraint violation occurred”.

Updated Intune Connector

Windows Autopilot continues to use the Intune Connector for Active Directory to deploy hybrid joined Microsoft Entra devices. Going forward, Intune is looking to enhance security. It does so by updating the connector to use a Managed Service Account (MSA) instead of a SYSTEM account.

Customers will find the updated connector available for download from within Intune. Although the legacy connector may still be available for download, support for it ends in late June 2025. Plan to update the connector before then, because the update won’t happen automatically.

Updated Troubleshooting Guide

Problem: Why is the Intune Connector for Active Directory not logging in Event Viewer even though logging is enabled?
Solution: The connector originally logged in Event Viewer directly under Applications and Services Logs, in a log called ODJ Connector Service. Going forward, logging for the connector has been moved to the path Applications and Services Logs > Microsoft > Intune > ODJConnectorService. Users who find the ODJ Connector Service log at the original location empty or not updating should check the new location.

Problem: Why does uninstalling the Intune Connector for Active Directory through the Settings app not fully remove the application?
Solution: Uninstalling the connector requires you to use both the Settings app and the Intune Connector for Active Directory installer executable ODJConnectorBootstrapper.exe. To uninstall the connector, run ODJConnectorBootstrapper.exe and select the Uninstall option. Make sure that the ODJConnectorBootstrapper.exe installer version matches the version of the connector you’re uninstalling.

Problem: Why is the error “The MSA account couldn’t be granted permission to create computer objects in the following OUs” occurring when installing the Intune Connector for Active Directory?
Solution: Different types of failures can cause this error, including:
  • The admin installing and configuring the connector doesn’t have the required permissions.
  • The OU specified in the Intune Connector for Active Directory ODJConnectorEnrollmentWizard.exe.config XML configuration file doesn’t exist.
To view more information on the error and what caused it, see ODJConnectorUI.log, normally located in the following folder: C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorEnrollmentWizard

Problem: Why is the error “Cannot start service ODJConnectorSvc on computer ‘.’” occurring when setting up the Intune Connector for Active Directory?
Solution: A few reasons could cause this error, including the following:
  • The domain has more than one domain controller with a replication latency policy. The MSA was created on one domain controller but the search happened against another. Wait until replication completes in accordance with your policy, or sync manually. Once replication is complete, open the connector and choose Configure MSA.
  • A group policy is configured that doesn’t allow services to start as a non-privileged account. Check that the MSA account has been granted the Log on as a service right.

Problem: Why is the error “Microsoft Edge can’t read and write to its data directory” occurring?
Solution: This error indicates that the user needs read/write permissions to the listed directory.

Problem: Why did enrollments start failing when using the Intune Connector for Active Directory?
Solution: Verify that the Intune Connector for Active Directory is updated to version 6.2501.2000.5 or later and that the legacy version isn’t still being used.

Problem: Why are the errors “Navigation to the webpage was canceled” or “Can’t connect securely to this page” occurring while setting up the Intune Connector for Active Directory?
Solution: Different types of issues can cause these errors, including:
  • The server where the admin has chosen to install and configure the Intune Connector for Active Directory lacks the required internet access, or the required Intune URLs aren’t allowed.
  • The server is sending network requests via TLS 1.0 or 1.1 because PKCS cryptography is disabled. You can fix this on the server hosting the Intune Connector for Active Directory by deleting the registry value specified in the following command, run from an elevated command prompt:
    reg.exe delete "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS" /v Enabled /f
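The MSA replication, Log on as a service, missing-OU, log-location and Schannel PKCS problems in the table above can all be checked from the connector server before touching anything. The script below is an added example, not part of the connector or of Microsoft’s guidance; it assumes the RSAT ActiveDirectory module, an elevated PowerShell session on the connector server, and the MSA name the wizard reported (the default value is a placeholder, as is the example OU distinguished name). It only reads state; the one fix the table gives (the reg.exe delete command) is left to the admin.

```powershell
# Added troubleshooting checks for the Intune Connector for Active Directory (ODJ Connector).
# Illustrative, not Microsoft tooling. Assumes RSAT ActiveDirectory and an elevated session.
#Requires -Modules ActiveDirectory
param(
    [string]$MsaName  = 'msaODJxxxxx',                     # placeholder: use the name shown by the wizard
    [string]$TargetOU = 'OU=Autopilot,DC=contoso,DC=com'   # constructed example OU
)

# 1. Replication check: ask every DC whether it already sees the MSA. A mix of
#    $true/$false means replication has not finished (or you are hitting another DC).
function Test-MsaReplication([string]$Name) {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $seen = $null -ne (Get-ADServiceAccount -Filter "Name -eq '$Name'" -Server $dc.HostName -ErrorAction SilentlyContinue)
        [pscustomobject]@{ DomainController = $dc.HostName; SeesMsa = $seen }
    }
}

# 2. "Log on as a service": export the effective local user-rights policy and look for
#    the MSA's SID in SeServiceLogonRight. A group that contains the MSA is not resolved
#    here, so a $false result warrants a manual look at the policy.
function Test-ServiceLogonRight([string]$Name) {
    $msa = Get-ADServiceAccount -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    if (-not $msa) { return $null }
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -like 'SeServiceLogonRight*' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return ($null -ne $line) -and [bool]($line -match [regex]::Escape($msa.SID.Value))
}

# 3. OU check for "couldn't be granted permission to create computer objects in the following OUs".
function Test-TargetOU([string]$DN) {
    $null -ne (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$DN'" -ErrorAction SilentlyContinue)
}

# 4. Logging moved to Applications and Services Logs > Microsoft > Intune > ODJConnectorService.
#    List every log whose name contains ODJ...Connector instead of guessing the channel string,
#    so both the legacy "ODJ Connector Service" log and the new channel show up with their counts.
function Get-OdjConnectorLogs {
    Get-WinEvent -ListLog '*ODJ*Connector*' -ErrorAction SilentlyContinue |
        Select-Object LogName, IsEnabled, RecordCount, LastWriteTime
}

# 5. Schannel PKCS key-exchange value from the TLS row above (read-only).
#    An Enabled value of 0 is the condition the table's reg.exe delete command removes.
function Get-PkcsEnabledValue {
    $p = 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS'
    (Get-ItemProperty -Path $p -Name Enabled -ErrorAction SilentlyContinue).Enabled
}

Test-MsaReplication $MsaName | Format-Table -AutoSize
"MSA holds SeServiceLogonRight: $(Test-ServiceLogonRight $MsaName)"
"Target OU exists: $(Test-TargetOU $TargetOU)"
Get-OdjConnectorLogs | Format-Table -AutoSize
"SCHANNEL PKCS Enabled value (blank = not set, the default): $(Get-PkcsEnabledValue)"
```

Run it once before choosing Configure MSA in the wizard: if the replication table shows the MSA on only some domain controllers, wait or force a sync first, and if the SeServiceLogonRight check is false, fix the policy before retrying the service start.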

Pre-installation Requirements for Intune Connector

Before carrying out the installation, you need to verify that you meet all the requirements for the Intune Connector for Active Directory:

  • The connector will work best when installed on a computer running Windows Server 2016 or later with .NET Framework version 4.7.2 or later.
  • The server hosting the Intune Connector for Active Directory must have access to the Internet and Active Directory.
  • Multiple connectors can be installed in a domain to increase scale and availability. Each connector must be able to create computer objects in the domain it supports.
  • The administrator carrying out the installation must be a local administrator on the server where the Intune Connector for Active Directory is being installed.
  • For the updated Connector, installation requires an account with the following domain rights:
    • Required – Create msDS-ManagedServiceAccount objects in the Managed Service Accounts container
    • Optional – Modify permissions on OUs in Active Directory. If the administrator installing the updated Intune Connector for Active Directory doesn’t have this right, additional configuration steps by an administrator who does may be required.
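The requirements above can be verified in one pass on the candidate server. This pre-flight script is an added example, not part of the connector installer; it assumes the RSAT ActiveDirectory module and an elevated session, uses the Entra sign-in endpoint on port 443 as a stand-in for the full list of required Intune URLs (an assumption, since the page does not list them), and resolves the msDS-ManagedServiceAccount class GUID from the schema rather than hard-coding it. Build 14393 is Windows Server 2016 and .NET Framework 4.7.2 registers Release 461808 or higher.

```powershell
# Added pre-installation checks for the Intune Connector for Active Directory.
# Illustrative only, not Microsoft tooling. Run elevated on the intended connector server.
#Requires -Modules ActiveDirectory

function Test-OdjConnectorPrereqs {
    $results = [ordered]@{}

    # Windows Server 2016 is build 14393; later releases have higher build numbers.
    $os = Get-CimInstance Win32_OperatingSystem
    $results['OS build >= 14393 (Server 2016)'] = ([version]$os.Version).Build -ge 14393

    # .NET Framework 4.7.2 or later: Release >= 461808 under the NDP v4 Full key.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $results['.NET Framework >= 4.7.2'] = ($null -ne $ndp) -and ($ndp.Release -ge 461808)

    # The installing user must be a local administrator on this server.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $results['Running as local administrator'] =
        ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Internet reachability (assumption: one well-known Entra endpoint stands in for the Intune URL list).
    $results['HTTPS to login.microsoftonline.com'] =
        (Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

    # Active Directory reachability and the container the MSA will be created in.
    try {
        $domain = Get-ADDomain -ErrorAction Stop
        $results['Active Directory reachable'] = $true
        $msaContainer = "CN=Managed Service Accounts,$($domain.DistinguishedName)"
        $results['MSA container exists'] = $null -ne (Get-ADObject -Identity $msaContainer -ErrorAction SilentlyContinue)
    } catch {
        $results['Active Directory reachable'] = $false
        $results['MSA container exists'] = $false
    }
    return $results
}

function Get-MsaCreateChildGrants {
    # Lists the ACEs on the Managed Service Accounts container that allow creating
    # msDS-ManagedServiceAccount children (the 'Required' right above), so the installer
    # can see whether their account, or a group it belongs to, is among the grantees.
    $domain    = Get-ADDomain
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $classObj  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msDS-ManagedServiceAccount)' -Properties schemaIDGUID
    $classGuid = [guid]$classObj.schemaIDGUID
    $acl = Get-Acl -Path ("AD:\CN=Managed Service Accounts," + $domain.DistinguishedName)
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'CreateChild|GenericAll' -and
        ($_.ObjectType -eq $classGuid -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
}

(Test-OdjConnectorPrereqs).GetEnumerator() | Format-Table -AutoSize
Get-MsaCreateChildGrants | Format-Table -AutoSize
```

A grant with an empty ObjectType is a blanket CreateChild (or GenericAll) on the container; a grant whose ObjectType equals the resolved class GUID is the narrower, preferable right that only allows creating managed service accounts.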

Installation Process

Internet Explorer Enhanced Security Configuration

The change to using WebView2 that comes with build 6.2504.2001.8 means that turning off the Internet Explorer Enhanced Security Configuration setting in Windows Server is no longer necessary. So, as long as you have version 6.2504.2001.8 or later of the connector installed, you should not run into problems with the Internet Explorer Enhanced Security Configuration setting.

DOWNLOADING THE CONNECTOR

To install the new connector in your environment, you can download it from the Intune admin center as follows:

  • Sign into the Intune admin center on the server where you want to install the connector.
  • Select Devices in the Home screen.
  • Select Windows in the Devices | Overview screen, under By platform.
  • Select Enrollment in the Windows | Windows devices screen, under Device onboarding.
  • Select Intune Connector for Active Directory in the Windows | Windows enrollment screen, under Windows Autopilot.
  • Select Add in the Intune Connector for Active Directory screen.
  • In the Add connector window that opens, under Configuring the Intune Connector for Active Directory, select Download the on-premises Intune Connector for Active Directory. The link downloads a file called “ODJConnectorBootstrapper.exe.”

INSTALLING THE CONNECTOR ON THE SERVER

  • Sign into the server where you want to install the connector using an account that has local administrator rights.
  • Before you can install the updated Intune Connector for Active Directory, you must first uninstall the legacy connector.
  • Open the downloaded ODJConnectorBootstrapper.exe file to launch Intune Connector for Active Directory Setup.
  • Go through the Intune Connector for Active Directory Setup wizard.
  • When installation is complete, tick the checkbox Launch Intune Connector for Active Directory.

SIGNING IN WITH THE INTUNE CONNECTOR

  • Select Sign In in the Intune Connector for Active Directory window, under the Enrollment tab.
  • Under the Sign In tab, sign in with the Microsoft Entra ID credentials of a user who holds an Intune admin role. Note that the user account also needs an assigned Intune license.
  • When the sign-in process completes:
    • A “The Intune Connector for Active Directory successfully enrolled” confirmation window appears. Click OK to close the window.
    • An “A Managed Service Account with name “<MSA_name>” was successfully set up” confirmation window appears. The name of the MSA has the format “msaODJ#####”, with ##### representing 5 random characters. Note the name of the MSA that was created, and then click OK to close the window.
    • The Enrollment tab shows the Intune Connector for Active Directory as “enrolled.” The Sign In button is greyed out and Configure Managed Service Account shows as enabled.
  • Close the Intune Connector for Active Directory window.

VERIFICATION

Once authentication finishes, the Intune Connector for Active Directory will finish installation. After the completion of installation, you can verify that the connector is active by following the steps below:

  • Go to the Microsoft Intune admin center if it’s still open, and close the Add connector window if it’s still there. Alternatively, if the Microsoft Intune admin center isn’t still open:
    • Sign into the Intune admin center.
    • Select Devices in the Home screen.
    • Select Windows in the Devices | Overview screen, under By platform.
    • Select Enrollment in the Windows | Windows devices screen, under Device onboarding.
    • Select Intune Connector for Active Directory in the Windows | Windows enrollment screen, under Windows Autopilot.
  • In the Intune Connector for Active Directory page:
    • Confirm that the server displays under Connector name and shows as Active under Status.
    • Verify that the version is greater than or equal to 6.2501.2000.5 for the updated Connector.

If you don’t see the server displayed, select Refresh or head away from the page before going back to the Intune Connector for Active Directory page. Once the connector installs, it will start logging in the Event Viewer under the path Applications and Services Logs > Microsoft > Intune > ODJConnectorService.

Wrap Up

The previous version of the Microsoft Intune Connector for Active Directory presented several issues for many customers. As one would expect, these issues reduced the efficiency of the connector and negatively impacted its functionality.

Fortunately, with build 6.2504.2001.8, Microsoft has taken heed of customer feedback and made the necessary adjustments. Going forward, customers can look forward to a connector with better functionality and significantly fewer issues. And if you do run into problems, Microsoft has updated the troubleshooting guide.

The Go-To Guide for Setting Up SFTP Access with Azure Blob Storage and Microsoft Entra ID

Introduction

In today’s business environment, securely exchanging data with external partners is essential. Azure Blob Storage with native SFTP support offers a scalable, secure solution, while Microsoft Entra ID provides robust identity management. Together, these tools help organizations share data with external users while ensuring security and compliance.

This go-to guide will walk you through configuring Azure Blob Storage for SFTP, managing user access with Entra ID, and showcase three real-world use cases—payment reconciliation, logistics data sharing, and healthcare data exchange.

Why Use Azure Blob Storage with SFTP and Entra ID?

Azure Blob Storage with native SFTP support simplifies secure file transfers without the need for third-party SFTP servers. Integrating Microsoft Entra ID enhances security by enforcing multi-factor authentication (MFA), conditional access, and role-based access control (RBAC).

Benefits at a Glance

  • Scalable and Cost-Effective: Pay only for the storage you use.
  • Secure File Transfer: Use the SFTP protocol for encrypted data transfer.
  • Centralized Access Management: Use Entra ID to control and monitor external access.
  • Automation and Integration: Seamless integration with tools like Azure Logic Apps and Power Automate.

Step 1: Setting Up Azure Blob Storage with SFTP Support

Follow these steps to set up Azure Blob Storage for SFTP access.

1.1 Create an Azure Storage Account

  1. Sign in to the Azure Portal.
  2. Go to Create a Resource and select Storage Account.
  3. Configure the storage account:
    • Subscription and Resource Group: Choose existing ones or create new ones.
    • Storage Account Name: Must be globally unique.
    • Region: Select the region closest to your users.
    • Performance: Choose Standard for general use or Premium for high-performance workloads.
    • Replication: Choose Locally Redundant Storage (LRS) or Geo-Redundant Storage (GRS) based on your redundancy needs.
  4. Under the Advanced tab, enable SFTP Support (Preview).
  5. Click Review + Create, then Create the storage account.

Step 2: Configuring SFTP Access for External Partners

  1. Navigate to your newly created storage account.
  2. Under Data Transfer, select SFTP Settings.
  3. Click Add Local User to create an SFTP user:
    • Username: Use a descriptive name like partner1.
    • Authentication: Choose SSH Key-based authentication for enhanced security.
    • Home Directory: Assign a specific container (e.g., /transactions).
    • Permissions: Grant appropriate permissions (Read, Write, List).
  4. Generate an SSH Key if you don’t have one:
    • Use ssh-keygen (Linux/Mac) or PuTTYgen (Windows).
  5. Save the configuration and take note of the SFTP endpoint.

Step 3: Integrating Microsoft Entra ID for Access Control

To ensure only authorized users access your SFTP service, use Microsoft Entra ID to manage identity and access.

3.1 Conditional Access Policies

  1. Go to the Azure AD Portal.
  2. Create a new Conditional Access Policy to enforce MFA and restrict access based on location.

3.2 Role-Based Access Control (RBAC)

Assign roles to external users to limit their access to only the relevant Azure Blob containers.
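Steps 1 to 3 above, carried out with the Az PowerShell modules instead of the portal, as an added example that is not part of the article. All names (resource group, storage account, container, user, the partner’s public key and the Entra object ID) are constructed placeholders, and the script assumes Connect-AzAccount has already been run and that the Az.Storage local-user cmdlets take the parameter names shown. Two points the portal steps do not spell out: SFTP on Blob Storage requires the hierarchical namespace to be enabled on the account, and an SFTP local user’s access is defined by its permission scope, while the RBAC assignment in Step 3 governs Entra ID identities (here, the internal process that reads the uploads) using the blob endpoint.

```powershell
# Added example: SFTP-enabled storage account, key-only partner user, container-scoped RBAC.
# Illustrative, not the article's own procedure. Assumes Connect-AzAccount has been run.
#Requires -Modules Az.Storage, Az.Resources

$rg        = 'rg-partner-exchange'    # constructed
$account   = 'stpartnerxchg001'       # constructed; must be globally unique and lowercase
$location  = 'westeurope'             # constructed
$container = 'transactions'
$partner   = 'partner1'

# Step 1: StorageV2 account with SFTP enabled. SFTP requires the hierarchical namespace;
# anonymous blob access is off and TLS 1.2 is the minimum accepted version.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $account -Location $location `
        -SkuName Standard_LRS -Kind StorageV2 -EnableHierarchicalNamespace $true `
        -EnableSftp $true -AllowBlobPublicAccess $false -MinimumTlsVersion TLS1_2

New-AzStorageContainer -Name $container -Context $sa.Context | Out-Null

# Step 2: SFTP local user with SSH key authentication only (no password, no shared key),
# home directory and permission scope limited to the one container.
# The key string is a constructed placeholder; use the public key the partner generated.
$partnerKey = New-AzStorageLocalUserSshPublicKey -Key 'ssh-ed25519 AAAA...placeholder... partner1' -Description 'partner1 key 2025'
$scope = New-AzStorageLocalUserPermissionScope -Permission 'rwl' -Service blob -ResourceName $container

Set-AzStorageLocalUser -ResourceGroupName $rg -StorageAccountName $account -UserName $partner `
    -HomeDirectory $container -SshAuthorizedKey $partnerKey -PermissionScope $scope `
    -HasSshKey $true -HasSshPassword $false -HasSharedKey $false | Out-Null

# The partner connects as <account>.<user> to the account's blob endpoint.
"SFTP endpoint: sftp $($account).$($partner)@$($account).blob.core.windows.net"

# Step 3: container-scoped RBAC for the Entra ID identity that processes the uploads.
# Read-only is enough for a reconciliation job; scope is the container, not the account.
$processorObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder Entra object ID
$containerScope = "$($sa.Id)/blobServices/default/containers/$container"
New-AzRoleAssignment -ObjectId $processorObjectId -RoleDefinitionName 'Storage Blob Data Reader' -Scope $containerScope | Out-Null
```

Keeping the role assignment at container scope, rather than on the storage account, means a compromised or over-broad processing identity cannot read other partners’ containers in the same account.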

Step 4: Real-World Use Cases

Case 1: Payment Reconciliation – Mastercard Data Exchange

A retail company needs to securely exchange Mastercard transaction data with an external payment processor for daily reconciliation.

Workflow:

  1. The payment processor uploads transaction data to the SFTP endpoint.
  2. Azure Blob Storage receives and stores the files.
  3. Business Central or an ERP system processes the data for reporting and reconciliation.

Security Measures:

  • Use MFA and Conditional Access for external user authentication.
  • Configure audit logging to monitor access and activity.

Case 2: Logistics Data Sharing – Real-Time Inventory Updates

A manufacturing company needs to share real-time inventory data with its logistics partner.

Workflow:

  1. The logistics partner downloads inventory files and uploads shipping updates to the SFTP server.
  2. An Azure Function processes these updates and integrates them into the company’s ERP.

Security Measures:

  • RBAC ensures the logistics partner only accesses relevant files.
  • Data encryption protects information in transit and at rest.

Case 3: Healthcare Data Exchange – Secure File Transfers with External Clinics

A hospital exchanges patient data with external clinics, ensuring compliance with GDPR and HIPAA regulations.

Workflow:

  1. Clinics upload test results and patient data to the hospital’s SFTP endpoint.
  2. An Azure Logic App validates and integrates the data into the hospital’s EMR system.
  3. Doctors receive automatic notifications for new updates.

Security Measures:

  • Conditional Access restricts access by IP and enforces MFA.
  • Data masking during processing protects sensitive information.

Step 5: Automating Data Processing

Azure Logic Apps

Automate file processing with Logic Apps to trigger workflows when a file is uploaded.

Azure Functions

Run custom code to process files and integrate them with external systems.

Power Automate

Create simple automation workflows for notifications and approvals.
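One way the “custom code” in the Azure Functions step can be written defensively, as an added example that is not from the article: a PowerShell function triggered by the storage account’s Event Grid BlobCreated events that validates the event before handing the file to the ERP or EMR import. It assumes a function.json that binds an eventGridTrigger named eventGridEvent, and the allowed containers, extensions and size limit are constructed placeholders.

```powershell
# Added example: run.ps1 for an Event Grid-triggered Azure Function (PowerShell).
# Illustrative only. Assumed function.json binding:
#   { "bindings": [ { "type": "eventGridTrigger", "name": "eventGridEvent", "direction": "in" } ] }
param($eventGridEvent, $TriggerMetadata)

$AllowedContainers = @('transactions', 'inventory')   # constructed
$AllowedExtensions = @('.csv', '.xml')                 # constructed
$MaxBytes          = 50MB                              # constructed

function Test-PartnerUpload($evt) {
    # Only act on blob creation; other storage events are ignored.
    if ($evt.eventType -ne 'Microsoft.Storage.BlobCreated') { return $false }

    # Subject has the form /blobServices/default/containers/<container>/blobs/<path>.
    if ($evt.subject -notmatch '^/blobServices/default/containers/([^/]+)/blobs/(.+)$') { return $false }
    $container = $Matches[1]
    $blobPath  = $Matches[2]

    # Accept only the partner containers this function is meant to serve.
    if ($container -notin $AllowedContainers) { return $false }

    # Restrict to the file types the downstream importer expects, and refuse
    # names with traversal-looking segments before they reach any path handling.
    if ([IO.Path]::GetExtension($blobPath).ToLower() -notin $AllowedExtensions) { return $false }
    if ($blobPath -match '(^|/)\.\.(/|$)') { return $false }

    # Size cap guards the importer against oversized or runaway uploads.
    if ([int64]$evt.data.contentLength -gt $MaxBytes) { return $false }
    return $true
}

if (Test-PartnerUpload $eventGridEvent) {
    Write-Host "Accepted $($eventGridEvent.subject) ($($eventGridEvent.data.contentLength) bytes) for import"
    # Hand-off to the ERP/EMR import step goes here.
} else {
    Write-Warning "Rejected upload event $($eventGridEvent.id): $($eventGridEvent.subject)"
}
```

Rejected events are logged with the event id and subject, which gives the audit trail the use cases above ask for without exposing file contents in the function logs.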

Step 6: Security Best Practices

  1. Enforce Multi-Factor Authentication for all external users.
  2. Use Conditional Access Policies to limit access by device and location.
  3. Encrypt Data at Rest and in Transit.
  4. Rotate SSH Keys Regularly.
  5. Audit and Monitor Access Logs for unusual activity.

Conclusion

Azure Blob Storage with SFTP support and Microsoft Entra ID provides a powerful and secure platform for exchanging data with external partners. Whether you are exchanging financial data, inventory files, or healthcare records, this setup ensures security, compliance, and scalability.

By following this step-by-step guide and using the real-world use cases as inspiration, you can create a secure, reliable solution for your organization’s external data exchange needs.

Further Reading: