Server Lockdown - Azure AD Connect

Hi Mark,

Thank you for the feedback. The whitelist process should have taken Azure AD Connect into account; we will look at why that has not happen in this case. 

Thank you for confirming the exceptions that you added; we will be able to update our Sophos Lockdown feed to incorporate these paths. 

Regards,

Stephen

Steven,

Thanks for reaching out. I also want to clarify something, as the ending result may still not be correct as of now.

At this point, the export/import process is showing as successful at Office 365's end, but I am still getting an operation with the status of server-stopped. This after those exceptions were added. See the below picture. Please let me know what I can try so that it runs normally.

Mark

Hi Mark,

I am not familiar with AD Connect, were you not seeing the server-stopped status prior to enabling Lockdown?

To investigate fully, it would be useful if you can open a support ticket (there is a link at the bottom right of this page); so that we can get log files from you. 

Regards,

Stephen

Stephen,

That is correct. Prior to lock down being enabled, all of those statuses for sync would run successfully. If I unlock, they will run as expected but if I lock down again, that one will now fail.

Mark

After speaking with tech support, they added in 2 additional white list entries (seen below) and all of the connector operations are now working properly, with a status of success.

C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe

C:\Program Files\Microsoft Azure AD Sync\ExtensionsCache\Extensible MA {CD2F8562-3580-4133-A1C9-F2481F7309BA}\assembly\dl3\94cd77df\006b33aa_6120d401\Microsoft.Azure.ActiveDirectory.Connector.DLL

I'm not completely sure why those entries had to be explicitly added, considering my original white list entries also had C:\Program Files\Microsoft Azure AD Sync added in. Also, I'm assuming that the actual location of the DLL file may be different for each instance, so I'd recommend checking that out for yourself and not just adding what I put here. 

Hi Mark,

Thanks for the follow up; the team are looking at this and we plan to add the relevant locations to our feed so there will be no need to manually add whitelist entries. I will ask them to check about the location of the DLL you mention.

Regards,

Stephen

We have updated our feed to include the relevant entries for Azure AD Connect. Please advise if there are any further products that you feel need to be added to our data feed.

Regards,

Stephen

We have updated our feed to include the relevant entries for Azure AD Connect. Please advise if there are any further products that you feel need to be added to our data feed.

Regards,

Stephen