The purpose of this topic is to ensure that the identity synchronization client you are using to synchronize objects between your on-premises Active Directory and Azure Active Directory is allowed to communicate with Microsoft data centers properly.

Summary of Action Required: ensure your network infrastructure is allowing traffic between your synchronization server and all of the URLs and/or IP address ranges listed here.

Background: At approximately 11 AM PST on May 11th, the Azure Active Directory engineering team made a server-side change in Azure Active Directory (AAD) that caused identity synchronization clients (see below for a full list of clients) to send requests to Microsoft datacenters with which they may not have been communicating prior to the change. This change was made to increase service-side scalability. These are not new datacenters; traffic is simply being distributed more efficiently across existing datacenters.

The AAD team reverted the server-side change within roughly 26 hours, at 1 PM PST on May 12th. In an effort to determine whether this change caused problems for customers, Microsoft reviewed service logs to identify customers who met the following criteria:

  1. Successfully synchronized changes during the 24 hours before the server-side change was made
  2. Failed to synchronize any changes during the 26-hour period when the server-side change was enabled
  3. Resumed successfully synchronizing changes during the 24 hours after the server-side change was reverted

Based on this server-side telemetry analysis, the Azure Active Directory team believes that your company meets these criteria and may experience synchronization failures when the server-side optimization is re-enabled. Such failures will prevent newly created objects and changes to existing objects, including password changes/resets (if PasswordHashSync and/or PasswordWriteBack is being used), from synchronizing. Note: if you have multiple environments, such as Staging and Production, it is possible that only one of them was affected.

Microsoft will be re-enabling this change on Wednesday July 15th at 2:00 PM PST.
To avoid outages in the future, please work with your network team and/or Identity sync administrator to do the following:

  1. Ensure that you are using a supported sync client produced by Microsoft. Supported sync clients include:
    1. The Windows Azure Active Directory Synchronization Tool
    2. Forefront Identity Manager with the Azure Active Directory Connector (or O365 Connector)
    3. Azure Active Directory Sync Services
    4. Azure Active Directory Connect
    Note: Third-party sync clients that call the Microsoft Identity synchronization server-side endpoint are not supported.
  2. Determine whether network firewalls have been configured such that computers running Microsoft sync clients can connect to AAD endpoints in Microsoft data centers only through specific, hard-coded IP addresses.
  3. Use DNS domain-based exceptions by specifically allowing name resolution and connectivity to *.microsoftonline.com. If this sort of DNS exception cannot be used, all of the IP addresses and ranges in the following article should be added to any allow list relevant for your environment: URLs and IP address ranges - portal and identity.
    We strongly recommend DNS name-based exceptions over hard-coded IP-based exceptions, as IP addresses may change over time.
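As an added example (not part of Microsoft's notice), the following PowerShell check can be run on the synchronization server to confirm that name resolution and outbound HTTPS to the *.microsoftonline.com namespace work from that host. The hostnames in the list are illustrative assumptions; the authoritative endpoint list is the "URLs and IP address ranges" article referenced above.

```powershell
# Added example, not Microsoft's own tooling. Run on the sync server with an
# account that can query DNS and open outbound TCP connections.
# Hostnames below are assumed examples in the *.microsoftonline.com namespace;
# replace or extend them with the endpoints Microsoft documents for your tenant.
$Hosts = @(
    'login.microsoftonline.com',
    'adminwebservice.microsoftonline.com'
)

function Test-SyncEndpoint {
    param([string]$HostName)

    # Step 3 of the notice: the name must resolve. A failure here usually means
    # the DNS exception for *.microsoftonline.com is missing or blocked.
    $dns = Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue
    $addresses = @($dns | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })

    # Outbound TCP/443 from this host. Note: Test-NetConnection does not use a
    # configured web proxy, so if the sync server egresses via a proxy, repeat
    # the check with Invoke-WebRequest through that proxy instead.
    $tcp = Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Host        = $HostName
        Resolves    = ($addresses.Count -gt 0)
        Addresses   = ($addresses -join ', ')
        Port443Open = [bool]$tcp.TcpTestSucceeded
    }
}

$results = foreach ($h in $Hosts) { Test-SyncEndpoint -HostName $h }
$results | Format-Table -AutoSize

# Any row with Resolves or Port443Open equal to False indicates the firewall or
# DNS configuration would break synchronization once traffic is redistributed.
$failed = @($results | Where-Object { -not $_.Resolves -or -not $_.Port443Open })
if ($failed.Count -gt 0) {
    Write-Warning ("Connectivity problems for: " + ($failed.Host -join ', '))
    exit 1
}
```

A non-zero exit code lets the check be scheduled and alerted on, so a later IP-only firewall rule that no longer matches the resolved addresses is caught before the sync client starts failing.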