Get all your Microsoft Copilot data readiness questions answered by Netwrix and me in our upcoming panel discussion

Reading Time: 2 minutes

The wonderful people at Netwrix have asked me to join their panel discussion on Microsoft Copilot readiness. In this online webinar we plan to discuss data discovery, data classification and access control with the help of Artificial Intelligence.


About the webinar

With Microsoft 365 services like SharePoint, Teams, and OneDrive generating and storing vast amounts of data, how do organizations identify where sensitive information resides and who has access to it?

In our panel discussion on data discovery, data classification and access control with the help of Artificial Intelligence, we share our strategies for automatically discovering, classifying and securing sensitive data across cloud and on-premises environments.

In this panel discussion, with Adam Laub, Dirk Schrader and Ryan Oistacher from Netwrix, I’ll discuss how we leverage Microsoft Purview sensitivity labels to enable Data Loss Prevention (DLP) policies, how to gain visibility into user permissions and remediate excessive privileges and – last but not least – how to apply the principle of Least Privilege Access to reduce risk and strengthen data protection.


Join us!

Join us on Tuesday April 23, 2025 at 2 PM CEST!
Register here.

Note:
These webinars are offered free of charge, thanks to sponsorship by Netwrix. By signing up for these webinars you agree to their privacy policy.


About Netwrix

Netwrix empowers information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers. Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.


What’s New in Entra ID in March 2025

Reading Time: 3 minutes

Microsoft Entra

Microsoft Entra ID, previously known as Azure AD, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for March 2025:


What’s Planned

Microsoft Entra Permissions Management end of sale and retirement

Service category: Other
Product capability: Permissions Management

Effective April 1, 2025, Microsoft Entra Permissions Management (MEPM) will no longer be available for sale to new Enterprise Agreement (EA) subscribers and direct Microsoft customers. Additionally, starting May 1, it will not be available for sale to new CSP organizations. Effective October 1, 2025, Microsoft will retire Microsoft Entra Permissions Management and discontinue support of this product.

Organizations that use MEPM will retain access to this product until September 30, 2025, with ongoing support for current functionalities. Microsoft has partnered with Delinea to provide an alternative solution, Privilege Control for Cloud Entitlements (PCCE), that offers similar capabilities to those provided by MEPM.


Download Microsoft Entra Connect Sync on the Microsoft Entra admin center

Service category: Microsoft Entra Connect
Product capability: Identity Governance

The Microsoft Entra Connect Sync .msi installation files will become available on the Microsoft Entra admin center within the Microsoft Entra Connect pane.

As part of this change, Microsoft stops uploading new installation files on the Microsoft Download Center.


What’s Deprecated

Upgrade Microsoft Entra Connect Sync version to avoid impact on the Sync Wizard

Service category: Microsoft Entra Connect
Product capability: Microsoft Entra Connect

As announced in the Microsoft Entra What's New Blog and in Microsoft 365 Center communications, customers should upgrade their connect sync versions to at least 2.4.18.0 for commercial clouds and 2.4.21.0 for non-commercial clouds before April 7, 2025. A breaking change on the Connect Sync Wizard will affect all requests that require authentication such as schema refresh, configuration of staging mode, and user sign in changes.


What’s New

Conditional Access reauthentication policy Generally Available

Service category: Conditional Access
Product capability: Identity Security & Protection

The Require reauthentication every time option can be used for scenarios where organizations want to require a fresh authentication every time a person performs specific actions, like accessing sensitive applications, securing resources behind VPN, or securing privileged role elevation in Microsoft Entra Privileged Identity Management (PIM).


Custom Attributes support for Microsoft Entra Domain Services Generally Available

Service category: Microsoft Entra Domain Services
Product capability: Microsoft Entra Domain Services

Custom Attributes for Microsoft Entra Domain Services allows organizations to use Custom Attributes in their managed domains. Legacy applications often rely on custom attributes created in the past to store information, categorize objects, or enforce fine-grained access control over resources.

Microsoft Entra Domain Services now supports custom attributes, enabling organizations to migrate their legacy applications to the Azure cloud without modification. It also provides support to synchronize custom attributes from Microsoft Entra ID, allowing organizations to benefit from Microsoft Entra ID services in the cloud.


Track and investigate identity activities with linkable identifiers in Microsoft Entra Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft will standardize the linkable token identifiers and expose them in both Microsoft Entra and workload audit logs. This allows organizations to join the logs to track and investigate any malicious activity. Currently, linkable identifiers are available in the Microsoft Entra sign-in logs, the Exchange Online audit logs, and the Microsoft Graph activity logs.


Limit creation or promotion of multitenant apps Public Preview

Service category: Directory Management
Product capability: Developer Experience

Microsoft added a new feature to the App Management Policy Framework that allows restriction on creation or promotion of multitenant applications, providing admins with greater control over their app environments.

Admins can now configure tenant default or custom app policy using the new audiences restriction to block new app creation if the signInAudience value provided in the app isn't permitted by the policy. In addition, existing apps can be restricted from changing their signInAudience if the target value isn't permitted by the policy.

These policy changes are applied during app creation or update operations, offering control over application deployment and usage.


Conditional Access Per-Policy Reporting Public Preview

Service category: Conditional Access
Product capability: Identity Security & Protection

Conditional Access Per-Policy Reporting enables admins to easily evaluate the impact of enabled and report-only Conditional Access policies on their organization, without using Log Analytics. This feature surfaces a graph for each policy in the Microsoft Entra Admin Center, visualizing the policy’s impact on the tenant’s past sign-ins.


What’s Changed

New Microsoft-managed Conditional Access policies designed to limit device code flow and legacy authentication flows Generally Available

Service category: Conditional Access
Product capability: Access Control

As part of our ongoing commitment to enhance security and protect organizations from evolving cyber threats, Microsoft is rolling out two new Microsoft-managed Conditional Access policies designed to limit device code flow and legacy authentication flows. These policies are aligned to the secure by default principle of Microsoft’s broader Secure Future Initiative, which aims to provide robust security measures to safeguard organizations by default.


Join Raymond and me at the RDW Techday!

Reading Time: 2 minutes


As hosts of the IT Bros podcast, Raymond Comvalius and I have interesting discussions with many of the listeners that we meet outside of our recording studio. When Edmond, one of our devoted listeners, asked us to elaborate on authentication methods and Microsoft accounts vs. work or school accounts, the idea to speak at his employer's technology day was born…


About the RDW Tech Day

The RDW Techday is a one-day event for employees of the RDW and participants from the Northern Cooperation (Samenwerking Noord). This year’s Techday is organized on Wednesday April 16, 2025 at the Van der Valk Hotel Groningen-Hoogkerk.


About our sessions

Raymond and I will present two 60-minute sessions:

Entra ID Applications: Five Do’s and Don’ts for this potential blind spot

Wednesday April 16, 2025, 11:15 AM – 12:15 PM, Security Track

Microsoft offers application integration features in Entra for single-tenant applications, multi-tenant applications and workload identities. Just like every other feature in Entra, management, governance, and security for applications require a certain level of attention.

Unfortunately, application governance is not part of the official Microsoft curriculum, nor any of the Microsoft Entra SKUs or IAM solutions. For most Entra admins this is a huge and potentially dangerous blind spot. In this session, we provide better optics around the situation and our real-world insights, as experienced with Entra ID application governance.

Sprinkled throughout the session will be valuable tips and tricks specifically designed to keep Microsoft Entra Enterprise Applications and Application Registrations in check, making this a MUST attend session for all Entra admins!

Are you ready for Entra Connect Cloud Sync!? Do you mean; Is Cloud Sync ready for me?

Wednesday April 16, 2025, 2:15 PM – 3:15 PM, Security Track

Yes, you heard it right: Microsoft only invests in Entra Connect Cloud Sync as the synchronization tool between Active Directory and Entra ID. Already, some synchronization features are only available when an organization adopts Cloud Sync. This leaves Forefront Identity Manager, Microsoft Identity Manager and Entra Connect Sync admins in the cold.

Is today the right day to adopt Entra Connect Cloud Sync? Find out as we explore the installation, configuration, scalability, supportability and migration options and limits. They help you to make the right choices, so your synchronization efforts don’t come to a grinding halt in the coming years.

As an Entra admin, attend this session when you want to take your hybrid identity to the next level without burning bridges.


Join us!


Participation is free of charge, but don't wait too long to register because the number of participants in the Techday is limited. When registering, you can choose from the sessions offered. There is a maximum number of participants for the workshops.

During the event, photos will be taken for internal use. Don't want to be visible in the photo? Then ask for the special lanyard when you get your badge at the beginning of the RDW TechDay. This makes it visible that you don't want to be photographed.

See you on April 16 for RDW Techday 2025!


Join Tomislav Fuckar, the Bosnian Microsoft Community and me in Konjic!

Reading Time: 2 minutes


I’m happy to announce that I will co-present a technical session with Tomislav Fuckar at the Microsoft Community BiH Konferencija in Konjic, Bosnia and Herzegovina.

When Tomislav Fučkar asked me how to get started presenting at events like this one, I offered to let him co-present one of the sessions that I was preparing for this calendar year. Luckily, the event organization picked our session.

About MS Community BiH Konferencia

This year’s 12th Microsoft Community BiH Konferencija event is a 2-day event, hosted at the Garden City hotel in Konjic, Bosnia and Herzegovina, on Monday April 14th, 2025, and Tuesday April 15th, 2025.

Monday April 14th is reserved for technical workshops from several local community heroes:

  • Nenad Trajkovski: A project in crisis and how to get out of it
  • Ahmad Najjar: Power Automate Jump Start: Where Automation Meets AI
  • Tomislav Lulic: Copilot for Microsoft 365 – how to prepare the environment and how to prompt

Tuesday April 15th is the conference day. It is the main day, with inspirational lectures, demonstrations of real solutions, networking with colleagues and IT professionals, and exclusive sessions with Microsoft experts like Adis Jugo, Mustafa Toroman, Damir Dizdarevic, Jelena Miodragovic and Vladimir Stefanović.

About our session

Tomislav and I will present a 45-minute session on:

Authentication Methods in Depth

Tuesday April 15, 2025, Room 2, 9:30 AM – 10:15 AM

All multi-factor authentication is more secure than single-factor authentication, but some multi-factor authentication methods are more secure than others.

We share our experiences rolling out multi-factor authentication in large organizations, how most of the people in these organizations don’t even experience multi-factor authentication as typical fidgety multi-factor authentication, and how we use the built-in features in Microsoft Entra to nudge people to use the most secure – even phishing-resistant – authentication options.

Join us!

Join us to secure your Entra future!

The agenda and registration fees at affordable prices are available at konferencija.mscommunity.ba/

See you in Konjic!


VMware Tools v 12.5.1 fixes an authentication bypass vulnerability (VMSA-2025-0005, CVE-2025-22230, CVSSv3 7.8)

Reading Time: 2 minutes

This week, VMware introduced a new version of its VMware Tools for Windows. The reason for this release is an authentication bypass vulnerability.


About VMware Tools

VMware Tools is a set of services and modules that enable several features in VMware products for better management of, and seamless user interactions with, guest Operating Systems.

Although the guest operating system can run without VMware Tools, many VMware features are not available until you install VMware Tools. For example, if you do not have VMware Tools installed in your virtual machine, you cannot use the shutdown or restart options from the toolbar. You can only use the power options. VMware Tools manages time synchronization on VMware vSphere and may offer quiescence for backups.

About the vulnerability

An authentication bypass vulnerability in VMware Tools for Windows was privately reported to VMware. This vulnerability is known as CVE-2025-22230. An attacker with non-administrative privileges in the Windows guest Operating System on which VMware Tools is installed may gain the ability to perform certain high-privilege operations within that virtual machine.


Upgrading VMware Tools

To remediate CVE-2025-22230, install VMware Tools version 12.5.1, or a later version of the VMware Tools, on x64 versions of Windows. Install VMware Tools version 12.4.6 for 32-bit Windows versions.

According to the VMware Tools 12.5.1 Release Notes, version 12.5.1 also incorporates a fix for the Elevation of Privilege vulnerability in Visual C++, tracked as CVE-2024-43590, and a fix for an issue in VMware Tools version 12.5.0 that caused some OpenGL applications to stop responding.

Follow these steps to upgrade VMware Tools on Windows Server-based guest Operating Systems in your vSphere environment:

  • Sign in to vCenter Server.
  • In the Inventory > Hosts and Clusters view, select the host, cluster, or datacenter and click the Virtual Machines tab.
  • Select the Windows Server-based virtual machines you want to upgrade VMware Tools on. Use Ctrl or Shift to select multiple virtual machines.
  • Right-click the selected virtual machine(s) and select Guest from the context menu. Then, click Install/Upgrade VMware Tools.
  • Complete the wizard.
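Before walking through the wizard, it helps to know which guests actually need the upgrade. The PowerCLI function below is an added example (not code from the post or from VMware/Broadcom) that reports every Windows guest still running a VMware Tools version below the fixed releases named above: 12.5.1 on x64 Windows, 12.4.6 on 32-bit Windows. It assumes an existing Connect-VIServer session; the function name and its -VM parameter are constructed for this example, while Get-VM, the Guest properties and Update-Tools are PowerCLI's own.

```powershell
# Added example (not from the original post): inventory Windows guests whose
# VMware Tools version is below the fixed release for their architecture.
# Assumes VMware PowerCLI is installed and a session is open via Connect-VIServer.
# Fixed versions are the ones named in the post: 12.5.1 (x64) and 12.4.6 (32-bit).

function Get-VMwareToolsExposure {
    param(
        # VM objects as returned by Get-VM (constructed parameter name)
        [Parameter(Mandatory)][object[]]$VM
    )
    foreach ($item in $VM) {
        $guest = $item.Guest
        # Non-Windows guests are out of scope for CVE-2025-22230
        if ($guest.OSFullName -notlike '*Windows*') { continue }
        # PowerCLI reports 32-bit Windows guests with "(32-bit)" in OSFullName
        $is32bit  = $guest.OSFullName -like '*32-bit*'
        $required = if ($is32bit) { [version]'12.4.6' } else { [version]'12.5.1' }
        $installed = $null
        # ToolsVersion is empty when Tools is not installed or the VM is powered off
        if (-not [string]::IsNullOrEmpty($guest.ToolsVersion)) {
            try { $installed = [version]$guest.ToolsVersion } catch { $installed = $null }
        }
        [pscustomobject]@{
            Name             = $item.Name
            PowerState       = $item.PowerState
            OS               = $guest.OSFullName
            InstalledVersion = $guest.ToolsVersion
            RequiredVersion  = $required.ToString()
            # Unknown versions are reported as needing attention rather than silently skipped
            NeedsUpgrade     = ($null -eq $installed) -or ($installed -lt $required)
        }
    }
}

# Usage: review the report first, then upgrade only the flagged VMs.
# $exposure = Get-VMwareToolsExposure -VM (Get-VM)
# $exposure | Where-Object NeedsUpgrade | Format-Table -AutoSize
# Get-VM -Name ($exposure | Where-Object NeedsUpgrade).Name | Update-Tools -NoReboot
```

Powered-off guests show an empty ToolsVersion and are therefore flagged; power them on and run the report again before concluding they are patched. Update-Tools with -NoReboot defers the restart, which matters for the Domain Controllers and Remote Desktop servers mentioned in the conclusion below.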


Concluding

The authentication bypass vulnerability in VMware Tools makes it clear that VMware Tools should be upgraded on all Windows and Windows Server installations that are essential to the organization. This includes (read-only) Domain Controllers and Remote Desktop servers.

Further reading

VMware Tools v 11.3 fixes a Denial of Service vulnerability (VMSA-2021-0011)
KnowledgeBase: VMware Tools Quiescence corrupts Active Directory backups
VMware vSphere 7.0 Update 1 introduces an interface for advanced time configuration
Managing Active Directory Time Synchronization on VMware vSphere
Installing and upgrading VMware Tools in vSphere (2004754)


From the field: Three gotchas when migrating applications from AD FS to Entra

Reading Time: 3 minutes


As a professional, I like to prepare my projects to avoid any hiccups during stressful moments. This ranges from reading up on the relevant Microsoft Docs and implementing a staging environment to define run and rollback changes, to triple-checking my assumptions.

Recently, I have been involved in several projects for decommissioning Active Directory Federation Services (AD FS). Staged rollout is a feature that helps migrate the user population from AD FS to managed authentication granularly. Other federated applications, services and platforms don't offer this kind of functionality and require the entire population to be changed from authenticating to AD FS to authenticating to Entra. This cutover moment can be stressful. A lot of things can go wrong. Therefore, I'm sharing three gotchas when migrating applications from AD FS to Entra.


1. Applications may use a federated protocol that is not available in Entra

Some AD FS implementations have a lot of applications, and sometimes these applications use legacy protocols. It's no longer a problem when an application uses WS-Fed, SAML 1.0, or SAML 1.1, as these legacy protocols and versions are all supported by Entra. However, one particular federation protocol was never implemented in Entra: Shibboleth. This protocol was – and still is – primarily used for multilateral federation between universities and research facilities.

Microsoft offers three solutions for organizations:

  1. Microsoft Entra ID with Cirrus Bridge
  2. Microsoft Entra ID with Shibboleth as a SAML proxy
  3. Microsoft Entra ID with AD FS and Shibboleth

All these solutions respect Shibboleth as the federation protocol in use, but all of them also require that the AD FS implementation or other on-premises functionality be maintained. Mostly, the purpose of an AD FS migration project is to decommission on-premises functionality… Therefore, migrating to Entra External ID may be the best long-term solution, but this is going to take some time to architect, implement and perfect… while AD FS keeps running all the while…


2. Applications may use an outdated attribute for Name ID

When you've been working with Entra, you've become very familiar with the userPrincipalName attribute as the sign-in account towards most Entra-connected applications, services and platforms. When the primary user email address and userPrincipalName attributes match, people in your organization only need to remember one sign-in name.

However, in the early days of AD FS, the userPrincipalName wasn't as widely used as the globally unique user name it is considered to be today. In older Active Directory environments, it's even possible to spot accounts with empty userPrincipalName attributes. These environments rely on other attributes. The sAMAccountName attribute is typically used in these environments. Yes, in the Active Directory tooling, this attribute is referred to as the pre-Windows 2000 user name.

These outdated configurations in AD FS may prove cumbersome during the migration from AD FS to Entra, as the default application settings for multi-tenant applications configure the userPrincipalName as the sign-in attribute.

From a user perspective, nothing seems wrong, as AD FS performs its single sign-on magic with Active Directory in the same way. However, in the back-end of the AD FS-integrated application, service or platform, records for user accounts would have settings, profiles, permissions and history linked to a user table with sAMAccountName values. Oftentimes, the sAMAccountName attribute is then appended with the organization's public DNS domain name.

When this issue is not addressed, switching the Name ID attribute from sAMAccountName (in Entra: user.onpremisessamaccountname) to userPrincipalName (in Entra: user.userprincipalname) through these default settings would create all new users in the back-end, typically without the right settings, permissions, etc.

To avoid this, the back-end of the AD FS-integrated application should be converted from using the sAMAccountName attribute as the Name ID to using the userPrincipalName attribute. Depending on the vendor and contracts, this could easily add months to your AD FS migration project…

Avoid this situation by going through the claims issuance rules of AD FS-integrated applications, services and platforms and make sure these don't issue the sAMAccountName as the Name ID.
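Going through the claims issuance rules by hand is tedious on a farm with dozens of relying party trusts. The function below is an added example (not code from the post) that scans AD FS issuance transform rules for the two common patterns that derive the Name ID from sAMAccountName: an LDAP query rule with query = ";sAMAccountName;{0}", and a pass-through that copies the windowsaccountname claim into the nameidentifier claim type. The function name and the sample rule text are constructed for this example; the claim type URIs, the rule syntax and Get-AdfsRelyingPartyTrust are AD FS's own.

```powershell
# Added example (not from the original post): find AD FS relying party trusts whose
# issuance transform rules issue the Name ID from sAMAccountName.
# Claim type URIs and rule language are AD FS's own; function name is constructed.

$NameIdClaimType    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$WindowsAccountType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

function Test-SamAccountNameNameId {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$RuleText)
    # Each rule is "<condition> => issue(<arguments>);" (or add(...)); match them one by one.
    $pattern = '(?s)(?<condition>.*?)=>\s*(?:issue|add)\s*\((?<body>.*?)\)\s*;'
    $findings = @(foreach ($m in [regex]::Matches($RuleText, $pattern)) {
        $condition = $m.Groups['condition'].Value
        $body      = $m.Groups['body'].Value
        # Only rules that issue the nameidentifier claim type matter here
        if ($body -notmatch [regex]::Escape($NameIdClaimType)) { continue }
        # Pattern 1: LDAP attribute store query on sAMAccountName
        $fromLdapQuery = $body -match '(?i)sAMAccountName'
        # Pattern 2: windowsaccountname (DOMAIN\sAMAccountName) copied into the Name ID
        $fromWindowsAccount = ($condition -match [regex]::Escape($WindowsAccountType)) -and
                              ($body -match 'c\d*\.Value')
        if ($fromLdapQuery -or $fromWindowsAccount) { $m.Value.Trim() }
    })
    $findings
}

# Constructed sample rule set in the AD FS claim rule language (illustration only):
# the first rule is the problematic one, the second issues the UPN and is fine.
$sampleRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Name ID from sAMAccountName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

Test-SamAccountNameNameId -RuleText $sampleRules   # returns only the first rule

# Farm-wide check, run on an AD FS server where the ADFS module is available:
# Get-AdfsRelyingPartyTrust | ForEach-Object {
#     $hits = Test-SamAccountNameNameId -RuleText ([string]$_.IssuanceTransformRules)
#     if ($hits) { [pscustomobject]@{ RelyingParty = $_.Name; Rules = $hits } }
# }
```

A relying party that is flagged needs the back-end conversion described above before its Entra enterprise application can map the Name ID to user.userprincipalname. Rules that build the Name ID in a custom claims store or through a regexreplace on another claim are not covered by these two patterns and still need a manual read.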


3. User assignment does not support group nesting

In Entra, it is a recommended practice to toggle the User assignment required setting for enterprise applications to Yes and then assign specific groups to the application. This ensures that only people whose user accounts are members of those groups have access to the functionality.

However, the User assignment required setting and the groups that are added cannot be nested groups. In AD FS, group nesting was never a problem in claims issuance rules, so group nesting may suddenly become an issue when migrating an application, service and/or platform from AD FS to Entra.

The only thing that can be done is flattening the group memberships by adding the specific members of a sub group to the primary group. This takes time, so it's inconvenient to be confronted with during the actual application migration. Address this issue before migrating the application, service or platform from AD FS to Entra.
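Flattening can be scripted instead of done by hand. The function below is an added example (not code from the post) using the Microsoft Graph PowerShell SDK: it lists the transitive (nested) user members of the group assigned to the application, compares them with the direct members, and optionally adds the missing users directly. It assumes a session opened with Connect-MgGraph and the GroupMember.ReadWrite.All scope; the function name and its -Apply switch are constructed, while Get-MgGroupTransitiveMember, Get-MgGroupMember and New-MgGroupMember are the SDK's own cmdlets.

```powershell
# Added example (not from the original post): flatten nested membership so that an
# enterprise application with "User assignment required" sees every user directly.
# Assumes Microsoft.Graph PowerShell SDK and Connect-MgGraph -Scopes 'GroupMember.ReadWrite.All'.

function Expand-NestedGroupMembers {
    param(
        [Parameter(Mandatory)][string]$GroupId,   # object id of the group assigned to the app
        [switch]$Apply                            # without -Apply, only report the missing users
    )
    # Transitive members include users reached through any depth of nesting
    $transitive = Get-MgGroupTransitiveMember -GroupId $GroupId -All
    $direct     = Get-MgGroupMember -GroupId $GroupId -All
    $directIds  = @{}
    foreach ($d in $direct) { $directIds[$d.Id] = $true }

    $missing = @(foreach ($m in $transitive) {
        # Only users are relevant to app assignment; nested groups are left in place
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        if ($directIds.ContainsKey($m.Id)) { continue }
        [pscustomobject]@{
            UserId            = $m.Id
            UserPrincipalName = $m.AdditionalProperties['userPrincipalName']
        }
    })

    if ($Apply) {
        foreach ($u in $missing) {
            # Add the user as a direct member so the app assignment applies to them
            New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $u.UserId
        }
    }
    $missing
}

# Usage: review first, then apply.
# Expand-NestedGroupMembers -GroupId '<group object id>' | Format-Table
# Expand-NestedGroupMembers -GroupId '<group object id>' -Apply
```

For groups synchronized from Active Directory, cloud membership is read-only; do the same flattening on-premises (Get-ADGroupMember -Recursive followed by Add-ADGroupMember) and let Entra Connect Sync bring the result to the cloud. Either way, a user who later joins a nested group will not be picked up automatically, so the flattening needs to be repeated, or the application switched to the flattened group permanently.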


What’s New in Entra ID in February 2025

Reading Time: 3 minutes

Microsoft Entra

Microsoft Entra ID, previously known as Azure AD, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for February 2025:


What’s New

Authentication methods migration wizard Generally Available

Service category: MFA
Product capability: User Authentication

The authentication methods migration guide in the Microsoft Entra Admin Center lets admins automatically migrate method management from the legacy MFA and SSPR policies to the converged authentication methods policy. In 2023, Microsoft announced that the ability to manage authentication methods in the legacy MFA and SSPR policies would be retired in September 2025. Until now, organizations had to manually migrate methods themselves by using the migration toggle in the converged policy.

Now, admins can migrate in just a few selections by using the migration guide. The guide evaluates what the organization currently has enabled in both legacy policies, and generates a recommended converged policy configuration for you to review and edit as needed. From there, admins confirm the configuration, and the platform sets it up and marks the migration as complete.


Granular Microsoft Graph permissions for Lifecycle workflows Generally Available

Service category: Lifecycle Workflows
Product capability: Identity Governance

New, less-privileged permissions can now be used for managing specific read and write actions in Lifecycle Workflows scenarios. The following granular permissions were introduced in Microsoft Graph:

  • LifecycleWorkflows-Workflow.ReadBasic.All
  • LifecycleWorkflows-Workflow.Read.All
  • LifecycleWorkflows-Workflow.ReadWrite.All
  • LifecycleWorkflows-Workflow.Activate
  • LifecycleWorkflows-Reports.Read.All
  • LifecycleWorkflows-CustomExt.Read.All
  • LifecycleWorkflows-CustomExt.ReadWrite.All


Enhanced user management in Admin Center Public Preview

Service category: User Management
Product capability: User Management

Admins are now able to multi-select and edit user accounts at once through the Microsoft Entra admin center. With this new capability, admins can bulk edit user account properties, add user accounts to groups, edit account status, and more. This user experience enhancement significantly improves efficiency for user account management tasks in the Microsoft Entra admin center.


QR code authentication, a simple and fast authentication method for Frontline Workers Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft is thrilled to announce public preview of QR code authentication in Microsoft Entra ID, providing an efficient and simple authentication method for frontline workers.

You'll see a new authentication method, QR code, in Microsoft Entra ID Authentication method Policies. Admins can enable and add QR code for frontline workers via Microsoft Entra ID, My Staff, or Microsoft Graph APIs. All user accounts in the tenant see a new link Sign in with QR code on navigating to https://login.microsoftonline.com > Sign-in options > Sign in to an organization page. This new link is visible only on mobile devices running Android, iOS or iPadOS. Users can use this authentication method only if admins add and provide a QR code to them. QR code authentication is also available in BlueFletch and Jamf. MHS QR code auth support will be generally available by early March.


External Authentication Methods support for system preferred MFA Public Preview

Support for external authentication methods as a supported method begins rolling out at the beginning of March 2025. When this is live in a tenant where system preferred is enabled and user accounts are in scope of an external authentication methods policy, these people will be prompted for their external authentication method if their most secure registered method is Microsoft Authenticator notification. External Authentication Method will appear as third in the list of most secure methods. If the person has a Temporary Access Pass (TAP) or Passkey (FIDO2) device registered, they'll be prompted for those. In addition, people in the scope of an external authentication methods policy will have the ability to delete all registered second factor methods from their account, even if the method being deleted is specified as the default sign in method or is system preferred.


Custom SAML/WS-Fed External Identity Provider Support in Microsoft Entra External ID Public Preview

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

By setting up federation with a custom-configured identity provider that supports the SAML 2.0 or WS-Fed protocol, admins enable people to sign up and sign in to applications, systems and services using existing accounts from the federated external provider.

This feature also includes domain-based federation, so a person who enters an email address on the sign-in page that matches a predefined domain in any of the external identity providers will be redirected to authenticate with that identity provider.


Happy 25th Birthday, Active Directory!

Reading Time: < 1 minute


Today, The DirTeam.com / ActiveDir.org Weblogs are celebrating the 25-year anniversary of Active Directory Domain Services as a released product.


Windows 2000 Server

The introduction of Active Directory to the world was part of the release of Windows 2000 Server on February 17, 2000.


How to get the redirected URI for a go.microsoft.com/fwlink address

Reading Time: 2 minutes


In today’s Zero Trust networking scenarios, many organizations opt to only allow specific web locations to be accessible to their systems. This is problematic with addresses that act as redirect locations to actual web locations, because the actual web location needs to be allowlisted in the firewall to be accessible.


Common scenarios

A common scenario is an isolated networking environment with highly sensitive resources, whose systems need to be able to access specific web resources. This can be:

  • Updating and upgrading vendor-specific appliances
  • Downloading vendor-specific ISO files to an internal VMware datastore
  • (regularly) validating licenses in use with vendors


My scenario

The scenario I recently encountered was having to download a Windows Server 2025 trial ISO file to use in Azure VMware Solution from a Windows 365 device located on a dedicated network. The network and its systems process sensitive data. The organization has a Microsoft-first, cloud-first approach.

Of course, I knew how to navigate a browser to Windows Server 2025’s download page on Microsoft’s Evaluation Center website, but the links here are all https://go.microsoft.com/fwlink?linkid=… redirect URIs…

Obviously, adding go.microsoft.com for HTTPS in the Azure Firewall does not provide the ability to download the ISO. The actual URI where the *.iso file is located would still not be accessible, because that wouldn’t be allow-listed. We need to allow-list the actual URI to this purpose.


Locating the redirect URI

Here’s how to locate the actual URI. I’m using PowerShell to do this, as it is available on every device within this organization.

This is the line of PowerShell I used for the Windows Server 2025 ISO EN-US:

(Invoke-WebRequest -uri "https://go.microsoft.com/fwlink/?linkid=2293312&clcid=0x409&culture=en-us&country=us" -MaximumRedirection 0 -ErrorAction SilentlyContinue).RawContent

The output of this line of PowerShell provides the redirected URI for Location.

The *.iso file was located on software-static.download.prss.microsoft.com.

I added go.microsoft.com and this URI to the allow-list for HTTPS for the Azure Firewall, after which I could download the *.iso file and upload it to the datastore of the Azure VMware Solution.
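The one-liner above returns the first Location header, which is enough when the fwlink redirects in a single hop. As an added example (not code from the post), the function below generalizes it: it follows the chain hop by hop with automatic redirects switched off and returns every URI it passes through, so the allow-list can cover each intermediate host rather than only the first. The function name is constructed; it relies only on .NET's System.Net.HttpWebRequest, which is available in both Windows PowerShell and PowerShell 7.

```powershell
# Added example (not from the original post): follow a redirect chain hop by hop and
# return every Location on the way, so each host can be allow-listed.
# Uses only System.Net.HttpWebRequest from .NET; function name is constructed.

# Older Windows PowerShell hosts may default to a protocol the download CDN refuses
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

function Resolve-RedirectChain {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [int]$MaxHops = 10                        # guard against redirect loops
    )
    $current = [uri]$Uri
    $chain   = [System.Collections.Generic.List[string]]::new()
    for ($hop = 0; $hop -lt $MaxHops; $hop++) {
        $chain.Add($current.AbsoluteUri)
        $request = [System.Net.HttpWebRequest]::Create($current)
        $request.Method = 'GET'
        $request.AllowAutoRedirect = $false       # stop at each hop instead of following it
        try {
            $response = $request.GetResponse()
        } catch [System.Net.WebException] {
            # 4xx/5xx raise, but the response with its headers is still attached
            $response = $_.Exception.Response
            if ($null -eq $response) { throw }
        }
        $status   = [int]$response.StatusCode
        $location = $response.Headers['Location']
        # Only the headers are needed; closing here avoids downloading the body (the ISO)
        $response.Close()
        # Not a redirect, or a redirect without Location: the chain ends here
        if ($status -lt 300 -or $status -ge 400 -or [string]::IsNullOrEmpty($location)) { break }
        # Location may be relative; resolve it against the current URI
        $current = [uri]::new($current, $location)
    }
    return $chain
}

# Usage with the fwlink from the post; every distinct host is an allow-list candidate
$chain = Resolve-RedirectChain -Uri 'https://go.microsoft.com/fwlink/?linkid=2293312&clcid=0x409&culture=en-us&country=us'
$chain
$chain | ForEach-Object { ([uri]$_).Host } | Select-Object -Unique
```

The host list is what goes into the firewall rule; keep the full chain as documentation, because fwlink targets are occasionally re-pointed and the rule then needs revisiting.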


Concluding

Sometimes, one Windows built-in tool doesn’t provide the information we need (Microsoft Edge), but another one does (Microsoft PowerShell). 👍


From the field: You receive error ‘AADSTS9090561 The endpoint only accepts POST requests. Received a GET request’ when signing in

Reading Time: 2 minutes


Sometimes, you hit error messages that are just too vague to troubleshoot. I like these kinds of situations. I’ve hit errors before and their origins were always interesting.

Let’s see what’s happening today causing the error ‘AADSTS9090561 The endpoint only accepts POST requests. Received a GET request’ when signing in.


The situation

An organization is actively decommissioning Active Directory Federation Services (AD FS). Today, all employees sign in using the organization’s AD FS implementation but are scheduled to sign in using a managed solution, based on Microsoft Entra ID and password hash synchronization (PHS).

In Entra Connect Sync, Password Hash Synchronization was enabled quite a while ago. During regular checks throughout the project, no errors were detected in Entra Connect Sync Health or in Entra Connect Sync’s Synchronization Manager interface.

The Staged Rollout feature in Entra was enabled. A specific group was added to the feature. During the project, accounts would be added to the group to switch their sign-in method from AD FS to PHS.


The issue

After the first account is added to the group for Staged Rollout, the person can no longer sign in with the account. The error message is:

AADSTS9090561 The endpoint only accepts POST requests. Received a GET request


The cause

When troubleshooting, we checked Entra Connect Sync’s Synchronization Manager interface. Here, we found that all accounts in scope for synchronization were facing permissions issues.

When troubleshooting these issues, it appeared that Entra Connect Sync’s Active Directory connector account had been stripped of all permissions in Active Directory. Its permissions were reduced to the default membership of Domain Users.

This resulted in the inability of Entra Connect Sync to perform Password Hash Sync, as the Active Directory connector account requires the Replicate Directory Changes and Replicate Directory Changes All permissions for that purpose.


The solution

On the Windows Server installation with Entra Connect Sync, we used the cmdlets in the ADSyncConfig PowerShell module to provide the appropriate permissions and secure the account:

# Distinguished name of the Entra Connect Sync Active Directory connector account
$useraccount = 'CN=AD Connector account,CN=users,DC=domain,DC=tld'

# The ADSyncConfig module ships with Entra Connect Sync and is not loaded automatically
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'

# Grant the permissions each feature needs (basic read, Exchange hybrid writeback,
# mS-DS-ConsistencyGuid, Password Hash Sync, password writeback), then lock down the account object
Set-ADSyncBasicReadPermissions -ADConnectorAccountDN $useraccount
Set-ADSyncExchangeHybridPermissions -ADConnectorAccountDN $useraccount
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN $useraccount
Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN $useraccount
Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN $useraccount
Set-ADSyncRestrictedPermissions -ADConnectorAccountDN $useraccount


Alternatively, you can use the fine-grained approach to delegate permissions laid out here, or use Michael Waterman's PowerShell alternative to it.
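Because the symptom (a sign-in error after Staged Rollout) sits far from the cause (a stripped connector account), a read-only check that can run during the regular project checks is worth having. The function below is an added example (not code from the post): it reads the ACL on the domain naming context and reports whether the connector account is directly granted the two replication control access rights that Password Hash Sync depends on. It assumes the ActiveDirectory RSAT module on a domain-joined machine; the function name is constructed, the two extended-right GUIDs are the well-known values for Replicating Directory Changes and Replicating Directory Changes All.

```powershell
# Added example (not from the original post): verify, without changing anything, that the
# Entra Connect Sync AD connector account holds the replication permissions Password Hash
# Sync needs. Assumes the ActiveDirectory module (RSAT); function name is constructed.

Import-Module ActiveDirectory

function Test-ADSyncPhsPermissions {
    param(
        [Parameter(Mandatory)][string]$ConnectorAccount,               # sAMAccountName or DN
        [string]$DomainDN = (Get-ADDomain).DistinguishedName           # domain naming context
    )
    # Well-known GUIDs of the two replication control access rights
    $rights = @{
        'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
        'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    }
    $account   = Get-ADUser -Identity $ConnectorAccount
    # The ACL lists identities in DOMAIN\name form, so translate the SID to that
    $ntAccount = $account.SID.Translate([System.Security.Principal.NTAccount]).Value

    $acl = Get-Acl -Path "AD:\$DomainDN"
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($entry in $rights.GetEnumerator()) {
        $granted = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $ntAccount -and
            $_.AccessControlType -eq 'Allow' -and (
                # ACE scoped to this specific extended right
                ($_.ObjectType -eq $entry.Value -and (($_.ActiveDirectoryRights -band $extendedRight) -ne 0)) -or
                # ACE granting all extended rights, or full control, on the object
                ($_.ObjectType -eq [guid]::Empty -and
                    (($_.ActiveDirectoryRights -band ($extendedRight -bor $genericAll)) -ne 0))
            )
        }
        [pscustomobject]@{
            Account    = $ntAccount
            Permission = $entry.Key
            Granted    = [bool]$granted
        }
    }
}

# Usage:
# Test-ADSyncPhsPermissions -ConnectorAccount '<connector account sAMAccountName>'
```

The check only sees ACEs granted to the account itself, not rights it inherits through a group membership, so a Granted = False result for an account that still synchronizes passwords points to a group-based grant worth documenting. Either way, two False rows right after a "cleanup" is exactly the condition that produced the AADSTS9090561 error above.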


Concluding

Apparently, someone has been helping the project by cleaning up the permissions for Entra Connect Sync’s Active Directory connector account. Unfortunately, this change was too early and we had to reverse it…
