Still managing Active Directory like it’s 2003? Darryl and I explain why it leaves you exposed in 2025



On October 15th, 2025, I will deliver a 75-minute webinar with IT GRC Forum together with Darryl Baker, Senior Solutions Architect at Netwrix.


About the webinar

Since Microsoft updated replication in Windows Server 2003, Active Directory has gained powerful security and management enhancements. Yet many organizations still manage it as if little has changed.

In 2025, as Windows Server 2025 rolls out, relying on outdated Active Directory practices puts your organization at risk. Microsoft is steadily enforcing stricter security defaults, while modern ransomware campaigns continue to target Active Directory as a prime entry point. Falling behind means disruption and exposure.

This webinar will share practical steps you can take immediately to modernize Active Directory management and strengthen your security posture, including:

  • Proven approaches for streamlining directory management and reducing complexity
  • How to detect and remediate common Active Directory misconfigurations before attackers exploit them
  • Practical strategies to harden Active Directory security and monitor for suspicious activity
  • Steps to align directory management with compliance and governance requirements

If you work with Active Directory, this is one session you cannot afford to miss.


About Darryl Baker

Darryl Baker is a Senior Solutions Architect at Netwrix and a recognized authority in Identity and Active Directory security. With over 20 years of experience in information security, systems architecture, and military leadership, Darryl specializes in securing enterprise environments, including Active Directory, Azure, and identity management platforms, by identifying vulnerabilities, simulating real-world attack scenarios, and implementing customized remediation strategies.


Join us!

Join us on October 15th, 2025 at 1 PM EDT / 7 PM CEST for this free webinar.
Register here.


About IT GRC Forum

The goal of IT GRC Forum is to help industry stakeholders, government regulators, and end-users better understand and manage the increasingly complex Governance, Risk Management and Compliance (GRC) landscape across the organization. IT GRC Forum aims to empower the GRC community by providing the most current educational resources and a user friendly forum for collaboration with peers.


About Netwrix

Netwrix empowers information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers. Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.


Microsoft Entra ID applications: Why Ignoring Them Could Cost You



At NT Conference in Slovenia last week, I presented my five do’s and don’ts for managing Microsoft Entra ID applications. In just 45 minutes, I saw lightbulb moments across the audience as we explored how every Entra ID integration will eventually become an application. What surprised me most was how strongly the audience reacted to this reality, showing just how urgent this topic has become for IT and identity admins worldwide.


A Primer on Entra ID Applications

When Azure Active Directory first stepped into the light, it was focused on adoption and integration. From the start, it came with a model that solved the age-old problem around service accounts that we inherited from NT4 and Windows Server Active Directory: how not to abuse user accounts as service accounts.

Enterprise applications and application registrations were Microsoft’s magical mystical answer to this problem. However, without Azure AD – now Entra ID – being a part of any official Microsoft course or exam, the model never really took off.


How Exchange made applications take off

That changed when Microsoft Exchange Online dropped support for the legacy POP and IMAP protocols. Independent software vendors (ISVs) flocked to Entra ID applications to be able to read and write mailbox contents in a modern fashion. Overnight, a lot of legacy communications suddenly stopped and were converted to OAuth2 machine-to-machine authentication based on Entra ID applications.

Fast forward to 2025, and we’re seeing even more ISVs adopt the application framework, which offers granular API permissions, if you configure it right, extensive logging, and multi-tenancy features. Entra ID applications provide the perfect authentication for non-human identities (NHIs).

Some organizations have adopted the application model in Entra ID. Others have not. It appears that knowledge has been seeded in the industry, and it is coming to fruition.


Entra ID Applications Are Everywhere

The latest to adopt Entra ID applications for its integrations, however, is Microsoft itself, with application-based authentication in Entra Connect Sync. That’s right: even the On-premises Directory Synchronization accounts – the prime example of user accounts in Entra ID that are abused as service accounts – are going away. They are being replaced with an Enterprise Application in Entra ID. This is big news, as an estimated 97% of organizations that use Active Directory have a hybrid setup with Entra ID.

Microsoft released app-based authentication as generally available in Entra Connect v2.5.76.0 on July 31st, 2025. New installations of Entra Connect of that version and future versions even default to app-based authentication.


The Challenge: Why Identity Admins Struggle With Entra ID Applications

Identity admins, however, struggle with their backup, monitoring, and communications solutions. They suddenly require these application registrations. I was surprised to see how many people in the audience – largely consisting of Entra admins from the region – took out their camera to take a photo of the slide that provides an overview:

Leverage Applications slide at NT Konferenca 2025

It was a little surprising to me that the attendees at my session were largely unaware of the movement in the industry to application-based authentication for cloud services.

As previously mentioned, Entra ID application integration isn’t part of the official Microsoft curriculum. But that’s not all. Over the past decade, several significant trends have emerged, casting clouds over a largely clear sky for identity administrators. In addition to Entra ID application adoption, identity admins must keep up with several other critical trends affecting Active Directory security and Microsoft Entra ID management:

  • Plan Domain Controller upgrades more meticulously, as Microsoft more strongly enforces the Windows Server support lifecycles. Windows Server 2003-based Domain Controllers no longer cut it, although many Active Directory admins still manage Active Directory like it’s 2003…
  • Perform Domain Controller updates more frequently, as Active Directory is a prime target for adversaries. Not a monthly update has gone by in the past 3 years without a vulnerability being addressed in Active Directory Domain Services, Active Directory Certificate Services, Kerberos, Netlogon, DNS, SMB, TCP/IP, Windows Hello for Business or http.sys (used by Active Directory Federation Services). All of these represent opportunities for adversaries to gain control of the entire environment… and when Active Directory gets pwned, it’s game over for most.
  • Install and maintain all sorts of cloud-oriented software packages on and towards Domain Controllers to monitor (like the Entra Connect Health agent), report suspicious activity (like the Defender for Identity sensor), and enforce stronger password security (like the Entra Connect Password Protection agent). This software typically auto-updates, but when it doesn’t, it creates other challenges. To keep these automatic updates available, .NET Frameworks, etc., need to be kept up to date.
  • Maintain Entra from a role-based access control (RBAC) perspective, so people within the organization (as well as guests and non-human identities) can safely use Microsoft 365 services.

It’s no wonder there is little time for admins to focus on Entra ID applications. When putting out fires consumes 70% of your time, there are only so many hours in a month to keep your knowledge and certifications up to date, which don’t even include Entra ID applications…


Industry Feedback: Why Entra ID Applications Are Still a Blind Spot

The common feedback I received from the audience is that it’s an apparent niche. Other words that I’ve previously come across include ‘Pandora’s Box’ and ‘Blind Spot’. John O’Neill refers to it as a ‘hot potato’.


The Risks of Ignoring Entra ID Application Security – Your money or your career!

It’s dangerous to ignore Entra ID applications as an Identity admin, though.

Security incidents we’ve seen over the past few years, including the successful breach of Microsoft by Midnight Blizzard, the vulnerability that was abused in Metallic and a red teamer gaining access to Microsoft’s internal troubleshooting tools all show that one tiny suboptimal setting in Entra ID applications might cost your organization a lot of money, and potentially your job.


How to Get Started With Entra ID Application Governance

On October 19, 2023, ENow Software launched the AppGov Score solution and community. As I mentioned, there was a massive training and resources gap from Microsoft regarding this topic. To help close that gap, we began a knowledge-sharing effort through the AppGov Score community. Sean Hurley, along with myself and other Microsoft MVPs, contributed resources to help identity admins (or anyone ‘voluntold’ to manage Entra Apps) strengthen their skills, identify risks, and implement best practices for Microsoft Entra ID application security.

The ENow AppGov Score community features MVP-authored blogs, webinars, and a forum site for Identity admins to get their questions answered, whether they’re at the start of their journey or in the trenches. There’s always something new to learn with Entra ID applications, and for many, this journey is just beginning.

ENow has continued to evolve its free AppGov Score tool to provide a helpful starting point, along with its App Governance Accelerator solution, which provides detailed visibility, guidance, and automated remediation to strengthen the security of your organization’s application landscape, while lightening the load for identity admins.

It's time for Identity admins to embark on this journey to ensure their organization(s) remain in business and that their careers don’t get sidelined by Entra ID application misconfigurations.

Jokingly, at the end of my presentation, I asked if the attendees looked sad because I just gave them extra work for Monday. I couldn’t be more right.

There is a Chinese proverb:

"The best time to plant a tree was 20 years ago. The second-best time is now."

Please start now.


Get all your Microsoft Copilot data readiness questions answered by Netwrix and me in our upcoming panel discussion


The wonderful people at Netwrix have asked me to join their panel discussion on Microsoft Copilot readiness. In this online webinar we plan to discuss data discovery, data classification and access control with the help of Artificial Intelligence.


About the webinar

With Microsoft 365 services like SharePoint, Teams, and OneDrive generating and storing vast amounts of data, how do organizations identify where sensitive information resides and who has access to it?

In our panel discussion on data discovery, data classification and access control with the help of Artificial Intelligence, we share our strategies for automatically discovering, classifying and securing sensitive data across cloud and on-premises environments.

In this panel discussion, with Adam Laub, Dirk Schrader and Ryan Oistacher from Netwrix, I’ll discuss how we leverage Microsoft Purview sensitivity labels to enable Data Loss Prevention (DLP) policies, how to gain visibility into user permissions and remediate excessive privileges and – last but not least – how to apply the principle of Least Privilege Access to reduce risk and strengthen data protection.


Join us!

Join us on Tuesday April 23, 2025 at 2 PM CEST!
Register here.

Note:
These webinars are offered free of charge, thanks to the sponsoring by Netwrix. By signing up for these webinars you agree to their privacy policy.




What’s New in Entra ID in March 2025



Microsoft Entra ID, previously known as Azure AD, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for March 2025:


What’s Planned

Microsoft Entra Permissions Management end of sale and retirement

Service category: Other
Product capability: Permissions Management

Effective April 1, 2025, Microsoft Entra Permissions Management (MEPM) will no longer be available for sale to new Enterprise Agreement (EA) subscribers and direct Microsoft customers. Additionally, starting May 1, it will not be available for sale to new CSP organizations. Effective October 1, 2025, Microsoft will retire Microsoft Entra Permissions Management and discontinue support of this product.

Organizations that use MEPM will retain access to this product until September 30, 2025, with ongoing support for current functionalities. Microsoft has partnered with Delinea to provide an alternative solution, Privilege Control for Cloud Entitlements (PCCE), that offers similar capabilities to those provided by MEPM.


Download Microsoft Entra Connect Sync on the Microsoft Entra admin center

Service category: Microsoft Entra Connect
Product capability: Identity Governance

The Microsoft Entra Connect Sync .msi installation files will become available on the Microsoft Entra admin center within the Microsoft Entra Connect pane.

As part of this change, Microsoft stops uploading new installation files on the Microsoft Download Center.


What’s Deprecated

Upgrade Microsoft Entra Connect Sync version to avoid impact on the Sync Wizard

Service category: Microsoft Entra Connect
Product capability: Microsoft Entra Connect

As announced in the Microsoft Entra What's New Blog and in Microsoft 365 Center communications, customers should upgrade their connect sync versions to at least 2.4.18.0 for commercial clouds and 2.4.21.0 for non-commercial clouds before April 7, 2025. A breaking change on the Connect Sync Wizard will affect all requests that require authentication such as schema refresh, configuration of staging mode, and user sign in changes.


What’s New

Conditional Access reauthentication policy Generally Available

Service category: Conditional Access
Product capability: Identity Security & Protection

Require reauthentication every time can be used for scenarios where organizations want to require a fresh authentication every time a person performs specific actions, like accessing sensitive applications, securing resources behind VPN, or securing privileged role elevation in Microsoft Entra Privileged Identity Management (PIM).


Custom Attributes support for Microsoft Entra Domain Services Generally Available

Service category: Microsoft Entra Domain Services
Product capability: Microsoft Entra Domain Services

Custom Attributes for Microsoft Entra Domain Services allows organizations to use Custom Attributes in their managed domains. Legacy applications often rely on custom attributes created in the past to store information, categorize objects, or enforce fine-grained access control over resources.

Microsoft Entra Domain Services now supports custom attributes, enabling organizations to migrate their legacy applications to the Azure cloud without modification. It also provides support to synchronize custom attributes from Microsoft Entra ID, allowing organizations to benefit from Microsoft Entra ID services in the cloud.


Track and investigate identity activities with linkable identifiers in Microsoft Entra Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft will standardize the linkable token identifiers and expose them in both Microsoft Entra and workflow audit logs. This allows organizations to join the logs to track and investigate any malicious activity. Currently, linkable identifiers are available in the Microsoft Entra sign-in logs, the Exchange Online audit logs, and the MSGraph Activity logs.


Limit creation or promotion of multitenant apps Public Preview

Service category: Directory Management
Product capability: Developer Experience

Microsoft added a new feature to the App Management Policy Framework that allows restriction on creation or promotion of multitenant applications, providing admins with greater control over their app environments.

Admins can now configure tenant default or custom app policy using the new audiences restriction to block new app creation if the signInAudience value provided in the app isn't permitted by the policy. In addition, existing apps can be restricted from changing their signInAudience if the target value isn't permitted by the policy.

These policy changes are applied during app creation or update operations, offering control over application deployment and usage.


Conditional Access Per-Policy Reporting Public Preview

Service category: Conditional Access
Product capability: Identity Security & Protection

Conditional Access Per-Policy Reporting enables admins to easily evaluate the impact of enabled and report-only Conditional Access policies on their organization, without using Log Analytics. This feature surfaces a graph for each policy in the Microsoft Entra Admin Center, visualizing the policy’s impact on the tenant’s past sign-ins.


What’s Changed

New Microsoft-managed Conditional Access policies designed to limit device code flow and legacy authentication flows Generally Available

Service category: Conditional Access
Product capability: Access Control

As part of our ongoing commitment to enhance security and protect organizations from evolving cyber threats, Microsoft is rolling out two new Microsoft-managed Conditional Access policies designed to limit device code flow and legacy authentication flows. These policies are aligned to the secure by default principle of Microsoft’s broader Secure Future Initiative, which aims to provide robust security measures to safeguard organizations by default.


Join Raymond and me at the RDW Techday!



As hosts of the IT Bros podcast, Raymond Comvalius and I have interesting discussions with many of the listeners that we meet outside of our recording studio. When Edmond, one of our devoted listeners, asked us to elaborate on authentication methods and Microsoft accounts vs. work or school accounts, the idea to speak at his employer’s technology day was born…


About the RDW Tech Day

The RDW Techday is a one-day event for employees of the RDW and participants from the Northern Cooperation (Samenwerking Noord). This year’s Techday is organized on Wednesday April 16, 2025 at the Van der Valk Hotel Groningen-Hoogkerk.


About our sessions

Raymond and I will present two 60-minute sessions:

Entra ID Applications: Five Do’s and Don’ts for this potential blind spot

Wednesday April 16, 2025, 11:15 AM – 12:15 PM, Security Track

Microsoft offers application integration features in Entra for single-tenant applications, multi-tenant applications and workload identities. Just like every other feature in Entra, management, governance, and security for applications require a certain level of attention.

Unfortunately, application governance is not part of the official Microsoft curriculum, nor any of the Microsoft Entra SKUs or IAM solutions. For most Entra admins this is a huge and potentially dangerous blind spot. In this session, we provide better optics around the situation and our real-world insights, as experienced with Entra ID application governance.

Sprinkled throughout the session will be valuable tips and tricks specifically designed to keep Microsoft Entra Enterprise Applications and Application Registrations in check, making this a MUST-attend session for all Entra admins!

Are you ready for Entra Connect Cloud Sync!? Do you mean; Is Cloud Sync ready for me?

Wednesday April 16, 2025, 2:15 PM – 3:15 PM, Security Track

Yes, you heard it right: Microsoft only invests in Entra Connect Cloud Sync as the synchronization tool between Active Directory and Entra ID. Already, some synchronization features are only available when an organization adopts Cloud Sync. This leaves Forefront Identity Manager, Microsoft Identity Manager and Entra Connect Sync admins in the cold.

Is today the right day to adopt Entra Connect Cloud Sync? Find out as we explore the installation, configuration, scalability, supportability and migration options and limits. These help you make the right choices, so your synchronization efforts don’t come to a grinding halt in the coming years.

As an Entra admin, attend this session when you want to take your hybrid identity to the next level without burning bridges.


Join us!


Participation is free of charge, but don't wait too long to register because the number of participants in the Techday is limited. When registering, you can choose from the sessions offered. There is a maximum number of participants for the workshops.

During the event, photos will be taken for internal use. Don't want to be visible in the photo? Then ask for the special lanyard when you get your badge at the beginning of the RDW TechDay. This makes it visible that you don't want to be photographed.

See you on April 16 for RDW Techday 2025!


Join Tomislav Fuckar, the Bosnian Microsoft Community and me in Konjic!



I’m happy to announce that I will co-present a technical session with Tomislav Fučkar at the Microsoft Community BiH Konferencija in Konjic, Bosnia and Herzegovina.

When Tomislav Fučkar asked me how to get started presenting at events like this one, I offered to let him co-present one of the sessions that I was preparing for this calendar year. Luckily, the event organization picked our session.

About MS Community BiH Konferencija

This year’s 12th Microsoft Community BiH Konferencija event is a 2-day event, hosted at the Garden City hotel in Konjic, Bosnia and Herzegovina, on Monday April 14th, 2025, and Tuesday April 15th, 2025.

Monday April 14th is reserved for technical workshops from several local community heroes:

  • Nenad Trajkovski: A project in crisis and how to get out of it
  • Ahmad Najjar: Power Automate Jump Start: Where Automation Meets AI
  • Tomislav Lulic: Copilot for Microsoft 365 – how to prepare the environment and how to prompt

Tuesday April 15th is the conference day. It is the main day, with inspirational lectures, demonstrations of real solutions, networking with colleagues and IT professionals, and exclusive sessions with Microsoft experts like Adis Jugo, Mustafa Toroman, Damir Dizdarevic, Jelena Miodragovic and Vladimir Stefanović.

About our session

Tomislav and I will present a 45-minute session on:

Authentication Methods in Depth

Tuesday April 15, 2025, Room 2, 9:30 AM – 10:15 AM

All multi-factor authentication is more secure than single-factor authentication, but some multi-factor authentication methods are more secure than others.

We share our experiences rolling out multi-factor authentication in large organizations, how most of the people in these organizations don’t even experience multi-factor authentication as typical fidgety multi-factor authentication, and how we use the built-in features in Microsoft Entra to nudge people to use the most secure – even phishing-resistant – authentication options.

Join us!

Join us to secure your Entra future!

The agenda and registration fees at affordable prices are available at konferencija.mscommunity.ba/

See you in Konjic!


VMware Tools v 12.5.1 fixes an authentication bypass vulnerability (VMSA-2025-0005, CVE-2025-22230, CVSSv3 7.8)


This week, VMware introduced a new version of its VMware Tools for Windows. The reason for this release is an authentication bypass vulnerability.


About VMware Tools

VMware Tools is a set of services and modules that enable several features in VMware products for better management of, and seamless user interactions with, guest Operating Systems.

Although the guest operating system can run without VMware Tools, many VMware features are not available until you install VMware Tools. For example, if you do not have VMware Tools installed in your virtual machine, you cannot use the shutdown or restart options from the toolbar. You can only use the power options. VMware Tools manages time synchronization on VMware vSphere and may offer quiescence for backups.

About the vulnerability

An authentication bypass vulnerability in VMware Tools for Windows was privately reported to VMware. This vulnerability is known as CVE-2025-22230. An attacker with non-administrative privileges in the Windows guest Operating System on which VMware Tools is installed may gain the ability to perform certain high-privilege operations within that virtual machine.


Upgrading VMware Tools

To remediate CVE-2025-22230, install VMware Tools version 12.5.1, or a later version of VMware Tools, on x64 versions of Windows. Install VMware Tools version 12.4.6 on 32-bit Windows versions.

According to the VMware Tools 12.5.1 Release Notes, version 12.5.1 also incorporates a fix for the Elevation of Privilege vulnerability in Visual C++, tracked as CVE-2024-43590 and a fix for an issue in VMware Tools version 12.5.0 that caused some OpenGL applications to stop responding.

Follow these steps to upgrade VMware Tools on Windows Server-based guest Operating Systems in your vSphere environment:

  • Sign in to vCenter Server.
  • In the Inventory > Hosts and Clusters view, select the host, cluster, or datacenter and click the Virtual Machines tab.
  • Select the Windows Server-based virtual machines you want to upgrade VMware Tools on. Use Ctrl or Shift to select multiple virtual machines.
  • Right-click the selected virtual machine(s) and select Guest from the context menu. Then, click Install/Upgrade VMware Tools.
  • Complete the wizard.
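The wizard steps above are what the vSphere client offers. The following PowerCLI script is an added example, not code from the original post or from VMware: it inventories Windows guests against the fixed versions named above (12.5.1 for x64 Windows, 12.4.6 for 32-bit Windows) and then upgrades the outdated ones. It assumes the VMware.PowerCLI module is installed, that `vcenter.example.internal` is a placeholder for your vCenter, that the guest `OSFullName` string carries the bitness (for example "Microsoft Windows Server 2022 (64-bit)"), and that `Guest.ToolsVersion` is the dotted version string PowerCLI reports.

```powershell
# Added example (not from the original post): inventory Windows guests whose VMware Tools is below the
# fixed versions in VMSA-2025-0005, then upgrade them. Assumes VMware.PowerCLI; vCenter name is a placeholder.
Connect-VIServer -Server 'vcenter.example.internal' | Out-Null

function Get-VMwareToolsAdvisoryStatus {
    param([Parameter(Mandatory, ValueFromPipeline)] $VM)
    process {
        $guest = $VM.Guest
        # Guest details come from the Tools heartbeat; a powered-off VM or a guest without Tools reports nothing.
        if (-not $guest.OSFullName -or $guest.OSFullName -notmatch 'Windows') { return }

        # Assumption: OSFullName ends with "(32-bit)" or "(64-bit)"; 32-bit Windows gets 12.4.6, x64 gets 12.5.1.
        $required = if ($guest.OSFullName -match '32-bit') { [version]'12.4.6' } else { [version]'12.5.1' }

        # Assumption: ToolsVersion is a dotted string such as "12.5.0". Anything unparseable is flagged for review.
        $current = $null
        $parsed = [version]::TryParse([string]$guest.ToolsVersion, [ref]$current)
        $versionText = if ($parsed) { $current.ToString() } else { 'unknown' }

        [pscustomobject]@{
            VM           = $VM
            Name         = $VM.Name
            OS           = $guest.OSFullName
            ToolsVersion = $versionText
            Required     = $required.ToString()
            NeedsUpgrade = (-not $parsed) -or ($current -lt $required)
        }
    }
}

# Report first. Domain Controllers and Remote Desktop servers show up here like any other guest,
# so this is the list to reconcile against the "essential to the organization" set.
$status = Get-VM | Get-VMwareToolsAdvisoryStatus
$status | Where-Object NeedsUpgrade | Select-Object Name, OS, ToolsVersion, Required | Format-Table -AutoSize

# Then upgrade the guests that reported a parseable, outdated version. -NoReboot leaves the reboot to your
# maintenance window, which matters for Domain Controllers. Review the report before uncommenting this line.
# $status | Where-Object { $_.NeedsUpgrade -and $_.ToolsVersion -ne 'unknown' } |
#     ForEach-Object { Update-Tools -VM $_.VM -NoReboot }
```

Guests whose Tools version cannot be parsed (or that report no guest details at all because they are powered off or have no Tools) are deliberately kept out of the automated upgrade and left for manual follow-up, since a silent skip is how the Domain Controller you cared about ends up unpatched.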


Concluding

The authentication bypass vulnerability in VMware Tools makes it clear that VMware Tools should be upgraded on all Windows and Windows Server installations that are essential to the organization. This includes (read-only) Domain Controllers and Remote Desktop servers.

Further reading

VMware Tools v 11.3 fixes a Denial of Service vulnerability (VMSA-2021-0011)
KnowledgeBase: VMware Tools Quiescence corrupts Active Directory backups
VMware vSphere 7.0 Update 1 introduces an interface for advanced time configuration
Managing Active Directory Time Synchronization on VMware vSphere
Installing and upgrading VMware Tools in vSphere (2004754)


From the field: Three gotchas when migrating applications from AD FS to Entra



As a professional, I like to prepare my projects to avoid any hiccups during stressful moments: from reading up on the relevant Microsoft Docs and implementing a staging environment to define run and rollback changes, to triple-checking my assumptions.

Recently, I have been involved in several projects for decommissioning Active Directory Federation Services (AD FS). Staged rollout is a feature that helps migrate the user population from AD FS to managed authentication granularly. Other federated applications, services and platforms don't offer this kind of functionality and require the entire population to be changed from authenticating to AD FS to authenticating to Entra. This cutover moment can be stressful, and a lot of things can go wrong. Therefore, I'm sharing three gotchas when migrating applications from AD FS to Entra.


1. Applications may use a federated protocol that is not available in Entra

Some AD FS implementations have a lot of applications, and sometimes these applications use legacy protocols. It's no longer a problem when an application uses WS-Fed, SAML 1.0, or SAML 1.1, as these legacy protocols and versions are all supported by Entra. However, one particular federation protocol was never implemented in Entra: Shibboleth. This protocol was – and still is – primarily used for multilateral federation between universities and research facilities.

Microsoft offers three solutions for organizations:

  1. Microsoft Entra ID with Cirrus Bridge
  2. Microsoft Entra ID with Shibboleth as a SAML proxy
  3. Microsoft Entra ID with AD FS and Shibboleth

All these solutions respect Shibboleth as the federation protocol in use, but all of them also require the AD FS implementation or other on-premises functionality to be maintained. Mostly, the purpose of an AD FS migration project is to decommission on-premises functionality… Therefore, migrating to Entra External ID may be the best long-term solution, but this is going to take some time to architect, implement and perfect… while AD FS keeps running all the while…


2. Applications may use an outdated attribute for Name ID

When you've been working with Entra, you've become very familiar with the userPrincipalName attribute as the sign-in account towards most Entra-connected applications, services and platforms. When the primary user email address and userPrincipalName attributes match, people in your organization only need to remember one sign-in name.

However, in the early days of AD FS, the userPrincipalName wasn't as widely used as the globally unique user name it is considered to be today. In older Active Directory environments, it's even possible to spot accounts with empty userPrincipalName attributes. These environments rely on other attributes, typically the sAMAccountName attribute. Yes, in the Active Directory tooling, this attribute is referred to as the pre-Windows 2000 user name.

These outdated configurations in AD FS may prove cumbersome during the migration from AD FS to Entra, as the default application settings for multi-tenant applications configure the userPrincipalName as the sign-in attribute.

From a user perspective, nothing seems wrong, as AD FS performs its single sign-on magic with Active Directory in the same way. However, in the back-end of the AD FS-integrated application, service or platform, records for user accounts would have settings, profiles, permissions and history linked to a user table with sAMAccountName values. Oftentimes, the sAMAccountName attribute is then appended with the organization's public DNS domain name.

When this is not addressed, switching the Name ID attribute from sAMAccountName (in Entra: user.onpremisessamaccountname) to userPrincipalName (in Entra: user.userprincipalname) through these default settings creates brand-new user records in the back-end for everyone, typically without the right settings, permissions, etc.

To avoid this, the back-end of the AD FS-integrated application should be converted from keying its user table on sAMAccountName to keying it on userPrincipalName as the Name ID. Depending on the vendor and contracts, this could easily add months to your AD FS migration project…

Avoid this situation by going through the claims issuance rules of all AD FS-integrated applications, services and platforms before the migration starts, and make sure none of them issue sAMAccountName as the Name ID.
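The audit described above, as an added example that is not part of the original post: it scans the IssuanceTransformRules of every AD FS relying party trust for rules that issue the Name ID (nameidentifier) claim from sAMAccountName, either through an LDAP store query or by passing the windowsaccountname claim through. The ADFS module cmdlets are real; the rule text in $sampleRules is constructed for demonstration, and the rule parser is a simplification (a quoted `);` inside an issue clause is not handled).

```powershell
# Added example (not the original author's code): find AD FS relying party trusts whose claims
# issuance rules issue the Name ID from sAMAccountName (or its windowsaccountname form).
# Assumptions: the live scan runs on an AD FS server with the ADFS PowerShell module; the sample
# rule text below is constructed for demonstration and not taken from any real environment.

$NameIdType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'

function Find-SamNameIdRule {
    param(
        [Parameter(Mandatory)][string]$TrustName,
        [AllowEmptyString()][string]$RuleText   # contents of IssuanceTransformRules
    )
    if ([string]::IsNullOrWhiteSpace($RuleText)) { return }

    # One claim rule = optional @RuleTemplate/@RuleName lines, a condition, '=>' and an
    # issue(...)/add(...) clause terminated by ';'. A quoted ')' inside the clause is not handled.
    $rules = [regex]::Matches($RuleText, '(?s)(?:@[^\r\n]*\r?\n)*.*?=>\s*(?:issue|add)\s*\(.*?\);')

    foreach ($rule in $rules) {
        $text = $rule.Value
        if ($text -notmatch [regex]::Escape($NameIdType)) { continue }   # not a Name ID rule

        # Legacy source 1: LDAP store rule whose attribute list contains sAMAccountName
        $ldapSam = $text -match 'query\s*=\s*"[^"]*\bsAMAccountName\b'
        # Legacy source 2: transform rule that re-issues the windowsaccountname value (DOMAIN\user),
        # with or without a suffix such as + "@example.com", without an LDAP lookup
        $passThrough = ($text -notmatch 'store\s*=') -and ($text -match 'windowsaccountname')

        if ($ldapSam -or $passThrough) {
            $ruleName = if ($text -match '@RuleName\s*=\s*"([^"]*)"') { $Matches[1] } else { '(unnamed)' }
            [pscustomobject]@{
                RelyingParty = $TrustName
                RuleName     = $ruleName
                Source       = if ($ldapSam) { 'LDAP sAMAccountName' } else { 'windowsaccountname pass-through' }
                Rule         = ($text -replace '\s+', ' ').Trim()
            }
        }
    }
}

# Constructed sample rule set: rule 1 issues Name ID from sAMAccountName (must be flagged),
# rule 2 issues Name ID from userPrincipalName (fine), rule 3 issues a plain UPN claim (not a Name ID).
$sampleRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Legacy NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
@RuleName = "UPN as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
@RuleName = "UPN claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN"), query = ";userPrincipalName;{0}", param = c.Value);
'@

Find-SamNameIdRule -TrustName 'Sample App' -RuleText $sampleRules | Format-List   # flags "Legacy NameID" only

# Live scan across every relying party trust (AD FS server, elevated PowerShell)
if (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue) {
    Get-AdfsRelyingPartyTrust |
        ForEach-Object { Find-SamNameIdRule -TrustName $_.Name -RuleText $_.IssuanceTransformRules } |
        Format-Table RelyingParty, RuleName, Source -AutoSize
}
```

Treat the hits as a review list rather than a verdict: a rule that matches on windowsaccountname but issues the Name ID from a second, UPN-based claim will show up as a pass-through and has to be read by hand. Every application that remains on the list needs its back-end user table converted, or a matching claim (user.onpremisessamaccountname) configured on the Entra side, before its cut-over date.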

 

3. User assignment does not support group nesting

In Entra, it is a recommended practice to set the User assignment required setting of enterprise applications to Yes. With this setting, only user accounts that are assigned to the application, directly or through an assigned group, can sign in to it; access is granted by assigning specific groups to the application.

However, application assignment only honors direct group membership: members of a group that is nested inside an assigned group are not considered assigned. In AD FS, group nesting was never a problem in claims issuance rules, so group nesting may suddenly become an issue when migrating an application, service and/or platform from AD FS to Entra.

The only thing that can be done is flattening the group memberships by adding the members of each nested group directly to the assigned group. This takes time, so it's inconvenient to be confronted with it during the actual application migration. Address this issue before migrating the application, service or platform from AD FS to Entra.
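The flattening step described above, as an added example that is not part of the original post: it computes the users that are reachable through nesting but are not yet direct members of the assigned group, with a guard against membership cycles, and then applies the result with the ActiveDirectory module. The ActiveDirectory cmdlets are real; the group names and the membership map in $sample are constructed for demonstration, and the live part assumes the group is mastered in Active Directory and synchronized to Entra.

```powershell
# Added example (not the original author's code): flatten nested group membership before migrating
# an application from AD FS to Entra, because Entra application assignment honors only direct
# membership of the assigned group. Assumptions: the live part needs the ActiveDirectory (RSAT)
# module and rights to read and modify the groups; $sample is a constructed membership map.

function Get-TransitiveUsers {
    # Walk nested groups depth-first and return every non-group member. $Seen guards against
    # membership cycles (A contains B, B contains A), which Active Directory permits.
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][hashtable]$Members,   # group name -> @([pscustomobject]@{ Name; Class })
        [System.Collections.Generic.HashSet[string]]$Seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    )
    if (-not $Seen.Add($Group)) { return @() }
    $users = foreach ($m in $Members[$Group]) {
        if ($m.Class -eq 'group') { Get-TransitiveUsers -Group $m.Name -Members $Members -Seen $Seen }
        else { $m.Name }
    }
    return @($users | Sort-Object -Unique)
}

function Get-FlatteningPlan {
    # Users reachable through nesting that are not yet direct members of $Group
    param([Parameter(Mandatory)][string]$Group, [Parameter(Mandatory)][hashtable]$Members)
    $direct = @($Members[$Group] | Where-Object Class -ne 'group' | ForEach-Object Name)
    $nested = @($Members[$Group] | Where-Object Class -eq 'group' | ForEach-Object Name)
    $all    = Get-TransitiveUsers -Group $Group -Members $Members
    [pscustomobject]@{
        Group        = $Group
        NestedGroups = $nested
        UsersToAdd   = @($all | Where-Object { $_ -notin $direct })
    }
}

# Constructed sample: App-Users nests Finance, Finance nests Finance-Leads, which nests App-Users again
$sample = @{
    'App-Users'     = @([pscustomobject]@{ Name = 'alice'; Class = 'user' },
                        [pscustomobject]@{ Name = 'Finance'; Class = 'group' })
    'Finance'       = @([pscustomobject]@{ Name = 'bob'; Class = 'user' },
                        [pscustomobject]@{ Name = 'Finance-Leads'; Class = 'group' })
    'Finance-Leads' = @([pscustomobject]@{ Name = 'carol'; Class = 'user' },
                        [pscustomobject]@{ Name = 'App-Users'; Class = 'group' })
}
Get-FlatteningPlan -Group 'App-Users' -Members $sample   # UsersToAdd: bob, carol (alice is already direct)

function Get-AdMembershipMap {
    # Build the same map from Active Directory, breadth-first from the assigned group
    param([Parameter(Mandatory)][string]$Group)
    $map = @{}
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($Group)
    while ($queue.Count -gt 0) {
        $g = $queue.Dequeue()
        if ($map.ContainsKey($g)) { continue }
        $map[$g] = @(Get-ADGroupMember -Identity $g | ForEach-Object {
            [pscustomobject]@{ Name = $_.SamAccountName; Class = $_.objectClass }
        })
        $map[$g] | Where-Object Class -eq 'group' | ForEach-Object { $queue.Enqueue($_.Name) }
    }
    return $map
}

# Live run on a domain-joined admin workstation; drop -WhatIf to commit the change
if (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue) {
    $plan = Get-FlatteningPlan -Group 'App-Users' -Members (Get-AdMembershipMap -Group 'App-Users')
    if ($plan.UsersToAdd.Count -gt 0) {
        Add-ADGroupMember -Identity $plan.Group -Members $plan.UsersToAdd -WhatIf
    }
}
```

Two practical notes: Get-ADGroupMember refuses groups with more than 5000 members under the default Active Directory Web Services limit, so very large groups need a different enumeration path; and flattening is a snapshot, so either remove the nested groups afterwards or re-run the plan on a schedule until the application is cut over, otherwise new members of a nested group silently lose access.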


What’s New in Entra ID in February 2025

Reading Time: 3 minutes

Microsoft Entra

Microsoft Entra ID, previously known as Azure AD, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and in the Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for February 2025:

 

What's New

Authentication methods migration wizard Generally Available

Service category: MFA
Product capability: User Authentication

The authentication methods migration guide in the Microsoft Entra admin center lets admins migrate method management automatically from the legacy MFA and SSPR policies to the converged authentication methods policy. In 2023, Microsoft announced that the ability to manage authentication methods in the legacy MFA and SSPR policies would be retired in September 2025. Until now, organizations had to migrate methods manually by using the migration toggle in the converged policy.

Now, admins can migrate in just a few selections by using the migration guide. The guide evaluates what the organization currently has enabled in both legacy policies, and generates a recommended converged policy configuration for you to review and edit as needed. From there, admins confirm the configuration, and the platform sets it up and marks the migration as complete.

 

Granular Microsoft Graph permissions for Lifecycle workflows Generally Available

Service category: Lifecycle Workflows
Product capability: Identity Governance

New, lesser-privileged permissions can now be used for specific read and write actions in Lifecycle Workflows scenarios. The following granular permissions were introduced in Microsoft Graph:

  • LifecycleWorkflows-Workflow.ReadBasic.All
  • LifecycleWorkflows-Workflow.Read.All
  • LifecycleWorkflows-Workflow.ReadWrite.All
  • LifecycleWorkflows-Workflow.Activate
  • LifecycleWorkflows-Reports.Read.All
  • LifecycleWorkflows-CustomExt.Read.All
  • LifecycleWorkflows-CustomExt.ReadWrite.All

 

Enhanced user management in Admin Center Public Preview

Service category: User Management
Product capability: User Management

Admins can now multi-select user accounts and edit them at once in the Microsoft Entra admin center. With this new capability, admins can bulk edit user account properties, add user accounts to groups, edit account status, and more. This user experience enhancement significantly improves efficiency for user account management tasks in the Microsoft Entra admin center.

 

QR code authentication, a simple and fast authentication method for Frontline Workers Public Preview

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft announced the public preview of QR code authentication in Microsoft Entra ID, providing an efficient and simple authentication method for frontline workers.

You'll see a new authentication method, QR code, in the Microsoft Entra ID authentication methods policy. Admins can enable and add QR codes for frontline workers via Microsoft Entra ID, My Staff, or the Microsoft Graph APIs. All user accounts in the tenant see a new link, Sign in with QR code, when navigating to https://login.microsoftonline.com > Sign-in options > Sign in to an organization. This new link is visible only on mobile devices running Android, iOS or iPadOS. People can use this authentication method only if admins add and provide a QR code to them. QR code authentication is also available in BlueFletch and Jamf. Managed Home Screen (MHS) QR code authentication support will be generally available by early March.

 

External Authentication Methods support for system preferred MFA Public Preview

Support for external authentication methods in system-preferred MFA begins rolling out at the beginning of March 2025. When this is live in a tenant where system-preferred MFA is enabled and user accounts are in scope of an external authentication methods policy, these people are prompted for their external authentication method if their most secure registered method is a Microsoft Authenticator notification; the external authentication method ranks third in the list of most secure methods. If the person has a Temporary Access Pass (TAP) or a passkey (FIDO2) registered, they're prompted for those instead. In addition, people in the scope of an external authentication methods policy can delete all registered second-factor methods from their account, even if the method being deleted is their default sign-in method or the system-preferred one.

 

Custom SAML/WS-Fed External Identity Provider Support in Microsoft Entra External ID Public Preview

Service category: B2C – Consumer Identity Management
Product capability: B2B/B2C

By setting up federation with a custom-configured identity provider that supports the SAML 2.0 or WS-Fed protocol, admins enable people to sign up for and sign in to applications, systems and services using existing accounts from the federated external provider.

This feature also includes domain-based federation: a person who enters an email address on the sign-in page whose domain matches a predefined domain of one of the external identity providers is redirected to authenticate with that identity provider.

 


Happy 25th Birthday, Active Directory!

Reading Time: < 1 minute

[Image: 25-year birthday cake]

Today, the DirTeam.com / ActiveDir.org Weblogs celebrate the 25-year anniversary of Active Directory Domain Services as a released product.

 

Windows 2000 Server

The introduction of Active Directory to the world was part of the release of Windows 2000 Server on February 17, 2000.
