From the field: You receive error ‘AADSTS9090561 The endpoint only accepts POST requests. Received a GET request’ when signing in


Sometimes, you hit error messages that are just too vague to troubleshoot. I like these kinds of situations. I’ve hit errors before and their origins were always interesting.

Let’s see what caused the error ‘AADSTS9090561 The endpoint only accepts POST requests. Received a GET request’ when signing in this time.


The situation

An organization is actively decommissioning Active Directory Federation Services (AD FS). Today, all employees sign in through the organization’s AD FS implementation, but they are scheduled to move to managed authentication in Microsoft Entra ID, based on password hash synchronization (PHS).

In Entra Connect Sync, Password Hash Synchronization had been enabled quite a while ago. During regular checks throughout the project, no errors were detected in Microsoft Entra Connect Health or in Entra Connect Sync’s Synchronization Service Manager interface.

Staged Rollout was enabled in Microsoft Entra ID with a dedicated group. Throughout the project, accounts would be added to that group to switch their sign-in method from AD FS to PHS.


The issue

After the first account is added to the group for Staged Rollout, the person can no longer sign in with the account. The error message is:

AADSTS9090561 The endpoint only accepts POST requests. Received a GET request


The cause

When troubleshooting, we checked Entra Connect Sync’s Synchronization Service Manager interface. Here, we found that all accounts in scope for synchronization were showing permissions errors.

Digging into these errors, it turned out that Entra Connect Sync’s Active Directory connector account had been stripped of all delegated permissions in Active Directory. All that remained was its default membership of Domain Users.

As a result, Entra Connect Sync could no longer perform Password Hash Sync: for that purpose, the Active Directory connector account requires the Replicate Directory Changes and Replicate Directory Changes All permissions on the domain naming context. (These are the same replication rights that make the connector account a high-value target, so they should be granted to this account only.)
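Before re-delegating (and again afterwards), it is worth confirming whether the connector account actually holds these two rights on the domain naming context. The following PowerShell is an added example, not code from the original post: it assumes the ActiveDirectory module is available on the machine it runs on, uses a placeholder connector account DN, and only expands the account’s direct group memberships, not nested groups.

```powershell
# Added example: check whether the Entra Connect Sync AD connector account holds the
# replication rights that password hash synchronization needs. Not from the original post.
# Assumes the ActiveDirectory module; the DN below is a placeholder.
Import-Module ActiveDirectory

$connectorAccountDN = 'CN=AD Connector account,CN=Users,DC=domain,DC=tld'   # placeholder

# Well-known extended-right GUIDs (controlAccessRight objects in the schema)
$requiredRights = [ordered]@{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

function Test-ADSyncReplicationRights {
    param([string]$AccountDN)

    $account  = Get-ADUser -Identity $AccountDN
    $domainDN = (Get-ADDomain).DistinguishedName

    # The account itself plus its direct group memberships: a right granted to a
    # group the account belongs to counts as well. Nested groups are not expanded.
    $sidValues = @($account.SID.Value) +
                 @(Get-ADPrincipalGroupMembership -Identity $account | ForEach-Object { $_.SID.Value })

    # Replication rights are delegated on the domain naming context itself
    $aces = (Get-Acl -Path "AD:\$domainDN").Access | Where-Object {
        $ref = $_.IdentityReference
        try {
            $refSid = if ($ref -is [System.Security.Principal.SecurityIdentifier]) { $ref } else { $ref.Translate([System.Security.Principal.SecurityIdentifier]) }
            $sidValues -contains $refSid.Value
        } catch { $false }   # orphaned SIDs that no longer resolve
    }

    $result = [ordered]@{}
    foreach ($name in $requiredRights.Keys) {
        $guid = $requiredRights[$name]
        # GenericAll, ExtendedRight on "all extended rights" (empty GUID), or the specific right
        $granted = [bool]($aces | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                 ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $guid))
            )
        })
        $result[$name] = $granted
    }
    return $result
}

$rights = Test-ADSyncReplicationRights -AccountDN $connectorAccountDN
$rights.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'granted' } else { 'MISSING' })
}
if ($rights.Values -contains $false) {
    Write-Warning 'Password Hash Sync will keep failing until the missing rights are delegated.'
}
```

Run it as a user who can read the domain’s security descriptor. Both rights reported as MISSING is exactly the state described above; both granted after running the solution below is what you want to see before adding the next account to the Staged Rollout group.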


The solution

On the Windows Server installation with Entra Connect Sync, we used the cmdlets in the ADSyncConfig PowerShell module to delegate the appropriate permissions again and to lock down the connector account object:

# Run on the Entra Connect Sync server, in an elevated PowerShell session.
# $useraccount is the DN of the Active Directory connector account.
$useraccount = 'CN=AD Connector account,CN=users,DC=domain,DC=tld'

# Domain Admin (or equivalent) credentials; Set-ADSyncRestrictedPermissions requires them.
$credential = Get-Credential

Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'

# Delegate the permissions each feature needs on the domain (or OU) objects
Set-ADSyncBasicReadPermissions -ADConnectorAccountDN $useraccount
Set-ADSyncExchangeHybridPermissions -ADConnectorAccountDN $useraccount
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountDN $useraccount
Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountDN $useraccount   # Replicate Directory Changes (All)
Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountDN $useraccount

# Last: tighten the ACL on the connector account object itself
Set-ADSyncRestrictedPermissions -ADConnectorAccountDN $useraccount -Credential $credential


Alternatively, you can use the fine-grained approach to delegating permissions laid out here, or use Michael Waterman's PowerShell alternative to it.


Concluding

Apparently, someone had been helping the project along by cleaning up the permissions of Entra Connect Sync’s Active Directory connector account. Unfortunately, this change came too early: as long as Entra Connect Sync performs password hash synchronization, the connector account needs these permissions, so we had to reverse it…
