Microsoft Entra on justinverstijnen.nl

Get notifications when Entra ID break glass admins are used

Sun, 08 Mar 2026 00:00:00 +0000

As we want to secure our Break Glass Accounts as good as possible, we cloud want to get alerts when break glass admins are used to login. Maybe they are used on a daily basis, or are being attacked. When we configure notifications, we instantly know when the accounts are being used and can check why a login has taken place.

In this guide we will configure this without Microsoft Sentinel. If you already have a Sentinel workspace, the recommended action is to configure it there and to configure a automation rule/playbook.

How to properly secure Break Glass Accounts in your Entra ID

Sun, 01 Mar 2026 00:00:00 +0000

In our environment, we will do everything to secure it as much as possible. We give users only the permissions they need and only at given times, we enable Conditional Access to limit access to our data as much as possible.

But we also create Break Glass administrator accounts as our last resort, a method to login if everything else doesn’t work. Security wise, this sounds against all rules but we prefer a account to login in emergency situations over a complete tenant lockout.

Solved - ADSync service stopped (Entra Connect Sync)

Mon, 06 Oct 2025 00:00:00 +0000

Sometimes, the ADSync service stops without further notice. You will see that the service has been stopped in the Services panel:

In this guide I will explain how I solved this problem using a simple PowerShell script.

The Check ADSync script

The PowerShell script that fixes this problem is on my GitHub page:

Download PowerShell script

The script simply checks if the service is running, if this is the case the script will be terminated. If the service is not running, the service will be started.

Match AD users using Entra Connect Sync and MSGraph

Mon, 18 Aug 2025 00:00:00 +0000

Sometimes, it is necessary to match an existing local Active Directory (AD) user through Entra Connect with an existing Entra ID user (formerly known as Azure AD). This process ensures that the account in both environments is aligned and maintains the same underlying configurations and settings across systems.

What is soft-matching?

Most of the time the system itself will match the users automatically using soft-matching. Here the service will be matching users in both Entra ID and Active Directory by using known attributes like UserPrincipalName and ProxyAddresses.

Implement Certificate-based authentication for Entra ID scripts

Sun, 13 Jul 2025 00:00:00 +0000

When using Entra ID, we can automate a lot of different tasks. We can use a script processing server for this task but doing that normally means we have to save credentials or secrets in our scripts. Something we don’t want.

Today I will show how to implement certificate-based authentication for App Registrations instead of using a client secret (which still feels like a password).

Requirements

Around 20 minutes of your time
An Entra ID environment if you want to test this
A prepared Entra ID app registration
A server or workstation running Windows to do the connection to Entra ID
Some basic knowledge about Entra ID and certificates

How does these certificates work?

Certificate based authentication means that we can authenticate ourselves to Entra ID using a certificate instead of user credentials or a password in plain text. When using some automated scripts it needs permissions to perform its actions but this means storing some sort of authentication. We don’t want to store our credentials on the server as this decreases our security and a potential risk of compromise.

Audit your Entra ID user role assignments

Tue, 01 Jul 2025 00:00:00 +0000

Today I have a relatively short blog post. I have created a script that exports all Entra ID user role assignments with Microsoft Graph. This can come in handy when auditing your users, but then realizing the portals doesn’t always show you the information in the most efficient way.

Therefore, I have created a script that only gets all Entra ID role assignments to users of every role and exports it to a nice and readable CSV file.

Audit your privileged Entra ID applications

Wed, 25 Jun 2025 00:00:00 +0000

In Microsoft Entra ID it’s possible to create App registrations and Enterprise applications who can get high privileges if not managed and monitored regularly. We do our best with Identities to be secure, with security processes like MFA, access reviews and such, but most of the companies don’t care that much about the Enterprise applications.

In this post, I will try to convince you that this is as much as important as identities. For helping you to solve this I built a PowerShell script to get a complete overview of all the applications and their permissions.

The Zero Trust-model

Mon, 25 Nov 2024 00:00:00 +0000

The Zero Trust model is a security model to enhance your security posture by using 3 basic principles, and segmenting aspects of your IT environment into pillars.

The 3 primary principles are:

Verify Explicitly
Least privileged access
Assume Breach

At first, those terms seem very unclear to me. To further clarify the principles, i have added some practice examples to further understand what they mean:


Principle	Outcomes
Verify Explicity	Ensure people are really who they say they are Audit every login attempt from specific users Audit login attempts Block access from non-approved countries
Least privileged access	Assign users only the permissions they need, not more Assign only the roles when they need them using PIM Use custom roles when default roles expose too much permissions
Assume breach	At every level, think about possible breaches Segment your network Password-based authentication only is too weak

The model is the best illustrated like this:

How to solve DeletingCloudOnlyObjectNotAllowed error Entra Connect Sync

Mon, 30 Sep 2024 00:00:00 +0000

Now and then we come across a problem with Entra Connect Sync which states “DeletingCloudOnlyObjectNotAllowed”. This error looks like this:

This error will be shown if opening the Syncronization Service and email messages of this error will aso be sent to your tenant’s technical contact.

In this guide, I will explain the cause of this problem and the options to solve the issue.

Cause of this problem

The cause of this problem is mostly an object that is first created cloud-only and then created in Active Directory, or a user that was synced previously but is deselected or deleted. Entra Connect Sync will not match the users correctly, and a the ImmutableId of the user in Entra still exists. In short; it still wants to sync a user that not exists.

Dynamic group for access to Windows 365

Fri, 01 Dec 2023 00:00:00 +0000

When using Windows 365 in your organization, the deployment is very easy to do. When it comes to adding more users to the service, it can be much manual clicks to reach your goal. My advice is to leverage the Dynamic Group feature of Microsoft Entra.

Requirements

Azure AD/Entra ID/Microsoft Graph Powershell module
- https://learn.microsoft.com/nl-nl/powershell/module/azuread/?view=azureadps-2.0
10 minutes of your time

What are Dynamic Groups?

The Dynamic Groups feature of Microsoft Entra is a great tool for auto-managing members of a group based on a single rule or collection of rules. Some examples of using dynamic groups: