Microsoft Entra on justinverstijnen.nl

Get notifications when Entra ID break glass admins are used

Sun, 08 Mar 2026 00:00:00 +0000

The alert solution described

The solution we will configure looks like this:

Log Analytics Workspace
Set diagnostic settings for Entra ID sign in logs to write to Log Analytics
Set query to find successful or non-succesful sign in attempts (based on your needs)
Set Azure Monitor alert to alert admins of the attempts taking place
After all this we will test this to test if this works as excpected

Here we use all the features inside Azure only, and no 3rd party solutions.

How to properly secure Break Glass Accounts in your Entra ID

Sun, 01 Mar 2026 00:00:00 +0000

List of recommendations

The list of recommendations which I will describe further:

Have at least 2 accounts
Have the accounts cloud only -> not synced from Active Directory
Use the .onmicrosoft.com domain and no license
Exclude from all Conditional Access policies
Do not use licenses on Administrator accounts
Passwords must be at least 64 and max 256 characters
Avoid “break glass admin” or any tip to a high privileged account
Register FIDO2 key for the account
Setup Monitoring for login alerts
Test the accounts twice per year

1: Have at least 2 accounts with Global Administrator permissions

Very important to have at least 2 accounts (with a maximum of 4) with Global Administrator permissions. Most of the time, we will limit the amount of privileges but we need to have at least 2 accounts with those permissions.

Solved - ADSync service stopped (Entra Connect Sync)

Mon, 06 Oct 2025 00:00:00 +0000

Sometimes, the ADSync service stops without further notice. You will see that the service has been stopped in the Services panel:

In this guide I will explain how I solved this problem using a simple PowerShell script.

The Check ADSync script

The PowerShell script that fixes this problem is on my GitHub page:

Download script from GitHub

The script simply checks if the service is running, if this is the case the script will be terminated. If the service is not running, the service will be started.

Match AD users using Entra Connect Sync and MSGraph

Mon, 18 Aug 2025 00:00:00 +0000

The difference between soft and hard matching

Most of the time the system itself will match the users automatically using soft-matching. Here the service will be matching users in both Entra ID and Active Directory by using known attributes like UserPrincipalName and ProxyAddresses.

In some cases, especially when you use different Active Directory and Entra ID domains, we need to give the final tip to Entra ID to match and AD user to an Entra ID users. We will tell Entra ID what the GUID of the on-premises user is by getting that value and encode it into Base64. Then we pass Entra ID this value so it understands what local user to link with what cloud user. This process is called “hard-matching”, as we have to do this by hand or by scripting.

Implement Certificate-based authentication for Entra ID scripts

Sun, 13 Jul 2025 00:00:00 +0000

Requirements

Around 20 minutes of your time
An Entra ID environment if you want to test this
A prepared Entra ID app registration
A server or workstation running Windows to do the connection to Entra ID
Some basic knowledge about Entra ID and certificates

How does these certificates work?

Certificate based authentication means that we can authenticate ourselves to Entra ID using a certificate instead of user credentials or a password in plain text. When using some automated scripts it needs permissions to perform its actions but this means storing some sort of authentication. We don’t want to store our credentials on the server as this decreases our security and a potential risk of compromise.

Audit your Entra ID user role assignments

Tue, 01 Jul 2025 00:00:00 +0000

Requirements

Microsoft Graph PowerShell module
Entra P2 or Governance license for PIM
- Only required for fetching PIM specific data. Script can run without licenses.

Entra ID User role assignments script

To start off with the fast pass, my script can be downloaded here from my Github page:

Download script from GitHub

Using the Entra ID User role assignments script

I have already downloaded the script, and have it ready to execute:

Audit your privileged Entra ID applications

Wed, 25 Jun 2025 00:00:00 +0000

Entra ID Privileged Applications report script

To start off with the fast pass, my script can be downloaded here from my Github page:

Download script from GitHub

This script can be used to get a report of all high privileged applications across the tenant. Go to this section for instructions of how to use the script and the output.

What are Enterprise Applications?

Enterprise Applications in Entra ID are the applications which will be registered when users need them. Somethimes, it can be for a add-on of Outlook or Teams, but other times this can be to enable Single Sign On to 3rd party applications.

The Zero Trust-model

Mon, 25 Nov 2024 00:00:00 +0000

The Zero Trust model is a security model to enhance your security posture by using 3 basic principles, and segmenting aspects of your IT environment into pillars.

The 3 primary principles are:

Verify Explicitly
Least privileged access
Assume Breach

At first, those terms seem very unclear to me. To further clarify the principles, i have added some practice examples to further understand what they mean:


Principle	Outcomes
Verify Explicity	Ensure people are really who they say they are Audit every login attempt from specific users Audit login attempts Block access from non-approved countries
Least privileged access	Assign users only the permissions they need, not more Assign only the roles when they need them using PIM Use custom roles when default roles expose too much permissions
Assume breach	At every level, think about possible breaches Segment your network Password-based authentication only is too weak

The model is the best illustrated like this:

How to solve DeletingCloudOnlyObjectNotAllowed error Entra Connect Sync

Mon, 30 Sep 2024 00:00:00 +0000

Now and then we come across a problem with Entra Connect Sync which states “DeletingCloudOnlyObjectNotAllowed”. This error looks like this:

This error will be shown if opening the Syncronization Service and email messages of this error will aso be sent to your tenant’s technical contact.

In this guide, I will explain the cause of this problem and the options to solve the issue.

Cause of this problem

The cause of this problem is mostly an object that is first created cloud-only and then created in Active Directory, or a user that was synced previously but is deselected or deleted. Entra Connect Sync will not match the users correctly, and a the ImmutableId of the user in Entra still exists. In short; it still wants to sync a user that not exists.

Dynamic group for access to Windows 365

Fri, 01 Dec 2023 00:00:00 +0000

Requirements

Azure AD/Entra ID/Microsoft Graph Powershell module
- https://learn.microsoft.com/nl-nl/powershell/module/azuread/?view=azureadps-2.0
10 minutes of your time

What are Dynamic Groups?

The Dynamic Groups feature of Microsoft Entra is a great tool for auto-managing members of a group based on a single rule or collection of rules. Some examples of using dynamic groups:

Group for all users with the department “Office”
Group for all users with or without a specific attribute
Group for all users with a specific license assigned

Dynamic group don’t need any manual assignment or un-assignment. Instead of that, members will be automatically added based on the rules. Great feature for automation purposes!