What's new in Adaxes 2025.1

Sometimes, you must take one step back before you can leap forward. This release is the result of such a leap. We've rebuilt a lot from the ground up, making Adaxes more modern, powerful, and secure.

The web interface has been completely reimagined, bringing new capabilities and a fresh look. PowerShell 7 support is also on the table, paving the way forward to a variety of automation workflows which were previously impossible. And with deeper integrations, security improvements, and quality-of-life enhancements across the board, Adaxes is now better than ever.

Brace yourselves, this will be a long read.

New web interface

This release takes the Adaxes web interface to the next level. We have kept the original concept but added a lot of utility and convenience features for a butter-smooth user experience. Together with the updated style, it feels like a brand new application.

We won't go over the obvious visual changes – you'll notice those right away. Instead, let's focus on the features that truly enhance how you work with Adaxes.

Sidebar browsing

Navigating your managed domains is now faster than ever. The new sidebar lets you browse and manage your directory with ease, always keeping the tree in your peripheral vision.

Of course, all the browsing restrictions you have configured apply to the sidebar. Instead of displaying your entire directory, you can display business units or several organizational units that your users can browse from.

Wait, several? You read that right.

Multiple top level nodes

Adaxes now lets you configure multiple top level nodes for browsing, giving you more flexibility in how you structure your directory view. No more being tied to a single root – display your directory structure in the way that works best for you and your users.

You can restrict the top level nodes for the entire web interface, and you can granularly configure top level nodes in every action that allows users to select objects.

For details on how to configure top level nodes, have a look at this tutorial.

Undo and retry

Everyone makes mistakes, but now fixing them is effortless. After almost every action, you have an option to undo changes or retry if you encounter an error.

Whether it's erasing values from fields, accidentally clearing out your favorites, adding the wrong group members, or even deleting objects, you can always fix an honest mistake on the spot.

User-friendly captcha

We firmly believe that proving you're human shouldn't feel like a challenge. Adaxes now uses a proof-of-work-based friendly CAPTCHA, eliminating the frustration of deciphering squiggly text.

Some of you might have disabled captcha because of how intrusive it was... Well, now you can enable it back for an extra layer of brute force protection. For details on how to do it, have a look at this tutorial.

On a side note, CAPTCHA for self-service password reset now uses the same mechanism, so make sure to check your configured password self-service policies and switch it on should you need to.

Forced password self-service enrollment

You can now make password self-service enrollment mandatory to ensure users don't postpone it until they eventually forget their password. With this feature enabled, users must enroll before they can access the web interface, no way around it.

For information on how to enforce password self-service enrollment, have a look at this help article.

Convenience features

Small touches can make a big difference. There's now a snackbar that appears after every move and provides immediate feedback. The filtering capability is now everywhere – whether you're browsing the directory, executing operations, or configuring the web interface. These are only a tiny part of what was added.

Here's an overview of the new convenience features that stand out the most.

Search history

Finding what you need just got easier. Search history is now available for both quick and advanced searches, allowing you to jump back to recently searched objects or previous queries without typing anything.

Quick search with selection

The Directory root view now has an upgraded version of quick search that allows you to search across all managed domains, select multiple search results, and take action on all of them at once.

Other quick search improvements

We've expanded the list of attributes available for quick search, making it even more powerful. You can now search for users by email and proxy addresses, including secondary SMTP addresses. You can also search for groups by description.

Additionally, the quick search window is resizable, so long directory paths or large result sets fit comfortably on your screen.

Breadcrumb drop-downs

Breadcrumbs now feature drop-down menus at every level, letting you jump directly to any point in the hierarchy with a single click. And of course, filtering is built in, so you can quickly narrow down your options.

This feature isn't limited to the toolbar – it's available anywhere object paths are displayed. For example, mouseover popups.

Better mouseover popups

Speaking of the popups, they are now resizable, so you can be sure all the details fit. They are also multi-layered – hover over a group, see its members, then hover over any member to view their details, and so on, all without leaving the page.

Password strength indicator

A new indicator now provides immediate feedback for the password strength, showing whether a password meets complexity and minimum length requirements of the applicable password policy.

More column options

Columns you've added before are saved in your recent history as sets. For example, Name | Description | Department, so you can quickly switch between different layouts without manually reconfiguring them. If things get cluttered, a single click resets everything to default.

To keep your most-used columns accessible, you can also pin them to the top of your recent list ensuring your preferred layouts are always at hand.

Fully customizable logo colors

SVG logos now fully adapt to dark and light themes, letting you define totally different colors for each mode. For example, your logo can appear dark green in light mode and bright blue in dark mode, ensuring optimal visibility and style.

It requires some fiddling with CSS in your logo, but we are sure you'll manage it with the help of this tutorial.

New web interface configurator

Of course, we couldn't update the web interface without updating the configurator. Apart from the new visuals, here are the most notable features.

Better clipboard support

The configurator now has better clipboard support in lists, like visible object types or content panes. This enables you to copy and paste individual configuration items instead of sections as a whole. For example, copy a chart from the Administrator interface to Help desk.

Visual HTML editor

Certain areas of the web interface allow embedding custom HTML. Instead of manually writing HTML code, you now have a visual editor that lets you format and style text effortlessly.

There's much more to the new web interface and configurator than we could cover here. Many smaller improvements work quietly in the background, refining your experience in ways you might not immediately notice, but would definitely miss if they weren't there.

Instead of going down the rabbit hole, let's see what else we have in store.

PowerShell 7 support

We always look ahead, and the future is PowerShell 7. That's why scripts inside Adaxes are now executed using PowerShell 7, opening the door to cmdlets from PS7-only modules.

You can also connect to your Adaxes service from external PowerShell 7 scripts and execute Adaxes-specific commands alongside with the rest of the script. Just install the Adaxes PowerShell module, import it into your script using Import-Module Adaxes, and you're all set.

It might not seem like a big deal, but it really is. Behind the scenes, we put in a colossal effort to migrate a large part of Adaxes from .NET Framework to a more modern .NET 9. This not only made PowerShell 7 support possible but also brought performance improvements across the board, making everything run smoother and faster.

Updating approval requests

Approval requests just became more flexible. Object creation and modification operations sent for approval can now be edited by the approver and by Adaxes service administrators, offering greater control over the process.

The approver can fix whatever mistakes found their way into the request and approve it without the usual back and forth. Of course, all changes added by the approver are logged, so you can be sure that nothing goes unnoticed.

Managing all requests and approvers

Service administrators now have the ability to approve any request directly from the web interface. One less reason to switch back to the administration console.

The same goes for modifying the list of approvers for a particular request. If all approvers happen to be unavailable, say on vacation, you can add new ones from the web interface on the fly, ensuring operations are executed without delay.

Copy options

Now, when copying a user, you can also copy their assigned Microsoft 365 licenses. Plus, you get full control over what gets copied, with the ability to preview and modify details before finalizing.

Preview and modify also works when copying group members or group membership. Whether you're creating a new account from a template or setting up a distribution group for a new project, you can now pick and choose what to carry over.

And to keep things smooth, Adaxes automatically respects group scope restrictions, ensuring that only valid memberships are displayed and copied. No more errors in the log, no more guesswork, just a seamless way to copy group membership to the new object.

Converting mailboxes

Converting mailboxes to other types is now effortless. Regular, shared, room, and equipment mailboxes can be freely converted, right from the web interface. No more workarounds – just pick the mailbox you need and make the switch in a few clicks.

Mailbox conversion is also available as an action in business rules, scheduled tasks, and custom commands. Whether you're handling offboarding, repurposing mailboxes, or automating cleanup, a single action will do the trick.

Oh, and one more thing. The Microsoft 365 section can now be added to forms and views for room and equipment mailboxes. Some of you needed this to assign licenses to such mailboxes, and we delivered.

Improved security

Security is always a top priority, and we're constantly working to make Adaxes even more robust. This update brings tighter control over permissions and a couple of vulnerability fixes.

SMTP application authentication

Adaxes can now authenticate to Exchange Online mailboxes and send emails as an application, taking another step away from traditional username/password authentication. This means you can configure Adaxes to securely send emails from a dedicated service mailbox with minimal permissions.

If you're looking to set it up, this help article has got you covered.

Granular permissions for Entra ID

Registering an Entra ID domain or Microsoft 365 tenant used to require giving global admin rights to the Adaxes app. We never liked that, but there wasn't much we could do with existing Microsoft restrictions. Until now.

You can finally strip those high-level roles from the app and get precise with the permissions it has.

Every permission Adaxes needs is outlined in this help article, but if you don't use certain features, you can go even further and trim unnecessary permissions.

Self-service client integration

The Adaxes self-service client can now integrate with third-party credential providers. You can combine it with another provider on the same Windows logon tile, enforcing MFA of the third-party provider and keeping Adaxes self-service password reset available.

Out of the box, we support Duo Authentication for Windows Logon and PingID for Windows Login, but you can add custom settings to integrate with other providers as long as they support credential provider wrapping.

For details on how to configure third-party integration, have a look at this help article.

PingID SAML application

We're now partners with PingIdentity, and that comes with perks. Adaxes application for SAML-based single sign-on is now available in the PingIdentity application catalog. If you are an existing PingOne SSO user, you will be happy.

If you need guidance on setting up single sign-on, check out this tutorial.

No DNs in the address bar

Some of you weren't thrilled about having real distinguished names (DNs) in the browser address bar when viewing objects in the web interface. We heard you. Now, those DNs are obfuscated by unique identifiers that make no sense to the viewer.

This keeps real object locations hidden from your users while maintaining full functionality. You can paste a DN into the address bar instead of a UID, and the web interface will take you to the correct object.

Vulnerability fixes

• Fixed the vulnerability where the authentication session identifier for the web interface was passed in the request URL.
• Fixed the vulnerability in the Adaxes installer where service account credentials could be intercepted via process monitoring while Adaxes is being installed.

And more

These features cannot be categorized under a single label, but it doesn't make them less important.

Service account management

Service accounts are an integral part of every environment, and now you can manage them from the web interface. You can view, create, or modify Managed Service Accounts (MSAs), Group Managed Service Accounts (gMSAs), and Delegated Managed Service Accounts (dMSAs).

Revoking Microsoft 365 sessions

A new action allows you to instantly sign users out of Microsoft 365 on all devices. Great for enhancing your deprovisioning workflows.

You can also add a custom command with this action to the web interface, providing a failsafe button when accounts are compromised.

Editing report schedules

Need to tweak a self-scheduled report? Now you can edit its schedule, parameters, and delivery settings on the fly. No need to unschedule and start over.

New condition

Previously, you could check if a user had a Microsoft 365 license, but sometimes all you need to know is whether they have an account at all. This new condition lets you check exactly that. Simple and effective.

External forwarding addresses

Sometimes, you need to set up email forwarding to an external recipient instead of selecting someone from your organization. Now you can do it – the field supports free-form input in addition to recipient selection.

Customizable advanced parameters

The Advanced Parameters operation is now customizable. Instead of showing or hiding everything, you can control which sections are visible, tailoring the layout to your needs.

Bulk remove from groups

It is now possible to bulk-remove users from multiple groups in just a few clicks thanks to the Remove from group operation now being available in lists. Perfect for hasty on-demand access cleanup.

Creating role-assignable groups

Need to create role-assignable groups in Entra ID? Now you can. Just don't forget that this option cannot be changed after creation.

New built-in report

Ever needed to quickly find out who approved changing the user's department? The new Requests for operations on a specific object report makes it easy to track recent requests, saving you time digging through logs.

Breaking changes

We try to avoid making changes that break existing functionality, but sometimes it is unavoidable. Please review these carefully.

REST API update

Our REST API has been updated, and while most things stay the same, a few requests work a little differently. If your scripts rely on the affected requests, you will need to update them.

• Syntax for modifying Microsoft 365 properties when creating or updating objects has changed. Check out the updated examples in the Create directory object and Update directory object articles.
• The endpoint for executing custom commands has also been updated. Here's the link to the updated Execute custom command article.

Self-service client on macOS

The self-service client on macOS might stop working after upgrading Adaxes to the latest version.

• Adaxes self-service client no longer supports macOS 10 Catalina. All self-service clients installed on such operating systems will stop working.
• While macOS 11 Big Sur is still supported, the currently installed self-service clients will stop working. You will need to download the latest version of the self-service client and update it on all affected systems.
• Self-service clients on macOS 12 Monterey and above will continue working as is.

PowerShell 5.1-only modules

Adaxes now runs scripts using PowerShell 7. If any of your scripts rely on modules that only support PowerShell 5.1, you'll need to modify such scripts to run that code in a separate PowerShell 5.1 session or process.

End of support for Exchange 2013

To ensure compatibility and security, Adaxes no longer supports Exchange 2013 environments.

Various improvements and bug fixes

• You can now edit email addresses of Microsoft 365 groups after creation.
• Web interface configurator now automatically signs the user out after 30 minutes of inactivity.
• Now, the Send email notification action doesn't wait until the user's Exchange mailbox is ready if the recipient address specified in the action doesn't include value references.
• Added a mechanism that allows Adaxes service to fall back to the default mode if SSL is set to always for a managed domain, but is not configured in that domain.
• Added translations for all home page charts in the built-in web interface configurations.
• The Password field can no longer be added to the View form in the web interface. It is impossible to view user passwords, so what's the point.
• Now, unmanaged accounts cannot use self-service password reset, just like it was meant to be.
• Fixed the issue that prevented form submission when creating users in Entra domains if the Country property was marked as required.
• Fixed the Maximum request length exceeded error that prevented adding large files to the Photo predefined field in web interface actions.
• Fixed the A value for the attribute was not in the acceptable range of values error that caused by excessively long About me values in SharePoint user profiles.
• Fixed criteria equality comparison in scripts. Now, the Equals method properly returns true if criteria are identical.
• Fixed the The specified directory property was not set error that could sometimes appear in the event log when resetting passwords for user accounts whose password never expires.
• Fixed a couple of issues with property patterns related to restricting allowed values of the Can be joined to domain by property.
• Fixed the bug that made it impossible to delete or modify Entra objects whose names contained \0ADEL.
• Now, Adaxes records the correct description for the approval operation when an object was created with warnings due to some property values not being set. Previously, the description displayed Approve operation: N/A.
• It is now possible to import scripts into the script editor from text files encoded as UTF-8 with BOM.
• Adaxes administration console no longer crashes after clicking Edit on the toolbar while in the process of renaming an object in the tree.
• Fixed a visual bug in the administration console where the Telephone Number other field would partly cover the Office field in the properties pane.
• Fixed a visual issue where the Microsoft 365 group item would be displayed twice in the action parameters of the Create directory object action.
• Fixed the An attempt was made to add an object to the directory with a name that is already in use error that occurred after manually renaming a Microsoft 365 license in Adaxes backend and then adding another license with the original name.

Update 1

---

This update includes stability improvements and important bug fixes.

Web interface

• The web interface now automatically sets the top level nodes for the signed in user according to their permissions to view objects, unless the web interface top level configuration is even more restrictive.
• Improved web interface sign-in performance for users who are members of many groups.
• Fixed a bug where domains with uppercase letters were not shown in the web interface.
• Fixed an issue where the object selection dialog appeared empty if the user had permissions only for specific object types.
• Fixed an issue where the Add button was missing in the Member of section if the user had permissions only for specific object types.
• Fixed an issue where the home page content would sometimes get stuck updating after signing out and immediately signing in as a different user.
• Fixed an issue where synchronized on-premises users with online mailboxes could be added only to Microsoft 365 and security groups.
• Fixed an issue with missing logical operators in criteria for the Username and sAMAccountName properties.
• Fixed the Failed to get any of the web interface top level nodes error that occurred when users didn't have the permissions to view the top level node object.
• Fixed the Failed to get any of the web interface top level nodes. You don't have the permission to view properties of your account error that occurred when signing in as an unmanaged account if the top level node included value references.
• Fixed a bug where a web interface action would not show for a user unless they had the permissions to view the top level node configured in the object selection parameters of that action.
• Fixed the Unsuitable object error that made it impossible to copy/paste domain objects between input fields.
• Fixed an issue where the entire user view was not displayed if the Microsoft 365 properties section was present and the tenant's client secret was invalid or had expired.
• Fixed an issue where new user accounts created via Copy were not added to cloud-only groups in hybrid environments.
• Fixed a bug where groups and members from another forest were unavailable for selection when removing group members.
• Fixed a bug that prevented setting or changing the username if the domain part didn't meet property pattern constraints intended only for the local part.
• Fixed a bug where the User must change password at next logon flag could not be set if it was predefined in a property pattern and account options were missing from the user creation form.
• Fixed an issue where dialogs in the web interface closed unexpectedly in Mozilla Firefox.
• Fixed several visual bugs with the directory object picker custom command parameter.
• Fixed several visual bugs with the Exchange auto-reply editor on mobile devices.

Restoring from backups

• Fixed the Failed to import configuration objects to the backend. The directory service is unavailable error that occured when restoring configuration from backups which contained objects with large binary property values.
• Fixed the Object reference not set to an instance of an object error that prevented Adaxes from restoring backups with web interface configurations missing the adm-BuiltinObjectGuid value.
• Fixed the The operation is not allowed in the web interface error that could occur when executing web interface actions after restoring configuration from some backups.
• Fixed the Error 'Cannot read properties of null (reading 'value')' error that could occur when executing web interface actions after restoring configuration from some backups.
• Fixed the issue where detailed operation information was missing in some approval requests after restoring configuration from a backup.
• Fixed the An item with the same key has already been added error that could occur in quick search after restoring configuration from some backups.

Other

• Now, PowerShell client sessions to the Adaxes service are automatically closed after 5 minutes of inactivity.
• It is now possible to copy and paste configuration objects (e.g. business rules) between different Adaxes administration console windows.
• Fixed the The 'userAccountControl' property cannot be found in the cache error that prevented web interface sign in if the Adaxes service administrator account didn't have native permissions to read its userAccountControl property.
• Fixed the The user name or password is incorrect error that made it impossible to log in to the Adaxes service with an account from another domain if the Adaxes service was installed on a computer running Windows Server 2025.
• Fixed an issue in the mechanism for automatic web interface selection based on redirection rules.
• Fixed the System.OutOfMemoryException error that occurred when deleting objects with a very large number of group memberships.
• Fixed the Could not load file or assembly 'Microsoft.Identity.Client' error that could occur in some cases when importing the Microsoft Teams PowerShell module.
• Fixed the 'Method not found: 'Void Microsoft.Identity.Client.ITokenCache.Deserialize(Byte[])'.' error that occurred when connecting from Adaxes to Microsoft Teams using the Microsoft Teams PowerShell module.
• The Mobile devices field in the Exchange section configuration no longer requires the Mobile (ActiveSync) or OWA for devices fields to be enabled.
• The Unified Messaging option is no longer available in the Exchange section configuration for Entra users.