AD Bridge 25.2 release notes

December 1, 2025

Agent: 25.2.0.1000
Windows: 25.2.0.110
Supported upgrades: 23.1, 23.2, 23.3, 24.1, 24.2, 25.1.0

🆕 New features

Linux

Improved Linux workstation experience with Entra ID

We’ve enhanced the Linux workstation login experience by integrating Microsoft Entra ID, making identity management simpler and more secure. This improvement supports the growing adoption of Entra ID bridging on Linux desktops, enabling organizations to unify access across platforms and strengthen compliance.

Tenantjoin: Endpoint key renewal

A new configuration option allows administrators to define the lifespan of an app secret, enabling automated renewal workflows. When the secret approaches expiration, a script triggers the renewal process. Administrators can customize this script to align with their preferred tooling or operational practices. For details, see the new configuration option MachineSecretLifespan.

📘 For more information, see Lsass OAuth provider.

Windows

Allow Entra ID user to enter their secret

BeyondTrust Bridge can request new secrets for the Entra ID user, but this requires Application Administrator rights. To better support delegated rights, we added the option to add a secret provided to the Entra ID user administrator via the Entra ID Status page.

📘 For more information, see First time deployment with Entra ID.

🛠️ Issues resolved

Linux

| Description | Resolution |
| --- | --- |
| Entra ID user lookup fails after upgrading on Ubuntu system. | Now running id returns user details as expected. |
| Install ssh not checking architecture. | Installer check was limited to 64-bit as there is a concern with updating the pam files with modules that are not bit compatible. This update also allows for systems with 32-bit ssh binaries where the module is supported. |
| Deb13: The passwd command does not work for AD user. Debian 13 rejects backslashes in domain-qualified usernames (for example, testqa\testjoin). | Maintainer will not be supporting backslashes. The alternate is to use the passwd binary supplied in /opt/pbis/bin/passwd. The passwd works with short IDs or UPN. Link to bug logged with maintainer: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118274 |
| When you set AssumeDefaultTenant to false, the user can log in without the UPN. | AssumeDefaultTenant now works as expected, so when set to false, only fully qualified usernames succeed. |
| When DomainManagerIgnoreAllTrusts is set to true, you cannot log in with a local user and an AD user of the domain you are joined to. | When used on a child domain, you must add the parent domain to the DomainManagerIncludeTrustsList, and local users to the user-ignore file to all. |
| Tenantjoin-cli: Warn user that mode flags are not supported from a joined state when used. | Switching modes after joining can cause identity changes, which may lead to issues. A note has been added to clarify this behavior. |
| When logging on, authorization notice text is too long. | The text displays correctly. |
| RHEL 9: Unable to log on to RHEL 9 via the GUI. | Can log on as expected as an AD user from an RHEL computer. |

Windows

| Description | Resolution |
| --- | --- |
| Deleting a secret from Entra ID App registration breaks user session. | Added some new checks to make sure the secret is valid. If the secret is removed from the disk or from Entra ID, BeyondTrust Bridge requests a new one to restore the connection. |
