Entra.Chat

Microsoft Entra Agent ID Just Went GA Here’s What You Need to Know About Agent PermissionsIf you’ve been waiting for the dust to settle on Microsoft Entra Agent ID before diving in, the wait is over. Agent ID hit General Availability on May 1st, and in this episode of Entra Chat, Erin Greenlee, a PM in the the Entra AuthN team joins to break down one of the trickiest parts of the new model: how permissions actually work.The three-tier model you need to understandThe biggest mental shift with Agent ID is moving from the familiar single app registration model to a three-tier hierarchy. Here’s the short version:* Agent Blueprint → the template for your agent. Think of it as a souped-up app registration that lives in one tenant and defines how the agent behaves. Every agent needs one, even if you’re only ever creating a single instance.* Blueprint Principle → the identity that represents the blueprint inside each tenant it’s deployed to. This is the middle tier, and it has a superpower: permissions granted here cascade down to all current and future agent identity instances automatically.* Agent Identity → the actual running instance of the agent. This is what authenticates, what shows up in your tenant logs, and what can hold its own individual permissions on top of whatever it inherits.Required Resource Access is a hint, not a grantOne thing that trips people up early: adding permissions to the blueprint’s Required Resource Access (RRA) doesn’t actually grant anything. It’s a signal to admins adopting your agent. A polite list of “here’s what this agent will need to function.” The real grant happens later, either upfront during adoption or dynamically as the agent needs it. Expect agents to lean more on dynamic consent than traditional apps have, since agents evolve and request new permissions as tasks change.Inheritance only works if you set it upPermissions granted on the Blueprint Principle will only cascade down to agent identities if the resource app (e.g. Microsoft Graph) is explicitly marked as an inheritable resource on the blueprint. It’s an easy thing to miss, and if you skip it, your Blueprint Principle grants won’t flow through to your instances.A free tool to visualise all of thisErin built an interactive web app — using GitHub Copilot, no less — that makes all of the above click visually. It has a no-sign-in tutorial that walks you through the object relationships, a permission matrix view, and even generates the PowerShell or Graph API scripts to apply your configuration in real life. No changes are made to your tenant unless you explicitly ask it to. The source code is being open-sourced too, so you can fork and customise it if you want.Watch the full episode to see Erin walk through the tool live, including how permission inheritance works in practice and a real-world debugging scenario that inspired the whole thing.Subscribe with your favorite podcast player or watch on YouTube 👇About Erin GreenleeErin is a member of the Entra AuthN team working on AI and Agent ID at Microsoft. She previously joined Entra Chat to discuss app permissions and consent, and she loves building tools that make complex identity concepts easier to understand.LinkedIn - https://www.linkedin.com/in/eringreenlee/Sponsored by:Find App Access Gaps Before They Break WorkflowsIn Microsoft Entra ID, small visibility gaps lead to outages and delays. Expired secrets break integrations, while unclear ownership and excessive permissions slow access decisions. Teams still struggle to answer:* Which apps access Microsoft 365 data?* Is that access still justified?* Who owns it?AppGov Score helps you quickly identify these gaps. ENow App Governance Accelerator then exposes app-specific credential risks, permission issues, and ownership gaps before they disrupt operations.Start with your AppGov Score, then upgrade to a 7-day free trial to take action.🔗 Related Links* https://aka.ms/erins-agent-helper📗 Chapters01:11 Agent ID General Availability 04:14 The Agent ID Visualizer Tool 05:35 Defining the Agent Blueprint 08:06 Understanding the Blueprint Principle 10:57 Agent Identity Instances Explained 13:37 Required Resource Access (RRA) 24:07 Inheritable Permissions and Cascading 30:18 Applying Changes with ScriptsPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Maester is back with one of its biggest release since launch. In this episode, we are joined by Sam Erde, Architect at Patriot Consulting and one of Maester’s core maintainers, to walk through everything that’s landed in Maester 2.1.Since the December release, the community has shipped 540 new commits, grown the test suite from 128 to 168 tests, and added coverage across entirely new product areas. Here’s a taste of what’s covered:🤖 Securing Your AI Agents (Copilot Studio) With Microsoft’s Agent 365 going GA and organisations rapidly deploying Copilot Studio agents, Maester now includes tests based directly on Microsoft’s own recommendations for securing agents. Think orphaned agents with no owner, missing authentication on MCP connections, dormant agents, risky HTTP configurations, and agents shared too broadly. If you’re deploying agents in your tenant, these tests should be running.🔧 AI That Writes Its Own Security Tests One of the most exciting developments in this release isn’t a test, it’s a custom AI skill that writes Maester tests for you. Sam built a GitHub Copilot agent skill that understands Maester’s structure, coding conventions, and contributor guide. You describe a security check in plain English, and within minutes you get a properly structured test, helpers, and documentation. No VS Code required! You can do it straight from GitHub’s Agents tab or even the mobile app. The barrier to contributing to Maester just got a lot lower.🛡️ Defender for Endpoint Coverage Maester now includes 24 community-contributed MDE tests covering antivirus configuration, endpoint policy posture, cloud protection, behaviour monitoring, and PUA protection. Getting these tests into shape required the new AI skill to refactor months of pending work and it delivered.🔑 Azure DevOps Security (37+ New Tests) With AI-generated code accelerating supply chain risks, securing your DevOps pipeline has never been more critical. Maester 2.1 ships with 37+ new Azure DevOps tests, checking OAuth config, PAT token policies, external guest access, collection admin hygiene, and more.🔗 Linked Identity Checks for Privileged Accounts A new test surfaces a common blind spot: privileged admin accounts that remain active after their linked standard user account is disabled. If someone leaves your organisation and their cloud admin account stays enabled, Maester will now catch it.📋 CIS Benchmark Refresh & Conditional Access Improvements Community contributor Morten has refreshed the CIS benchmark tests to reflect the latest changes, plus improved the logic behind several conditional access policy checks — including automated tracking of Entra ID roles used in XSPM and commercial access quality checks.There’s a lot more covered in the full episode, including multi-tenant reporting updates, the new dev container for contributors, a surprisingly entertaining story about two AI models dissing each other’s code reviews, and a teaser for what’s coming in the next release.👉 Listen to the full episode for the deep dives, the war stories behind getting community PRs across the line, and Merill and Sam’s take on where AI fits into the future of security testing.Subscribe with your favorite podcast player or watch on YouTube 👇About Sam ErdeSam is an Architect at Patriot Consulting who focuses on performing security assessments, securing and deploying Microsoft 365, and writing PowerShell. He has been a critical pillar for the Maester community over the last year, helping heavily refactor the codebase and streamlining community contributions.LinkedIn - https://www.linkedin.com/in/samerde/Sponsored by:Would you bet your reputation on your current Microsoft 365 security posture?Sure, you’ve checked Purview. Maybe tightened Conditional Access. We all do that.But it’s usually the quiet stuff that bites... permissions that expanded, policies that drifted, exceptions nobody revisited.You could assume it’s fine.Or you could run the Microsoft 365 Security Posture Check.It’s free.It runs locally.And no, it doesn’t send your tenant data back to us.We’ll even help you set it up.🔗 Related Links* What’s new in Maester 2.1.0 - https://maester.dev/blog/whats-new-since-maester-2-0📗 Chapters00:00 Intro05:49 Securing Copilot Studio & AI Agents08:53 The Challenge with Defender for Endpoint Tests013:39 Using AI to Automate Writing Security Tests22:30 Dev Containers for Easy Contributions24:58 New Azure DevOps Security Checks31:02 Multi-Tenant Reporting & Xbox’s Secret37:00 Active Directory Tests & The Future of Hybrid43:00 The Long-Term Vision for Maester54:48 CIS Benchmarks & Linked Identity TestsPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Identity Governance is often treated as a “nice-to-have” compliance checkbox, but as ID Governance expert Sandra Saluti reveals, it is actually the foundation of a secure, scalable environment. In this technical deep dive, we move past the marketing slides to discuss some of the common real-world “gotchas” that break Entra ID deployments.In this episode, you will learn:* The Golden Rule of Automation: Why you must stop using “presentation data” (like UPNs or Email addresses) as your anchor. We explain why the Object ID is the only immutable truth for your automation.* The “Marriage Bug”: A cautionary tale of how a simple name change can break hybrid joins and lead to accidental laptop wipes and how to prevent it.* The “Unsexy” Side of Governance: Why the most important part of your job isn’t writing PowerShell, but interviewing HR and stakeholders to map out process flow diagrams before you ever touch the portal.* Closing the “Rehire Gap”: How to solve the common crisis where contractors lose access for 48 hours during a renewal because of lifecycle synchronization delays.* Directory Extensions vs. Exchange Attributes: Technical advice on where to store your identity metadata for the most reliable governance.Sponsored by:Entra ID Gaps That Cause OutagesIn Microsoft Entra ID, outages often start small: an expired client secret, a lapsed certificate, or a suddenly failing integration. Traditional controls don’t track credential expiry or enforce application ownership, so issues appear only after something breaks.Teams are left asking:* Which applications can access Microsoft 365 data?* Is that access still appropriate?* Who owns the app?Unclear answers stall reviews, weaken accountability, and slow delivery.ENow App Governance Accelerator closes these gaps by highlighting expiring credentials, surfacing permission risks, and identifying ownership gaps before they disrupt operations. New Standard Tier pricing makes it accessible for organizations under 10,000 users, typically $3,500–$9,500 annually.Subscribe with your favorite podcast player or watch on YouTube 👇About Sandra SalutiSandra Saluti is a consultant at Epical working with Microsoft Entra ID and identity governance. She helps organisations design secure and practical identity solutions with a focus on governance, access management, and Zero Trust.LinkedIn - https://www.linkedin.com/in/sandra-saluti-6866a686/🔗 Related Links* Sandra’s Blog - https://agderinthe.cloud/author/sandra/ 📗 Chapters00:00 Welcome to Entra Chat 03:18 Explaining Identity Governance 08:51 Handling Late Hires and Rehires 11:25 Using Directory Extensions Effectively 18:50 Stop Targeting UPNs for Automation 25:18 Managing Chaos with Guest Access Reviews 30:56 Deciding Who Approves App Access 33:51 Replacing Nested Groups with Access Packages 39:29 Closing Thoughts and CommunityPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Microsoft Entra security is evolving and the way organizations think about identity protection needs to evolve with it. In this episode, I’m joined by Sean Metcalf, one of the foremost identity security experts in the industry, whose work has helped shape how many organizations approach securing both Active Directory and Microsoft Entra.Sean shares the hardening steps many teams still overlook, and why advances in AI are making it easier for both defenders and attackers to work faster than ever before. From MFA and application controls to protecting privileged accounts and reducing unnecessary exposure, this conversation offers a practical look at where strong identity security starts and why getting the fundamentals right matters more than ever.Subscribe with your favorite podcast player or watch on YouTube 👇About Sean MetcalfSean Metcalf is the Identity Security Architect at TrustedSec and a renowned expert in Microsoft identity security. He holds the rare Certified Master in Active Directory certification and has spoken at major security conferences including Black Hat, DEF CON, and BlueHat on how to defend cloud and hybrid environments.LinkedIn - https://www.linkedin.com/in/seanmmetcalf/🔗 Related Links* Securing Entra ID Administration: Tier 0 - https://trustedsec.com/blog/securing-entra-id-administration-tier-0* Managing Privileged Roles in Microsoft Entra ID: A Pragmatic Approach - https://trustedsec.com/blog/managing-privileged-roles-in-microsoft-entra-id-a-pragmatic-approach* Improve Entra ID Security More Quickly - https://adsecurity.org/?p=4825* Microsoft Graph Skill - https://graph.pm📗 Chapters00:04:05 AI and the Evolution of Attacks00:06:42 The Importance of Hardening Fundamentals00:12:03 Securing Entra ID Quickly00:16:24 Protecting Tokens with VBS and TPM00:19:58 Restricting Consent and Guest Users00:23:40 Managing Rogue Tenants00:27:36 Cloud Admin Workstation Strategies00:34:14 Delegated Admin Privileges00:44:32 The Danger of Application Permissions00:57:06 Artemis Mission TriviaPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

If you can’t immediately name your break glass accounts and the last time you tested them → you’re already at risk.In this episode of Entra Chat, Microsoft MVP Per Torben walks through the conditional access mistakes he sees even large enterprises making, and the practical framework he actually uses with customers.You’ll learn how to set up emergency access accounts the right way, why your CA policies should be built more like a firewall than a checklist, and the one naming convention that makes managing dozens of policies actually manageable.🎧 Hit play, your tenant will thank you.Sponsored by:Entra ID Gaps That Cause OutagesIn Microsoft Entra ID, outages often start small: an expired client secret, a lapsed certificate, or a suddenly failing integration. Traditional controls don’t track credential expiry or enforce application ownership, so issues appear only after something breaks.Teams are left asking:* Which applications can access Microsoft 365 data?* Is that access still appropriate?* Who owns the app?Unclear answers stall reviews, weaken accountability, and slow delivery.ENow App Governance Accelerator closes these gaps by highlighting expiring credentials, surfacing permission risks, and identifying ownership gaps before they disrupt operations. New Standard Tier pricing makes it accessible for organizations under 10,000 users, typically $3,500–$9,500 annually.Subscribe with your favorite podcast player or watch on YouTube 👇About Per TorbenPer Torben is a Senior Architect at Crayon and a Microsoft MVP for Identity and Access. Based in Norway, he frequently writes highly-read posts featured on Entra.News and runs the collaborative tech blog “Agder in the Cloud”.LinkedIn - https://www.linkedin.com/in/pertorbensorensen/🔗 Related Links* Agder in the Cloud - https://agderinthe.cloud* I.D.E.A. for creating/configuring break-glass accounts* GitHub - https://github.com/Per-Torben/I.D.E.A.* Blog - https://agderinthe.cloud/2026/01/06/introducing-i-d-e-a-and-i-d-e-a-001/* Protected actions: https://agderinthe.cloud/2025/02/12/protected-actions-adding-extra-guards-to-your-entra-id-gate/* Conditional Access hardeing (series): https://agderinthe.cloud/2024/12/05/how-to-fix-the-fundamental-flaw-in-conditional-access-part-1-introduction-and-coverage-gapsCA geo filter (series): https://agderinthe.cloud/2025/11/06/diving-into-geo-filter-with-entra-conditional-access-part-1* Entra Backup - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/backup-restore📗 Chapters06:22 The importance of Break Glass accounts09:02 Securing emergency access with FIDO2 and RMAUs18:10 Configuring Conditional Access: The “Block by Default” strategy27:26 Managing scope and preventing accidental lockouts29:31 Persona-based naming conventions for CA policies35:38 Grouping settings and avoiding bloated policies41:54 Handling exceptions and travel access with Access Packages44:55 The flaw in Protected Actions for Conditional Access53:38 Using the new Entra Backup feature for quick restoresPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Microsoft just dropped a massive wave of features for Entra, and the rules of Tenant Governance have officially changed. Join us as we talk to three world-class MVPs about their hands-on experience with the new Entra Backup and Recovery and Tenant Governance features.Our Microsoft MVP guests Nathan McNulty, Ru Campbell, and Thomas Naunheim break down the most exciting new features in Microsoft Entra.In this episode, we explore:* The “Shadow Tenant” Problem: One org found 700+ Entra tenants they didn’t know they had.* Version Control for Admins: Why “Difference Reports” are a total game-changer for troubleshooting.* Recovery Safeguards: How to protect your tenant from accidental deletions and “sneaky” background changes.* Backup & Recovery: The truth about Entra Backup vs. Third-Party ISV tools.Subscribe with your favorite podcast player or watch on YouTube 👇About The GuestsNathan, Ru, and Thomas are highly experienced MVPs specializing in identity security, governance, and Microsoft Entra.Nathan McNulty - LinkedIn - https://www.linkedin.com/in/nathanmcnulty/Ru Campbell - LinkedIn - https://www.linkedin.com/in/rlcam/Thomas Naunheim LinkedIn - https://www.linkedin.com/in/thomasnaunheim/🔗 Related Links* Microsoft Entra Backup and Recovery Documentation - https://learn.microsoft.com/en-us/entra/backup/overview* Microsoft Entra Tenant Governance - https://learn.microsoft.com/en-us/entra/id-governance/tenant-governance/overview* Synced Passkeys - https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-passkeys-fido2* Microsoft Work IQ CLI (Public Preview) - https://learn.microsoft.com/en-us/microsoft-365/copilot/extensibility/workiq-overview* Playwright https://playwright.dev/* Entra Auth Tracer (Chrome Extension) - https://github.com/darrenjrobinson/EntraAuthTracer* Unified Risk Score - https://learn.microsoft.com/en-us/defender-xdr/investigate-users#risk-score-tab-preview📗 Chapters00:00 Intro to New Entra Features02:04 Entra Backup and Recovery Deep Dive10:41 Difference Reports Explained15:54 Intro to Tenant Governance23:34 Managing Multi-Tenant Organizations33:31 Conditional Access Optimization Agent36:55 The Great Passkey Debate47:22 Retirements: SP-less Auth & ACS for SharePoint48:46 Unified Risk Score in Defender52:38 MVP Tips of the WeekPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Emilien Socchi, Cloud Security Research Engineer at Storebrand, joins us to discuss CA Insight and AZTier.Two open-source tools Emilien built to find gaps in Conditional Access policies and categorize Azure/Entra roles based on attack paths. Learn how CA Insight evaluates 250 million sign-in combinations offline in minutes instead of days, why the What If API doesn't scale, and how AZTier helps defenders and pen testers understand privilege escalation risks across Entra ID, Azure, and Microsoft Graph.Together, these projects help security teams move from reactive log monitoring to a proactive defense strategy.What’s Breaking and Slowing Your Entra ID Environment?In Microsoft Entra ID, the same visibility gaps cause two problems:* Things break* Work slows downExpired client secrets disrupt integrations. Certificates lapse and authentication fails. New apps appear with excessive permissions and no clear ownership. At the same time, teams struggle to answer basic questions, which applications have access to Microsoft 365 data, whether that access is still required, and who is responsible for it.When answers are not immediate, reviews stall and projects slow down.ENow App Governance Accelerator Credential Guard helps identify expiring credentials and expose permission and ownership gaps.For organizations under 10,000 users, pricing ranges from $3,500 to $9,500 annually through March 31, 2026.Subscribe with your favorite podcast player or watch on YouTube 👇About Emilien SocchiEmilien Socchi is a Cloud Security Research Engineer at Storebrand (Oslo, Norway) focusing on the proactive discovery of security issues. With an extensive background in application and cloud penetration testing, Emilien has published practical research and tooling used by defenders. He also maintains several open‑source projects, including Azure administrative tiering models and Entra ID role‑monitoring utilities.LinkedIn - https://www.linkedin.com/in/emilien-socchi🔗 Related Links* CA Insight- https://github.com/emiliensocchi/entra-ca-insight* Azure Administrative Tiering (AzTier) - https://aztier.com* AzTier Source: https://github.com/emiliensocchi/azure-tiering* AzTier Deployer - https://github.com/emiliensocchi/aztier-deployer📗 Chapters00:00 The Story Behind CA Insights16:52 Why the ‘What If’ API Doesn’t Scale 21:09 Building an Offline Evaluation Engine 45:22 Deep Dive into AZTier: A Red Team Perspective Podcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Darren Robinson, Identity and Zero Trust Strategy and Architecture Capability Lead at Increment, shares his extensive experience in identity governance and administration.In this episode Merill sits down with Darren “Doc” Robinson – Microsoft MVP since 2017, former SailPoint Ambassador and one of Australia’s most experienced identity architects.Darren takes us on a 25+ year journey from Novell networks to modern Microsoft Entra ID, reveals why he’s building custom ECMA2 connectors, and shares the exact PowerShell tools he just open-sourced (Granfeldt uplift, ECMA2 Host Tools, Provision On-Demand module).We also compare Entra ID Governance vs SailPoint and dive into his latest obsession: MCPs for Entra News and personal AI agents.Whether you’re migrating legacy apps or levelling up your IGA strategy, this episode is pure gold.Sponsored by CoreView:Would you bet your reputation on your current Microsoft 365 security posture?Sure, you’ve checked Purview. Maybe tightened Conditional Access. We all do that.But it’s usually the quiet stuff that bites... permissions that expanded, policies that drifted, exceptions nobody revisited.You could assume it’s fine.Or you could run the Microsoft 365 Security Posture Check.It’s free.It runs locally.And no, it doesn’t send your tenant data back to us.We’ll even help you set it up.Subscribe with your favorite podcast player or watch on YouTube 👇About Darren RobinsonDarren is highly accomplished in digital identity and cybersecurity specialising in Identity & Access Management for over three decades. Darren is renowned for driving Digital Identity innovation, building global offerings, and leading high-impact teams to deliver cutting-edge solutions that enhance security posture, operational efficiency, and business value.🔗 Related Links* Blog: https://blog.darrenjrobinson.com* GitHub: https://github.com/darrenjrobinson* LinkedIn: https://www.linkedin.com/in/darrenjrobinson/In this episode…1. Understanding the “Metaverse”The foundation of Microsoft’s identity strategy dates back to the acquisition of Zoomit in 2000. This introduced the Metaverse—not a VR world, but a “hologram” or central representation of a user that exists across multiple systems like SQL databases and LDAP directories. By correlating these identities into one object, organizations can maintain consistency across a fragmented environment.2. The Modern Bridge: ECMA and SCIMAs organizations move to the cloud, the “heavy” sync engines like MIM (Microsoft Identity Manager) are being replaced by Entra Cloud Sync. The modern approach uses:* A Light Shim: A small on-premises component that acts as a member of the domain.* SCIM Instructions: The Entra provisioning service sends instructions via the SCIM protocol to this shim.* ECMA Connectors: The Extensible Connector Management Agent (ECMA) translates these cloud instructions into a language legacy on-prem apps can understand, such as SQL or Oracle updates.3. Scaling with PowerShell 7One of the biggest hurdles in legacy identity management was performance. Darren Robinson recently uplifted the popular Granfeldt PowerShell Management Agent to support PowerShell 7. This update allows for:* 64-bit Processing: Handling larger datasets with ease.* Parallelism: Sending multiple identity updates in parallel rather than waiting for individual “gets,” significantly speeding up sync times.4. Managing the “Cache”A common pain point for administrators is the lack of visibility into the ECMA host cache. To solve this, Darren developed a new module that allows practitioners to programmatically query the cache, back up configurations, and document every connector and parameter in the system.Key Takeaway: Whether you are migrating from legacy solutions like Novell or managing a complex hybrid Entra environment, the goal remains the same: automated, secure, and visible identity lifecycles.📗 Chapters00:00 Intro02:22 The Evolution of Directory Services and Synchronization08:05 Understanding Sync Engines and the Metaverse14:45 Modern Identity Provisioning with Entra17:39 Developing Custom PowerShell ECMA Connectors20:53 Automating Provisioning with New PowerShell Modules28:53 The Current Landscape of Identity Governance31:37 Solving the Disconnected Apps Challenge35:46 Exploring Model Context Protocol (MCP)45:34 Leveraging Local AI and LLMs for Identity TasksPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Richard Hicks wrote the book on DirectAccess. Then he wrote the one on Always On VPN. Now he’s here to tell you it’s time to move on from both (and other legacy VPNs). Over the last two years, Richard has helped numerous enterprise customers navigate the shift from legacy VPN to Microsoft Entra Private Access, and he’s collected some hard-learnt lessons along the way that most migration guides won’t tell you.In this episode, Richard - enterprise security consultant and early Entra Private Access insider - breaks down why traditional VPN is fundamentally broken for today’s threat landscape, how Entra Private Access works under the hood, and the exact crawl-walk-run playbook he uses to migrate enterprise customers without disruption. Plus: his hot take on the Microsoft E7 announcement and why it just changed the pricing conversation forever.In this episode you’ll learn:* Why your VPN tunnel is a security liability — and how a single compromised device can expose your entire corporate network* How Entra Private Access works differently to traditional VPN, and why that architectural shift matters for security* The “Quick Access” migration strategy that lets you get off legacy VPN fast, without locking everything down on day one* How to deploy the Global Secure Access client alongside your existing VPN — so you can migrate field-based workers without a single disconnection* What most teams get wrong about the Entra Private Network Connector — and the scaling pitfalls that catch enterprises off guard* Why Conditional Access knowledge, not connectivity, is the real key to a successful zero trust migration* The current limitations of Entra Private Access and how to plan around them* We also discuss the new ‘E7’ which includes Entra Private AccessSubscribe with your favorite podcast player or watch on YouTube 👇About Richard HicksRichard Hicks is the founder and principal consultant at Richard M. Hicks Consulting, Inc. A Microsoft Most Valuable Professional (MVP) with more than 30 years of experience implementing secure remote access and public key infrastructure (PKI) solutions, he is a widely recognized enterprise mobility and security infrastructure expert sought after by organizations worldwide. His mission is to help companies provide visibility, control, and assurance for their field-based users and devices, ensuring the highest level of security and productivity for today’s highly mobile workforce.LinkedIn - https://www.linkedin.com/in/richardhicks/🔗 Related Links* Richard’s Blog - https://directaccess.richardhicks.com/* Richard M. Hicks Consulting, Inc - https://www.richardhicks.com/* https://directaccess.richardhicks.com/always-on-vpn-vs-entra-private-access/📗 Chapters00:00 Intro 01:10 The History of Direct Access and Always On VPN 05:59 Transitioning to Zero Trust and Entra Private Access 11:34 Seamless Side-by-Side VPN Migration 17:37 Using Quick Access to Kickstart Zero Trust 23:43 Changing Mindsets: Identity over IP Addresses 27:55 The New Zero Trust Network Assessment Tool 29:17 Avoiding Pitfalls with the Entra Private Network Connector 33:11 Feature Wishlist: IPv6 and Process Binding 38:46 Hot Takes on the New Entra E7 SuitePodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

I am back home in Melbourne today, and joining me are Nathan McNulty from Alaska and Daniel Bradley from the UK as we dive into all the massive Entra updates that dropped last month. We are breaking down the controversial shift to syncable passkeys , why your Conditional Access policies might suddenly start blocking apps , and the absolute necessity of moving privileged accounts away from on-prem AD. We’re also geeking out over some incredible new Global Secure Access (GSA) features and how AI is completely transforming the way we work with Graph API. You won’t want to miss the under-the-radar changes that could impact your tenant’s security architecture overnight.Here’s a quick overview of all the topics we covered in this episode (links below).Sponsored by:Scan, Score, and Secure Your Applications in EntraApplication identities represent one of the largest attack surfaces in Entra and are often among the least consistently governed. AppGov Score helps IT and Security teams understand where risk exists. The 24-check assessment evaluates Entra ID application integrations against Microsoft-recommended governance practices, analyzing:* App registrations and enterprise apps for excessive permissions* Expired or unmanaged secrets* Ownerless apps* Risky consent grants, and* Privileged service principalsResults are delivered as a clear, defensible risk score with actionable findings. No scripts. No manual inventory. Just a fast, read-only scan that reveals app sprawl, identity misconfigurations, and blast radius so you can prioritize remediation and strengthen your security posture with confidence.Subscribe with your favorite podcast player or watch on YouTube 👇About Nathan McNultySenior Security Solutions Architect at Patriot Consulting and Microsoft MVP in security. Nathan is the practice lead for identity and has extensive experience with endpoint deployments and everything Entra.LinkedIn - https://www.linkedin.com/in/nathanmcnulty/About Daniel BradleySenior Solution Architect for CDW down in the UK and an MVP in Identity Security and M365 for Graph API. Daniel specializes in pre-sales, mergers, acquisitions, and the highly technical migration space.LinkedIn - https://www.linkedin.com/in/danielbradley2/🔗 Related Links* Entra What's New - https://learn.microsoft.com/en-us/entra/fundamentals/whats-new* Upcoming Conditional Access change: Improved enforcement for policies with resource exclusions - https://techcommunity.microsoft.com/blog/microsoft-entra-blog/upcoming-conditional-access-change-improved-enforcement-for-policies-with-resour/4488925* XDRInternals - https://github.com/MSCloudInternals/XDRInternals* Passkey Login - https://github.com/nathanmcnulty/nathanmcnulty/blob/main/Entra/passkeys/PasskeyLogin.ps1* Graph PM - https://graph.pm📗 Chapters03:01 Syncable Passkeys & Registration Changes18:10 Conditional Access Policy Updates26:35 Blocking Hard Match for Privileged Roles35:42 External Authentication Methods GA43:04 Lifecycle Workflows & Admin Units48:01 Global Secure Access (GSA) BYOD Preview53:06 New My Account Portal & Authenticator Updates58:43 AI Skills & Automating Graph APIPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Hey folks, I have to start with a massive shout-out to Morten Knudsen and his entire team at Experts Live Denmark where I’m just returning from. Organizing an event for over 1,200+ attendees is no small feat, and they pulled it off with incredible energy and precision. It was easily one of the most impressive community gatherings I’ve been a part of.Amidst that massive crowd, I had the privilege of co-leading a deep-dive Identity Masterclass alongside four exceptional Microsoft MVPs: Jan Vidar Elven, Pim Jacobs, Thomas Naunheim, and Klaus Bierschenk.We weren’t sure what to expect, but the response was overwhelming. We had over 120 dedicated attendees who stayed with us for the full 7-hour session - diving deep into the weeds of Entra ID, governance, privileged access, Agent ID and more. Instead of theory-heavy slides, we built a practical, end-to-end governance story.Because we believe this knowledge should be accessible, we are now giving away the labs for free so everyone can skill up, learn, and implement these patterns in their own environments.Here’s the core of what we covered, and what you will learn in this podcast walk through of the labs and what you can try out yourself today!Links to GitHub repo and YouTube video below.Sponsored by:If you’re a systems administrator, you already know – patching is painful. It’s time-consuming, risky, and one small mistake can mean downtime. So, it gets postponed. Again. And again. What if patching was just… Easy?Introducing Action1, a cloud-native patch management platform for Windows, macOS, Linux, and third-party apps. You’ll be up and running in five minutes. No infrastructure to maintain. No complexity.And here’s the best part: you can use Action1 on your first 200 endpoints for free. Forever. No feature limits. No credit card. No hidden tricks. Seriously, It’s NOT a disguised free trial. Too good to be true? Too good and actually true! Check for yourself, go to: on.action1.com/entrachatSo, if you’re looking for an easy-to-use patching tool that would help you save weeks, if not months of your time, go to on.action1.com/entrachat and sign up for “Patching That Just Works”.1️⃣ Inbound Provisioning: Start with a Source of TruthMost identity problems start with one issue:There is no clean, authoritative identity source.We demonstrated how to use Inbound Provisioning in Entra to:* Accept identity payloads via Microsoft Graph* Create users in a disabled state* Capture attributes like hire date, leave date, department* Treat HR (or another system) as the lifecycle authorityWhy this mattersIf identities are manually created:* Joiners are inconsistent* Leavers are missed* Privileged accounts become orphanedInbound provisioning allows you to:* Standardize creation* Attach lifecycle automation immediately* Reduce manual admin overheadKey concept:Provision first. Enable later. Automate everything in between.2️⃣ Lifecycle Workflows: Automate Joiner / Mover / LeaverOnce a user is provisioned, lifecycle workflows take over.We implemented:* Pre-hire workflow* Day-one onboarding workflow* Post-onboarding actionsTriggers included:* Employee hire date* Creation time* Group membership* Attribute changesReal-world onboarding pattern* Account is created disabled* Workflow enables the account at the correct time* Temporary Access Pass (TAP) is generated* TAP is sent securely* Access is assigned automaticallyThis reduces:* Manual enablement* Helpdesk load* Security gapsDesign principle:Automation should enforce timing — not people.3️⃣ Privileged Account Design: Separate the IdentitiesWe had a strong opinion in the session:Admin accounts should be separate and cloud-only.Why?* Syncing privileged accounts from on-prem introduces risk* HR systems should not directly control privileged identities* Governance features work best with cloud-native identitiesWe explored three creation patterns:* Inbound provisioning for privileged accounts* Access Packages (with auto-assignment or request model)* Lifecycle workflows + custom Logic AppsEach has trade-offs.What matters most:Privileged identities must be:* Separately authenticated* Phishing-resistant (FIDO2 or passkeys)* Independently governed* Linked for offboarding4️⃣ Linking Identities for InvestigationOne challenge in Entra:There’s no native “this person owns these 3 accounts” view.We explored identity linking in Microsoft Defender XDR, where:* Multiple accounts can be associated to one identity* Incident investigations become clearer* Privileged activity can be correlated with user contextThis becomes critical during:* Compromise investigations* Insider threat analysis* Lateral movement trackingSecurity takeaway:If you can’t correlate identities, you can’t fully investigate them.5️⃣ Backup & Restore: The Truth About EntraThere is no traditional backup system in Entra.Instead, you have:* Soft-delete (with recycle bin)* Hard-delete (irreversible)* API-based recovery* Configuration export strategiesWe discussed:* Protecting deleted items with Protected Actions* Using Conditional Access to restrict destructive operations* Exporting configuration JSON regularly* Monitoring configuration driftReality:If you aren’t exporting your tenant configuration, recovery becomes manual and painful.Governance is not just about creation — it’s about resilience.6️⃣ Protected Actions + Conditional AccessA powerful but underused feature:Protected Actions.You can require Conditional Access enforcement before allowing:* Hard deletes* Sensitive configuration changesExample:* Only allow permanent deletion from a compliant device* Only allow from a trusted location* Require phishing-resistant authenticationEven Global Admins must pass policy.Security mindset shift:Admin role ≠ unlimited ability.7️⃣ Agent ID & Blueprints: The Future of Identity for AIWe also explored Agent ID — one of the newer capabilities in Entra.Why not just use a service principal?Because agents:* Need stronger guardrails* Must support per-user instances* Require conditional access enforcement* Must be auditable at scaleBlueprints allow:* A parent definition of permissions* Individual agent instances per user* Centralized governance over many agentsAs AI agents scale, identity must scale securely with them.Forward-looking insight:Agent governance will soon be as important as user governance.8️⃣ Design Philosophy Behind the LabThe entire masterclass was built around one principle:Identity is a lifecycle, not a login.We covered:Provision → Enable → Assign → Elevate → Monitor → Protect → Offboard → RecoverIf any step is manual, inconsistent, or undocumented — risk increases.The labs give you a complete pattern you can implement in your own tenant.🎯 What You Should Do Next* Watch/listen to the full podcast where we walk you through the labs.* Go try out the labs at github.com/IdentityMan/MasterclassELDK26 in your own tenant.Subscribe with your favorite podcast player or watch on YouTube 👇About us* Jan Vidar Elven, Security MVP - https://www.linkedin.com/in/janvidarelven* Pim Jacobs, Security MVP - https://www.linkedin.com/in/pimjacobs89* Thomas Naunheim, Security MVP - https://www.linkedin.com/in/thomasnaunheim* Klaus Bierschenk, Security MVP - https://www.linkedin.com/in/klabier🔗 Related Links* https://github.com/IdentityMan/MasterclassELDK26* https://discord.entra.news* https://on.action1.com/entrachat📗 Chapters00:00 Intro 00:50 Open Sourcing the Entra Lab 03:42 Entra ID Inbound Provisioning 08:05 Lifecycle Workflows and Governance 10:57 Securing Privileged Admin Accounts 16:21 Offboarding and Linked Identities 19:51 Sponsor: ActionOne 21:02 Entra ID Backup, Restore & Protected Actions 26:08 Exploring Agent ID and Blueprints 30:28 How to Access the Open Source LabPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

What does it take to migrate 40,000 devices to a cloud-native environment in a massive, complex enterprise? For most IT leaders, the prospect of moving away from 20 years of legacy infrastructure is enough to cause a sleepless night.In our latest episode of Entra Chat, we sat down with enterprise veterans Michael Brunker and Prem Kothandapani to deconstruct their recent, massive rollout. They successfully converted nearly 40,000 devices from on-premises Active Directory to Entra Joined in just nine to ten months—all with a lean team of 10–15 people.Here are the high-stakes lessons they learned from the trenches of modern management.The “Nuclear Option”: Cleaning Up 20 Years of GPO DebtOne of the most controversial decisions the team made was what they called the “nuclear option” regarding Group Policy Objects (GPOs). Instead of porting over decades of legacy policies that no one fully understood, they chose to start from scratch.By building a new security baseline from the ground up in Intune, they ensured the new environment was clean, modern, and free from the “stale” configurations that often plague legacy estates.Killing the “VPN Tax”For the end user, the primary driver for this migration was a radically improved experience. In a cloud-native world, the dependency on legacy VPN technology disappears.* Work from Anywhere: Users can sign on and get access without the friction of starting a VPN or worrying about office cabling.* Security at the Edge: Moving to Entra ID shrinks the attack surface by removing devices as a direct entry point to your core on-prem Active Directory.Sponsored by:If you’re a systems administrator, you already know – patching is painful. It’s time-consuming, risky, and one small mistake can mean downtime. So, it gets postponed. Again. And again. What if patching was just… Easy?Introducing Action1, a cloud-native patch management platform for Windows, macOS, Linux, and third-party apps. You’ll be up and running in five minutes. No infrastructure to maintain. No complexity.And here’s the best part: you can use Action1 on your first 200 endpoints for free. Forever. No feature limits. No credit card. No hidden tricks. Seriously, It’s NOT a disguised free trial. Too good to be true? Too good and actually true! Check for yourself, go to: on.action1.com/entrachatSo, if you’re looking for an easy-to-use patching tool that would help you save weeks, if not months of your time, go to on.action1.com/entrachat and sign up for “Patching That Just Works”.The “Gnarly” Problems: What Breaks First?Success wasn’t just about the big picture; it was about mastering the “fundamental basic building blocks”. Michael and Prem highlighted several technical hurdles that can derail a migration if not handled early:* The Proxy Trap: Many organizations fail to update their proxy server allow-lists with the specific Microsoft URLs required for cloud authentication.* App Authentication: Moving from Kerberos-based device auth to OAuth and modern cloud flows requires rigorous testing across different “personas,” such as front line workers versus corporate office users.The Secret to Scaling: Small Teams, Big StrategyPerhaps the most surprising takeaway was that a project of this scale didn’t require an army. By focusing on a “small team” of highly skilled engineers and dedicated communications experts, they maintained momentum and avoided “stop-start” migration fatigue.Want to hear the full technical breakdown, including how they handled zero-downtime requirements for front line workers?Subscribe with your favorite podcast player or watch on YouTube 👇About Michael BrunkerMichael Brunker has approaching 40 years in the IT industry and has operated as an enterprise architect across major organizations like BP, Woodside, and Telstra. LinkedIn - https://www.linkedin.com/in/michaelbrunker/About Prem KothandapaniPrem Kothandapani is an EndPoint Architect with over 14 years of experience in endpoint computing and major migrations, having worked at NBN, Australian Unity, and Telstra.LinkedIn - https://www.linkedin.com/in/premnath-kothandapani-41744153/📗 Chapters00:00 Cloud-Native Device Management 02:58 The True Cost of Legacy Infrastructure 07:47 Moving to Modern Management 11:13 The Blueprint for a 40,000 Device Migration 20:07 Handling Complex App Dependencies 28:07 Crafting a Seamless User Migration Experience 33:28 Automating with Graph API and Autopilot 43:09 Avoiding the Co-Management Trap 55:01 The New Starter Experience 57:24 Migration Velocity and Lessons LearnedPodcast Apps🎙️ Entra.Chat - https://entra.chat 🎧 Apple Podcast → https://entra.chat/apple 📺 YouTube → https://entra.chat/youtube 📺 Spotify → https://entra.chat/spotify 🎧 Overcast → https://entra.chat/overcast 🎧 Pocketcast → https://entra.chat/pocketcast 🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx 👔 LinkedIn → linkedin.com/in/merill 🐤 Twitter → twitter.com/merill 🕺 TikTok → tiktok.com/@merillf 🦋 Bluesky → bsky.app/profile/merill.net 🐘 Mastodon → infosec.exchange/@merill 🧵 Threads → threads.net/@merillf 🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

March 2026 is shaping up to be one of the most important months for Microsoft Entra ID administrators in recent memory.Microsoft is automatically enabling passkey profiles in Entra ID, and if you don’t configure them yourself, your tenant will be migrated with default settings.In this episode of Entra Chat, I sat down with Microsoft Security MVPs Daniel Bradley and Ewelina Paskowska to break down what this really means for Microsoft 365 administrators.But passkeys aren’t the only story this month.1️⃣ Passkey Profiles Are Becoming the DefaultStarting March 2026:* Passkey profiles will be auto-enabled* Tenants that haven’t configured profiles will be migrated* Registration campaigns will shift from Authenticator-first to passkey-firstThis is a major shift toward phishing-resistant authentication.You’ll now be able to:* Separate hardware-backed vs synced passkeys* Apply granular group-based controls* Enforce stronger authentication for privileged users2️⃣ Source of Authority Conversion Is Finally GAFor years, admins used messy delete-and-restore hacks to convert synced users to cloud-only.Now it’s officially supported.You can convert individual users from on-premises authority to cloud-managed — without breaking hybrid entirely.Why this matters:* Easier M&A transitions* Full access to Entra ID Governance features* Cleaner lifecycle management* Reduced dependency on legacy infrastructureFor hybrid environments moving toward cloud-first identity, this is huge.Sponsored by:If you are a systems administrator managing endpoints every day, you’ve probably postponed patching at least once — not because you forgot… But because you didn’t feel like gambling with uptime. Meanwhile, the backlog grows, vulnerabilities pile up, and patching stays stuck in manual mode.Action1  fixes that.Action1 is a cloud-native patch management platform for Windows, macOS, Linux, and third-party apps — all from one place, no VPN needed. Curious how easy it is to start? You can use it on your first 200 endpoints, for free, forever, with no functional limits. It’s not a disguised free trial. No credit card required, no hidden limits, no tricks.All you have to do is visit on.action1.com/entrachat and get started today.So, if you’re looking to automate patching at scale and get weeks— even months—of your time back, go to on.action1.com/entrachat and sign up for patching—that—just—works.3️⃣ App Registration Deactivation (A Quietly Powerful Feature)Microsoft added the ability to deactivate app registrations.Instead of deleting an app (and losing configuration), you can now:* Immediately stop token issuance* Preserve metadata and permissions* Investigate safely* Re-enable without rebuildingFor incident response scenarios — especially in multi-tenant or MSP environments — this is a big step forward.4️⃣ Conditional Access Behavior ChangesThere’s also a change impacting tenants with Conditional Access policies targeting “All resources” but excluding certain apps.Previously, certain minimal-scope apps could bypass enforcement under specific conditions.That loophole is closing.Admins should:* Review message center notifications* Audit legacy apps* Validate MFA handling before rolloutAs always with identity changes: being proactive is critical.5️⃣ Sync Security Hardening (Hard Match Protection)Microsoft is adding additional validation to protect against malicious hard matching scenarios in hybrid environments.This reduces the risk of identity takeover via manipulated on-prem objects.It’s automatic — but important to understand if you manage hybrid identity or MSP transitions.Watch the full episode for the deep technical breakdown and real-world implications.Subscribe with your favorite podcast player or watch on YouTube 👇About Daniel BradleyDaniel is a Senior Solution Architect for CDW and Microsoft MVP in Identity & Graph API. He is a avid writer who enjoys investigating new features and building practical tools to share with the community through his blog. He also is one of the moderators for the r/entra subreddit.* Website: https://ourcloudnetwork.com* LinkedIn: https://www.linkedin.com/in/danielbradley2* X: https://x.com/DanielatOCNAbout Ewelina PaczkowskaEwelina is a Solution Architect at Theatscape and a Microsoft Security MVP. She is a content creator and speaker who enjoys breaking down complex solutions into clear, practical guidance. Ewelina is also an organiser of the Microsoft 365 Security & Compliance user group and the creator behind Welka’s World, where she shares insights and real-world knowledge around Microsoft security and compliance.* Website: https://welkasworld.com* LinkedIn: https://www.linkedin.com/in/ewelinapaczkowska* X: https://x.com/WelkasWorld🔗 Related Links* MC1221452 - Microsoft Entra ID: Auto-enabling passkey profiles - https://mc.merill.net/message/MC1221452* Ability to convert Source of Authority of synced on-prem AD users to cloud users is now available - https://learn.microsoft.com/en-us/entra/identity/hybrid/user-source-of-authority-overview* Service Principal creation audit logs for alerting & monitoring - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/understand-service-principal-creation-with-new-audit-log-properties* Deactivate an app registration - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/deactivate-app-registration* MC1223829 - Upcoming Conditional Access change: Improved enforcement for policies with resource exclusions - https://mc.merill.net/message/MC1223829* Microsoft Entra Connect security hardening to prevent user account takeover - https://learn.microsoft.com/en-us/entra/fundamentals/whats-new#general-availability---microsoft-entra-connect-security-hardening-to-prevent-user-account-takeover📗 Chapters06:16 Converting Source of Authority to Cloud 15:37 Auto-Enabling Passkey Profiles 24:33 Deactivating App Registrations 31:56 Conditional Access for Excluded Apps 38:48 Sync Jacking Protection 41:45 Unified Tenant Configuration Management 46:31 Service Principal Creation LogsPodcast Apps🎙️ Entra.Chat → https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Governance in Microsoft 365 has always been hard. Not because the tools didn’t exist, but because scale, complexity, and change made consistency almost impossible. As tenants grow, so do the challenges of configuration drift, manual admin changes, and inconsistent environments.For years, admins have relied on scripts, tribal knowledge, and community-led solutions like Microsoft 365 Desired State Configuration (M365DSC) to manage this “policy sprawl”. While M365DSC was a groundbreaking open-source effort, it often faced a steep learning curve and lacked official Microsoft support.Until now.In this episode of Entra Chat, we sit down with Nik Charlebois, Principal Program Manager at Microsoft and the original visionary behind M365DSC. Nik now leads the charge for one of the most significant platform shifts in Microsoft 365 administration: Tenant Configuration Management (TCM).Shadow IT and SaaS sprawl are outpacing IT teamsIt can feel impossible to tackle these app governance challenges:📦 Entra ID isn’t secure by default💥 SaaS adoption & sprawl isn’t slowing down⌨️ Citizen Development keeps rising (hello, Copilot Studio!)🗑️ Vendors often don’t remove apps after uninstall🔃 Offboarding is inconsistent or doesn’t happen at all🥔 App governance is passed around like a hot potatoENow AppGov Score shines a light on lurking risks, providing a free App Governance Benchmark Report for your Entra tenant. Reclaim control and protect against breach & disruptions. Free upgrade to Standard Tier for 7 days once you get your score.What is Tenant Configuration Management?TCM is Microsoft’s official “Config as Code” platform for M365. Built directly on top of the Microsoft Graph, it represents a new operating model for how tenants are governed.Key features discussed in this episode include:* Official Support: Moving beyond best-effort community maintenance to a fully supported Microsoft solution.* Simplified Experience: Transitioning from cryptic MOF files to human-readable JSON templates, significantly lowering the learning curve for admins.* Snapshot & Drift Detection: The ability to capture “snapshots” of your tenant’s current state and monitor for unauthorized changes.* Automatic Remediation: Automatically reverting detected configuration drifts back to your defined “gold standard” state.* Broad Coverage: Support for core workloads including Entra ID, Exchange, Intune, Purview, Defender, and Teams with more to come.This isn’t just a new feature; it’s the evolution of tenant governance into a native, API-driven platform. Tune in to hear Nik explain how TCM is bridging the gap between community innovation and official enterprise-grade management.Listen to the full episode now to learn how to start your journey with the TCM public preview!Subscribe with your favorite podcast player or watch on YouTube 👇About Nik CharleboisNik is a Principal Program Manager at Microsoft leading the Microsoft 365 configuration-as-code efforts. Ex-MVP, speaker, blogger, and author, he leads the configuration-as-code efforts for Microsoft 365.LinkedIn - https://linkedin.com/in/nikcharlebois🔗 Related Links* Nik’s Blog - https://nikcharlebois.com/* Overview of the unified tenant configuration management APIs - https://learn.microsoft.com/en-us/graph/unified-tenant-configuration-management-concept-overview📗 Chapters00:00 Intro 03:44 Origin of M365DSC 07:51 Introducing Tenant Config Management 09:24 Supported Workloads 11:15 Control Plane vs Data Plane 14:26 DSC vs TCM Architecture 15:22 Snapshots and Monitors 18:56 Managing Drift Across Environments 28:03 Licensing and Limits 32:48 Authentication and Permissions 37:53 Getting StartedPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this episode, we sit down with Eric Woodruff, Chief Identity Architect at Semperis, to discuss the reality of achieving a 100% phishing-resistant environment. Over the course of just three months, Eric led a 600-person organization through a complete rollout of passkeys, Windows Hello for Business, and Platform SSO. This conversation moves beyond the technical “knobs and dials” to explore why organizational change management and C-suite buy-in are the true foundations of a successful identity modernization project.Eric shares the creative strategies his team used to drive adoption, including a custom self-enrollment portal built with Power Platform that allowed early adopters to “dogfood” the technology. We dive into the “voluntold” phase of the rollout, where voluntary participation transitioned into mandatory policy, and how they used Power BI to track progress and identify “stragglers”. The episode also provides a transparent look at the technical hurdles encountered, from legacy application exclusions to troubleshooting older Android devices and niche browsers.Looking ahead, we discuss the critical importance of protecting against “downgrade attacks,” where sophisticated phishing attempts try to bypass modern security by tricking users into traditional password entries. Eric emphasizes that the final mile of this journey—removing passwords entirely—is as much about supporting your helpdesk and documenting processes as it is about the technology itself. Whether you are managing a cloud-only tenant or navigating complex hybrid scenarios, this episode offers a practical roadmap for the future of enterprise identity.Subscribe with your favorite podcast player or watch on YouTube 👇About Eric WoodruffThroughout his 25-year career in the IT field, Eric has sought out and held a diverse range of roles. Currently the Chief Identity Architect for Semperis; Eric previously was a member of the Security Research and Product teams. Prior to Semperis, Eric worked as a Security and Identity Architect at Microsoft partners, spent time working at Microsoft as a Sr. Premier Field Engineer, and spent almost 15 years in the public sector, with 10 of them as a technical manager.LinkedIn - https://www.linkedin.com/in/ericonidentity/🔗 Related Links* Phishing-resistant passwordless authentication deployment in Microsoft Entra ID* Semperis Research Uncovers Ongoing Risk from nOAuth Vulnerability in Microsoft Entra ID, Affecting Enterprise SaaS Applications* ConsentFix: Analysing a browser-native ClickFix-style attack that hijacks OAuth consent grants* Meet Silver SAML: Golden SAML in the Cloud* Manage tokens for Zero Trust📗 Chapters02:50 Rolling Out Passkeys 06:47 Application and Device Issues 09:49 Identifying Password Users 12:15 Lessons Learned for 2026 15:14 Understanding Downgrade Attacks 20:10 The NoAuth Vulnerability 27:08 Silver SAML Explained 32:56 Managing Service Principals 38:15 The Consent Fix AttackPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Service principals worked for static apps, but AI agents are different—they make autonomous decisions using LLMs and require a new approach to identity and security.In this episode of Entra Chat, Padma Parthasarathy, Product Manager for Microsoft Entra Agent Registry, explains why Microsoft created Entra Agent Registry and Agent ID, and how they provide identity, governance, and security for AI agents.We cover agent collections, discovery policies, integration with identity protection, and how custom security attributes automate AI agent governance at scale. You’ll also see how agents discover other agents by skills, how global and quarantine collections control visibility, and why these capabilities are critical for enterprise AI security.This is a must-watch (listen) for identity, security, and platform architects preparing for AI at scale.Subscribe with your favorite podcast player or watch on YouTube 👇About PadmaWith close to 20 years of experience in Identity, Security, and enterprise platforms, Padma Prasad Parthasarathy currently leads product and architecture for Security for AI and Agent Identity at Microsoft. He has built and scaled IAM and Zero Trust solutions across some of the world’s largest organizations, bridging deep technical expertise with real-world product impact.LinkedIn - https://www.linkedin.com/in/padmaprasadp/🔗 Related Links* What is the Microsoft Entra Agent Registry? - https://learn.microsoft.com/en-us/entra/agent-id/identity-platform/what-is-agent-registry📗 Chapters00:00 Intro 02:14 The Rise of Digital Workers 07:13 Static Apps vs. AI Agents 12:43 Introducing Entra Agent Registry 17:28 Agent ID vs. Registry 24:08 How Agents Collaborate 30:29 Emerging Agent Standards 35:24 Understanding Agent Collections 42:05 Managing Risky Agents 46:01 Automating Agent SecurityPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this episode, I’m joined by Christopher Brumm from glueckkanja to discuss real-world experiences deploying Microsoft Entra Global Secure Access (GSA).We go beyond the docs to talk about actual customer rollouts, scaling challenges, retiring VPNs, and what teams often underestimate when moving to Zero Trust Network Access.Subscribe with your favorite podcast player or watch on YouTube 👇About Christopher BrummChristopher Brumm is a Cyber Security Architect at glueckkanja AG in Germany. With more than 15 years of experience in IT security, Chris brings deep expertise and hands-on knowledge across the Microsoft Security portfolio and beyond. His career journey spans from network and data center technologies to Active Directory and Entra ID, with a strong focus on identity security.As a Microsoft MVP and CISSP, Chris is an active voice in the security community, regularly speaking at events and sharing insights through blog posts on identity and security topics. His latest passion is Global Secure Access, where identity, security, and networking converge to deliver a holistic Zero Trust approach.* LinkedIn - https://www.linkedin.com/in/christopherbrumm🔗 Related Links* Blog - https://chris-brumm.com📗 Chapters04:46 Proof of Concept vs Pilot 12:19 Deployment Strategy: The Blue Pill Approach 16:03 Solving Performance with Intelligent Local Access 17:49 Navigating Networking Challenges 25:14 The Hardest Part: Shutting Down Legacy VPNs 27:38 Handling External Access and BYOD 32:15 B2B Features and Tenant Switching 46:05 Why You Need the Microsoft 365 Profile 50:49 The Ultimate Admin Workstation SecurityPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Nicolas Blank, Founder of NBConsult and a 20-year Microsoft MVP, joins the show to dismantle the complexity around Zero Trust.Most Zero Trust conversations fail because they start with technology. Nicolas flips the script by using powerful everyday analogies (locking your car, protecting your newborn) to land the three core principles with executives.Essential watching for anyone implementing Zero Trust, securing Microsoft 365/Entra ID, or needing leadership support in 2026.Subscribe with your favorite podcast player or watch on YouTube 👇About Nicholas BlankNicolas is the founder, as well an architect, author and speaker focused on Office 365 and Azure at NBConsult in South Africa, England and Hong Kong. Nicolas is a Microsoft Certified Master, Dual Microsoft MVP - Microsoft Office Apps and Services, Microsoft Azure since March 2007.​Nicolas has co-authored the Microsoft Zero Trust Adoption Framework https://aka.ms/zero-trust-adopt, published by Microsoft; “Microsoft Exchange Server 2013: Design, Deploy and Deliver an Enterprise Messaging Solution”, published by Sybex and available on Amazon; as well as authoring “Azure Site Recovery: IaaS Migration and Disaster Recovery”, published by Pluralsight.Nicolas can be found on LinkedIn: https://www.linkedin.com/in/nicolasblank/Or via his Company Website:​ https://www.nbconsult.co🔗 Related Links* Microsoft Zero Trust Workshop - https://aka.ms/ztworkshop* Zero Trust Adoption Framework - https://aka.ms/zero-trust-adopt* Microsoft Digital Defense Report - http://aka.ms/mddr📗 Chapters01:52 The Why Behind Zero Trust 04:17 The Baby Analogy: Explaining Least Privilege 07:41 Debunking Security Myths 11:43 Assume Breach vs Being Secure 15:28 Getting Stakeholder Buy-in 20:24 The Immune System Approach 21:45 Ruining Attacker ROI 25:50 The 96% Statistic You Can’t Ignore 33:24 Where to Start: Practical Tools 37:54 The Zero Trust Adoption FrameworkPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Is the traditional VPN dead? In the latest episode of Entra Chat, we dive deep Microsoft Entra Global Secure Access (GSA).Joined by Karen Simmel from the GSA product team and Thomas from the Entra CXE Architecture team, we explore how Microsoft is bridging the gap between identity and network security.The Shift from VPN to SASEThe "good old days" of spinning up firewalls and DMZs are fading. Traditional controls are often too coarse-grained and lack identity awareness. As Thomas explains, the COVID-19 pandemic accelerated the need for change when traditional VPN gateways physically couldn't handle the load of remote workforces.This has paved the way for SASE (Secure Access Service Edge) and SSE (Security Service Edge), which move security controls to the cloud at hyperscale.What is Global Secure Access?The team breaks down the confusing terminology to help you understand the core products:* Microsoft Entra Private Access: This is the ZTNA (Zero Trust Network Access) solution, replacing the classic VPN for accessing on-prem and private resources.* Microsoft Entra Internet Access: This acts as a Secure Web Gateway (SWG), protecting outbound access to SaaS apps and the internet with URL filtering and DLP controls.* Microsoft Entra Suite: A bundle that combines these network capabilities with Verified ID, Identity Governance, and Identity Protection for a comprehensive solution.The "Secret Sauce"Why choose Microsoft's solution? The differentiator is that GSA isn't just integrated with the Identity Provider (IdP)—it *is* part of the IdP.This deep integration allows for near real-time security. For example, if a user's device is compromised, the SOC team can revoke the token, and Entra can immediately terminate the network tunnel or prompt for step-up authentication. It brings the power of Conditional Access directly to network traffic.Better Performance, Better PrivacyContrary to the belief that security slows things down, GSA often improves performance. By leveraging Microsoft's massive global private fiber network, traffic is intelligently routed to the closest point of presence rather than being backhauled to a headquarters.From a privacy standpoint, admins have granular control. You decide what traffic is tunneled and inspected, ensuring you can meet compliance requirements (like those in the EU) without over-monitoring employee activity.Ready to Deploy?Deployment doesn't have to take months. Some customers are getting up and running with a Proof of Concept (PoC) in a single day. Whether you use the client-based agent or need client-less access for contractors, Microsoft provides detailed deployment plans to guide you.Subscribe with your favorite podcast player or watch on YouTube 👇About the GuestsKeren SemelKeren leads visibility and data insights for the Global Secure Access product group. Based in Tel Aviv, she brings deep experience from the SASE/SSE market to Microsoft.LinkedIn: https://www.linkedin.com/in/keren-semel-4876383/Thomas Detzner Thomas is a lead architect in the Entra CxE team, specializing in Global Secure Access and Zero Trust. A former network engineer based near Munich, he helps organizations bridge the gap between traditional networking and modern identity security.LinkedIn: https://www.linkedin.com/in/thomasdetzner/🔗 Related Links* Microsoft Global Secure Access Documentation - https://learn.microsoft.com/en-us/entra/global-secure-access/ * Zero Trust Workshop - https://aka.ms/ztworkshop📗 Chapters00:00 Intro 05:17 The Limitations of Legacy VPNs 12:49 SASE vs SSE vs ZTNA Explained 21:26 The Identity-Network Secret Sauce 29:42 Unpacking Entra Suite 33:20 Microsoft’s Global Network Architecture 38:19 Client and Clientless Connectivity 41:26 Deployment and POC Process 45:31 Migrating from Zscaler to GSA 47:15 Privacy and Compliance ControlsPodcast Apps🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Louis Mastelinck, a Microsoft MVP and Security Consultant at Proximus NXT, joins me to discuss the critical journey of moving organizations away from SMS-based MFA.We deep dive into a practical strategy for migrating users to the Authenticator app, starting with “stopping the bleed” and managing user groups. We also explore a significant security blind spot regarding Email OTP for SharePoint guest access and how to resolve it. Finally, we debate the future of authentication with device-bound versus synced Passkeys and how to defend against downgrade attacks.Subscribe with your favorite podcast player or watch on YouTube 👇About Louis MastelinckLouis Mastelinck is a Security Consultant at Proximus NXT and a recognized Microsoft MVP based in Belgium. Specializing in Incident Response and the full Microsoft Security stack (including MDE, MDO, Sentinel, and Identity Management), he is dedicated to neutralizing threats and securing digital environments. A GCFA-certified professional, Louis is known for his deep technical expertise in areas like Conditional Access and authentication methods.LinkedIn - https://www.linkedin.com/in/louismastelinck/ 🔗 Related Links* Microsoft: Hang up on SMS - http://aka.ms/hangup📗 Chapters00:00 Intro 00:52 Props and PIM 01:41 The Dangers of SMS MFA 04:51 Strategy: Stopping the Bleed 10:06 Migrating Existing Users off SMS 19:20 Impact on Self-Service Password Reset 22:39 The SharePoint Email OTP Security Gap 25:13 Enabling Entra B2B Integration 34:28 Passkeys: Device-Bound vs Synced 44:40 Defending Against MFA Downgrade AttacksPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this week’s episode Jan Bakker, Microsoft MVP and solution architect from the Netherlands, joins us for a masterclass in extending Microsoft Entra ID beyond out-of-the-box capabilities. This episode is your complete guide to building custom identity governance and lifecycle management using Power Apps, Logic Apps, and Azure automation.You’ll learn the fundamental building blocks of automation in the Microsoft ecosystem and how to combine them creatively.Jan’s approach: treat Entra as a platform, not just a product.The automation stack he teaches: → Power Automate (everyday workflows)→ Logic Apps (enterprise automation)→ Dynamic Groups (intelligent triggers)→ Graph API (the foundation of everything)→ Event Hub (cost-effective event streaming)Key topics covered:* Understanding Power Automate vs Azure Logic Apps (and when to use each)* Managed identities and least privilege automation* Dynamic groups as automation triggers* Event Hub for cost-effective event-driven workflows* Custom authentication extensions and token augmentation* Real implementation costs ($50/month for enterprise solutions!)From the conversation:* Step-by-step temporary access pass automation* Automatic refresh token revocation on account disable* MFA method change notifications (like Gmail/Twitter)* Guest lifecycle management and approval flows* Conditional access policy monitoringWhether you’re new to automation or an experienced architect, you’ll walk away with actionable ideas and a new way of thinking about identity solutions.Subscribe with your favorite podcast player or watch on YouTube 👇About Jan BakkerJan is a Microsoft MVP and Solution Architect based in the Netherlands. He is known for his ability to make complex DevOps and Entra concepts accessible and publishes extensive guides on his blog about extending Entra capabilities.LinkedIn: https://www.linkedin.com/in/jan-bakker/🔗 Related Links* Send an email on a new MFA method registration - https://janbakker.tech/send-an-email-on-a-new-azure-mfa-method-registration/* How to build a PowerApp – Temporary Access Pass Manager - https://janbakker.tech/category/power-platform/* Trigger Logic App on group membership changes in Entra ID - https://janbakker.tech/trigger-logic-app-on-group-membership-changes-in-entra-id/* Poor man’s IGA: Monitor and clean up stale guest accounts - https://janbakker.tech/poor-mans-iga-monitor-and-clean-up-stale-guest-accounts/* Poor man’s IGA: Generate Temporary Access Pass for joiners - https://janbakker.tech/poor-mans-iga-generate-temporary-access-pass-for-joiners/* Unlocking the Power of employeeHireDate in Entra ID Dynamic Groups - https://janbakker.tech/unlocking-the-power-of-employeehiredate-in-entra-id-dynamic-groups/* Temporary exclusions for Conditional Access using PIM for Groups - https://janbakker.tech/temporary-exclusions-for-conditional-access-using-pim-for-groups/Sponsored by:Shadow IT and SaaS sprawl are outpacing IT teamsIt can feel impossible to tackle these app governance challenges:📦 Entra ID isn’t secure by default💥 SaaS adoption & sprawl isn’t slowing down⌨️ Citizen Development keeps rising (hello, Copilot Studio!)🗑️ Vendors often don’t remove apps after uninstall🔃 Offboarding is inconsistent or doesn’t happen at all🥔 App governance is passed around like a hot potatoENow AppGov Score shines a light on lurking risks, providing a free App Governance Benchmark Report for your Entra tenant. Reclaim control and protect against breach & disruptions. Free upgrade to Standard Tier for 7 days once you get your score.Secure & Govern Entra Apps Now📗 Chapters00:03 The Poor Man’s IGA Concept 00:07 Revoking Refresh Tokens Automatically 00:13 Power Apps for Approval Workflows 00:16 Custom Logic for Managing Guest Access 00:19 Building a Temporary Access Pass Tool 00:25 Power Automate vs. Azure Logic Apps 00:28 Triggering Automation with Event Hubs 00:31 Alerting on Security Changes via Audit Logs 00:41 Self-Service Group Management 00:44 Why You Must Learn Graph APIPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Khurram, a key member of the internal App Governance assessment team at Microsoft, joins the show to pull back the curtain on how Microsoft manages application security at a massive corporate scale and the rigorous internal security measures Microsoft employs to protect its corporate Entra ID tenant from risky applications.In this deep dive, Khurram reveals Microsoft’s custom-built App Governance blueprint. He details the process for reviewing and consenting to the hundreds of new application requests the organization receives monthly.Key Takeaways* Permission Risk Rating: Learn how Microsoft’s team assesses and assigns a severity rating—Low, Moderate, Important, or Critical—to permissions. This rating is based on the permission’s capability, whether it’s delegated or application, and its potential for PII exposure (e.g., Application permission or a .all scope will score higher).* The Weighting Model: Discover how the Microsoft app assessment team has proactively risk-rated between 3,000 and 3,500 permissions. This approach dictates when an app is automatically approved (for low-risk requests like User.Read) versus when it is flagged for manual, scenario-based review.* Holistic Risk Review: Khurram explains how the app’s overall risk is calculated beyond just permissions. This includes mandatory security controls like banning high-risk reply URLs (e.g., azurewebsites.net and aka.ms) , enforcing the use of certificates over secrets , and requiring multiple owners.* Multi-Team Veto Power: Understand the critical approval workflow where requests for higher-risk permissions are routed to specific organizational data owners (like the DLP, Identity, or Exchange teams). All teams must approve the request as a whole, giving each team a critical veto power over access to their services.Subscribe with your favorite podcast player or watch on YouTube 👇About Khurram ChaudharyKhurram is a Principal Security Assurance Eng on the internal assessment team at Microsoft. He specializes in App Governance and was instrumental in developing the systems and risk-rating methodologies used to manage thousands of application requests within Microsoft’s corporate tenant.🔗 Related Links* Entra Application Management - https://learn.microsoft.com/en-us/entra/identity/enterprise-appsSponsored by:Shadow IT and SaaS sprawl are outpacing IT teamsIt can feel impossible to tackle these app governance challenges:📦 Entra ID isn’t secure by default💥 SaaS adoption & sprawl isn’t slowing down⌨️ Citizen Development keeps rising (hello, Copilot Studio!)🗑️ Vendors often don’t remove apps after uninstall🔃 Offboarding is inconsistent or doesn’t happen at all🥔 App governance is passed around like a hot potatoENow AppGov Score shines a light on lurking risks, providing a free App Governance Benchmark Report for your Entra tenant. Reclaim control and protect against breach & disruptions. Free upgrade to Standard Tier for 7 days once you get your score.Secure & Govern Entra Apps Now📗 Chapters01:21 The Shift to Admin Consent 03:38 Factors for Reviewing App Risk 06:35 How We Rate Permission Severity 09:25 Automating Low-Risk Approvals 14:17 The Internal Review Workflow 21:40 The App Governance Scoring System 29:01 The Localhost Redirect Debate 39:35 Handling Stale Apps and Permissions 49:34 Advice for Identity AdminsPodcast Apps🎙️ Entra.Chat → https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Luca Spolidoro from the Microsoft Entra AI Innovations team joins us to unveil the new Microsoft MCP Server for Enterprise. We discuss how this innovation allows admins and AI agents to interface with their tenant using natural language, bridging the gap between LLMs and the complexity of Microsoft Graph.We also talk about the technical challenges of token limits, the patented “three-tool” solution that optimizes queries, and the roadmap for write operations and PowerShell script generation.Subscribe with your favorite podcast player or watch on YouTube 👇About Luca Spolidoro Luca is a Product Manager on the Entra AI Innovations team at Microsoft. Formerly working on advanced queries for Microsoft Graph, he now focuses on enabling AI agents to interact securely and efficiently with directory objects and tenant data. LinkedIn - https://www.linkedin.com/in/lucaspolidoro/🔗 Related Links * Microsoft MCP Server for Enterprise - https://aka.ms/mcp/entraSponsored by:Shadow IT and SaaS sprawl are outpacing IT teamsIt can feel impossible to tackle these app governance challenges:📦 Entra ID isn’t secure by default💥 SaaS adoption & sprawl isn’t slowing down⌨️ Citizen Development keeps rising (hello, Copilot Studio!)🗑️ Vendors often don’t remove apps after uninstall🔃 Offboarding is inconsistent or doesn’t happen at all🥔 App governance is passed around like a hot potatoENow AppGov Score shines a light on lurking risks, providing a free App Governance Benchmark Report for your Entra tenant. Reclaim control and protect against breach & disruptions. Free upgrade to Standard Tier for 7 days once you get your score.Secure & Govern Entra Apps Now📗 Chapters 03:36 The Hackathon Origin Story 05:55 What is the Model Context Protocol? 09:22 The Token Limit Problem 15:45 Microsoft’s “Secret Sauce” Solution 19:54 Current Limitations & Future Scope 23:57 Future: Write Operations & Scripts 30:12 Security & Admin Controls 42:43 Security Copilot vs. Standalone MCP 50:21 Getting StartedPodcast Apps 🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple 📺 YouTube → https://entra.chat/youtube 📺 Spotify → https://entra.chat/spotify 🎧 Overcast → https://entra.chat/overcast 🎧 Pocketcast → https://entra.chat/pocketcast 🎧 Others → https://entra.chat/rssMerill’s socials 📺 YouTube → youtube.com/@merillx 👔 LinkedIn → linkedin.com/in/merill 🐤 Twitter → twitter.com/merill 🕺 TikTok → tiktok.com/@merillf 🦋 Bluesky → bsky.app/profile/merill.net 🐘 Mastodon → infosec.exchange/@merill 🧵 Threads → threads.net/@merillf 🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

This week, I’m joined by a stellar panel of Nathan McNulty, Ru Campbell, Martin Sandren, and Thomas Naunheim to break down the firehose of news from Microsoft Ignite related to Entra. We dive straight into the hot debate over synced passkeys versus device-bound credentials and why consumer adoption might force our hand in the enterprise. We also explore the new Account Recovery features that could save companies thousands in helpdesk costs and unpack the massive shift toward “Agentic AI” with the launch of Entra Agent ID, a feature that fundamentally changes how we think about non-human identities. If you are feeling overwhelmed by the pace of AI and identity changes, you are not alone. Listen in as we figure this out together.Subscribe with your favorite podcast player or watch on YouTube 👇About our guests* Nathan McNulty: Nathan is a Senior Security Solutions Architect at Patriot Consulting and a Microsoft Security MVP. He has been working with Microsoft cloud identity solutions since the days of Live@edu and Office 365 in 2010.* https://www.linkedin.com/in/nathanmcnulty/* Ru Campbell: Ru is a Microsoft Security MVP who leads Microsoft Security at Threatscape. He describes himself as a “jack of all trades” when it comes to Microsoft 365 security, getting involved in a wide range of security topics.* https://www.linkedin.com/in/rlcam/* Martin Sandren: Martin is the Product Lead for Identity Access at Inter IKEA, where he manages identity solutions across the globe. He offers a unique perspective as a practitioner running identity for a massive enterprise.* https://www.linkedin.com/in/martinsandren/* Thomas Naunheim: Thomas is a Cloud Security Architect at glueckkanja and a Microsoft Security MVP. He specializes in cloud security architecture and actively tracks new features and announcements in the Microsoft ecosystem.Sponsored by:Shadow IT and SaaS sprawl are outpacing IT teamsIt can feel impossible to tackle these app governance challenges:📦 Entra ID isn’t secure by default💥 SaaS adoption & sprawl isn’t slowing down⌨️ Citizen Development keeps rising (hello, Copilot Studio!)🗑️ Vendors often don’t remove apps after uninstall🔃 Offboarding is inconsistent or doesn’t happen at all🥔 App governance is passed around like a hot potatoENow AppGov Score shines a light on lurking risks, providing a free App Governance Benchmark Report for your Entra tenant. Reclaim control and protect against breach & disruptions. Free upgrade to Standard Tier for 7 days once you get your score.🔗 Related Links* Microsoft Entra: What’s New in Secure Access on the AI Frontier* Entra.Chat - Access Review Agent* Entra.Chat - Conditional Access Agent📗 Chapters00:00 Intro04:36 The Debate: Synced vs Device-Bound Passkeys20:47 Entra Account Recovery & Identity Verification30:00 Passwordless Self-Remediation33:01 Security Copilot Comes to E536:47 The Rise of AI Agents in Entra42:49 Understanding Entra Agent ID56:47 MCP Servers & VS Code Integration01:05:20 Global Secure Access & AI Security01:09:14 Microsoft Security BaselinePodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

This week, I’m so excited to share the inside story of a project I’ve been working on for over a year: the new Zero Trust assessment. I’m joined by some of the key folks from the team: Tarek, who’s leading the charge; Sarah and John, who are crushing docs; and Ravi, who’s owning Intune.We unpack the wild breach that sparked it all, geek out over those Sankey charts that spotlight sneaky unmanaged devices and privileged access landmines, and tease why even “expired” app creds could be your silent killer. If you’re tired of silos between identity and endpoints, this is your wake-up call—tune in to see how to make Zero Trust practical before the next attack hits.Subscribe with your favorite podcast player or watch on YouTube 👇About Our GuestsSarah LipseySarah Lipsey has been with Microsoft for almost four years and writes about monitoring and health, ID Protection, and Security Copilot in Microsoft Entra. Sarah has worked as a technical writer and instructional designer for around 20 years, and for a university, a telecommunications firm, and a railroad. She lives in the woods with her family where she loves to knit, play video games, hike, and ski. Yes, she spends way too much time trying to close out every dot on a video game map. Still working on the Skellige map for The Witcher 3.LinkedIn - https://www.linkedin.com/in/sarah-lipsey-b53b746/John FloresJohn is a Senior Content Developer at Microsoft, where he has worked for over eight years. He specializes in creating high-impact technical content for identity security within Microsoft Entra, focusing on areas like Conditional Access, MFA, ID Protection, and device identity. John also leads the documentation efforts for Zero Trust content across Microsoft 365 and Identity teams. He actively collaborates with engineers and PMs to test pre-release features and engages with customers to refine technical guidance.LinkedIn - https://www.linkedin.com/in/johnbflores/Ravi KalwaniRavi is a Senior Program Manager at Microsoft, based in Sydney, Australia. With over 14 years of IT experience spanning technical training, support, consulting, and program management, his focus for the past five years has been on Enterprise Client and Mobility, specifically Microsoft Configuration Manager and Intune. Ravi is also an experienced public speaker, having presented at numerous technical conferences and delivered a wide range of workshops for both internal teams and enterprise customers.LinkedIn - https://www.linkedin.com/in/rkalwani/Tarek DawoudTarek Dawoud is a long-time veteran at Microsoft, having been with the company for over 18 years. Tarek currently leads the architecture team within the customer engineering (CXE) organization, where he helps customers deploy Entra, gathers insights for the product group, and works to solve the hardest identity problems.LinkedIn - https://www.linkedin.com/in/tarekdawoud/🔗 Related Links* aka.ms/zerotrust/assessment → Microsoft Learn docs page for the assessment* aka.ms/zerotrust/demo → Interactive demo of a sample assessment report* aka.ms/zerotrust/feedback → Share your feedback* aka.ms/zerotrust/issues → Logging bugs & issuesZero Trust Assessment - Five minute walkthroughZero Trust Assessment ReportSample report generated by the Zero Trust Assessment tool. Try aka.ms/zerotrust/demo for an interactive demo.📗 Chapters00:00 Intro 01:11 The Origin Story: A Customer Breach 05:59 A New Way to Write Docs 08:55 Bringing Intune into the Story 11:07 How This Compares to Secure Score 14:46 Uncovering Insights with Sankey Charts 21:55 Behind the Scenes: How a Test is Built 36:18 Why We Target Privileged Access (AI Attackers) 39:59 The Myth of “Safe” Expired Credentials 42:35 Final Thoughts: “Please Run It”Podcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this episode, I sit down with security researcher Katie Knowles to unpack the hidden layers of identity systems inside Microsoft Entra. We get into real-world attack paths like backdooring service principals, restricted administrative units that can accidentally create unstoppable accounts, and OAuth phishing in Copilot Studio. Katie also shares how she approaches deep technical research, what defenders often overlook, and why identity security is only becoming more complex. This is one of those conversations where you walk away thinking differently.Subscribe with your favorite podcast player or watch on YouTube 👇About Katie KnowlesKatie Knowles is a Senior Security Researcher at Datadog specializing in Microsoft Azure and Entra ID security. She has extensive experience across security engineering, penetration testing, and incident response. Katie is known for her thorough research that connects complex technical vulnerabilities to practical defensive guidance, publishing regularly on Datadog Security Labs and speaking at major security conferences.LinkedIn - https://www.linkedin.com/in/kaknowles/🔗 Related Links* Katie’s Datadog security posts - https://securitylabs.datadoghq.com/articles/?author=Katie_Knowles* Katie’s personal blog - https://kknowl.es* Katie’s conference talks - https://kknowl.es/external-content/* Creating immutable users through a bug in Entra ID restricted administrative units - https://securitylabs.datadoghq.com/articles/creating-immutable-users-entra-id-administrative-units/* I SPy: Escalating to Entra ID’s Global Admin with a first-party app - https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-global-admin/* CoPhish: Using Microsoft Copilot Studio as a wrapper for OAuth phishing - https://securitylabs.datadoghq.com/articles/cophish-using-microsoft-copilot-studio-as-a-wrapper/📗 Chapters02:08 The Immortal User Bug in Restricted Admin Units04:23 Attacker Impact: The Un-deletable Malicious Account05:59 Hacking First-Party Apps & Bypassing AppLock09:29 How She Found the AppLock Bypass11:16 A Day in the Life of a Security Researcher14:20 Phishing with Copilot Studio & OAuth17:00 Top Tips for App Governance & Security21:45 The Hidden Risk of Azure Key Vault Access Policies28:55 App Registrations vs. Service Principals Explained41:48 The Future: Agent IDs & The New Trust ModelPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Sami Lamppu and Thomas Naunheim, the creators of the Entra ID Attack and Defense Playbook, join me to discuss their incredible 5-year community project.We talk about the most complex attacks they’ve researched, including the “black box” token and PRT attacks, and their shocking findings related to TPM and device compliance. We also dive deep into their brand-new chapter on the new Microsoft Entra Connect Application Based Authentication model and the critical steps you must take to secure it.Subscribe with your favorite podcast player or watch on YouTube 👇About Sami & ThomasSami Lamppu is a Microsoft Security MVP and a Principal Cloud Security Lead at Elisa with a strong focus on the blue team side, helping organizations proactively prevent attacks.Thomas Naunheim is a Cybersecurity Architect at glueckkanja and a Microsoft Security MVP. He specializes in Microsoft Entra, identity and access management, and cloud security posture.* Sami LinkedIn - https://www.linkedin.com/in/sami-lamppu/* Thomas LinkedIn - https://www.linkedin.com/in/thomasnaunheim/🔗 Related Links* Entra ID Attack and Defense Playbook - https://github.com/Cloud-Architekt/AzureAD-Attack-Defense📗 Chapters02:35 Origin Story of the Playbook 07:08 Overview of the Attack Chapters 09:53 Who is the Playbook For? 13:59 The Hardest Chapter to Write: Tokens 21:48 Shocking PRT & TPM Findings 24:43 NEW Chapter: Hacking Entra Connect (ABA) 29:10 How to Secure the New Sync Account 36:53 HSCAR: The Posture Analyzer Tool 45:09 Keeping the Playbook Updated & Community 53:12 What’s Next & Final AdvicePodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this episode, I chat with Dirk-jan Mollema, the legendary researcher behind some of the most important discoveries in Microsoft identity security. We go deep into how curiosity led him from tinkering with web tools to uncovering one of the biggest Entra ID vulnerabilities ever found. He shares the story behind the CVE that rocked the cloud world, the stress of realizing what he’d uncovered, and the mindset that drives his relentless research. If you’ve ever wondered what it feels like to find a bug that could break the internet—this one’s for you.PS: If you like this episode please leave a review on Apple Podcast or Spotify 🙏Subscribe with your favorite podcast player or watch on YouTube 👇About Dirk-jan MollemaDirk-Jan Mollema is a security researcher and consultant specializing in Microsoft Entra ID (Azure AD) and Active Directory security. He is the creator of popular offensive security tools including ROADtools and ROADrecon. With seven years of Entra research and nearly a decade in AD security, Dirk-Jan has discovered numerous critical vulnerabilities and has played an important role in helping improve Microsoft’s cloud security posture. He provides training and consulting services through his company Outsider Security.Twitter → https://twitter.com/_dirkjanLinkedIn → https://www.linkedin.com/in/dirkjanmContact → https://outsidersecurity.nl🔗 Related Links* One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens - https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens* Dirk-Jan’s Blog - https://dirkjanm.io* ROADtools - https://github.com/dirkjanm/ROADtools📗 Chapters00:00 Intro02:11 Guest Journey into Security07:13 Building ROADtools and ROADrecon09:53 Research Tools & Methods14:05 Top Discoveries Ranked17:01 Windows Hello & PRT Deep Dive26:07 The Cross-Tenant Actor Token Bug35:34 Ethical Dilemmas of Big Finds38:24 Disclosure, Impact & Community45:59 Future Research & Intune Tips53:58 Training, Consulting & ClosingPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this episode, I sit down with Alexander Filipin, a Product Manager at Microsoft, to unpack the essentials of identity governance and why access reviews are a game-changer for security and compliance.We explore the pitfalls like rubber stamping that plague traditional methods and tease how the new AI-driven Access Review Agent is stepping in with smart recommendations and context to make decisions easier and more accurate. Plus, we peek into exciting future possibilities where agents could automate access management entirely—tune in to see how this could reshape your org’s approach!Subscribe with your favorite podcast player or watch on YouTube 👇About Alexander FilipinAlexander Filipin is a Product Manager at Microsoft in the Microsoft Entra ID Governance team. With a background in consulting and identity security, he previously contributed to popular community projects like Conditional Access as Code and now leads features in Microsoft Entra, including the newly released Access Review Agent.LinkedIn - https://www.linkedin.com/in/alexfilipin/🔗 Related Links* Microsoft Entra Access Review Agent Documentation - https://aka.ms/aragent* Conditional Access Optimization Agent - https://learn.microsoft.com/en-us/entra/identity/conditional-access/agent-optimization📗 Chapters00:00 Intro00:48 From Community Code to Microsoft Product Management04:42 The 4 Drivers of Governance: Security, Compliance, & Cost Savings06:45 Why Access Reviews are Critical for Guest and Licensing Cleanup13:46 Licensing: Entra ID P2 vs. Entra Governance Capabilities20:01 The Biggest Problem with Traditional Access Reviews Today20:41 Introducing the Entra Access Review Agent23:18 The Role of AI in Generating Reviewer Context34:04 The Audit Trail and Compliance for AI Decisions44:26 Future Vision: The Next Evolution of Identity GovernancePodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Welcome back to Entra.Chat! In this rapid-fire Q&A, I’m joined by a team of brilliant CXE Identity Architects from Microsoft, and they’re answering the toughest questions on the future of identity. We dive deep into the security challenge posed by agentic AI that can spawn self-replicating identities and how Microsoft is creating tailored behavioral analytics to protect your environment. The team also spills the details on the shift to phishing-resistant MFA through authentication strengths capabilities for Entra ID tenants—you’ll definitely want to listen before your next audit!Subscribe with your favorite podcast player or watch on YouTube 👇About The PanelThis episode features an incredible panel of experts from Microsoft’s Identity team:* Tarek Dawoud: Lead Architect of the Architecture Team, focusing on AI for Security and Entra Resilience → https://www.linkedin.com/in/tarekdawoud/* Tyler Chan: Architect focusing on the Zero Trust Workshop and the healthcare vertical → https://www.linkedin.com/in/chantylert/* Ramiro Calderon: Architect on the team focusing on Identity and Access Management and helping customers move to the cloud → https://www.linkedin.com/in/ramirocalderon/* Jas Suri: Architect for Customer Identity and Access Management (CIAM), including Entra External ID as well as passwordless technologies → https://www.linkedin.com/in/jas-suri-aa644a7b/* Ehud Itshaki: Identity Architect focusing on AI’s impact on identity systems and government customers → https://www.linkedin.com/in/ehudi/* Thomas Detzner: Architect focusing on Global Secure Access (GSA) and the network pillar of Zero Trust. → https://www.linkedin.com/in/thomasdetzner/* Travis Gross: Manager and lead of the overall Identity CxE team at Microsoft → https://www.linkedin.com/in/travis-gross-536b3b9b/* Keith Brewer: Architect for Entra authentication, identity security, and U.S. government customers → https://www.linkedin.com/in/keith-b-145519174/🔗 Related Links* The future of AI agents—and why OAuth must evolve - https://techcommunity.microsoft.com/blog/microsoft-entra-blog/the-future-of-ai-agents%E2%80%94and-why-oauth-must-evolve/3827391* Beyond OAuth: Why SCIM must evolve for the AI agent revolution - https://techcommunity.microsoft.com/blog/microsoft-entra-blog/beyond-oauth-why-scim-must-evolve-for-the-ai-agent-revolution/4433036* Use Kerberos for single sign-on (SSO) to your resources with Microsoft Entra Private Access - https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-configure-kerberos-sso* Bulk operations in Microsoft Entra ID (Preview) - https://learn.microsoft.com/en-us/entra/fundamentals/bulk-operations* Road to the cloud: AD to Entra ID - aka.ms/AD2AAD* Microsoft Entra security operations guide - Incident Response Playbooks - https://learn.microsoft.com/en-us/entra/architecture/security-operations-introduction* Incident response playbooks - https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks* Review permissions granted to enterprise applications - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-application-permissions?pivots=portal* Multi-factor unlock - https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/multifactor-unlock?tabs=intune* API-driven Inbound Provisioning - Integration scenarios - https://learn.microsoft.com/en-au/entra/identity/app-provisioning/inbound-provisioning-api-logic-apps#integration-scenario-variations📗 Chapters03:57 The Challenge of Agentic AI and Identity 06:35 Top Identity Security Enhancements You Can Use Today 09:42 Entra External ID: Syncing Tenants and B2C Migration 11:41 Restoring Compromised Tenants15:01 Verifying Real Humans: Identity Assurance Levels (IAL) Explained 17:01 Rethinking App Consent and Granular Admin Roles 18:28 Clearing Up Confusion: Passkeys vs Phishing-Resistant MFA 20:33 Ditching On-Prem: Moving Legacy Apps with Private Access 23:14 How AI Will Change IAM Admins & Permissions Forever 30:31 Is Entra ID Governance the End of MIM?Podcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this episode, I sit down with my longtime friends and colleagues, Jas Suri and Gayan Randeny, at Microsoft’s campus to unpack the biggest Microsoft consumer identity shift in years—Azure AD B2C’s sunset and the rise of Entra External ID. We talk about why B2C is going away, the crazy scale of tenants with 100M+ identities, the migration paths and what the future looks like for customer identity. Plus, stick around until the end because Gayan and Jas share a world premiere on the podcast about a groundbreaking new Just-In-Time migration approach that will make moving millions of users to Entra External ID simpler than you think. You don’t want to miss this scoop!If you want to stay ahead of this massive transition, this is a must-listen.Subscribe with your favorite podcast player or watch on YouTube 👇About Jas SuriJas Suri is the CxE Architect PM for Microsoft Entra External ID and has a wealth of knowledge and experience in helping Microsoft customers deploy Azure AD B2C and Entra External ID. With extensive experience in Azure AD B2C and Entra External ID migrations, Jas has now taken on the CxE architect role for passkeys across both Entra ID and Entra External ID..LinkedIn - https://www.linkedin.com/in/jas-suri-aa644a7b/About Gayan RandenyGayan Randeny is a seasoned expert in customer identity and access management at Microsoft, with years of experience helping customers deploy Azure AD B2C and now leading efforts to migrate to Entra External ID. In addition to his work on Entra External ID, Gayan is now turning his attention to help enterprise customers deploy Global Secure Access.LinkedIn - https://linkedin.com/in/gyanrandhani🔗 Related Links* Migrating users to Microsoft Entra External ID - https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-migrate-users* Microsoft Entra External ID deployment architectures with Microsoft Entra - https://learn.microsoft.com/en-us/entra/architecture/external-identity-deployment-architectures* Azure Active Directory B2C: Custom CIAM User Journeys - https://github.com/azure-ad-b2c/samples📗 Chapters00:00 Intro00:57 What is B2C and why it mattered03:44 The insane scale of B2C (100M+ identities)05:02 Why B2C is going away07:20 Converging enterprise and customer identity12:01 Migration differences: B2C vs Entra External ID18:24 Just-in-time and passwordless migration23:09 Hybrid tenant approach explained29:15 Migration strategies and best practices33:29 New features, partners, and what’s next36:44 Closing thoughtsPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

On this episode of Entra Chat, I was thrilled to sit down with Yanyan and Sweta from the Entra UI experience team to dive deep into a feature that many of us have used but is now getting a massive refresh: Bulk Operations. We talked about how they took a critical legacy tool and completely re-engineered it for insane performance and scale, making it more reliable than ever. You’ll hear about some amazing new capabilities, like customizing the columns in your CSV exports and using UPNs instead of just Object IDs to add users, which is a huge time-saver. We even get a behind-the-scenes look at the engineering that makes it possible to export over a million groups in just 10 minutes!Subscribe with your favorite podcast player or watch on YouTube 👇About Yanyan JuYanyan Ju is a Principal Engineer Manager at Microsoft, where she is dedicated to delivering the best administrative experience for Microsoft customers. She focuses on creating value through user-friendly and consistent admin interfaces, shaping the future of AI-powered Entra Admin UX, and leading as part of a UX Engineering Center of Excellence.* LinkedIn: https://www.linkedin.com/in/yanyan-ju-194545239/About Sweta KumariSweta Kumari is a Product Manager at Microsoft, focusing on identity and access management within Microsoft Entra. Sweta leads initiatives around Entra Admin feature enhancements, Customer feedback integration and Privileged Identity Management (PIM). Her work emphasizes improving user experience, and ensuring secure, compliant access for customers.* LinkedIn: https://www.linkedin.com/in/sweta-kumari-557478127/🔗 Related Links* Bulk operations in Microsoft Entra ID (Preview) - https://learn.microsoft.com/en-us/entra/fundamentals/bulk-operations📗 Chapters00:01:20 What is Bulk Operations? 00:03:40 Supported Bulk Operations 00:06:34 Customizing Your Exports 00:08:45 How is it different from PowerShell? 00:11:29 Adding Members in Bulk (The Easy Way) 00:13:56 Bulk Deleting Safely 00:16:12 Why Was The Feature Rebuilt? 00:19:05 The Engineering Overhaul 00:23:02 Insane Performance Gains 00:25:19 How to Share Your FeedbackPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Cybersecurity expert Erica shares her incredible journey from pharmacist to becoming a professional hacker. She reveals how attackers are bypassing modern security controls like MFA and what you can do to protect your tenant.We talk about the most common configuration vulnerabilities that exist in almost every organization, the dangers of application onboarding, and the top five phishing vectors threat actors are using to gain initial access, including clever abuses of Microsoft Teams.Subscribe with your favorite podcast player or watch on YouTube 👇About EricaErica has an amazing career arc, starting in pharmacy before pivoting to cybersecurity. With a deep, hands-on understanding of offensive security gained from platforms like Hack the Box and real-world penetration testing, she specializes in protecting and defending Microsoft Cloud tenants. Erica is passionate about sharing her knowledge on how to better protect your tenant and what bad guys are looking for.LinkedIn - https://www.linkedin.com/in/erica-z-b4169598/🔗 Related Links* Blog - https://ericazelic.medium.com/* Hack The Box - https://www.hackthebox.com/* Altered Security - https://www.alteredsecurity.com/📗 Chapters00:00:00 Intro 00:02:14 From Pharmacy to Cybersecurity 00:07:19 Learning to Hack with Hack The Box 00:11:45 The First Cloud Hack: M365 Public Groups 00:17:50 The Hidden Dangers of App Onboarding 00:25:53 The 5 Modern Phishing Attack Vectors 00:30:36 Bypassing MFA with Device Code Phishing 00:34:34 Adversary-in-the-Middle & Auth Downgrade Attacks 00:48:24 The Secret to Mastering Cybersecurity SkillsPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Jeremy Conley, Product Manager on the Identity Governance team at Microsoft, demystifies the world of guest access in Microsoft Entra. We discuss the hidden security risks that accumulate as guests are invited into a tenant and the governance challenges this creates.We also do a deep dive into the different licensing tiers, from P2 to the new Entra ID Governance for Guests license, and explain the recently GA’d , cost-effective MAU-based billing model for guests. Jeremy provides actionable tips for admins to start cleaning up their tenants and implementing a robust governance strategy today.Subscribe with your favorite podcast player or watch on YouTube 👇About Jeremy ConleyJeremy Conley is a Product Manager at Microsoft, focusing on identity governance. His work is centered on Entitlement Management and the governance of guest and external users within Microsoft Entra, helping customers secure their environments and manage user lifecycles effectively.LinkedIn - https://www.linkedin.com/in/jeremy-conley-99552379/🔗 Related Links* Microsoft Entra ID Governance licensing for guest users • aka.ms/EntraIDGuestGovernance* PowerShell tool to update guest sponsor info • Update-MsIdInvitedUserSponsorsFromInvitedBy📗 Chapters00:51 What are Guests & External Users? 03:51 The Hidden Security Risk of Guests 07:14 Understanding Licensing for Guest Governance 09:10 P2 Features: Entitlement Management & Access Reviews 15:19 Entra ID Governance: Lifecycle Workflows & Automation 20:33 The "Sponsor" Concept for Guest Accountability 25:49 The NEW Guest Licensing Model Explained28:15 Demystifying the 1:5 Ratio vs. MAU Billing35:18 Common Mistakes Admins Make with Guests 37:22 A Simple First Step to Clean Up Your TenantPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this episode of Entra.Chat, I dive into the critical world of app governance with experts Jay Gundotra and Sander Berkouwer, who unpack the hidden risks of non-human identities in Microsoft Entra. From shocking real-world breaches like Midnight Blizzard to a hilarious tale of a theme park’s water supply mishap, we explore why securing your cloud apps is more urgent than ever. Tune in to discover practical tips and tools to safeguard your organization without losing your giraffes!Subscribe with your favorite podcast player or watch on YouTube 👇About Jay GundotraJay is the CEO and technical founder of E-Now. He has a long history as an Exchange and Active Directory engineer, which led him to found his company and focus on solving complex identity and application governance challenges for enterprises.LinkedIn - https://www.linkedin.com/in/jay-gundotra-19079a/About Sander BerkouwerSander Berkouwer is a 17-year Microsoft MVP veteran and an accomplished identity architect. With deep expertise from being "in the trenches," he partners with Jay to educate the community and build solutions for managing non-human identities and service principals.LinkedIn - https://www.linkedin.com/in/sanderberkouwer/🔗 Related Links* AppGov Community - https://community.appgovscore.com/* How Ownerless Apps in Entra ID Increase Your Attack Surface* Securing Workload Identities in Entra ID: A Practical Guide for IT and Security Teams📗 Chapters00:00 Intro 01:55 What is App Governance? 04:02 The Origin Story of Focusing on App Governance 08:35 Why App Security is Critical Today 14:15 The Dangers of Over-Privileged Apps 20:38 The Giraffe Story: When Cleanup Goes Wrong 24:42 What Should a Successful Organization Do? 30:22 The Full Application Lifecycle: Onboarding to Offboarding 35:38 Building the AppGov Community 45:04 The Importance of Education and AutomationPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this episode of Entra.Chat, I dive deep with cybersecurity architect Fabian Bader into his research on bypassing poorly designed Microsoft Entra’s conditional access policies and what you can do about them. We also cover the game-changing new Group Source of Authority feature that lets you finally manage synced groups in the cloud, and share insights from Fabian’s work with MSRC to secure the platform—don’t miss this one if you want to stay ahead in cloud security!Subscribe with your favorite podcast player or watch on YouTube 👇About Fabian BaderFabian Bader is a Cybersecurity Architect at glueckkanja, based in Hamburg, Germany. He is a well-known researcher in the Microsoft identity space, creator of the Cloud Brothers blog, and creator of the Maester and Token Tactics V2 tools. His work focuses on Microsoft Entra and the Defender suite, helping customers secure their cloud environments.LinkedIn - https://www.linkedin.com/in/fabianbader/🔗 Related Links* Fabian’s Blog - https://cloudbrothers.info/* Entra Scopes - https://entrascopes.com/* Maester - https://maester.dev/* Token Tactics V2 - https://github.com/f-bader/TokenTacticsV2📗 Chapters 02:19 The Story of the "Cloud Brothers" Blog 03:32 The Origin Story of Maester 07:39 Token Tactics V2 & Continuous Access Evaluation 09:43 How Conditional Access Bypasses Are Found 12:05 What is FOCI (Family of Client IDs)? 18:04 Hardening Your Conditional Access Policies 29:59 V1 vs V2 Token Endpoints Explained 38:19 Using Graph Activity Logs in Defender XDR 42:45 The New Group Source of Authority (SOA) 54:59 Workplace Ninjas US AnnouncementPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple 📺 YouTube → https://entra.chat/youtube 📺 Spotify → https://entra.chat/spotify 🎧 Overcast → https://entra.chat/overcast 🎧 Pocketcast → https://entra.chat/pocketcast 🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx 👔 LinkedIn → linkedin.com/in/merill 🐤 Twitter → twitter.com/merill 🕺 TikTok → tiktok.com/@merillf 🦋 Bluesky → bsky.app/profile/merill.net 🐘 Mastodon → infosec.exchange/@merill 🧵 Threads → threads.net/@merillf 🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this episode, I sit down with my boss, Tarek Dawoud, to pull back the curtain on what really happens during a major service outage. Tarek shares some incredible "war stories" from his time in the trenches, from the early days of DirSync where the team had to edit a sync file with a debugger to prevent an incident, to the massive outages of 2017 and 2018 that changed everything. We'll give you a peek into the high-stakes, quick-thinking world of a "live site" incident and reveal the groundbreaking engineering principles like cell-based architecture and the backup authentication service that were born from these challenges, making Entra more resilient than ever before. Subscribe with your favorite podcast player or watch on YouTube 👇About Tarek Dawoud Tarek Dawoud is a Lead Architect in the Customer Engineering team for Microsoft Entra. With years of experience growing up in Entra engineering, he has been involved in his share of outages and has a deep understanding of what it takes to build and maintain a resilient, hyperscale identity service. LinkedIn - https://www.linkedin.com/in/tarekdawoud/🔗 Related Links * SLA performance for Microsoft Entra ID - aka.ms/entraidsla * Microsoft Blames "Severe Weather" for Azure Cloud Outage * Microsoft Probes Cause of Global Web Outage* Microsoft's Azure AD authentication outage: What went wrong📗 Chapters00:57 What is a "Live Site"? 14:15 The Secret to Entra's Uptime: Cell-Based Architecture 18:09 How Entra Routes Your Login Request Globally 24:46 War Story #1: The 2017 Conditional Access Outage 29:52 War Story #2: How a Hurricane & an Office Bug Caused Chaos 43:39 The Backup Auth Service: Entra's Secret Weapon 57:54 Does the Backup Service Kick in Automatically? 01:04:16 Regional Isolation & The Power of Managed Identity 01:08:17 Anatomy of a Near-Outage in 2021 01:12:02 How Microsoft's Culture Learns From MistakesPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this episode, I sit down with Conrad Murray, a seasoned expert who lives and breathes the complexities of IT migrations during mergers, acquisitions, and divestitures.We dive deep into the real-world challenges that companies face, from the political battles of deciding whose tenant to use, to the technical nightmares of migrating three-quarters of a petabyte of data for a major global firm.Conrad shares some incredible "war stories" about the single hardest part of any migration—the domain cutover—and reveals why the success of a months-long project boils down to just the first four hours of the end-user experience on a Monday morning. Subscribe with your favorite podcast player or watch on YouTube 👇About Conrad MurrayConrad Murray is an expert in the IT lifecycle, specializing in complex tenant-to-tenant migrations for mergers, acquisitions, and divestitures. With over 15 years of experience moving companies to the cloud, Conrad has seen it all, from early BPOS and Lotus Notes migrations to massive, petabyte-scale Microsoft 365 consolidations.LinkedIn - Conrad Murray🔗 Related Links* Google to Microsoft 365 Migrations* PowerSyncPro📗 Chapters00:00:00 Intro 00:05:40 The Politics of Merging Tenants 00:07:23 Greenfield Tenants: A Fresh Start 00:09:58 War Story: Migrating 750TB for S&P Global 00:19:13 The Nightmare of Domain Cutovers 00:25:14 The Critical Day-One User Experience 00:30:00 Reconfiguring Mobile Devices: The Hardest & Easiest Part 00:35:46 Multi-Tenant Orgs (MTO): A Long-Term Solution? 00:49:22 The Unique Challenges of Divestitures 00:55:17 Data Cleanup That Never Happens 01:01:06 Tools of the Trade for Migration SuccessPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this episode we are joined by Jef Kazimer, Principal Product Manager at Microsoft to discuss the critical role of Microsoft Entra ID Governance. We explore the entire identity lifecycle from joiners, movers, and leavers (JML), the financial and security benefits of automated provisioning, and the pitfalls of legacy IGA solutions. Jef shares his extensive experience, from deploying complex MIM solutions to helping shape the future of cloud-native governance, and provides key insights into how AI will drive the need for more robust governance and how Entra is leveraging technologies like Azure Logic Apps for supportable, long-term solutions.Subscribe with your favorite podcast player or watch on YouTube 👇About Jef KazimerJef Kazimer is a PM on the Microsoft Entra team, specializing in Identity Governance. With a career spanning from help desk support and consulting to his current role in engineering, Jef has a deep understanding of the real-world identity and access management challenges that organizations face. He is passionate about helping customers secure their environments by leveraging the power of the cloud.LinkedIn - https://www.linkedin.com/in/jefkazimer/🔗 Related Links• Entra ID Governance licensing docs - https://learn.microsoft.com/en-us/entra/id-governance/licensing-fundamentals📗 Chapters01:39 From Atari to Microsoft: A Hacker's Journey 09:14 What is Identity Governance (and Why You're Already Doing It) 13:16 The Hidden Costs of Poor Governance & Licensing 15:58 The Customization Trap: Why 'Simple' is Better 22:57 Common Challenges in Identity Governance 27:36 Governance for Small vs. Large Businesses 30:51 The Secret to Great User Experience 42:33 Demystifying Entra ID Governance Licensing 46:41 The Future: How AI Changes EverythingPodcast Apps🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this eye-opening episode, I sit down with Microsoft's Clay and Ramiro, two Customer Experience (CxE) architects who've collectively run over 150 Zero Trust workshops with enterprise customers. They reveal the shocking gaps they consistently find—like customers spending millions on compliance policies but forgetting to actually block non-compliant devices with conditional access. We dive deep into their comprehensive Zero Trust Workshop framework that's become the "seventh wonder of the Excel world," discuss why partners are scrambling to get trained on their methodology, and explore how AI is about to reshape the entire Zero Trust landscape. If you think your organization has Zero Trust figured out, this conversation might just change your mind.Subscribe with your favorite podcast player or watch on YouTube 👇About Clay and RamiroClay and Ramiro are architects in Microsoft's customer experience (CXE) team. With over a decade of experience each at Microsoft, they specialize in helping the largest and most high-profile customers navigate complex deployments and security challenges. Ramiro has a background in engineering and was part of the team that built ADFS, while Clay focuses on the Intune side of things. They are the key figures behind the development and refinement of Microsoft’s Zero Trust Workshop.* LinkedIn - Ramiro: https://www.linkedin.com/in/ramirocalderon/* LinkedIn - Clay: https://www.linkedin.com/in/clay-p-55899912b/🔗 Related Links* Zero Trust Workshop - https://aka.ms/ztworkshop📗 Chapters00:24 The "Why" Behind the Zero Trust Workshop 08:16 How to Run the Workshop 14:15 How the Workshop Has Evolved 20:48 How Partners Can Use the Workshop 26:51 Evolution of the Roadmap 35:30 Real-World Customer Improvements 39:46 Zero Trust is a Team Sport 47:22 The Future: AI and the Workshop 49:10 Final Advice on Zero TrustPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this episode, I sit down with Jordan Dahl, a Product Manager on the Entra Conditional Access team, to discuss the newly GA'd Conditional Access Optimization Agent. Jordan shares the origin story of the agent, explaining how customer feedback about the difficulties of managing CA policies at scale led to its creation. We delve into how this AI-powered "digital colleague" works to identify and remediate security gaps, its future roadmap including Service Now integration and phased rollouts, and how you can get started with it in your own tenant.Subscribe with your favorite podcast player or watch on YouTube 👇About JordanJordan is a Product Manager on the Entra Conditional Access team at Microsoft. Her current focus is on the Conditional Access Optimization Agent. Previously, she was a PM for per-policy reporting in Conditional Access and for Groups within Entra.LinkedIn - https://www.linkedin.com/in/jordan-dahl-840182127/🔗 Related Links* Conditional Access optimization agent in Microsoft Entra📗 Chapters00:00 Intro 01:31 The Origin of the CA Optimization Agent 05:08 How the Agent Works 07:40 Autonomous Policy Changes? 12:39 How to Deploy the Agent 16:12 Customizing the Agent's Behavior 23:59 Upcoming Agent Features: Phased Rollouts & ServiceNow 29:45 The Future: A "Digital Colleague" 35:08 How to Give Feedback 41:09 Getting Started: Your Action ItemsPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this exciting episode of Entra Chat, I dive into the world of Entra + Windows devices with the passionate and knowledgeable John Towles, a solution architect and MVP for Windows 365 and more. We unpack why Entra hybrid join is still relevant for some organizations, explore the ins and outs of Windows Autopilot, and reveal practical tips for navigating the complexities of modern device management. Plus, we share a sneak peek into the upcoming Workplace Ninjas US event and get a special announcement about the Workplace Ninjas US "Golden Clippy Awards", including the finalists for the "Entra IDol of the Year."Subscribe with your favorite podcast player or watch on YouTube 👇About John TowlesJohn Towles is a Solutions Architect at WEI, a multi-award MVP (Windows 365, Intune), President of Workplace Ninjas US, and the proprietor of Mobile-John.com. With over a decade of experience as the face of VMware's Workplace One, John has a deep and unique perspective on endpoint management and cloud migration. He is passionate about helping organizations navigate complex technical challenges with pragmatic, real-world solutions.LinkedIn🔗 Related Links* Microsoft Entra Hybrid Join: Not Dead Yet! (Jon’s blog)* Workplace Ninjas US* Microsoft's Entra Kerberos: Bridging Legacy AD to Cloud Auth + MAM on Edge with PM Jordan Gross📗 Chapters00:23 Entra Hybrid Join: To Do or Not to Do? 03:13 The Great Migration from VMware to Intune 06:23 Entra Join vs. Hybrid Join Explained 12:52 The Magic of Cloud Kerberos Trust 15:53 Demystifying Windows Autopilot 25:23 Making the Case for Hybrid Join with Autopilot 30:57 Why Cloud-Native is the Future 36:16 Introducing Workplace Ninjas US 39:06 The "Golden Clippy Awards" 41:31 Announcing the Entra IDol of the Year FinalistsPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this episode, I sit down with Chetan Desai, a Principal Product Manager on the Microsoft Identity Governance team. We dive deep into a side of Entra that many admins never see: the critical "first mile problem" of getting identities into your system in the first place.We talk about the evolution from on-prem scripts and MIM to specific connectors for Workday and SuccessFactors and then to the new powerful, generic API-driven approach that can handle any HR system and the architectural decisions behind it. Chetan also gives us a masterclass on how the provisioning engine differs from the Graph API and provides advice for anyone looking to migrate from a legacy Identity Governance and Administration (IGA) solution.Subscribe with your favorite podcast player or watch on YouTube 👇About Chetan DesaiChetan Desai is a Principal Product Manager at Microsoft on the Entra team. For the past seven years, he has been a core part of the Entra Identity Governance and Provisioning team. Before his time at Microsoft, Chetan spent 17 years in consulting within the identity and access management domain , bringing a wealth of real-world deployment and integration experience to his product management role.🔗 Related Links* Application and HR provisioning documentation* Provisioning with SCIM* API-driven inbound provisioning concepts📗 Chapters00:34 The "First Mile Problem" in Identity 04:51 From AD Sync to HR-Driven Provisioning 09:52 The Entra Provisioning Service Architecture 16:17 Hybrid vs. Cloud-Only Identity Flows 19:17 Beyond Workday: The Need for a Generic Connector 27:43 The Great Debate: CSV vs. SQL vs. API 35:34 Provisioning API vs. Graph API: What's the Difference? 43:24 The Latest Evolution: Custom Security Attributes 49:26 Advice for Migrating to Modern IGAPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this episode, I chat with the legendary Tony Redmond, a prolific writer and author of "Office 365 for IT Pros". Tony shares unfiltered insights from his career, critiques the state of technical writing and AI, and discusses the challenges with PowerShell and the future of AI agents in the Microsoft ecosystem.Subscribe with your favorite podcast player or watch on YouTube 👇About Tony RedmondTony Redmond is a well-known and prolific writer in the Microsoft 365 space. After a long career in large tech companies like Digital, Compaq, and HP, where he rose to the level of Vice President, he became an independent consultant and author in 2010. He is the lead author of the widely respected and continuously updated e-book, "Office 365 for IT Pros," and "Automating Microsoft 365 with PowerShell."LinkedIn - https://www.linkedin.com/in/tonyredmond/ 🔗 Related Links* Office 365 for IT Pros (Book) - https://office365itpros.com * Practical 365 - https://practical365.com📗 Chapters00:00 Intro 03:50 Tony's career and lessons from corporate life 09:06 The story behind the "Office 365 for IT Pros" book 21:35 Tony's rules for great technical writing 25:31 The problem with duplicate content and AI summaries 36:31 A critique of the Graph PowerShell SDK 45:15 The dangers of AI and the need for guardrails 50:57 Microsoft's mistake: Rushing tech without guardrails 55:04 The cyclical nature of technology and IT challengesPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this episode, I sit down with Erin Greenlee, the Product Manager for App Consent on Microsoft’s App Platform Team. We dive into the critical world of app consent and the upcoming Microsoft 365 secure-by-default changes. We explore the nuances of user and admin consent, the impact of the mid-July 2025, policy shift, and how admins can prepare for a more secure Entra environment.Subscribe with your favorite podcast player or watch on YouTube 👇About Erin GreenleeErin Greenlee is a Product Manager at Microsoft, specializing in the App Platform Team within the Identity and Network Access division. With a decade of experience at Microsoft, including roles in B2C and domain services, Erin now focuses on consent, authorization, and app roles, helping organizations secure their applications while enabling productivity.LinkedIn - https://www.linkedin.com/in/eringreenlee/🔗 Related Links* MC1097272 - Microsoft 365 Upcoming Secure by Default Settings Changes - https://mc.merill.net/message/MC1097272 * Entra Admin Consent Workflow - https://docs.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow * Configure how users consent to applications - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent* Manage app consent policies - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-app-consent-policies* Review App Consent audit logs - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/app-perms-audit-logs📗 Chapters02:15 What is App Consent?03:22 Delegated vs. Application Permissions07:45 The User Consent Balancing Act13:58 How Consent is Evaluated17:33 Understanding Tenant Consent Policies22:28 The Admin Consent Workflow31:18 The Big Change: Microsoft's Secure-by-Default Update41:35 How to Prepare for the Change49:05 Advanced Delegation with Custom PoliciesPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this episode, we talk with an identity expert, ex-Microsoftie and Principal Domain Architect, Mark Renoden, about creating a modern Privileged Access Management (PAM) solution for on-premises Active Directory. Discover how to build a secure "Bastion Forest" architecture using Microsoft Entra. We talk about PIM for Groups, group write-back, phish-resistant credentials, Privileged Access Workstations (PAW), securing an Entra tenant from the ground up, and navigating challenges with Cloud Solution Provider (CSP) permissions.Watch on YouTubePS. Can I ask a favor? If you enjoyed this episode please leave a review and rating! Thank you 🙏 - MerillAbout MarkAs Principal Domain Architect for Identity at Increment, Mark leads the design and delivery of secure, scalable identity architectures grounded in Microsoft Entra ID and aligned with Zero Trust principles. He specializes in helping organisations modernise their infrastructure and navigate complex identity transformations.Previous to Increment, Mark spent over 20 years at Microsoft in support, field engineering, mission critical and customer experience roles focused on Identity across a wide spectrum of industries in Australia and New Zealand, including Finance, Healthcare, Government, Education and Retail.LinkedIn - https://www.linkedin.com/in/markrenoden/🔗 Related Links* DirectoryShield | Increment - https://www.increment.inc/directoryshield* Entra Security Recommendations - https://aka.ms/EntraSecurityRecommendations* Securing privileged access overview - https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-overview* MIM - Bastion environment - https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment📗 Chapters00:46 Securing Your Entra Tenant02:09 The Quest for a Microsoft-Only PAM Solution04:21 What is a "Bastion Forest"?07:50 Reimagining the Bastion Forest for the Cloud12:53 Architecting a "Secure-by-Default" Tenant17:41 Phish-Resistant On-Prem Admins19:50 The Modern Privileged Access Workstation (PAW)27:04 The Tiered Administration Model Explained29:51 The Hidden Dangers of CSP Admin Access34:29 How Fast is PIM for Groups?Podcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this very special episode, I sit down with the "Yoda of Entra" himself, Tarek Dawoud, who also happens to be my manager!We dig deep into the fascinating and often surprising history of Microsoft's identity platforms. Tarek, who has been on the team since 2007, takes us on a journey from the revolutionary launch of Active Directory in 1999, through the creation of the cloud services that battled Google Apps, to the formation of the identity division and the eventual rebrand to Entra.You'll hear the inside story on how our customer experience team became a "secret weapon" and, most excitingly, we'll look at what the future holds for Identity and Access Management in the new age of AI agents.Watch on YouTubePS. Can I ask a favor? If you enjoyed this episode please leave a review and rating! Thank you 🙏 - MerillAbout Tarek DawoudTarek Dawoud is a long-time veteran at Microsoft, having been with the company for over 18 years. Tarek currently leads the architecture team within the customer engineering (CXE) organization, where he helps customers deploy Entra, gathers insights for the product group, and works to solve the hardest identity problems.LinkedIn - https://www.linkedin.com/in/tarekdawoud/🔗 Related Links📗 Chapters00:00 Intro08:58 The Beginning: The Vision of Active Directory (AD)14:51 The Consumer Side: Microsoft Passport & The Standards Debate18:29 A Defensive Play: How Google Apps Sparked Microsoft's Cloud Identity27:21 The First Merger: Active Directory & Cloud Teams Unite32:03 The Birth of Conditional Access & The Authenticator App42:52 The Security Re-org: Identity Moves to a New Home45:30 A New Era: Rebranding to Entra48:52 The Future is Now: AI, Agentic Identities, and the End of PowerShell?Podcast Apps🎙️ Entra.Chat → https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this episode, we are joined by Maqsood Bhatti, the IAM Principal Engineer at Elkjøp Nordic, who takes us through their incredible journey of migrating from the legacy NetIQ platform to Microsoft Entra. What's fascinating is how they accomplished this years ago, completely bypassing traditional tools like Entra Connect and adopting a "production-only" environment. Maqsood shares how they built a truly cloud-native identity solution from the ground up, leveraging custom connectors, app roles, and automating everything, including moving off the legacy platform entirely.You’ll also hear about their advanced use of Microsoft Identity Governance, Logic Apps for custom provisioning, and a strict modern authentication policy that has shaped their identity and access management (IAM) for nearly a decade.Watch on YouTubePS. Can I ask a favor? If you enjoyed this episode please leave a review and rating! Thank you 🙏 - MerillAbout MaqsoodMaqsood is the IAM Principal Engineer at Elkjøp Nordic, a company that was an early adopter of access automation since 2006. He has been instrumental in their journey from legacy systems like NetIQ to a modern, cloud-native Microsoft Entra infrastructure , championing innovative approaches like custom API integrations and a "prod-only" development environment.LinkedIn - https://www.linkedin.com/in/maqsoodbhatti/🔗 Related Links* Elkjøp Nordic unngår IT-floker med storskala automatisering📗 Chapters00:00 Intro01:10 Early Days & NetIQ Automation03:34 The Journey to Public Cloud & Microsoft 36508:23 Custom Connectors and Real-Time Sync15:08 Embracing Azure, App Roles & Modern Auth19:29 Password Sync & Skipping Entra Connect22:57 Decommissioning NetIQ: Challenges & Motivations27:27 Leveraging Entra ID Domain Services as a Bridge33:28 Mastering App Roles & Guiding Developers44:27 Migrating to Entra ID Governance & Logic Apps52:57 The "Prod-Only" Philosophy & Cloud-Native MindsetPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Tobias Binkert, Head of IT at We Are Era, and Yusuke Kodama, Product Manager at Microsoft (who specialises in cloud-first identity, among many other things), join us to discuss We Are Era’s successful migration from on-premises Active Directory to a fully cloud-native Microsoft Entra ID environment.We delve into the motivations behind this significant shift with practical strategies for migrating devices using Microsoft Autopilot, modernizing applications, managing user accounts and groups in the cloud, and overcoming challenges like legacy RADIUS dependencies. Tobias shares the tangible benefits We Are Era experienced, including enhanced security, a superior user experience and increased agility for adopting new technologies.LinkedIn* Tobias Binkert - https://www.linkedin.com/in/tobias-binkert-83844810a/ * Yusuke Kodama - https://www.linkedin.com/in/yusukekodama85/On a related note we ran a poll a few weeks ago asking what your Identity plans were for 2030 and beyond. Nearly 90% of you were looking to go Entra ID first with more than half planning to go full cloud native with Entra ID.So hopefully this episode with Tobias and Yusuke will help shed some light and help you start your journey to going cloud-first/cloud-native.Watch on YouTubePS. Can I ask a favor? If you enjoyed this episode please leave a review and rating! Thank you 🙏 - Merill🔗 Related Links* Road to the cloud: Introduction* Cloud transformation posture* Establish a Microsoft Entra footprint* Implement a cloud-first approach* Transition to the cloud📗 Chapters00:00 Intro03:20 The Motivation: Why Decommission On-Prem Active Directory?06:23 Gaining Buy-In: Negotiating with Business Units09:56 The ROI & Cost Impact: Saving 70% on Infrastructure14:47 Device Migration: Tackling Windows Workstations with Autopilot25:31 Server & Application Challenges: RADIUS, Printing, and More32:06 User Accounts & Groups: The Shift to Cloud-Only Identities44:19 Addressing Security & Availability Concerns of Full Cloud49:43 Life After AD: Next Steps and Future Identity Initiatives51:45 Lessons Learned & Key Advice for Your Cloud MigrationPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this episode we chat with Sapir Federovsky, a Security Researcher at CrowdStrike, who shares her journey from military service to becoming an identity threat researcher.She discusses her learning methods, the importance of community, and the challenges of keeping up in the fast-paced world of Azure and Entra ID security.Sapir also delves into specific Entra ID features she focuses on, the critical role of prevention alongside detection, and her experiences as a woman in the tech industry.LinkedIn - https://www.linkedin.com/in/sapir-federovsky-a687491b0/Watch on YouTubePS. Can I ask a favor? If you enjoyed this episode please leave a review and rating! Thank you 🙏 - Merill🔗 Related Links* Sapir's blog - https://sapirxfed.com/* Reportly - https://github.com/sap8899/reportly📗 Chapters00:00 Intro01:17 Early Career Perspectives & Learning Journey03:25 Transitioning from Military to Civilian Tech04:25 Learning Cloud Security & The Power of Talks/Blogs08:19 Building a Tool for Log Analysis12:26 A Typical Day: Continuous Learning & Community Sharing15:08 Balancing Learning Old & New in a Fast-Evolving Field17:38 The Power of Teaching to Master a Topic19:37 Learning by Answering Questions21:17 Vision: Becoming the Ultimate Defender & Community Building23:48 Deep Dive: Graph Activity Logs in Entra ID27:33 Focusing on Hybrid Environments & Synchronization29:37 Experiences as a Woman in Tech36:29 The Shift from Detection to Prevention & Hardening39:13 The Challenge of Updating Tenant Configurations45:57 Navigating Organizational Change Management Cycles50:29 Final Advice: Always Say Yes & Create OpportunitiesPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe