Entra.Chat – Details, episodes & analysis

Podcast details

Technical and general information from the podcast's RSS feed.

Entra.Chat

Merill Fernando

Technology
News

Frequency: 1 episode every 7 days. Total episodes: 60

Substack
Entra Chat is a weekly podcast hosted by Merill Fernando that delivers practical insights for Microsoft administrators and security professionals through conversations with identity experts who've been in the trenches. Episodes feature seasoned Entra practitioners sharing real-world deployment experiences and Microsoft Entra team members who build the features you use daily. Get the inside track on best practices, implementation strategies, and upcoming capabilities directly from those who design and deploy Microsoft identity solutions. Join us for actionable takeaways you can apply immediately in your Microsoft 365, Azure, and Entra environments.

Entra.Chat, its content and opinions are my (Merill Fernando) own and do not reflect the views of my employer (Microsoft). All postings are provided "AS IS" with no warranties and are not supported by the author. All trademarks and copyrights belong to their owners and are used for identification only.

entra.news
Site
RSS
Apple

Recent rankings

Latest chart positions across Apple Podcasts and Spotify rankings.

Apple Podcasts

  • 🇨🇦 Canada - technology: 11/05/2026, #98
  • 🇬🇧 Great Britain - technology: 22/04/2026, #99
  • 🇬🇧 Great Britain - technology: 21/04/2026, #83
  • 🇬🇧 Great Britain - technology: 24/11/2025, #94
  • 🇬🇧 Great Britain - technology: 07/07/2025, #99
  • 🇬🇧 Great Britain - technology: 23/05/2025, #94
  • 🇬🇧 Great Britain - technology: 19/05/2025, #73
  • 🇩🇪 Germany - technology: 05/05/2025, #89
  • 🇩🇪 Germany - technology: 04/05/2025, #43
  • 🇩🇪 Germany - technology: 03/05/2025, #76

RSS feed quality and score

Technical evaluation of the podcast's RSS feed quality and structure.

RSS feed quality: Good

Global score: 74%


Latest published episodes

Recent episodes with titles, durations, and descriptions.


From Okta to Entra: Migrating 700 Apps in 90 Days

Episode 1

Monday 10 March 2025, Duration 01:04:02

In this very first episode of the Entra Chat podcast, I sat down with Ben Wolfe, my former manager and ex-Microsoft, who is now the Head of Security Solutions at Increment.

How to get in touch with Ben:

Ben Wolfe - https://www.linkedin.com/in/benjaminwillwolfe/

Increment - https://www.increment.inc/

Mentions during the episode:

Graph X-Ray - https://graphxray.merill.net/



Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Operational Groups in Entra with Nathan McNulty

Thursday 27 March 2025, Duration 46:59

Entra.Chat Podcast - https://entra.chat

In this insightful episode, Nathan McNulty, Senior Security Solutions Architect at Patriot Consulting, shares his extensive experience deploying and securing Microsoft Entra environments. With a background spanning civil engineering, education, and critical infrastructure, Nathan brings practical wisdom from managing environments with 50,000+ users and 90,000+ devices.

Subscribe with your favorite podcast player or watch on YouTube 👇

The conversation explores realistic approaches to securing BYOD, building effective conditional access policies using a "castle" framework, and leveraging administrative units to partition permissions efficiently. Nathan reveals his innovative "operational groups" automation technique that helps classify users by authentication methods, enabling granular security controls without manual effort. The episode also covers authentication methods migration strategies, extension attributes, and modern cloud automation approaches that replace traditional server-based scripts.

Whether you're looking to improve your conditional access strategy, smoothly migrate authentication methods, or automate Entra management tasks, Nathan's field-tested insights will help you secure your environment more effectively while reducing administrative overhead.

Nathan McNulty

* Web - https://nathanmcnulty.com/

* LinkedIn - https://www.linkedin.com/in/nathanmcnulty/

* Bluesky - https://bsky.app/profile/nathanmcnulty.com

* X - https://x.com/nathanmcnulty

Related Links

* Operational Groups scripts - https://github.com/nathanmcnulty/nathanmcnulty/tree/master/Entra/operational-groups

* Maester DevOps - https://maester.dev/docs/monitoring/github

* Authentication Methods Migration - https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage

* Administrative units - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units

* Restricted management administrative units - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management




Bypassing MFA with Kuba, the Evilginx guy!

Episode 2

Wednesday 19 March 2025, Duration 53:46

Episode Summary

In this episode, we dive into the sophisticated world of phishing attacks with Kuba Gretzky, creator of the renowned Evilginx framework. He shares insights on how Evilginx operates as a reverse proxy, capturing authentication tokens in real-time, and discusses the ethical considerations of creating such a powerful tool. Most importantly, Kuba provides valuable guidance on protection strategies that organizations can implement to defend against these advanced phishing techniques.

Chapters

00:00 - Introduction to Kuba and Evilginx

- Creator of Evilginx, a phishing framework demonstrating MFA vulnerabilities

- 15+ years in cybersecurity, started with MMO game hacking

- Transitioned through reverse engineering to cybersecurity

02:03 - Understanding Phishing Fundamentals

- Phishing presents fake sign-in pages to capture user credentials

- Even 7-year-olds now learn about phishing dangers in school

03:39 - How Evilginx Works Technically

- Functions as a reverse proxy between user and legitimate server

- Creates dual TLS connections to intercept all communications

- Captures authentication tokens for complete account takeover

05:55 - The Evolution of Phishing Tools

- Evolved from experiments with cookie manipulation

- Improved upon older tools that required malware installation

- Developed from Nginx with Lua scripting to standalone Go application

10:37 - Evilginx's Impact and Popularity

- Gained traction through demonstrating MFA vulnerabilities

- Creates "shock factor" when users see how easily accounts are compromised

- Emerged alongside other tools but distinguished by ease of demonstration

12:25 - Real-World Phishing Examples

- Sophisticated attacks use browser-in-browser techniques

- High-profile victims include Linus Tech Tips YouTube channel

- Attackers leverage urgency and fear to bypass security awareness

16:23 - Protecting Against Evilginx Attacks

- Implement domain verification checks through JavaScript

- Deploy "shadow tokens" with browser fingerprinting

- Utilize conditional access policies and FIDO2/passkeys

22:57 - Detecting Evilginx Attacks

- HTTP header inspection can identify attack signatures

- TLS fingerprinting (JA4) detects unusual connection patterns

- Cloudflare and other services block suspicious proxy connections

27:33 - User Education and Psychological Factors

- Focus on recognizing psychological triggers like urgency

- Reward reporting rather than punishing victims

- Teach users to access websites directly rather than through email links

31:01 - Ethical Considerations and Responsible Development

- Implemented vetting process for Evilginx Pro access

- Built anti-cracking protections to prevent misuse

- Created trusted community for responsible information sharing

36:43 - Future Developments and Evilginx Pro

- New client-server architecture with API for automation

- Features include bot protection and shadow token bypass capabilities

- Established BreakDev as company with plans for security software platform

Key Takeaways

- Modern phishing attacks like those enabled by Evilginx can bypass MFA by acting as a proxy in real-time.

- The strongest protections include device compliance, FIDO2/passkeys, and domain verification checks.

- Organizations should implement conditional access policies that verify device identity, not just user identity.

- User education should focus on recognizing urgency tactics rather than just checking URLs.

- Shadow tokens that include browser fingerprinting and domain information show promise as protection methods.

- Ethical security tools require responsible handling - vetting processes to help prevent misuse.

- Security awareness demonstrations with tools like Evilginx help stakeholders understand risks and invest in protections.

Key Links

BREAKDEV Blog → breakdev.org

Evilginx Pro → evilginx.com

Evilginx Mastery Course → academy.breakdev.org/evilginx-mastery




What nobody tells you about managing Microsoft 365 guest access with Samantha

Episode 4

Friday 4 April 2025, Duration 01:05:31

In this episode we discuss the evolution of guest access from SharePoint to Entra ID, the challenges of managing guest identities, and the importance of security and governance.

Our conversation covers key topics including cross-tenant access settings, identity governance, B2B direct connect, and licensing considerations.

Samantha also shares practical advice and best practices for organizations to secure their tenants and streamline external collaboration.


LinkedIn - https://www.linkedin.com/in/samkloos/

🔗 Related Links

* Overview: Cross-tenant access with Microsoft Entra External ID

* Cross-tenant access activity workbook

* B2B direct connect overview

* Entra Security Recommendations

📗 Chapters

00:00 The Evolution of Guest Access

04:49 Guest Access Settings and Best Practices

23:00 Cross Tenant Access Settings Demystified

36:06 B2B Direct Connect

48:09 Guest Licensing: Key Considerations

56:10 Entitlement Management and Guest Users

Podcast Apps

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill's socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill




Securing a Global Giant: Inside IKEA's Identity Strategy with Martin

Episode 5

Friday 11 April 2025, Duration 55:07

In this insightful discussion, Martin Sandren from IKEA joins Entra Chat to discuss the evolving landscape of IAM.

The episode covers critical considerations for modern identity strategies, including the trade-offs between syncable and device-bound passkeys, the necessity of robust regression testing for Conditional Access, and advancements in identity proofing methods.


About Martin Sandren

Martin Sandren is the IAM Lead at Inter IKEA, overseeing the systems that support IKEA's worldwide presence. His extensive background includes over twenty years of experience as an IAM product lead, architect, engineering manager, and developer.

Beyond his role at IKEA, he is actively involved in the identity community as a frequent speaker at international conferences and a founder of the Digital Identity Amsterdam meetup and the Amsterdam chapter of IdentiBeer, and is active within the idNext foundation and IDPro.

LinkedIn - https://linkedin.com/in/martinsandren/

🔗 Related Links

IAM Conferences in Europe

📗 Chapters

00:00 Intro

02:51 Martin's Journey into Entra & Early IAM Experiences

05:35 Early Entra Wins: Simplified Sign-in Logging

07:02 Value of Microsoft's Preview Feature Model (Private/Public/GA)

09:39 Evolution of Federation: SAML/OIDC Then vs Now

13:22 The Rise of SCIM for User Provisioning

14:47 Cloud Standardization vs On-Prem Customization Trade-offs

16:48 Identity Governance & Multi-Tenant Organizations (MTO)

19:01 The Power & Complexity of Conditional Access

20:23 Resilience & Offline Scenarios in IAM

23:12 Challenges with Guest User Management & Governance

26:16 Cross-Tenant Sync vs Connected Organizations

27:49 The "Schrödinger's Cat" Problem with Guest Accounts

30:58 Mastering Conditional Access Policies: Best Practices & Pitfalls

32:41 Shifting Security Focus: From Network to Identity Defense-in-Depth

34:04 Adapting Security for Different User Populations (Frontline Workers)

35:21 Leveraging ITDR, Risky User Signals & Red Teaming

38:00 Importance of Regression Testing CA Policies (Maester Tool)

39:08 Edge Cases: SSPR & Certificate-Based Authentication Conflicts

40:37 Securing Conditional Access Group Memberships

42:40 Identity Proofing, Onboarding & Phishing Risks

46:01 Wishlist: Granular Read Permissions in Entra

48:36 Passkeys & Phishing-Resistant MFA: Progress & Challenges (Android Usability)

50:01 Strategy: Syncable vs Device-Bound Passkeys

51:58 Embracing Standards: SSF & CAEP Protocols

53:04 Advice for Newcomers to the Identity & Access Management Field

54:55 Closing Remarks





Inside Entra Sync: Dhanyah, the Microsoft PM for Entra Connect & Cloud Sync Reveals All

Episode 6

Friday 18 April 2025, Duration 38:33

Join us for a conversation with Dhanyah Krishnamoorthy, Product Manager at Microsoft, as she discusses Microsoft Entra Connect Sync and Cloud Sync solutions for synchronizing on-premises Active Directory identities to Entra ID.

Learn about Microsoft's overall strategy for syncing and what you can do to prepare for the future, including security considerations and scaling guidance.


About Dhanyah

Dhanyah Krishnamurthy is a Principal Product Manager in the Microsoft Entra product group. For the past four years, Dhanyah has focused on hybrid identity scenarios, leading the product management for critical services that help organizations manage identities between on-premises Active Directory and the cloud. She specifically owns Microsoft Entra Connect Sync and the newer Microsoft Entra Cloud Sync capabilities, designing solutions to streamline identity provisioning, enhance security, and support complex scenarios like mergers and acquisitions.

LinkedIn - https://www.linkedin.com/in/dhanyah

🔗 Related Links

* Hybrid Identity - https://learn.microsoft.com/en-us/entra/identity/hybrid/

* Comparison between Microsoft Entra Connect and cloud sync - https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/what-is-cloud-sync

* Topologies for Microsoft Entra Connect - https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-topologies

* Factors influencing the performance of Microsoft Entra Connect - https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-performance-factors

* Group writeback with Microsoft Entra Cloud Sync - https://learn.microsoft.com/en-us/entra/identity/hybrid/group-writeback-cloud-sync

📗 Chapters

00:00 Intro

03:16 Why Two Sync Solutions? Connect Sync vs Cloud Sync History

05:17 Benefits of Cloud Sync vs Connect Sync

06:23 Cloud Sync Advantage: Mergers & Acquisitions

08:16 Cloud Sync Advantages: Lightweight, High Availability, Simplicity

10:17 Shared Provisioning Agent Benefits

10:59 Future Plans: Investing in Cloud Sync

12:11 Coexistence: Using Cloud Sync & Connect Sync Together

13:25 Getting Started with Cloud Sync: Group Writeback & Acquisitions

15:56 Choosing the Right Tool: When to Use Cloud Sync

16:34 Using the Sync Wizard for Recommendations

18:03 Operational Differences & Admin Roles

19:53 Group Writeback Scaling Considerations

22:31 Common Customer Issues: Topologies & Configuration

25:36 Scaling Guidance: When to Worry About Performance

29:12 Security Considerations: Connect Sync vs Cloud Sync

30:41 Connect Sync Security Hardening & Updates

33:40 Cloud Sync Security & gMSA Accounts

35:16 Final Thoughts & Call to Action





Entra @ McDonald's: Managing 2.2 million workforce identities in the cloud

Episode 7

Friday 25 April 2025, Duration 01:07:52

George Roberts, Director of Identity Governance and Administration at McDonald's, shares his extensive experience in migrating the company's workforce identity platform from on-premises ADFS to Microsoft Entra.

We also talk about challenges like handling unique frontline worker needs (including a creative paper-based MFA solution) and integrating with various applications.

About George

George Roberts is the Director of Identity Governance and Administration at McDonald's, where he leads a global team responsible for building and delivering the enterprise identity and access platform to support over 2 million employees, partners, franchisees, and restaurant staff users worldwide. George has over 25 years of experience delivering secure, scalable, and user-friendly solutions that help McDonald's to accelerate its business. All views expressed are his own.

* LinkedIn - https://linkedin.com/in/sirtwist

* Bluesky - https://bsky.app/profile/sirtwi.st

🔗 Related Links

* Custom claims provider - https://learn.microsoft.com/en-us/entra/identity-platform/custom-claims-provider-overview

* Manage an external authentication method in Microsoft Entra ID - https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-external-method-manage

📗 Chapters

00:00 Intro

00:30 Overcoming ADFS Custom Claims Roadblock

01:35 Global Footprint and MFA Challenges for Frontline Workers

03:20 Guest Introduction: George Roberts, McDonald's

04:07 George's Background and Role at McDonald's

06:42 McDonald's Identity Journey: Decentralization to Centralization

08:38 The Entra (Azure AD) Migration Begins

13:04 Operational Benefits and Challenges of Moving to Entra

16:55 Deep Dive: Custom Claims and the Virtual Directory Service

23:56 Shift to API-First Mindset and Standards (SCIM)

32:46 Major Challenge: MFA Solutions for Frontline Workers

37:27 The Paper-Based MFA Solution

40:03 Entra External Authentication Methods

46:02 Ideas for Device-less Frontline Authentication

50:12 Onboarding Speed Challenges in Restaurants

58:06 Advice for Other Organizations: Change Management and Planning

1:05:07 Anticipating Relief from Decommissioning ADFS





Unlocking Entra ID's NEW QR Code Sign-In. Fast & Simple Authentication!

Episode 8

Friday 2 May 2025, Duration 46:18

🎙️ Entra.Chat - https://entra.chat

This episode of Entra Chat features Anju Singh, a Product Manager at Microsoft in the Microsoft Entra Authentication Experiences team. We discuss the newest authentication method in Entra: QR codes!

Anju answers heaps of questions in this deep dive, including why Microsoft chose QR codes, how it works under the hood, what you should and shouldn't use it for, and the biggest question: is it considered MFA?

LinkedIn - https://www.linkedin.com/in/anjusingh29/

Prefer watching? Search for ‘Entra.Chat’ on YouTube

🔗 Related Links

* QR Code Announcement - https://techcommunity.microsoft.com/blog/microsoft-entra-blog/simplify-frontline-workers’-sign-in-experience-with-qr-code-authentication/3822034

* QR code authentication method - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-qr-code

* Best practices to protect frontline workers - https://learn.microsoft.com/en-us/entra/identity-platform/security-best-practices-for-frontline-workers

* Set up optimized QR code authentication experience in Android app - https://learn.microsoft.com/en-us/entra/identity-platform/android-qr-code-pin-authentication

* Set up optimized QR code authentication experience in iOS/macOS app - https://learn.microsoft.com/en-us/entra/identity-platform/ios-qr-code-pin-authentication

📗 Chapters

00:00 Intro

02:58 Topic Intro: QR Code Authentication for Frontline Workers

03:30 The Problem: Why QR Code Sign-In?

04:09 Who Are Frontline Workers?

05:41 Challenges with Current Authentication (Username/Password)

07:29 Balancing Simplicity and Security

10:40 Target Scenario: Shared Devices

11:36 Other Use Cases: Education Sector

12:30 How It Works: User Sign-In Experience

15:34 QR Code Contents: More Than Just a Username

16:40 PIN & QR Code Relationship

17:13 Scenario: Lost Badge & Admin Actions

18:32 Replacing the PIN

19:10 Delegated Management: The My Staff Portal

22:11 Handling Forgotten Badges: Temporary QR Codes

24:45 Rolling Out: Bulk Generation via APIs

26:12 Cost Comparison: QR Codes vs. FIDO Keys

28:05 The Big Question: Is it MFA?

29:43 Security Best Practices & Conditional Access

30:43 Combining QR Code with MFA

35:31 Fallback Options (Username/Password, TAP)

37:35 Public Preview & Call for Feedback

38:57 Current Scope: Mobile Devices & Tablets Only

40:09 Integrating QR Sign-In into Apps (Web View vs. MSAL)

41:00 Desktop Support Status

42:26 How to Provide Feedback

43:30 Future Considerations: Barcode Scanners

44:39 Closing Thoughts & Call to Action





Microsoft's Entra Kerberos: Bridging Legacy AD to Cloud Auth + MAM on Edge with PM Jordan Gross

Episode 10

Saturday 17 May 2025, Duration 51:53

In this episode we chat with Microsoft PM Jordan Gross about the exciting world of Entra Kerberos.

Discover how this crucial feature bridges the gap between traditional on-premises Active Directory and the modern cloud, enabling seamless authentication for legacy applications in hybrid environments.

Jordan delves into the mechanics of Entra Kerberos, its different operational modes (up-level and down-level trust), and its significance for organizations migrating to the cloud.

We also explore MAM (Mobile Application Management) on Edge, another innovative solution Jordan worked on, which helps secure browser access on personal devices.

LinkedIn - https://www.linkedin.com/in/jordangross61/

PS. Can I ask a favor? If you enjoy this podcast please leave a review and rating on your podcast app! This helps more folks discover Entra.Chat - Thank you 🙏 - Merill

Watch on YouTube or get the podcast from the links below 👇

🔗 Related Links

Entra Kerberos

* How Azure AD Kerberos Works - Steve Syfuhs

* Cloud Kerberos trust deployment guide

* Use Kerberos for single sign-on (SSO) to your resources with Microsoft Entra Private Access

* Kerberos Constrained Delegation for single sign-on (SSO) to your apps with application proxy

* Enable Microsoft Entra Kerberos authentication for hybrid identities on Azure Files

* How Windows Authentication for Azure SQL Managed Instance is implemented with Microsoft Entra ID and Kerberos

* Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID

* Enable Kerberos SSO to on-premises Active Directory and Microsoft Entra ID Kerberos resources in Platform SSO (macOS)

MAM

* Data protection for Windows MAM

📗 Chapters

00:00 Intro

01:24 Introducing Entra Kerberos & MAM on Edge

03:13 What is Entra Kerberos?

04:14 Understanding Traditional Kerberos

06:39 Why Entra Didn't Just Use Kerberos Initially

07:36 The Lingering Importance of On-Prem AD

09:08 Where Entra Kerberos Fits: Solving Hybrid Problems

10:06 Use Cases: Regulations & File Sharing (SMB Protocol)

11:55 How Entra Kerberos Works: Two Styles

13:36 Modern Auth vs. Down-Level Trust Explained

14:04 The Convenience of Cloud TGTs with Windows Hello

15:26 Accessing Resources: TGT to TGS Exchange

17:03 How Apps Trust Entra Kerberos Tickets

18:00 Admin Setup for Trust Relationship

19:22 Supporting Legacy Apps in a Modern World

21:24 Benefits Over NTLM & Conditional Access

23:04 Future of Entra Kerberos: Cloud-Only Users

26:28 Expanding Support: Mac, Linux & Mobile Devices

29:13 Current Big Use Cases: Azure Files & AVD

30:06 Understanding Down-Level Scenarios

31:42 Interaction with Global Secure Access

33:57 Transition to MAM for Edge

34:27 What Problem Does MAM for Edge Solve?

36:12 How MAM for Edge Protects Personal Devices

38:11 Security Scope: Benign User Mistakes vs. Hackers

40:23 Combining MDM and MAM for Enhanced Security

41:20 Deployment: Intune Policies & Entra Configuration

43:18 Windows-Only Feature for Now

44:10 Benefits: Security, User Empowerment & Visibility

48:13 Intune Dependency & Flexibility with Other MDMs

49:50 The Fun of Cross-Team Collaboration

50:48 Concluding Thoughts & Thank You





Entra & Azure Power-Up: Secure Service Principal Impersonation with Simon Gottschlag

Episode 9

Saturday 10 May 2025, Duration 38:08

In this episode, Simon Gottschlag, CTO of Co-native and a Microsoft MVP in Azure, discusses his innovative prototype for implementing Azure service principal impersonation using Azure Functions and Key Vault.

We explore the challenges of managing service principals, the journey to building a solution, and the potential for improving developer experience in platform building. Simon shares insights on the four-eyes principle, Entra ID's newer attribute-based access control (ABAC) vs the traditional RBAC model, and how his solution can enhance security and auditability in Azure environments.

LinkedIn - https://www.linkedin.com/in/simongottschlag

🔗 Related Links

* Azure Service Principal Impersonation - https://github.com/co-native-ab/azure-service-principal-impersonation

* pimctl - https://github.com/co-native-ab/pimctl

📗 Chapters

00:00 Intro

00:42 Meet Simon: CTO & Azure MVP

01:51 The Project: Azure Service Principal Impersonation

02:11 The Problem: Challenges in Managing Service Principals

03:47 Journey to the Solution: Building Platforms & Terraform Pain Points

06:50 The Challenge with Graph Permissions & Least Privilege

08:27 Improving Developer Experience in Platform Building

11:05 The Core Issue: Running Operations Locally vs. Service Principals

13:43 The Idea: Service Principal Impersonation

13:50 Four-Eyes Principle and PIM in Azure

15:40 Understanding Attribute-Based Access Control (ABAC)

18:58 Enforcing Role Delegation with ABAC and PIM

20:12 Clarifying Service Principal Access with PIM and Four-Eyes

21:26 The Local Development Dilemma with Security Principles

22:02 pimctl: A CLI Tool for PIM

22:42 New Challenge: Azure Managed Grafana & Terraform Authentication

23:36 AC Identity Terraform Provider: Getting Tokens from Entra

24:42 The Big Question: Securely Getting Service Principal Tokens Locally

25:21 What is Impersonation in This Context?

26:27 Building the Solution: Federated Credentials & Custom Token Exchange

28:42 How the Azure Function Works: Authentication & Token Issuance

29:26 The Result: Consistent Workflow & Auditability

31:05 Open Source: How to Set Up and Try the Prototype

33:31 Use Cases: DevOps Automation & Time-Limited Access

35:15 Potential: Multi-Cloud Deployments & Extending Entra





© My Podcast Data