Explore every episode of the podcast Entra.Chat
| Title | Pub. Date | Duration | Description |
|---|---|---|---|
| From Okta to Entra: Migrating 700 Apps in 90 Days | 10 Mar 2025 | 01:04:02 | In this very first episode of the Entra Chat podcast I sat down with Ben Wolfe, my former manager and ex-Microsoft, who is now the Head of Security Solutions at Increment. How to get in touch with Ben: * Ben Wolfe - https://www.linkedin.com/in/benjaminwillwolfe/ * Increment - https://www.increment.inc/ Mentions during the episode: * Graph X-Ray - https://graphxray.merill.net/ Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe |
| Operational Groups in Entra with Nathan McNulty | 27 Mar 2025 | 00:46:59 | Entra.Chat Podcast - https://entra.chat In this insightful episode, Nathan McNulty, Senior Security Solutions Architect at Patriot Consulting, shares his extensive experience deploying and securing Microsoft Entra environments. With a background spanning civil engineering, education, and critical infrastructure, Nathan brings practical wisdom from managing environments with 50,000+ users and 90,000+ devices. Subscribe with your favorite podcast player or watch on YouTube. The conversation explores realistic approaches to securing BYOD, building effective conditional access policies using a "castle" framework, and leveraging administrative units to partition permissions efficiently. Nathan reveals his innovative "operational groups" automation technique that helps classify users by authentication methods, enabling granular security controls without manual effort. The episode also covers authentication methods migration strategies, extension attributes, and modern cloud automation approaches that replace traditional server-based scripts. Whether you're looking to improve your conditional access strategy, smoothly migrate authentication methods, or automate Entra management tasks, Nathan's field-tested insights will help you secure your environment more effectively while reducing administrative overhead. Nathan McNulty * Web - https://nathanmcnulty.com/ * LinkedIn - https://www.linkedin.com/in/nathanmcnulty/ * Bluesky - https://bsky.app/profile/nathanmcnulty.com * X - https://x.com/nathanmcnulty Related Links * Operational Groups scripts - https://github.com/nathanmcnulty/nathanmcnulty/tree/master/Entra/operational-groups * Maester DevOps - https://maester.dev/docs/monitoring/github * Authentication Methods Migration - https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage * Administrative units - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units * Restricted management administrative units - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management |
| Bypassing MFA with Kuba, the Evilginx guy! | 19 Mar 2025 | 00:53:46 | Episode Summary: In this episode, we dive into the sophisticated world of phishing attacks with Kuba Gretzky, creator of the renowned Evilginx framework. He shares insights on how Evilginx operates as a reverse proxy, capturing authentication tokens in real-time, and discusses the ethical considerations of creating such a powerful tool. Most importantly, Kuba provides valuable guidance on protection strategies that organizations can implement to defend against these advanced phishing techniques. Chapters: 00:00 - Introduction to Kuba and Evilginx (Creator of Evilginx, a phishing framework demonstrating MFA vulnerabilities; 15+ years in cybersecurity, started with MMO game hacking; transitioned through reverse engineering to cybersecurity) 02:03 - Understanding Phishing Fundamentals (Phishing presents fake sign-in pages to capture user credentials; even 7-year-olds now learn about phishing dangers in school) 03:39 - How Evilginx Works Technically (Functions as a reverse proxy between user and legitimate server; creates dual TLS connections to intercept all communications; captures authentication tokens for complete account takeover) 05:55 - The Evolution of Phishing Tools (Evolved from experiments with cookie manipulation; improved upon older tools that required malware installation; developed from Nginx with Lua scripting to standalone Go application) 10:37 - Evilginx's Impact and Popularity (Gained traction through demonstrating MFA vulnerabilities; creates "shock factor" when users see how easily accounts are compromised; emerged alongside other tools but distinguished by ease of demonstration) 12:25 - Real-World Phishing Examples (Sophisticated attacks use browser-in-browser techniques; high-profile victims include Linus Tech Tips YouTube channel; attackers leverage urgency and fear to bypass security awareness) 16:23 - Protecting Against Evilginx Attacks (Implement domain verification checks through JavaScript; deploy "shadow tokens" with browser fingerprinting; utilize conditional access policies and FIDO2/passkeys) 22:57 - Detecting Evilginx Attacks (HTTP header inspection can identify attack signatures; TLS fingerprinting (JA4) detects unusual connection patterns; Cloudflare and other services block suspicious proxy connections) 27:33 - User Education and Psychological Factors (Focus on recognizing psychological triggers like urgency; reward reporting rather than punishing victims; teach users to access websites directly rather than through email links) 31:01 - Ethical Considerations and Responsible Development (Implemented vetting process for Evilginx Pro access; built anti-cracking protections to prevent misuse; created trusted community for responsible information sharing) 36:43 - Future Developments and Evilginx Pro (New client-server architecture with API for automation; features include bot protection and shadow token bypass capabilities; established BreakDev as company with plans for security software platform) Key Takeaways: * Modern phishing attacks like those enabled by Evilginx can bypass MFA by acting as a proxy in real-time. * The strongest protections include device compliance, FIDO2/passkeys, and domain verification checks. * Organizations should implement conditional access policies that verify device identity, not just user identity. * User education should focus on recognizing urgency tactics rather than just checking URLs. * Shadow tokens that include browser fingerprinting and domain information show promise as protection methods. * Ethical security tools require responsible handling - vetting processes to help prevent misuse. * Security awareness demonstrations with tools like Evilginx help stakeholders understand risks and invest in protections. Key Links: * BREAKDEV Blog → breakdev.org * Evilginx Pro → evilginx.com * Evilginx Mastery Course → academy.breakdev.org/evilginx-mastery |
| What nobody tells you about managing Microsoft 365 guest access with Samantha | 04 Apr 2025 | 01:05:31 | In this episode we discuss the evolution of guest access from SharePoint to Entra ID, the challenges of managing guest identities, and the importance of security and governance. Our conversation covers key topics including cross-tenant access settings, identity governance, B2B direct connect, and licensing considerations. Samantha also shares practical advice and best practices for organizations to secure their tenants and streamline external collaboration. Subscribe with your favorite podcast player or watch on YouTube. LinkedIn - https://www.linkedin.com/in/samkloos/ 🔗 Related Links * Overview: Cross-tenant access with Microsoft Entra External ID * Cross-tenant access activity workbook * Entra Security Recommendations 📗 Chapters 00:00 The Evolution of Guest Access 04:49 Guest Access Settings and Best Practices 23:00 Cross Tenant Access Settings Demystified 36:06 B2B Direct Connect 48:09 Guest Licensing: Key Considerations 56:10 Entitlement Management and Guest Users Podcast Apps 🎧 Apple Podcast → https://entra.chat/apple 📺 YouTube → https://entra.chat/youtube 📺 Spotify → https://entra.chat/spotify 🎧 Overcast → https://entra.chat/overcast 🎧 Pocketcast → https://entra.chat/pocketcast 🎧 Others → https://entra.chat/rss Merill's socials 📺 YouTube → youtube.com/@merillx 👔 LinkedIn → linkedin.com/in/merill 🐤 Twitter → twitter.com/merill 🕺 TikTok → tiktok.com/@merillf 🦋 Bluesky → bsky.app/profile/merill.net 🐘 Mastodon → infosec.exchange/@merill 🧵 Threads → threads.net/@merillf 🤖 GitHub → github.com/merill |
| Securing a Global Giant: Inside IKEA's Identity Strategy with Martin | 11 Apr 2025 | 00:55:07 | In this insightful discussion, Martin Sandren from IKEA joins Entra Chat to discuss the evolving landscape of IAM. The episode covers critical considerations for modern identity strategies, including the trade-offs between syncable and device-bound passkeys, the necessity of robust regression testing for Conditional Access, and advancements in identity proofing methods. Subscribe with your favorite podcast player or watch on YouTube. About Martin Sandren: Martin Sandren is the IAM Lead at Inter IKEA, overseeing the systems that support IKEA's worldwide presence. His extensive background includes over twenty years of experience as an IAM product lead, architect, engineering manager, and developer. Beyond his role at IKEA, he is actively involved in the identity community as a frequent speaker at international conferences and a founder of the Digital Identity Amsterdam meetup and the Amsterdam chapter of IdentiBeer, and is active within the idNext foundation and IDPro. LinkedIn - https://linkedin.com/in/martinsandren/ 📗 Chapters 00:00 Intro 02:51 Martin's Journey into Entra & Early IAM Experiences 05:35 Early Entra Wins: Simplified Sign-in Logging 07:02 Value of Microsoft's Preview Feature Model (Private/Public/GA) 09:39 Evolution of Federation: SAML/OIDC Then vs Now 13:22 The Rise of SCIM for User Provisioning 14:47 Cloud Standardization vs On-Prem Customization Trade-offs 16:48 Identity Governance & Multi-Tenant Organizations (MTO) 19:01 The Power & Complexity of Conditional Access 20:23 Resilience & Offline Scenarios in IAM 23:12 Challenges with Guest User Management & Governance 26:16 Cross-Tenant Sync vs Connected Organizations 27:49 The "Schrödinger's Cat" Problem with Guest Accounts 30:58 Mastering Conditional Access Policies: Best Practices & Pitfalls 32:41 Shifting Security Focus: From Network to Identity Defense-in-Depth 34:04 Adapting Security for Different User Populations (Frontline Workers) 35:21 Leveraging ITDR, Risky User Signals & Red Teaming 38:00 Importance of Regression Testing CA Policies (Maester Tool) 39:08 Edge Cases: SSPR & Certificate-Based Authentication Conflicts 40:37 Securing Conditional Access Group Memberships 42:40 Identity Proofing, Onboarding & Phishing Risks 46:01 Wishlist: Granular Read Permissions in Entra 48:36 Passkeys & Phishing-Resistant MFA: Progress & Challenges (Android Usability) 50:01 Strategy: Syncable vs Device-Bound Passkeys 51:58 Embracing Standards: SSF & CAPE Protocols 53:04 Advice for Newcomers to the Identity & Access Management Field 54:55 Closing Remarks |
| Inside Entra Sync: Dhanyah, the Microsoft PM for Entra Connect & Cloud Sync Reveals All | 18 Apr 2025 | 00:38:33 | Join us for a conversation with Dhanyah Krishnamoorthy, Product Manager at Microsoft, as she discusses Microsoft Entra Connect Sync and Cloud Sync solutions for synchronizing on-premises Active Directory identities to Entra ID. Learn about Microsoft's overall strategy for syncing and what you can do to prepare for the future, including security considerations and scaling guidance. Subscribe with your favorite podcast player or watch on YouTube. About Dhanyah: Dhanyah Krishnamurthy is a Principal Product Manager in the Microsoft Entra product group. For the past four years, Dhanyah has focused on hybrid identity scenarios, leading the product management for critical services that help organizations manage identities between on-premises Active Directory and the cloud. She specifically owns Microsoft Entra Connect Sync and the newer Microsoft Entra Cloud Sync capabilities, designing solutions to streamline identity provisioning, enhance security, and support complex scenarios like mergers and acquisitions. LinkedIn - https://www.linkedin.com/in/dhanyah 🔗 Related Links * Hybrid Identity - https://learn.microsoft.com/en-us/entra/identity/hybrid/ * Comparison between Microsoft Entra Connect and cloud sync - https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/what-is-cloud-sync * Topologies for Microsoft Entra Connect - https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-topologies * Factors influencing the performance of Microsoft Entra Connect - https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-performance-factors * Group writeback with Microsoft Entra Cloud Sync - https://learn.microsoft.com/en-us/entra/identity/hybrid/group-writeback-cloud-sync 📗 Chapters 00:00 Intro 03:16 Why Two Sync Solutions? Connect Sync vs Cloud Sync History 05:17 Benefits of Cloud Sync vs Connect Sync 06:23 Cloud Sync Advantage: Mergers & Acquisitions 08:16 Cloud Sync Advantages: Lightweight, High Availability, Simplicity 10:17 Shared Provisioning Agent Benefits 10:59 Future Plans: Investing in Cloud Sync 12:11 Coexistence: Using Cloud Sync & Connect Sync Together 13:25 Getting Started with Cloud Sync: Group Writeback & Acquisitions 15:56 Choosing the Right Tool: When to Use Cloud Sync 16:34 Using the Sync Wizard for Recommendations 18:03 Operational Differences & Admin Roles 19:53 Group Writeback Scaling Considerations 22:31 Common Customer Issues: Topologies & Configuration 25:36 Scaling Guidance: When to Worry About Performance 29:12 Security Considerations: Connect Sync vs Cloud Sync 30:41 Connect Sync Security Hardening & Updates 33:40 Cloud Sync Security & GMSA Accounts 35:16 Final Thoughts & Call to Action |
| Entra @ McDonald's: Managing 2.2 million workforce identities in the cloud | 25 Apr 2025 | 01:07:52 | George Roberts, Director of Identity Governance and Administration at McDonald's, shares his extensive experience in migrating the company's workforce identity platform from on-premises ADFS to Microsoft Entra. We also talk about challenges like handling unique frontline worker needs (including a creative paper-based MFA solution) and integrating with various applications. About George: George Roberts is the Director of Identity Governance and Administration at McDonald's, where he leads a global team responsible for building and delivering the enterprise identity and access platform to support over 2 million employees, partners, franchisees, and restaurant staff users worldwide. George has over 25 years of experience delivering secure, scalable, and user-friendly solutions that help McDonald's to accelerate its business. All views expressed are his own. * LinkedIn - https://linkedin.com/in/sirtwist * Bluesky - https://bsky.app/profile/sirtwi.st 🔗 Related Links * Custom claims provider - https://learn.microsoft.com/en-us/entra/identity-platform/custom-claims-provider-overview * Manage an external authentication method in Microsoft Entra ID - https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-external-method-manage 📗 Chapters 00:00 Intro 00:30 Overcoming ADFS Custom Claims Roadblock 01:35 Global Footprint and MFA Challenges for Frontline Workers 03:20 Guest Introduction: George Roberts, McDonald's 04:07 George's Background and Role at McDonald's 06:42 McDonald's Identity Journey: Decentralization to Centralization 08:38 The Entra (Azure AD) Migration Begins 13:04 Operational Benefits and Challenges of Moving to Entra 16:55 Deep Dive: Custom Claims and the Virtual Directory Service 23:56 Shift to API-First Mindset and Standards (SCIM) 32:46 Major Challenge: MFA Solutions for Frontline Workers 37:27 The Paper-Based MFA Solution 40:03 Entra External Authentication Methods 46:02 Ideas for Device-less Frontline Authentication 50:12 Onboarding Speed Challenges in Restaurants 58:06 Advice for Other Organizations: Change Management and Planning 1:05:07 Anticipating Relief from Decommissioning ADFS |
| Unlocking Entra ID's NEW QR Code Sign-In. Fast & Simple Authentication! | 02 May 2025 | 00:46:18 | 🎙️ Entra.Chat - https://entra.chat This episode of Entra Chat features Anju Singh, a Product Manager at Microsoft in the Microsoft Entra Authentication Experiences team. We discuss the newest authentication method in Entra: QR codes! Anju answers heaps of questions in this deep dive, including why Microsoft chose QR codes, how it works under the hood, what you should and shouldn't use it for, and the biggest question - is it considered MFA? LinkedIn - https://www.linkedin.com/in/anjusingh29/ Prefer watching? Search for 'Entra.Chat' on YouTube. 🔗 Related Links * QR Code Announcement - https://techcommunity.microsoft.com/blog/microsoft-entra-blog/simplify-frontline-workers’-sign-in-experience-with-qr-code-authentication/3822034 * QR code authentication method - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-qr-code * Best practices to protect frontline workers - https://learn.microsoft.com/en-us/entra/identity-platform/security-best-practices-for-frontline-workers * Set up optimized QR code authentication experience in Android app - https://learn.microsoft.com/en-us/entra/identity-platform/android-qr-code-pin-authentication * Set up optimized QR code authentication experience in iOS/macOS app - https://learn.microsoft.com/en-us/entra/identity-platform/ios-qr-code-pin-authentication 📗 Chapters 00:00 Intro 02:58 Topic Intro: QR Code Authentication for Frontline Workers 03:30 The Problem: Why QR Code Sign-In? 04:09 Who Are Frontline Workers? 05:41 Challenges with Current Authentication (Username/Password) 07:29 Balancing Simplicity and Security 10:40 Target Scenario: Shared Devices 11:36 Other Use Cases: Education Sector 12:30 How It Works: User Sign-In Experience 15:34 QR Code Contents: More Than Just a Username 16:40 PIN & QR Code Relationship 17:13 Scenario: Lost Badge & Admin Actions 18:32 Replacing the PIN 19:10 Delegated Management: The My Staff Portal 22:11 Handling Forgotten Badges: Temporary QR Codes 24:45 Rolling Out: Bulk Generation via APIs 26:12 Cost Comparison: QR Codes vs. FIDO Keys 28:05 The Big Question: Is it MFA? 29:43 Security Best Practices & Conditional Access 30:43 Combining QR Code with MFA 35:31 Fallback Options (Username/Password, TAP) 37:35 Public Preview & Call for Feedback 38:57 Current Scope: Mobile Devices & Tablets Only 40:09 Integrating QR Sign-In into Apps (Web View vs. MSAL) 41:00 Desktop Support Status 42:26 How to Provide Feedback 43:30 Future Considerations: Barcode Scanners 44:39 Closing Thoughts & Call to Action |
| Microsoft's Entra Kerberos: Bridging Legacy AD to Cloud Auth + MAM on Edge with PM Jordan Gross | 17 May 2025 | 00:51:53 | In this episode we chat with Microsoft PM Jordan Gross about the exciting world of Entra Kerberos. Discover how this crucial feature bridges the gap between traditional on-premises Active Directory and the modern cloud, enabling seamless authentication for legacy applications in hybrid environments. Jordan delves into the mechanics of Entra Kerberos, its different operational modes (up-level and down-level trust), and its significance for organizations migrating to the cloud. We also explore MAM (Mobile Application Management) on Edge, another innovative solution Jordan worked on, which helps secure browser access on personal devices. LinkedIn - https://www.linkedin.com/in/jordangross61/ PS. Can I ask a favor? If you enjoy this podcast please leave a review and rating on your podcast app! This helps more folks discover Entra.Chat - Thank you 🙏 - Merill. Watch on YouTube or get the podcast from the links below. 🔗 Related Links Entra Kerberos: * How Azure AD Kerberos Works • Steve Syfuhs * Cloud Kerberos trust deployment guide * Use Kerberos for single sign-on (SSO) to your resources with Microsoft Entra Private Access * Kerberos Constrained Delegation for single sign-on (SSO) to your apps with application proxy * Enable Microsoft Entra Kerberos authentication for hybrid identities on Azure Files * Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID MAM: * Data protection for Windows MAM 📗 Chapters 00:00 Intro 01:24 Introducing Entra Kerberos & MAM on Edge 03:13 What is Entra Kerberos? 04:14 Understanding Traditional Kerberos 06:39 Why Entra Didn't Just Use Kerberos Initially 07:36 The Lingering Importance of On-Prem AD 09:08 Where Entra Kerberos Fits: Solving Hybrid Problems 10:06 Use Cases: Regulations & File Sharing (SMB Protocol) 11:55 How Entra Kerberos Works: Two Styles 13:36 Modern Auth vs. Down-Level Trust Explained 14:04 The Convenience of Cloud TGTs with Windows Hello 15:26 Accessing Resources: TGT to TGS Exchange 17:03 How Apps Trust Entra Kerberos Tickets 18:00 Admin Setup for Trust Relationship 19:22 Supporting Legacy Apps in a Modern World 21:24 Benefits Over NTLM & Conditional Access 23:04 Future of Entra Kerberos: Cloud-Only Users 26:28 Expanding Support: Mac, Linux & Mobile Devices 29:13 Current Big Use Cases: Azure Files & AVD 30:06 Understanding Down-Level Scenarios 31:42 Interaction with Global Secure Access 33:57 Transition to MAM for Edge 34:27 What Problem Does MAM for Edge Solve? 36:12 How MAM for Edge Protects Personal Devices 38:11 Security Scope: Benign User Mistakes vs. Hackers 40:23 Combining MDM and MAM for Enhanced Security 41:20 Deployment: Intune Policies & Entra Configuration 43:18 Windows-Only Feature for Now 44:10 Benefits: Security, User Empowerment & Visibility 48:13 Intune Dependency & Flexibility with Other MDMs 49:50 The Fun of Cross-Team Collaboration 50:48 Concluding Thoughts & Thank You |
| Entra & Azure Power-Up: Secure Service Principal Impersonation with Simon Gottschlag | 10 May 2025 | 00:38:08 | In this episode, Simon Gottschlag, CTO of Co-native and a Microsoft MVP in Azure, discusses his innovative prototype for implementing Azure service principal impersonation using Azure Functions and Key Vault. We explore the challenges of managing service principals, the journey to building a solution, and the potential for improving developer experience in platform building. Simon shares insights on the four-eyes principle, Entra ID's newer attribute-based access control (ABAC) vs the traditional RBAC model, and how his solution can enhance security and auditability in Azure environments. LinkedIn - https://www.linkedin.com/in/simongottschlag 🔗 Related Links * Azure Service Principal Impersonation - https://github.com/co-native-ab/azure-service-principal-impersonation * pimctl - https://github.com/co-native-ab/pimctl 📗 Chapters 00:00 Intro 00:42 Meet Simon: CTO & Azure MVP 01:51 The Project: Azure Service Principal Impersonation 02:11 The Problem: Challenges in Managing Service Principals 03:47 Journey to the Solution: Building Platforms & Terraform Pain Points 06:50 The Challenge with Graph Permissions & Least Privilege 08:27 Improving Developer Experience in Platform Building 11:05 The Core Issue: Running Operations Locally vs. Service Principals 13:43 The Idea: Service Principal Impersonation 13:50 Four-Eyes Principle and PIM in Azure 15:40 Understanding Attribute-Based Access Control (ABAC) 18:58 Enforcing Role Delegation with ABAC and PIM 20:12 Clarifying Service Principal Access with PIM and Four-Eyes 21:26 The Local Development Dilemma with Security Principles 22:02 PIM CTL: A CLI Tool for PIM 22:42 New Challenge: Azure Managed Grafana & Terraform Authentication 23:36 AC Identity Terraform Provider: Getting Tokens from Entra 24:42 The Big Question: Securely Getting Service Principal Tokens Locally 25:21 What is Impersonation in This Context? 26:27 Building the Solution: Federated Credentials & Custom Token Exchange 28:42 How the Azure Function Works: Authentication & Token Issuance 29:26 The Result: Consistent Workflow & Auditability 31:05 Open Source: How to Set Up and Try the Prototype 33:31 Use Cases: DevOps Automation & Time-Limited Access 35:15 Potential: Multi-Cloud Deployments & Extending Entra |
| The Secret to Great Tech Content? A Masterclass in Storytelling | 04 Jul 2025 | 01:03:01 | In this episode, I chat with the legendary Tony Redmond, a prolific writer and author of "Office 365 for IT Pros". Tony shares unfiltered insights from his career, critiques the state of technical writing and AI, and discusses the challenges with PowerShell and the future of AI agents in the Microsoft ecosystem. Subscribe with your favorite podcast player or watch on YouTube. About Tony Redmond: Tony Redmond is a well-known and prolific writer in the Microsoft 365 space. After a long career in large tech companies like Digital, Compaq, and HP, where he rose to the level of Vice President, he became an independent consultant and author in 2010. He is the lead author of the widely respected and continuously updated e-book, "Office 365 for IT Pros," and "Automating Microsoft 365 with PowerShell." LinkedIn - https://www.linkedin.com/in/tonyredmond/ 🔗 Related Links * Office 365 for IT Pros (Book) - https://office365itpros.com * Practical 365 - https://practical365.com 📗 Chapters 00:00 Intro 03:50 Tony's career and lessons from corporate life 09:06 The story behind the "Office 365 for IT Pros" book 21:35 Tony's rules for great technical writing 25:31 The problem with duplicate content and AI summaries 36:31 A critique of the Graph PowerShell SDK 45:15 The dangers of AI and the need for guardrails 50:57 Microsoft's mistake: Rushing tech without guardrails 55:04 The cyclical nature of technology and IT challenges |
| The Ultimate Guide to App Consent in Microsoft Entra | 27 Jun 2025 | 01:12:14 | |
In this episode, I sit down with Erin Greenlee, the Product Manager for App Consent on Microsoft’s App Platform Team. We dive into the critical world of app consent and the upcoming Microsoft 365 secure-by-default changes. We explore the nuances of user and admin consent, the impact of the mid-July 2025 policy shift, and how admins can prepare for a more secure Entra environment.

About Erin Greenlee
Erin Greenlee is a Product Manager at Microsoft, specializing in the App Platform Team within the Identity and Network Access division. With a decade of experience at Microsoft, including roles in B2C and domain services, Erin now focuses on consent, authorization, and app roles, helping organizations secure their applications while enabling productivity.
LinkedIn - https://www.linkedin.com/in/eringreenlee/

🔗 Related Links
* MC1097272 - Microsoft 365 Upcoming Secure by Default Settings Changes - https://mc.merill.net/message/MC1097272
* Entra Admin Consent Workflow - https://docs.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow
* Configure how users consent to applications - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent
* Manage app consent policies - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-app-consent-policies
* Review App Consent audit logs - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/app-perms-audit-logs

📗 Chapters
02:15 What is App Consent?
03:22 Delegated vs. Application Permissions
07:45 The User Consent Balancing Act
13:58 How Consent is Evaluated
17:33 Understanding Tenant Consent Policies
22:28 The Admin Consent Workflow
31:18 The Big Change: Microsoft's Secure-by-Default Update
41:35 How to Prepare for the Change
49:05 Advanced Delegation with Custom Policies | |||
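A quick way to see where a tenant stands on the three things this episode covers (what users may consent to, whether the admin consent workflow gives them a sanctioned path to ask, and which tenant-wide grants already exist) is the script below. It is an added example, not code from the episode or from Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK and a signed-in admin holding the read-only scopes shown; the regular expression used to flag scopes for review is an illustrative choice, not a Microsoft-published list.

```powershell
# Added example (not the episode's or Microsoft's code). Requires the Microsoft Graph
# PowerShell SDK; only read scopes are requested, so the check itself changes nothing.
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All" -NoWelcome

# 1. What may a non-admin user consent to? Read from the tenant authorization policy.
#    Empty list        = users cannot consent at all
#    ...-default-low   = low-risk preset (verified publishers, low-impact delegated scopes)
#    ...-default-legacy= any permission, the setting secure-by-default moves tenants off
$authz       = Get-MgPolicyAuthorizationPolicy
$userConsent = @($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
"User consent policies : {0}" -f $(if ($userConsent) { $userConsent -join ', ' } else { '<none - user consent disabled>' })

# 2. If users cannot consent they need a sanctioned way to ask, or they route around
#    the control. The admin consent workflow is that path.
$workflow = Get-MgPolicyAdminConsentRequestPolicy
"Admin consent workflow: {0}" -f $(if ($workflow.IsEnabled) { 'enabled' } else { 'DISABLED' })

# 3. Existing tenant-wide delegated grants. ConsentType 'AllPrincipals' means an admin
#    granted the scope on behalf of every user; 'Principal' is one user's own consent.
$spById = @{}
Get-MgServicePrincipal -All -Property Id, DisplayName, AppId |
    ForEach-Object { $spById[$_.Id] = $_ }

# Illustrative pattern for scopes that deserve a second look (assumption, not an official list).
$sensitive = '(?i)\b(Mail\.\w*|Files\.\w*|Sites\.\w*|Directory\.\w*|RoleManagement\.\w*|\w+\.All)\b'

Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'AllPrincipals' } |
    ForEach-Object {
        $scopes = "$($_.Scope)".Trim()
        [pscustomobject]@{
            Client    = $spById[$_.ClientId].DisplayName
            ClientApp = $spById[$_.ClientId].AppId
            Resource  = $spById[$_.ResourceId].DisplayName
            Scopes    = $scopes
            Review    = if ($scopes -match $sensitive) { 'yes' } else { '' }
        }
    } |
    Sort-Object Review, Client -Descending |
    Format-Table -AutoSize
```

Run it once before and once after the policy change: the first two lines tell you whether the tenant was already on a restrictive setting, and the grant table is the backlog an admin inherits either way, because changing the user-consent setting does not revoke consent that was already given.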
| Pushing Microsoft Entra to its Limits to Secure On-Prem AD | 20 Jun 2025 | 00:47:37 | |
In this episode, we talk with an identity expert, ex-Microsoftie and Principal Domain Architect, Mark Renoden, about creating a modern Privileged Access Management (PAM) solution for on-premises Active Directory. Discover how to build a secure "Bastion Forest" architecture using Microsoft Entra. We talk about PIM for Groups, group write-back, phish-resistant credentials, Privileged Access Workstations (PAW), securing an Entra tenant from the ground up, and navigating challenges with Cloud Solution Provider (CSP) permissions.

PS. Can I ask a favor? If you enjoyed this episode please leave a review and rating! Thank you 🙏 - Merill

About Mark
As Principal Domain Architect for Identity at Increment, Mark leads the design and delivery of secure, scalable identity architectures grounded in Microsoft Entra ID and aligned with Zero Trust principles. He specializes in helping organisations modernise their infrastructure and navigate complex identity transformations. Before joining Increment, Mark spent over 20 years at Microsoft in support, field engineering, mission critical and customer experience roles focused on Identity across a wide spectrum of industries in Australia and New Zealand, including Finance, Healthcare, Government, Education and Retail.
LinkedIn - https://www.linkedin.com/in/markrenoden/

🔗 Related Links
* DirectoryShield | Increment - https://www.increment.inc/directoryshield
* Entra Security Recommendations - https://aka.ms/EntraSecurityRecommendations
* Securing privileged access overview - https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-overview
* MIM - Bastion environment - https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment

📗 Chapters
00:46 Securing Your Entra Tenant
02:09 The Quest for a Microsoft-Only PAM Solution
04:21 What is a "Bastion Forest"?
07:50 Reimagining the Bastion Forest for the Cloud
12:53 Architecting a "Secure-by-Default" Tenant
17:41 Phish-Resistant On-Prem Admins
19:50 The Modern Privileged Access Workstation (PAW)
27:04 The Tiered Administration Model Explained
29:51 The Hidden Dangers of CSP Admin Access
34:29 How Fast is PIM for Groups? | |||
| From Active Directory to AI Agents: The 25-Year Saga of Microsoft's Identity | 14 Jun 2025 | 01:04:12 | |
In this very special episode, I sit down with the "Yoda of Entra" himself, Tarek Dawoud, who also happens to be my manager! We dig deep into the fascinating and often surprising history of Microsoft's identity platforms. Tarek, who has been on the team since 2007, takes us on a journey from the revolutionary launch of Active Directory in 1999, through the creation of the cloud services that battled Google Apps, to the formation of the identity division and the eventual rebrand to Entra. You'll hear the inside story on how our customer experience team became a "secret weapon" and, most excitingly, we'll look at what the future holds for Identity and Access Management in the new age of AI agents.

About Tarek Dawoud
Tarek Dawoud is a long-time veteran at Microsoft, having been with the company for over 18 years. Tarek currently leads the architecture team within the customer engineering (CXE) organization, where he helps customers deploy Entra, gathers insights for the product group, and works to solve the hardest identity problems.
LinkedIn - https://www.linkedin.com/in/tarekdawoud/

📗 Chapters
00:00 Intro
08:58 The Beginning: The Vision of Active Directory (AD)
14:51 The Consumer Side: Microsoft Passport & The Standards Debate
18:29 A Defensive Play: How Google Apps Sparked Microsoft's Cloud Identity
27:21 The First Merger: Active Directory & Cloud Teams Unite
32:03 The Birth of Conditional Access & The Authenticator App
42:52 The Security Re-org: Identity Moves to a New Home
45:30 A New Era: Rebranding to Entra
48:52 The Future is Now: AI, Agentic Identities, and the End of PowerShell? | |||
| From NetIQ to Cloud-Native Entra: A Decade-Long IAM Revolution | 06 Jun 2025 | 00:58:35 | |
In this episode, we are joined by Maqsood Bhatti, the IAM Principal Engineer at Elkjøp Nordic, who takes us through their incredible journey of migrating from the legacy NetIQ platform to Microsoft Entra. What's fascinating is how they accomplished this years ago, completely bypassing traditional tools like Entra Connect and adopting a "production-only" environment. Maqsood shares how they built a truly cloud-native identity solution from the ground up, leveraging custom connectors, app roles, and automating everything, including moving off the legacy platform entirely. You’ll also hear about their advanced use of Microsoft Identity Governance, Logic Apps for custom provisioning, and a strict modern authentication policy that has shaped their identity and access management (IAM) for nearly a decade.

About Maqsood
Maqsood is the IAM Principal Engineer at Elkjøp Nordic, a company that has been an early adopter of access automation since 2006. He has been instrumental in their journey from legacy systems like NetIQ to a modern, cloud-native Microsoft Entra infrastructure, championing innovative approaches like custom API integrations and a "prod-only" development environment.
LinkedIn - https://www.linkedin.com/in/maqsoodbhatti/

🔗 Related Links
* Elkjøp Nordic unngår IT-floker med storskala automatisering (Norwegian: "Elkjøp Nordic avoids IT tangles with large-scale automation")

📗 Chapters
00:00 Intro
01:10 Early Days & NetIQ Automation
03:34 The Journey to Public Cloud & Microsoft 365
08:23 Custom Connectors and Real-Time Sync
15:08 Embracing Azure, App Roles & Modern Auth
19:29 Password Sync & Skipping Entra Connect
22:57 Decommissioning NetIQ: Challenges & Motivations
27:27 Leveraging Entra ID Domain Services as a Bridge
33:28 Mastering App Roles & Guiding Developers
44:27 Migrating to Entra ID Governance & Logic Apps
52:57 The "Prod-Only" Philosophy & Cloud-Native Mindset | |||
| Decommissioning On-Prem AD: Lessons Learned from We Are Era's Successful Migration | 30 May 2025 | 00:58:40 | |
Tobias Binkert, Head of IT at We Are Era, and Yusuke Kodama, Product Manager at Microsoft (who specialises in cloud-first identity, among many other things), join us to discuss We Are Era’s successful migration from on-premises Active Directory to a fully cloud-native Microsoft Entra ID environment. We delve into the motivations behind this significant shift with practical strategies for migrating devices using Microsoft Autopilot, modernizing applications, managing user accounts and groups in the cloud, and overcoming challenges like legacy RADIUS dependencies. Tobias shares the tangible benefits We Are Era experienced, including enhanced security, a superior user experience and increased agility for adopting new technologies.
* Tobias Binkert - https://www.linkedin.com/in/tobias-binkert-83844810a/
* Yusuke Kodama - https://www.linkedin.com/in/yusukekodama85/

On a related note we ran a poll a few weeks ago asking what your Identity plans were for 2030 and beyond. Nearly 90% of you were looking to go Entra ID first with more than half planning to go full cloud native with Entra ID. So hopefully this episode with Tobias and Yusuke will help shed some light and help you start your journey to going cloud-first/cloud-native.

🔗 Related Links
* Road to the cloud: Introduction
* Cloud transformation posture
* Establish a Microsoft Entra footprint
* Implement a cloud-first approach

📗 Chapters
00:00 Intro
03:20 The Motivation: Why Decommission On-Prem Active Directory?
06:23 Gaining Buy-In: Negotiating with Business Units
09:56 The ROI & Cost Impact: Saving 70% on Infrastructure
14:47 Device Migration: Tackling Windows Workstations with Autopilot
25:31 Server & Application Challenges: RADIUS, Printing, and More
32:06 User Accounts & Groups: The Shift to Cloud-Only Identities
44:19 Addressing Security & Availability Concerns of Full Cloud
49:43 Life After AD: Next Steps and Future Identity Initiatives
51:45 Lessons Learned & Key Advice for Your Cloud Migration | |||
| Unmasking Entra ID Threats: A CrowdStrike Researcher's Early Career Insights with Sapir Federovsky | 24 May 2025 | 00:53:28 | |
In this episode we chat with Sapir Federovsky, a Security Researcher at CrowdStrike, who shares her journey from military service to becoming an identity threat researcher. She discusses her learning methods, the importance of community, and the challenges of keeping up in the fast-paced world of Azure and Entra ID security. Sapir also delves into specific Entra ID features she focuses on, the critical role of prevention alongside detection, and her experiences as a woman in the tech industry.
LinkedIn - https://www.linkedin.com/in/sapir-federovsky-a687491b0/

🔗 Related Links
* Sapir's blog - https://sapirxfed.com/
* Reportly - https://github.com/sap8899/reportly

📗 Chapters
00:00 Intro
01:17 Early Career Perspectives & Learning Journey
03:25 Transitioning from Military to Civilian Tech
04:25 Learning Cloud Security & The Power of Talks/Blogs
08:19 Building a Tool for Log Analysis
12:26 A Typical Day: Continuous Learning & Community Sharing
15:08 Balancing Learning Old & New in a Fast-Evolving Field
17:38 The Power of Teaching to Master a Topic
19:37 Learning by Answering Questions
21:17 Vision: Becoming the Ultimate Defender & Community Building
23:48 Deep Dive: Graph Activity Logs in Entra ID
27:33 Focusing on Hybrid Environments & Synchronization
29:37 Experiences as a Woman in Tech
36:29 The Shift from Detection to Prevention & Hardening
39:13 The Challenge of Updating Tenant Configurations
45:57 Navigating Organizational Change Management Cycles
50:29 Final Advice: Always Say Yes & Create Opportunities | |||
| Entra Ignite Recap: Synced Passkeys, Agent ID & The Future of Identity | 23 Nov 2025 | 01:16:43 | |
This week, I’m joined by a stellar panel of Nathan McNulty, Ru Campbell, Martin Sandren, and Thomas Naunheim to break down the firehose of news from Microsoft Ignite related to Entra. We dive straight into the hot debate over synced passkeys versus device-bound credentials and why consumer adoption might force our hand in the enterprise. We also explore the new Account Recovery features that could save companies thousands in helpdesk costs and unpack the massive shift toward “Agentic AI” with the launch of Entra Agent ID, a feature that fundamentally changes how we think about non-human identities. If you are feeling overwhelmed by the pace of AI and identity changes, you are not alone. Listen in as we figure this out together.

About our guests
* Nathan McNulty: Nathan is a Senior Security Solutions Architect at Patriot Consulting and a Microsoft Security MVP. He has been working with Microsoft cloud identity solutions since the days of Live@edu and Office 365 in 2010. https://www.linkedin.com/in/nathanmcnulty/
* Ru Campbell: Ru is a Microsoft Security MVP who leads Microsoft Security at Threatscape. He describes himself as a “jack of all trades” when it comes to Microsoft 365 security, getting involved in a wide range of security topics. https://www.linkedin.com/in/rlcam/
* Martin Sandren: Martin is the Product Lead for Identity Access at Inter IKEA, where he manages identity solutions across the globe. He offers a unique perspective as a practitioner running identity for a massive enterprise. https://www.linkedin.com/in/martinsandren/
* Thomas Naunheim: Thomas is a Cloud Security Architect at glueckkanja and a Microsoft Security MVP. He specializes in cloud security architecture and actively tracks new features and announcements in the Microsoft ecosystem.

Sponsored by:
Shadow IT and SaaS sprawl are outpacing IT teams. It can feel impossible to tackle these app governance challenges:
📦 Entra ID isn’t secure by default
💥 SaaS adoption & sprawl isn’t slowing down
⌨️ Citizen Development keeps rising (hello, Copilot Studio!)
🗑️ Vendors often don’t remove apps after uninstall
🔃 Offboarding is inconsistent or doesn’t happen at all
🥔 App governance is passed around like a hot potato
ENow AppGov Score shines a light on lurking risks, providing a free App Governance Benchmark Report for your Entra tenant. Reclaim control and protect against breach & disruptions. Free upgrade to Standard Tier for 7 days once you get your score.

🔗 Related Links
* Microsoft Entra: What’s New in Secure Access on the AI Frontier
* Entra.Chat - Access Review Agent
* Entra.Chat - Conditional Access Agent

📗 Chapters
00:00 Intro
04:36 The Debate: Synced vs Device-Bound Passkeys
20:47 Entra Account Recovery & Identity Verification
30:00 Passwordless Self-Remediation
33:01 Security Copilot Comes to E5
36:47 The Rise of AI Agents in Entra
42:49 Understanding Entra Agent ID
56:47 MCP Servers & VS Code Integration
01:05:20 Global Secure Access & AI Security
01:09:14 Microsoft Security Baseline | |||
| Zero Trust Assessment: Secure your tenant | 15 Nov 2025 | 00:44:09 | |
This week, I’m so excited to share the inside story of a project I’ve been working on for over a year: the new Zero Trust assessment. I’m joined by some of the key folks from the team: Tarek, who’s leading the charge; Sarah and John, who are crushing docs; and Ravi, who’s owning Intune. We unpack the wild breach that sparked it all, geek out over those Sankey charts that spotlight sneaky unmanaged devices and privileged access landmines, and tease why even “expired” app creds could be your silent killer. If you’re tired of silos between identity and endpoints, this is your wake-up call—tune in to see how to make Zero Trust practical before the next attack hits.

About Our Guests

Sarah Lipsey
Sarah Lipsey has been with Microsoft for almost four years and writes about monitoring and health, ID Protection, and Security Copilot in Microsoft Entra. Sarah has worked as a technical writer and instructional designer for around 20 years, and for a university, a telecommunications firm, and a railroad. She lives in the woods with her family where she loves to knit, play video games, hike, and ski. Yes, she spends way too much time trying to close out every dot on a video game map. Still working on the Skellige map for The Witcher 3.
LinkedIn - https://www.linkedin.com/in/sarah-lipsey-b53b746/

John Flores
John is a Senior Content Developer at Microsoft, where he has worked for over eight years. He specializes in creating high-impact technical content for identity security within Microsoft Entra, focusing on areas like Conditional Access, MFA, ID Protection, and device identity. John also leads the documentation efforts for Zero Trust content across Microsoft 365 and Identity teams. He actively collaborates with engineers and PMs to test pre-release features and engages with customers to refine technical guidance.
LinkedIn - https://www.linkedin.com/in/johnbflores/

Ravi Kalwani
Ravi is a Senior Program Manager at Microsoft, based in Sydney, Australia. With over 14 years of IT experience spanning technical training, support, consulting, and program management, his focus for the past five years has been on Enterprise Client and Mobility, specifically Microsoft Configuration Manager and Intune. Ravi is also an experienced public speaker, having presented at numerous technical conferences and delivered a wide range of workshops for both internal teams and enterprise customers.
LinkedIn - https://www.linkedin.com/in/rkalwani/

Tarek Dawoud
Tarek Dawoud is a long-time veteran at Microsoft, having been with the company for over 18 years. Tarek currently leads the architecture team within the customer engineering (CXE) organization, where he helps customers deploy Entra, gathers insights for the product group, and works to solve the hardest identity problems.
LinkedIn - https://www.linkedin.com/in/tarekdawoud/

🔗 Related Links
* aka.ms/zerotrust/assessment → Microsoft Learn docs page for the assessment
* aka.ms/zerotrust/demo → Interactive demo of a sample assessment report
* aka.ms/zerotrust/feedback → Share your feedback
* aka.ms/zerotrust/issues → Logging bugs & issues

Video: Zero Trust Assessment - Five minute walkthrough
Image: Zero Trust Assessment Report (sample report generated by the Zero Trust Assessment tool; try aka.ms/zerotrust/demo for an interactive demo)

📗 Chapters
00:00 Intro
01:11 The Origin Story: A Customer Breach
05:59 A New Way to Write Docs
08:55 Bringing Intune into the Story
11:07 How This Compares to Secure Score
14:46 Uncovering Insights with Sankey Charts
21:55 Behind the Scenes: How a Test is Built
36:18 Why We Target Privileged Access (AI Attackers)
39:59 The Myth of “Safe” Expired Credentials
42:35 Final Thoughts: “Please Run It” | |||
| The Great Debate: P2 vs. Entra ID Governance for Guests | 14 Sep 2025 | 00:44:22 | |
Jeremy Conley, Product Manager on the Identity Governance team at Microsoft, demystifies the world of guest access in Microsoft Entra. We discuss the hidden security risks that accumulate as guests are invited into a tenant and the governance challenges this creates. We also do a deep dive into the different licensing tiers, from P2 to the new Entra ID Governance for Guests license, and explain the recently GA’d, cost-effective MAU-based billing model for guests. Jeremy provides actionable tips for admins to start cleaning up their tenants and implementing a robust governance strategy today.

About Jeremy Conley
Jeremy Conley is a Product Manager at Microsoft, focusing on identity governance. His work is centered on Entitlement Management and the governance of guest and external users within Microsoft Entra, helping customers secure their environments and manage user lifecycles effectively.
LinkedIn - https://www.linkedin.com/in/jeremy-conley-99552379/

🔗 Related Links
* Microsoft Entra ID Governance licensing for guest users - aka.ms/EntraIDGuestGovernance
* PowerShell tool to update guest sponsor info - Update-MsIdInvitedUserSponsorsFromInvitedBy

📗 Chapters
00:51 What are Guests & External Users?
03:51 The Hidden Security Risk of Guests
07:14 Understanding Licensing for Guest Governance
09:10 P2 Features: Entitlement Management & Access Reviews
15:19 Entra ID Governance: Lifecycle Workflows & Automation
20:33 The "Sponsor" Concept for Guest Accountability
25:49 The NEW Guest Licensing Model Explained
28:15 Demystifying the 1:5 Ratio vs. MAU Billing
35:18 Common Mistakes Admins Make with Guests
37:22 A Simple First Step to Clean Up Your Tenant | |||
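Before any licensing decision or lifecycle workflow, an admin needs to know how many guests are actually live, how many invitations were never accepted, and who sponsors each one. The script below produces that inventory. It is an added example, not code from the episode or from Microsoft. It assumes the Microsoft Graph PowerShell SDK (a 2.x release that exposes the user sponsors relationship through Get-MgUserSponsor), an Entra ID P1 or higher tenant so that signInActivity is populated, and a signed-in reader with the scopes shown; the 90-day staleness threshold is an illustrative choice.

```powershell
# Added example (not the episode's or Microsoft's code). Inventories guest accounts by
# invitation state, last sign-in and sponsor so stale ones can be reviewed before any
# governance policy is applied. signInActivity requires AuditLog.Read.All and an
# Entra ID P1 (or higher) tenant.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All" -NoWelcome

$staleAfterDays = 90                                   # illustrative threshold, tune per tenant
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$staleAfterDays)

# userType is a plain filterable property; signInActivity is only selected, not filtered.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id, DisplayName, Mail, CreatedDateTime, ExternalUserState, SignInActivity

$report = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime   # $null if the guest never signed in

    $state = if ($g.ExternalUserState -eq 'PendingAcceptance') {
                 if ($g.CreatedDateTime -lt $cutoff) { 'Invite never accepted (stale)' } else { 'Invite pending' }
             } elseif (-not $lastSignIn) { 'Accepted, never signed in'
             } elseif ($lastSignIn -lt $cutoff) { 'Inactive > {0}d' -f $staleAfterDays
             } else { 'Active' }

    # Sponsors give a guest an accountable owner; an empty list is itself a finding.
    # Sponsor objects come back as directoryObject, so displayName lives in AdditionalProperties.
    $sponsors = @(Get-MgUserSponsor -UserId $g.Id -All |
                  ForEach-Object { $_.AdditionalProperties['displayName'] })

    [pscustomobject]@{
        Guest      = $g.DisplayName
        Mail       = $g.Mail
        Created    = $g.CreatedDateTime
        LastSignIn = $lastSignIn
        State      = $state
        Sponsors   = if ($sponsors) { $sponsors -join '; ' } else { '<none>' }
    }
}

# Everything that is not active, oldest first: never-accepted invitations and long-idle
# guests are the low-regret removals, and guests without a sponsor have nobody to ask.
$report | Where-Object { $_.State -ne 'Active' } | Sort-Object State, Created | Format-Table -AutoSize
$report | Where-Object { $_.Sponsors -eq '<none>' } | Measure-Object | Select-Object -ExpandProperty Count
```

The last line is the count of guests with no sponsor at all; the Update-MsIdInvitedUserSponsorsFromInvitedBy tool linked above exists to back-fill exactly that gap from the invitation record.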
| The Hidden Risks of Non-Human Identities in Your Tenant | 06 Sep 2025 | 00:48:47 | |
In this episode of Entra.Chat, I dive into the critical world of app governance with experts Jay Gundotra and Sander Berkouwer, who unpack the hidden risks of non-human identities in Microsoft Entra. From shocking real-world breaches like Midnight Blizzard to a hilarious tale of a theme park’s water supply mishap, we explore why securing your cloud apps is more urgent than ever. Tune in to discover practical tips and tools to safeguard your organization without losing your giraffes!

About Jay Gundotra
Jay is the CEO and technical founder of E-Now. He has a long history as an Exchange and Active Directory engineer, which led him to found his company and focus on solving complex identity and application governance challenges for enterprises.
LinkedIn - https://www.linkedin.com/in/jay-gundotra-19079a/

About Sander Berkouwer
Sander Berkouwer is a 17-year Microsoft MVP veteran and an accomplished identity architect. With deep expertise from being "in the trenches," he partners with Jay to educate the community and build solutions for managing non-human identities and service principals.
LinkedIn - https://www.linkedin.com/in/sanderberkouwer/

🔗 Related Links
* AppGov Community - https://community.appgovscore.com/
* How Ownerless Apps in Entra ID Increase Your Attack Surface
* Securing Workload Identities in Entra ID: A Practical Guide for IT and Security Teams

📗 Chapters
00:00 Intro
01:55 What is App Governance?
04:02 The Origin Story of Focusing on App Governance
08:35 Why App Security is Critical Today
14:15 The Dangers of Over-Privileged Apps
20:38 The Giraffe Story: When Cleanup Goes Wrong
24:42 What Should a Successful Organization Do?
30:22 The Full Application Lifecycle: Onboarding to Offboarding
35:38 Building the AppGov Community
45:04 The Importance of Education and Automation | |||
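Two of the findings this episode and the Zero Trust assessment episode above both point at, ownerless app registrations and app credentials that were left in place after they expired, can be pulled out of a tenant with one Graph query. The script below is an added example, not code from either episode, from ENow or from Microsoft. It assumes the Microsoft Graph PowerShell SDK and a signed-in reader with Application.Read.All; the 30-day "expiring soon" window is an illustrative choice.

```powershell
# Added example (not the episode's, ENow's or Microsoft's code). Lists every credential on
# every app registration together with its owner count and expiry status, so ownerless
# registrations and leftover secrets can be cleaned up instead of accumulating.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$now  = (Get-Date).ToUniversalTime()
$soon = $now.AddDays(30)                               # illustrative "expiring soon" window

$rows = foreach ($app in Get-MgApplication -All -Property Id, DisplayName, AppId, PasswordCredentials, KeyCredentials) {
    $ownerCount = @(Get-MgApplicationOwner -ApplicationId $app.Id -All).Count

    # Normalise client secrets and certificates to one shape so they sort and filter together.
    $creds = @(
        foreach ($p in $app.PasswordCredentials) { [pscustomobject]@{ Kind = 'Secret';      Name = $p.DisplayName; Ends = $p.EndDateTime } }
        foreach ($k in $app.KeyCredentials)      { [pscustomobject]@{ Kind = 'Certificate'; Name = $k.DisplayName; Ends = $k.EndDateTime } }
    )
    if (-not $creds) {
        # A registration with no credential still matters if nobody owns it.
        $creds = @([pscustomobject]@{ Kind = '<none>'; Name = ''; Ends = $null })
    }

    foreach ($c in $creds) {
        [pscustomobject]@{
            App        = $app.DisplayName
            AppId      = $app.AppId
            Owners     = $ownerCount
            Credential = $c.Kind
            Name       = $c.Name
            Expires    = $c.Ends
            Status     = if ($c.Kind -eq '<none>') { 'no credential' }
                         elseif ($c.Ends -lt $now) { 'EXPIRED - remove it' }
                         elseif ($c.Ends -lt $soon) { 'expiring < 30d' }
                         else { 'valid' }
        }
    }
}

# Ownerless registrations first: nobody is accountable for rotating or removing these.
$rows | Sort-Object Owners, App, Expires | Format-Table -AutoSize

# The subset that is most often forgotten: no owner, and a credential still attached.
$rows | Where-Object { $_.Owners -eq 0 -and $_.Credential -ne '<none>' } |
    Format-Table App, Credential, Name, Expires, Status -AutoSize
```

Expired credentials are deliberately reported rather than filtered out: an expired secret cannot be redeemed for a token, but its presence shows that a secret was issued and may still be sitting in a pipeline variable or config file somewhere, and removing the entry costs nothing.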
| Red Team Secrets: How we bypass Conditional Access (and how you can fix it) | 29 Aug 2025 | 00:58:03 | |
In this episode of Entra.Chat, I dive deep with cybersecurity architect Fabian Bader into his research on bypassing poorly designed Microsoft Entra conditional access policies and what you can do about them. We also cover the game-changing new Group Source of Authority feature that lets you finally manage synced groups in the cloud, and share insights from Fabian’s work with MSRC to secure the platform—don’t miss this one if you want to stay ahead in cloud security!

About Fabian Bader
Fabian Bader is a Cybersecurity Architect at glueckkanja, based in Hamburg, Germany. He is a well-known researcher in the Microsoft identity space, creator of the Cloud Brothers blog, and creator of the Maester and Token Tactics V2 tools. His work focuses on Microsoft Entra and the Defender suite, helping customers secure their cloud environments.
LinkedIn - https://www.linkedin.com/in/fabianbader/

🔗 Related Links
* Fabian’s Blog - https://cloudbrothers.info/
* Entra Scopes - https://entrascopes.com/
* Maester - https://maester.dev/
* Token Tactics V2 - https://github.com/f-bader/TokenTacticsV2

📗 Chapters
02:19 The Story of the "Cloud Brothers" Blog
03:32 The Origin Story of Maester
07:39 Token Tactics V2 & Continuous Access Evaluation
09:43 How Conditional Access Bypasses Are Found
12:05 What is FOCI (Family of Client IDs)?
18:04 Hardening Your Conditional Access Policies
29:59 V1 vs V2 Token Endpoints Explained
38:19 Using Graph Activity Logs in Defender XDR
42:45 The New Group Source of Authority (SOA)
54:59 Workplace Ninjas US Announcement | |||
| Inside Entra Resilience: Microsoft's Outage War Stories, Backup Secrets and Preventing Global Outages | 23 Aug 2025 | 01:15:26 | |
In this episode, I sit down with my boss, Tarek Dawoud, to pull back the curtain on what really happens during a major service outage. Tarek shares some incredible "war stories" from his time in the trenches, from the early days of DirSync where the team had to edit a sync file with a debugger to prevent an incident, to the massive outages of 2017 and 2018 that changed everything. We'll give you a peek into the high-stakes, quick-thinking world of a "live site" incident and reveal the groundbreaking engineering principles like cell-based architecture and the backup authentication service that were born from these challenges, making Entra more resilient than ever before.

About Tarek Dawoud
Tarek Dawoud is a Lead Architect in the Customer Engineering team for Microsoft Entra. With years of experience growing up in Entra engineering, he has been involved in his share of outages and has a deep understanding of what it takes to build and maintain a resilient, hyperscale identity service.
LinkedIn - https://www.linkedin.com/in/tarekdawoud/

🔗 Related Links
* SLA performance for Microsoft Entra ID - aka.ms/entraidsla
* Microsoft Blames "Severe Weather" for Azure Cloud Outage
* Microsoft Probes Cause of Global Web Outage
* Microsoft's Azure AD authentication outage: What went wrong

📗 Chapters
00:57 What is a "Live Site"?
14:15 The Secret to Entra's Uptime: Cell-Based Architecture
18:09 How Entra Routes Your Login Request Globally
24:46 War Story #1: The 2017 Conditional Access Outage
29:52 War Story #2: How a Hurricane & an Office Bug Caused Chaos
43:39 The Backup Auth Service: Entra's Secret Weapon
57:54 Does the Backup Service Kick in Automatically?
01:04:16 Regional Isolation & The Power of Managed Identity
01:08:17 Anatomy of a Near-Outage in 2021
01:12:02 How Microsoft's Culture Learns From Mistakes | |||
| Identity War Stories: Surviving the Domain Cutover Nightmare! | 15 Aug 2025 | 01:05:41 | |
In this episode, I sit down with Conrad Murray, a seasoned expert who lives and breathes the complexities of IT migrations during mergers, acquisitions, and divestitures. We dive deep into the real-world challenges that companies face, from the political battles of deciding whose tenant to use, to the technical nightmares of migrating three-quarters of a petabyte of data for a major global firm. Conrad shares some incredible "war stories" about the single hardest part of any migration—the domain cutover—and reveals why the success of a months-long project boils down to just the first four hours of the end-user experience on a Monday morning. About Conrad Murray Conrad Murray is an expert in the IT lifecycle, specializing in complex tenant-to-tenant migrations for mergers, acquisitions, and divestitures. With over 15 years of experience moving companies to the cloud, Conrad has seen it all, from early BPOS and Lotus Notes migrations to massive, petabyte-scale Microsoft 365 consolidations. LinkedIn - Conrad Murray 🔗 Related Links * Google to Microsoft 365 Migrations 📗 Chapters 00:00:00 Intro 00:05:40 The Politics of Merging Tenants 00:07:23 Greenfield Tenants: A Fresh Start 00:09:58 War Story: Migrating 750TB for S&P Global 00:19:13 The Nightmare of Domain Cutovers 00:25:14 The Critical Day-One User Experience 00:30:00 Reconfiguring Mobile Devices: The Hardest & Easiest Part 00:35:46 Multi-Tenant Orgs (MTO): A Long-Term Solution? 00:49:22 The Unique Challenges of Divestitures 00:55:17 Data Cleanup That Never Happens 01:01:06 Tools of the Trade for Migration Success | |||
| Don't Get Left Behind: The Future of Identity Governance | 09 Aug 2025 | 00:50:23 | |
In this episode we are joined by Jef Kazimer, Principal Product Manager at Microsoft, to discuss the critical role of Microsoft Entra ID Governance. We explore the entire identity lifecycle of joiners, movers, and leavers (JML), the financial and security benefits of automated provisioning, and the pitfalls of legacy IGA solutions. Jef shares his extensive experience, from deploying complex MIM solutions to helping shape the future of cloud-native governance, and provides key insights into how AI will drive the need for more robust governance and how Entra is leveraging technologies like Azure Logic Apps for supportable, long-term solutions. About Jef Kazimer Jef Kazimer is a PM on the Microsoft Entra team, specializing in Identity Governance. With a career spanning from help desk support and consulting to his current role in engineering, Jef has a deep understanding of the real-world identity and access management challenges that organizations face. He is passionate about helping customers secure their environments by leveraging the power of the cloud. LinkedIn - https://www.linkedin.com/in/jefkazimer/ 🔗 Related Links * Entra ID Governance licensing docs - https://learn.microsoft.com/en-us/entra/id-governance/licensing-fundamentals 📗 Chapters 01:39 From Atari to Microsoft: A Hacker's Journey 09:14 What is Identity Governance (and Why You're Already Doing It) 13:16 The Hidden Costs of Poor Governance & Licensing 15:58 The Customization Trap: Why 'Simple' is Better 22:57 Common Challenges in Identity Governance 27:36 Governance for Small vs. Large Businesses 30:51 The Secret to Great User Experience 42:33 Demystifying Entra ID Governance Licensing 46:41 The Future: How AI Changes Everything | |||
| The Zero Trust Mistakes 90% of Companies Are Making (Microsoft Insiders Reveal All) | 02 Aug 2025 | 00:53:37 | |
In this eye-opening episode, I sit down with Microsoft's Clay and Ramiro, two Customer Experience (CxE) architects who've collectively run over 150 Zero Trust workshops with enterprise customers. They reveal the shocking gaps they consistently find—like customers spending millions on compliance policies but forgetting to actually block non-compliant devices with Conditional Access. We dive deep into their comprehensive Zero Trust Workshop framework that's become the "seventh wonder of the Excel world," discuss why partners are scrambling to get trained on their methodology, and explore how AI is about to reshape the entire Zero Trust landscape. If you think your organization has Zero Trust figured out, this conversation might just change your mind. About Clay and Ramiro Clay and Ramiro are architects in Microsoft's Customer Experience (CxE) team. With over a decade of experience each at Microsoft, they specialize in helping the largest and most high-profile customers navigate complex deployments and security challenges. Ramiro has a background in engineering and was part of the team that built ADFS, while Clay focuses on the Intune side of things. They are the key figures behind the development and refinement of Microsoft’s Zero Trust Workshop. * LinkedIn - Ramiro: https://www.linkedin.com/in/ramirocalderon/ * LinkedIn - Clay: https://www.linkedin.com/in/clay-p-55899912b/ 🔗 Related Links * Zero Trust Workshop - https://aka.ms/ztworkshop 📗 Chapters 00:24 The "Why" Behind the Zero Trust Workshop 08:16 How to Run the Workshop 14:15 How the Workshop Has Evolved 20:48 How Partners Can Use the Workshop 26:51 Evolution of the Roadmap 35:30 Real-World Customer Improvements 39:46 Zero Trust is a Team Sport 47:22 The Future: AI and the Workshop 49:10 Final Advice on Zero Trust | |||
| Building Entra's CA AI Agent: A Creator's Perspective | 26 Jul 2025 | 00:44:33 | |
In this episode, I sit down with Jordan Dahl, a Product Manager on the Entra Conditional Access team, to discuss the newly GA'd Conditional Access Optimization Agent. Jordan shares the origin story of the agent, explaining how customer feedback about the difficulties of managing CA policies at scale led to its creation. We delve into how this AI-powered "digital colleague" works to identify and remediate security gaps, its future roadmap including ServiceNow integration and phased rollouts, and how you can get started with it in your own tenant. About Jordan Jordan is a Product Manager on the Entra Conditional Access team at Microsoft. Her current focus is on the Conditional Access Optimization Agent. Previously, she was a PM for per-policy reporting in Conditional Access and for Groups within Entra. LinkedIn - https://www.linkedin.com/in/jordan-dahl-840182127/ 🔗 Related Links * Conditional Access optimization agent in Microsoft Entra 📗 Chapters 00:00 Intro 01:31 The Origin of the CA Optimization Agent 05:08 How the Agent Works 07:40 Autonomous Policy Changes? 12:39 How to Deploy the Agent 16:12 Customizing the Agent's Behavior 23:59 Upcoming Agent Features: Phased Rollouts & ServiceNow 29:45 The Future: A "Digital Colleague" 35:08 How to Give Feedback 41:09 Getting Started: Your Action Items | |||
| The Unpopular Opinion: Why I Actually LIKE Hybrid Join | 18 Jul 2025 | 00:55:14 | |
In this exciting episode of Entra Chat, I dive into the world of Entra + Windows devices with the passionate and knowledgeable John Towles, a solution architect and MVP for Windows 365 and more. We unpack why Entra hybrid join is still relevant for some organizations, explore the ins and outs of Windows Autopilot, and reveal practical tips for navigating the complexities of modern device management. Plus, we share a sneak peek into the upcoming Workplace Ninjas US event and get a special announcement about the Workplace Ninjas US "Golden Clippy Awards", including the finalists for the "Entra IDol of the Year." About John Towles John Towles is a Solutions Architect at WEI, a multi-award MVP (Windows 365, Intune), President of Workplace Ninjas US, and the proprietor of Mobile-John.com. With over a decade of experience as the face of VMware's Workspace ONE, John has a deep and unique perspective on endpoint management and cloud migration. He is passionate about helping organizations navigate complex technical challenges with pragmatic, real-world solutions. 🔗 Related Links * Microsoft Entra Hybrid Join: Not Dead Yet! (John’s blog) * Microsoft's Entra Kerberos: Bridging Legacy AD to Cloud Auth + MAM on Edge with PM Jordan Gross 📗 Chapters 00:23 Entra Hybrid Join: To Do or Not to Do? 03:13 The Great Migration from VMware to Intune 06:23 Entra Join vs. Hybrid Join Explained 12:52 The Magic of Cloud Kerberos Trust 15:53 Demystifying Windows Autopilot 25:23 Making the Case for Hybrid Join with Autopilot 30:57 Why Cloud-Native is the Future 36:16 Introducing Workplace Ninjas US 39:06 The "Golden Clippy Awards" 41:31 Announcing the Entra IDol of the Year Finalists | |||
| Entra Chat 🎙️ → A master class with Entra’s Identity Provisioning Wizard! | 11 Jul 2025 | 00:55:01 | |
In this episode, I sit down with Chetan Desai, a Principal Product Manager on the Microsoft Identity Governance team. We dive deep into a side of Entra that many admins never see: the critical "first mile problem" of getting identities into your system in the first place. We talk about the evolution from on-prem scripts and MIM to specific connectors for Workday and SuccessFactors, and then to the new, powerful, generic API-driven approach that can handle any HR system, along with the architectural decisions behind it. Chetan also gives us a masterclass on how the provisioning engine differs from the Graph API and provides advice for anyone looking to migrate from a legacy Identity Governance and Administration (IGA) solution. About Chetan Desai Chetan Desai is a Principal Product Manager at Microsoft on the Entra team. For the past seven years, he has been a core part of the Entra Identity Governance and Provisioning team. Before his time at Microsoft, Chetan spent 17 years in consulting within the identity and access management domain, bringing a wealth of real-world deployment and integration experience to his product management role. 🔗 Related Links * Application and HR provisioning documentation * API-driven inbound provisioning concepts 📗 Chapters 00:34 The "First Mile Problem" in Identity 04:51 From AD Sync to HR-Driven Provisioning 09:52 The Entra Provisioning Service Architecture 16:17 Hybrid vs. Cloud-Only Identity Flows 19:17 Beyond Workday: The Need for a Generic Connector 27:43 The Great Debate: CSV vs. SQL vs. API 35:34 Provisioning API vs. Graph API: What's the Difference? 43:24 The Latest Evolution: Custom Security Attributes 49:26 Advice for Migrating to Modern IGA | |||
| Hacking Entra ID: Bypassing AppLocks & Creating ‘Immortal’ Users | 08 Nov 2025 | 00:52:28 | |
In this episode, I sit down with security researcher Katie Knowles to unpack the hidden layers of identity systems inside Microsoft Entra. We get into real-world attack paths like backdooring service principals, restricted administrative units that can accidentally create undeletable accounts, and OAuth phishing in Copilot Studio. Katie also shares how she approaches deep technical research, what defenders often overlook, and why identity security is only becoming more complex. This is one of those conversations where you walk away thinking differently. About Katie Knowles Katie Knowles is a Senior Security Researcher at Datadog specializing in Microsoft Azure and Entra ID security. She has extensive experience across security engineering, penetration testing, and incident response. Katie is known for her thorough research that connects complex technical vulnerabilities to practical defensive guidance, publishing regularly on Datadog Security Labs and speaking at major security conferences. LinkedIn - https://www.linkedin.com/in/kaknowles/ 🔗 Related Links * Katie’s Datadog security posts - https://securitylabs.datadoghq.com/articles/?author=Katie_Knowles * Katie’s personal blog - https://kknowl.es * Katie’s conference talks - https://kknowl.es/external-content/ * Creating immutable users through a bug in Entra ID restricted administrative units - https://securitylabs.datadoghq.com/articles/creating-immutable-users-entra-id-administrative-units/ * I SPy: Escalating to Entra ID’s Global Admin with a first-party app - https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-global-admin/ * CoPhish: Using Microsoft Copilot Studio as a wrapper for OAuth phishing - https://securitylabs.datadoghq.com/articles/cophish-using-microsoft-copilot-studio-as-a-wrapper/ 📗 Chapters 02:08 The Immortal User Bug in Restricted Admin Units 04:23 Attacker Impact: The Un-deletable Malicious Account 05:59 Hacking First-Party Apps & Bypassing AppLock 09:29 How She Found the AppLock Bypass 11:16 A Day in the Life of a Security Researcher 14:20 Phishing with Copilot Studio & OAuth 17:00 Top Tips for App Governance & Security 21:45 The Hidden Risk of Azure Key Vault Access Policies 28:55 App Registrations vs. Service Principals Explained 41:48 The Future: Agent IDs & The New Trust Model | |||
| Hacking Entra ID: Inside the Attack & Defense Playbook with its Creators | 01 Nov 2025 | 00:58:03 | |
Sami Lamppu and Thomas Naunheim, the creators of the Entra ID Attack and Defense Playbook, join me to discuss their incredible 5-year community project. We talk about the most complex attacks they’ve researched, including the “black box” token and PRT attacks, and their shocking findings related to TPM and device compliance. We also dive deep into their brand-new chapter on the new Microsoft Entra Connect application-based authentication (ABA) model and the critical steps you must take to secure it. About Sami & Thomas Sami Lamppu is a Microsoft Security MVP and a Principal Cloud Security Lead at Elisa with a strong focus on the blue team side, helping organizations proactively prevent attacks. Thomas Naunheim is a Cybersecurity Architect at glueckkanja and a Microsoft Security MVP. He specializes in Microsoft Entra, identity and access management, and cloud security posture. * Sami LinkedIn - https://www.linkedin.com/in/sami-lamppu/ * Thomas LinkedIn - https://www.linkedin.com/in/thomasnaunheim/ 🔗 Related Links * Entra ID Attack and Defense Playbook - https://github.com/Cloud-Architekt/AzureAD-Attack-Defense 📗 Chapters 02:35 Origin Story of the Playbook 07:08 Overview of the Attack Chapters 09:53 Who is the Playbook For? 13:59 The Hardest Chapter to Write: Tokens 21:48 Shocking PRT & TPM Findings 24:43 NEW Chapter: Hacking Entra Connect (ABA) 29:10 How to Secure the New Sync Account 36:53 HSCAR: The Posture Analyzer Tool 45:09 Keeping the Playbook Updated & Community 53:12 What’s Next & Final Advice | |||
| I found a bug that could hack ANY Microsoft 365 tenant - Here's what happened | 24 Oct 2025 | 01:00:39 | |
In this episode, I chat with Dirk-jan Mollema, the legendary researcher behind some of the most important discoveries in Microsoft identity security. We go deep into how curiosity led him from tinkering with web tools to uncovering one of the biggest Entra ID vulnerabilities ever found. He shares the story behind the CVE that rocked the cloud world, the stress of realizing what he’d uncovered, and the mindset that drives his relentless research. If you’ve ever wondered what it feels like to find a bug that could break the internet—this one’s for you. PS: If you like this episode please leave a review on Apple Podcast or Spotify 🙏 About Dirk-jan Mollema Dirk-jan Mollema is a security researcher and consultant specializing in Microsoft Entra ID (Azure AD) and Active Directory security. He is the creator of popular offensive security tools including ROADtools and ROADrecon. With seven years of Entra research and nearly a decade in AD security, Dirk-jan has discovered numerous critical vulnerabilities and has played an important role in helping improve Microsoft’s cloud security posture. He provides training and consulting services through his company Outsider Security. Twitter → https://twitter.com/_dirkjan LinkedIn → https://www.linkedin.com/in/dirkjanm Contact → https://outsidersecurity.nl 🔗 Related Links * One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens - https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens * Dirk-jan’s Blog - https://dirkjanm.io * ROADtools - https://github.com/dirkjanm/ROADtools 📗 Chapters 00:00 Intro 02:11 Guest Journey into Security 07:13 Building ROADtools and ROADrecon 09:53 Research Tools & Methods 14:05 Top Discoveries Ranked 17:01 Windows Hello & PRT Deep Dive 26:07 The Cross-Tenant Actor Token Bug 35:34 Ethical Dilemmas of Big Finds 38:24 Disclosure, Impact & Community 45:59 Future Research & Intune Tips 53:58 Training, Consulting & Closing | |||
| AI is Coming to Identity Governance! Meet the Entra Access Review Agent | 18 Oct 2025 | 01:07:40 | |
In this episode, I sit down with Alexander Filipin, a Product Manager at Microsoft, to unpack the essentials of identity governance and why access reviews are a game-changer for security and compliance. We explore pitfalls like rubber stamping that plague traditional methods and tease how the new AI-driven Access Review Agent is stepping in with smart recommendations and context to make decisions easier and more accurate. Plus, we peek into exciting future possibilities where agents could automate access management entirely—tune in to see how this could reshape your org’s approach! About Alexander Filipin Alexander Filipin is a Product Manager at Microsoft in the Microsoft Entra ID Governance team. With a background in consulting and identity security, he previously contributed to popular community projects like Conditional Access as Code and now leads features in Microsoft Entra, including the newly released Access Review Agent. LinkedIn - https://www.linkedin.com/in/alexfilipin/ 🔗 Related Links * Microsoft Entra Access Review Agent Documentation - https://aka.ms/aragent * Conditional Access Optimization Agent - https://learn.microsoft.com/en-us/entra/identity/conditional-access/agent-optimization 📗 Chapters 00:00 Intro 00:48 From Community Code to Microsoft Product Management 04:42 The 4 Drivers of Governance: Security, Compliance, & Cost Savings 06:45 Why Access Reviews are Critical for Guest and Licensing Cleanup 13:46 Licensing: Entra ID P2 vs. Entra Governance Capabilities 20:01 The Biggest Problem with Traditional Access Reviews Today 20:41 Introducing the Entra Access Review Agent 23:18 The Role of AI in Generating Reviewer Context 34:04 The Audit Trail and Compliance for AI Decisions 44:26 Future Vision: The Next Evolution of Identity Governance | |||
| Why AI Is Breaking Identity Security – Experts Spill the Truth! | 11 Oct 2025 | 00:32:22 | |
Welcome back to Entra.Chat! In this rapid-fire Q&A, I’m joined by a team of brilliant CxE Identity Architects from Microsoft, and they’re answering the toughest questions on the future of identity. We dive deep into the security challenge posed by agentic AI that can spawn self-replicating identities and how Microsoft is creating tailored behavioral analytics to protect your environment. The team also spills the details on the shift to phishing-resistant MFA through authentication strengths capabilities for Entra ID tenants—you’ll definitely want to listen before your next audit! About The Panel This episode features an incredible panel of experts from Microsoft’s Identity team: * Tarek Dawoud: Lead Architect of the Architecture Team, focusing on AI for Security and Entra Resilience → https://www.linkedin.com/in/tarekdawoud/ * Tyler Chan: Architect focusing on the Zero Trust Workshop and the healthcare vertical → https://www.linkedin.com/in/chantylert/ * Ramiro Calderon: Architect on the team focusing on Identity and Access Management and helping customers move to the cloud → https://www.linkedin.com/in/ramirocalderon/ * Jas Suri: Architect for Customer Identity and Access Management (CIAM), including Entra External ID as well as passwordless technologies → https://www.linkedin.com/in/jas-suri-aa644a7b/ * Ehud Itshaki: Identity Architect focusing on AI’s impact on identity systems and government customers → https://www.linkedin.com/in/ehudi/ * Thomas Detzner: Architect focusing on Global Secure Access (GSA) and the network pillar of Zero Trust → https://www.linkedin.com/in/thomasdetzner/ * Travis Gross: Manager and lead of the overall Identity CxE team at Microsoft → https://www.linkedin.com/in/travis-gross-536b3b9b/ * Keith Brewer: Architect for Entra authentication, identity security, and U.S. government customers → https://www.linkedin.com/in/keith-b-145519174/ 🔗 Related Links * The future of AI agents—and why OAuth must evolve - https://techcommunity.microsoft.com/blog/microsoft-entra-blog/the-future-of-ai-agents%E2%80%94and-why-oauth-must-evolve/3827391 * Beyond OAuth: Why SCIM must evolve for the AI agent revolution - https://techcommunity.microsoft.com/blog/microsoft-entra-blog/beyond-oauth-why-scim-must-evolve-for-the-ai-agent-revolution/4433036 * Use Kerberos for single sign-on (SSO) to your resources with Microsoft Entra Private Access - https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-configure-kerberos-sso * Bulk operations in Microsoft Entra ID (Preview) - https://learn.microsoft.com/en-us/entra/fundamentals/bulk-operations * Road to the cloud: AD to Entra ID - aka.ms/AD2AAD * Microsoft Entra security operations guide - Incident Response Playbooks - https://learn.microsoft.com/en-us/entra/architecture/security-operations-introduction * Incident response playbooks - https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks * Review permissions granted to enterprise applications - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-application-permissions?pivots=portal * Multi-factor unlock - https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/multifactor-unlock?tabs=intune * API-driven Inbound Provisioning - Integration scenarios - https://learn.microsoft.com/en-au/entra/identity/app-provisioning/inbound-provisioning-api-logic-apps#integration-scenario-variations 📗 Chapters 03:57 The Challenge of Agentic AI and Identity 06:35 Top Identity Security Enhancements You Can Use Today 09:42 Entra External ID: Syncing Tenants and B2C Migration 11:41 Restoring Compromised Tenants 15:01 Verifying Real Humans: Identity Assurance Levels (IAL) Explained 17:01 Rethinking App Consent and Granular Admin Roles 18:28 Clearing Up Confusion: Passkeys vs Phishing-Resistant MFA 20:33 Ditching On-Prem: Moving Legacy Apps with Private Access 23:14 How AI Will Change IAM Admins & Permissions Forever 30:31 Is Entra ID Governance the End of MIM? | |||
| Azure AD B2C to Entra External ID: Migration Strategies You Need to Know | 04 Oct 2025 | 00:38:47 | |
In this episode, I sit down with my longtime friends and colleagues, Jas Suri and Gayan Randeny, at Microsoft’s campus to unpack the biggest Microsoft consumer identity shift in years—Azure AD B2C’s sunset and the rise of Entra External ID. We talk about why B2C is going away, the crazy scale of tenants with 100M+ identities, the migration paths and what the future looks like for customer identity. Plus, stick around until the end because Gayan and Jas share a world premiere on the podcast about a groundbreaking new Just-In-Time migration approach that will make moving millions of users to Entra External ID simpler than you think. You don’t want to miss this scoop! If you want to stay ahead of this massive transition, this is a must-listen. Subscribe with your favorite podcast player or watch on YouTube 👇 About Jas Suri Jas Suri is the CxE Architect PM for Microsoft Entra External ID and has a wealth of knowledge and experience in helping Microsoft customers deploy Azure AD B2C and Entra External ID. With extensive experience in Azure AD B2C and Entra External ID migrations, Jas has now taken on the CxE architect role for passkeys across both Entra ID and Entra External ID.. LinkedIn - https://www.linkedin.com/in/jas-suri-aa644a7b/ About Gayan Randeny Gayan Randeny is a seasoned expert in customer identity and access management at Microsoft, with years of experience helping customers deploy Azure AD B2C and now leading efforts to migrate to Entra External ID. In addition to his work on Entra External ID, Gayan is now turning his attention to help enterprise customers deploy Global Secure Access. 
LinkedIn - https://linkedin.com/in/gyanrandhani 🔗 Related Links * Migrating users to Microsoft Entra External ID - https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-migrate-users * Microsoft Entra External ID deployment architectures with Microsoft Entra - https://learn.microsoft.com/en-us/entra/architecture/external-identity-deployment-architectures * Azure Active Directory B2C: Custom CIAM User Journeys - https://github.com/azure-ad-b2c/samples 📗 Chapters 00:00 Intro 00:57 What is B2C and why it mattered 03:44 The insane scale of B2C (100M+ identities) 05:02 Why B2C is going away 07:20 Converging enterprise and customer identity 12:01 Migration differences: B2C vs Entra External ID 18:24 Just-in-time and passwordless migration 23:09 Hybrid tenant approach explained 29:15 Migration strategies and best practices 33:29 New features, partners, and what’s next 36:44 Closing thoughts | |||
| Microsoft's Secret Weapon for M365 Admins: A 10x Faster Bulk Operations Tool | 26 Sep 2025 | 00:31:35 | |
On this episode of Entra Chat, I was thrilled to sit down with Yanyan and Sweta from the Entra UI experience team to dive deep into a feature that many of us have used but is now getting a massive refresh: Bulk Operations. We talked about how they took a critical legacy tool and completely re-engineered it for insane performance and scale, making it more reliable than ever. You’ll hear about some amazing new capabilities, like customizing the columns in your CSV exports and using UPNs instead of just Object IDs to add users, which is a huge time-saver. We even get a behind-the-scenes look at the engineering that makes it possible to export over a million groups in just 10 minutes! Subscribe with your favorite podcast player or watch on YouTube 👇 About Yanyan Ju Yanyan Ju is a Principal Engineering Manager at Microsoft, where she is dedicated to delivering the best administrative experience for Microsoft customers. She focuses on creating value through user-friendly and consistent admin interfaces, shaping the future of AI-powered Entra Admin UX, and leading as part of a UX Engineering Center of Excellence. * LinkedIn: https://www.linkedin.com/in/yanyan-ju-194545239/ About Sweta Kumari Sweta Kumari is a Product Manager at Microsoft, focusing on identity and access management within Microsoft Entra. Sweta leads initiatives around Entra Admin feature enhancements, customer feedback integration and Privileged Identity Management (PIM). Her work emphasizes improving user experience and ensuring secure, compliant access for customers. * LinkedIn: https://www.linkedin.com/in/sweta-kumari-557478127/ 🔗 Related Links * Bulk operations in Microsoft Entra ID (Preview) - https://learn.microsoft.com/en-us/entra/fundamentals/bulk-operations 📗 Chapters 00:01:20 What is Bulk Operations? 00:03:40 Supported Bulk Operations 00:06:34 Customizing Your Exports 00:08:45 How is it different from PowerShell? 
00:11:29 Adding Members in Bulk (The Easy Way) 00:13:56 Bulk Deleting Safely 00:16:12 Why Was The Feature Rebuilt? 00:19:05 The Engineering Overhaul 00:23:02 Insane Performance Gains 00:25:19 How to Share Your Feedback | |||
| How a Pharmacist Became a Pro Hacker (And What She Found in YOUR Tenant) | 20 Sep 2025 | 01:01:12 | |
Cybersecurity expert Erica shares her incredible journey from pharmacist to becoming a professional hacker. She reveals how attackers are bypassing modern security controls like MFA and what you can do to protect your tenant. We talk about the most common configuration vulnerabilities that exist in almost every organization, the dangers of application onboarding, and the top five phishing vectors threat actors are using to gain initial access, including clever abuses of Microsoft Teams. Subscribe with your favorite podcast player or watch on YouTube 👇 About Erica Erica has an amazing career arc, starting in pharmacy before pivoting to cybersecurity. With a deep, hands-on understanding of offensive security gained from platforms like Hack the Box and real-world penetration testing, she specializes in protecting and defending Microsoft Cloud tenants. Erica is passionate about sharing her knowledge on how to better protect your tenant and what bad guys are looking for. LinkedIn - https://www.linkedin.com/in/erica-z-b4169598/ 🔗 Related Links * Blog - https://ericazelic.medium.com/ * Hack The Box - https://www.hackthebox.com/ * Altered Security - https://www.alteredsecurity.com/ 📗 Chapters 00:00:00 Intro 00:02:14 From Pharmacy to Cybersecurity 00:07:19 Learning to Hack with Hack The Box 00:11:45 The First Cloud Hack: M365 Public Groups 00:17:50 The Hidden Dangers of App Onboarding 00:25:53 The 5 Modern Phishing Attack Vectors 00:30:36 Bypassing MFA with Device Code Phishing 00:34:34 Adversary-in-the-Middle & Auth Downgrade Attacks 00:48:24 The Secret to Mastering Cybersecurity Skills | |||
| If You Manage Entra Permissions, Watch This Before Deploying Agents | 09 May 2026 | 00:44:31 | |
Microsoft Entra Agent ID Just Went GA Here’s What You Need to Know About Agent Permissions If you’ve been waiting for the dust to settle on Microsoft Entra Agent ID before diving in, the wait is over. Agent ID hit General Availability on May 1st, and in this episode of Entra Chat, Erin Greenlee, a PM in the Entra AuthN team, joins to break down one of the trickiest parts of the new model: how permissions actually work. The three-tier model you need to understand The biggest mental shift with Agent ID is moving from the familiar single app registration model to a three-tier hierarchy. Here’s the short version: * Agent Blueprint → the template for your agent. Think of it as a souped-up app registration that lives in one tenant and defines how the agent behaves. Every agent needs one, even if you’re only ever creating a single instance. * Blueprint Principal → the identity that represents the blueprint inside each tenant it’s deployed to. This is the middle tier, and it has a superpower: permissions granted here cascade down to all current and future agent identity instances automatically. * Agent Identity → the actual running instance of the agent. This is what authenticates, what shows up in your tenant logs, and what can hold its own individual permissions on top of whatever it inherits. Required Resource Access is a hint, not a grant One thing that trips people up early: adding permissions to the blueprint’s Required Resource Access (RRA) doesn’t actually grant anything. It’s a signal to admins adopting your agent. A polite list of “here’s what this agent will need to function.” The real grant happens later, either upfront during adoption or dynamically as the agent needs it. Expect agents to lean more on dynamic consent than traditional apps have, since agents evolve and request new permissions as tasks change. 
Inheritance only works if you set it up Permissions granted on the Blueprint Principal will only cascade down to agent identities if the resource app (e.g. Microsoft Graph) is explicitly marked as an inheritable resource on the blueprint. It’s an easy thing to miss, and if you skip it, your Blueprint Principal grants won’t flow through to your instances. A free tool to visualise all of this Erin built an interactive web app — using GitHub Copilot, no less — that makes all of the above click visually. It has a no-sign-in tutorial that walks you through the object relationships, a permission matrix view, and even generates the PowerShell or Graph API scripts to apply your configuration in real life. No changes are made to your tenant unless you explicitly ask it to. The source code is being open-sourced too, so you can fork and customise it if you want. Watch the full episode to see Erin walk through the tool live, including how permission inheritance works in practice and a real-world debugging scenario that inspired the whole thing. Subscribe with your favorite podcast player or watch on YouTube 👇 About Erin Greenlee Erin is a member of the Entra AuthN team working on AI and Agent ID at Microsoft. She previously joined Entra Chat to discuss app permissions and consent, and she loves building tools that make complex identity concepts easier to understand. LinkedIn - https://www.linkedin.com/in/eringreenlee/ Sponsored by: Find App Access Gaps Before They Break Workflows In Microsoft Entra ID, small visibility gaps lead to outages and delays. Expired secrets break integrations, while unclear ownership and excessive permissions slow access decisions. Teams still struggle to answer: * Which apps access Microsoft 365 data? * Is that access still justified? * Who owns it? AppGov Score helps you quickly identify these gaps. ENow App Governance Accelerator then exposes app-specific credential risks, permission issues, and ownership gaps before they disrupt operations. 
Start with your AppGov Score, then upgrade to a 7-day free trial to take action. 🔗 Related Links * https://aka.ms/erins-agent-helper 📗 Chapters 01:11 Agent ID General Availability 04:14 The Agent ID Visualizer Tool 05:35 Defining the Agent Blueprint 08:06 Understanding the Blueprint Principal 10:57 Agent Identity Instances Explained 13:37 Required Resource Access (RRA) 24:07 Inheritable Permissions and Cascading 30:18 Applying Changes with Scripts | |||
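The three rules in the episode above (RRA is a request, not a grant; blueprint-principal grants cascade only for resource apps marked inheritable; an instance adds its own grants on top) are easy to get wrong in your head. The PowerShell below is an added example, not Erin's tool and not any Agent ID API: it models those rules over a constructed blueprint configuration so you can see which permissions an agent identity actually ends up holding and which RRA entries nobody has granted yet. The hashtable shapes, resource names, scope names and agent names are assumptions for illustration only.

```powershell
# Added example: a model of the Agent ID permission rules described in the episode.
# It is not the Graph API for Agent ID; object shapes, resource and scope names are
# assumptions for illustration only.

function Resolve-AgentEffectivePermissions {
    param(
        [Parameter(Mandatory)] [hashtable]   $Blueprint,  # RequiredResourceAccess, InheritableResources, PrincipalGrants
        [Parameter(Mandatory)] [hashtable[]] $Instances   # one hashtable per agent identity: Name, OwnGrants
    )
    foreach ($inst in $Instances) {
        $effective = @{}

        # Tier 2: grants on the blueprint principal cascade to every instance,
        # but only for resource apps explicitly marked inheritable on the blueprint.
        foreach ($resource in $Blueprint.PrincipalGrants.Keys) {
            if ($Blueprint.InheritableResources -contains $resource) {
                $effective[$resource] = @($Blueprint.PrincipalGrants[$resource])
            }
        }

        # Tier 3: the instance's own grants sit on top of whatever it inherited.
        foreach ($resource in $inst.OwnGrants.Keys) {
            $inherited = if ($effective.ContainsKey($resource)) { @($effective[$resource]) } else { @() }
            $effective[$resource] = @($inherited + @($inst.OwnGrants[$resource]) | Sort-Object -Unique)
        }

        # Tier 1: RequiredResourceAccess is only a request. Anything listed there that
        # no tier actually granted is still missing until an admin consents to it or
        # the agent obtains it through dynamic consent at run time.
        $requestedNotHeld = foreach ($resource in $Blueprint.RequiredResourceAccess.Keys) {
            $held = if ($effective.ContainsKey($resource)) { @($effective[$resource]) } else { @() }
            foreach ($scope in $Blueprint.RequiredResourceAccess[$resource]) {
                if ($held -notcontains $scope) { "$resource/$scope" }
            }
        }

        [pscustomobject]@{
            Agent            = $inst.Name
            Effective        = $effective
            RequestedNotHeld = @($requestedNotHeld | Where-Object { $_ })
        }
    }
}

# Constructed sample configuration (not real tenant data).
$blueprint = @{
    RequiredResourceAccess = @{
        'Microsoft Graph'   = @('Mail.Read', 'Calendars.Read', 'Sites.Read.All')
        'ContosoTicketsApi' = @('Tickets.ReadWrite')
    }
    InheritableResources = @('Microsoft Graph')        # ContosoTicketsApi was never marked inheritable
    PrincipalGrants = @{
        'Microsoft Graph'   = @('Mail.Read', 'Calendars.Read')
        'ContosoTicketsApi' = @('Tickets.ReadWrite')   # granted on the principal, but will not cascade
    }
}
$instances = @(
    @{ Name = 'helpdesk-agent-alice'; OwnGrants = @{} },
    @{ Name = 'helpdesk-agent-bob';   OwnGrants = @{ 'Microsoft Graph' = @('Sites.Read.All') } }
)

foreach ($r in Resolve-AgentEffectivePermissions -Blueprint $blueprint -Instances $instances) {
    "== $($r.Agent)"
    foreach ($res in ($r.Effective.Keys | Sort-Object)) { "   holds   $res : $($r.Effective[$res] -join ', ')" }
    foreach ($gap in $r.RequestedNotHeld)              { "   missing $gap" }
}
```

The sample deliberately reproduces the two failure modes the episode warns about: the ContosoTicketsApi grant sits on the blueprint principal but reaches no instance because the resource was never marked inheritable, and Sites.Read.All is in the RRA but only the instance that was granted it individually holds it. Feed the function the configuration you export from Erin's tool and the RequestedNotHeld list is the set of consents an adopting admin still has to make.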
| How to Secure Copilot Agents, Azure DevOps & Defender (+ more) with Maester 2.1 (Full Breakdown) | 02 May 2026 | 01:01:46 | |
Maester is back with one of its biggest releases since launch. In this episode, we are joined by Sam Erde, Architect at Patriot Consulting and one of Maester’s core maintainers, to walk through everything that’s landed in Maester 2.1. Since the December release, the community has shipped 540 new commits, grown the test suite from 128 to 168 tests, and added coverage across entirely new product areas. Here’s a taste of what’s covered: 🤖 Securing Your AI Agents (Copilot Studio) With Microsoft’s Agent 365 going GA and organisations rapidly deploying Copilot Studio agents, Maester now includes tests based directly on Microsoft’s own recommendations for securing agents. Think orphaned agents with no owner, missing authentication on MCP connections, dormant agents, risky HTTP configurations, and agents shared too broadly. If you’re deploying agents in your tenant, these tests should be running. 🔧 AI That Writes Its Own Security Tests One of the most exciting developments in this release isn’t a test, it’s a custom AI skill that writes Maester tests for you. Sam built a GitHub Copilot agent skill that understands Maester’s structure, coding conventions, and contributor guide. You describe a security check in plain English, and within minutes you get a properly structured test, helpers, and documentation. No VS Code required! You can do it straight from GitHub’s Agents tab or even the mobile app. The barrier to contributing to Maester just got a lot lower. 🛡️ Defender for Endpoint Coverage Maester now includes 24 community-contributed MDE tests covering antivirus configuration, endpoint policy posture, cloud protection, behaviour monitoring, and PUA protection. Getting these tests into shape required the new AI skill to refactor months of pending work, and it delivered. 🔑 Azure DevOps Security (37+ New Tests) With AI-generated code accelerating supply chain risks, securing your DevOps pipeline has never been more critical. 
Maester 2.1 ships with 37+ new Azure DevOps tests, checking OAuth config, PAT token policies, external guest access, collection admin hygiene, and more. 🔗 Linked Identity Checks for Privileged Accounts A new test surfaces a common blind spot: privileged admin accounts that remain active after their linked standard user account is disabled. If someone leaves your organisation and their cloud admin account stays enabled, Maester will now catch it. 📋 CIS Benchmark Refresh & Conditional Access Improvements Community contributor Morten has refreshed the CIS benchmark tests to reflect the latest changes, plus improved the logic behind several conditional access policy checks — including automated tracking of Entra ID roles used in XSPM and commercial access quality checks. There’s a lot more covered in the full episode, including multi-tenant reporting updates, the new dev container for contributors, a surprisingly entertaining story about two AI models dissing each other’s code reviews, and a teaser for what’s coming in the next release. 👉 Listen to the full episode for the deep dives, the war stories behind getting community PRs across the line, and Merill and Sam’s take on where AI fits into the future of security testing. Subscribe with your favorite podcast player or watch on YouTube 👇 About Sam Erde Sam is an Architect at Patriot Consulting who focuses on performing security assessments, securing and deploying Microsoft 365, and writing PowerShell. He has been a critical pillar for the Maester community over the last year, helping heavily refactor the codebase and streamlining community contributions. LinkedIn - https://www.linkedin.com/in/samerde/ Sponsored by: Would you bet your reputation on your current Microsoft 365 security posture? Sure, you’ve checked Purview. Maybe tightened Conditional Access. We all do that. But it’s usually the quiet stuff that bites... permissions that expanded, policies that drifted, exceptions nobody revisited. 
You could assume it’s fine. Or you could run the Microsoft 365 Security Posture Check. It’s free. It runs locally. And no, it doesn’t send your tenant data back to us. We’ll even help you set it up. 🔗 Related Links * What’s new in Maester 2.1.0 - https://maester.dev/blog/whats-new-since-maester-2-0 📗 Chapters 00:00 Intro 05:49 Securing Copilot Studio & AI Agents 08:53 The Challenge with Defender for Endpoint Tests 13:39 Using AI to Automate Writing Security Tests 22:30 Dev Containers for Easy Contributions 24:58 New Azure DevOps Security Checks 31:02 Multi-Tenant Reporting & Xbox’s Secret 37:00 Active Directory Tests & The Future of Hybrid 43:00 The Long-Term Vision for Maester 54:48 CIS Benchmarks & Linked Identity Tests | |||
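The linked-identity blind spot described above (a privileged account that stays enabled after the standard account it belongs to is disabled) is simple to check for yourself. The PowerShell below is an added example, not Maester's own test: it takes a list of users plus the UPNs that hold privileged roles and reports enabled admin accounts whose linked standard account is disabled, missing, or was never linked at all. It assumes the link is stored as the owner's primary UPN on the admin account, exposed here as a `linkedPrimaryUpn` property that you populate from whatever attribute your tenant uses (an extension attribute, for instance); the users are constructed sample data, not a real tenant.

```powershell
# Added example, not Maester's own test. Finds privileged accounts that are still
# enabled while the standard account they are linked to is disabled or gone.
# Assumption: each admin account carries its owner's primary UPN in a
# 'linkedPrimaryUpn' property (populate it from the attribute your tenant uses,
# e.g. an extension attribute, when you pull real users with Get-MgUser).

function Find-OrphanedPrivilegedAccounts {
    param(
        [Parameter(Mandatory)] [object[]] $Users,           # userPrincipalName, accountEnabled, linkedPrimaryUpn
        [Parameter(Mandatory)] [string[]] $PrivilegedUpns   # UPNs holding directory roles (active or eligible)
    )
    $byUpn = @{}
    foreach ($u in $Users) { $byUpn[$u.userPrincipalName.ToLowerInvariant()] = $u }

    foreach ($upn in $PrivilegedUpns) {
        $admin = $byUpn[$upn.ToLowerInvariant()]
        # A privileged account that is already disabled is not the blind spot we are after.
        if ($null -eq $admin -or -not $admin.accountEnabled) { continue }

        $finding = $null
        if ([string]::IsNullOrWhiteSpace($admin.linkedPrimaryUpn)) {
            $finding = 'NoLinkedPrimary'              # nothing for offboarding automation to key on
        } else {
            $primary = $byUpn[$admin.linkedPrimaryUpn.ToLowerInvariant()]
            if ($null -eq $primary) {
                $finding = 'PrimaryNotFound'          # deleted, renamed, or never existed
            } elseif (-not $primary.accountEnabled) {
                $finding = 'PrimaryDisabled'          # the leaver case the episode describes
            }
        }
        if ($finding) {
            [pscustomobject]@{
                Admin   = $admin.userPrincipalName
                Primary = $admin.linkedPrimaryUpn
                Finding = $finding
            }
        }
    }
}

# Constructed sample data (not a real tenant).
$users = @(
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.com';     accountEnabled = $true;  linkedPrimaryUpn = $null }
    [pscustomobject]@{ userPrincipalName = 'adm-alice@contoso.com'; accountEnabled = $true;  linkedPrimaryUpn = 'alice@contoso.com' }
    [pscustomobject]@{ userPrincipalName = 'bob@contoso.com';       accountEnabled = $false; linkedPrimaryUpn = $null }   # left the company
    [pscustomobject]@{ userPrincipalName = 'adm-bob@contoso.com';   accountEnabled = $true;  linkedPrimaryUpn = 'bob@contoso.com' }
    [pscustomobject]@{ userPrincipalName = 'adm-carol@contoso.com'; accountEnabled = $true;  linkedPrimaryUpn = $null }
    [pscustomobject]@{ userPrincipalName = 'adm-dave@contoso.com';  accountEnabled = $false; linkedPrimaryUpn = 'dave@contoso.com' }
    [pscustomobject]@{ userPrincipalName = 'adm-eve@contoso.com';   accountEnabled = $true;  linkedPrimaryUpn = 'eve@contoso.com' }
)
$privileged = @('adm-alice@contoso.com', 'adm-bob@contoso.com', 'adm-carol@contoso.com',
                'adm-dave@contoso.com', 'adm-eve@contoso.com')

$findings = @(Find-OrphanedPrivilegedAccounts -Users $users -PrivilegedUpns $privileged)
$findings | Format-Table -AutoSize
```

Against real data, build `$Users` from `Get-MgUser -All -Property userPrincipalName,accountEnabled,onPremisesExtensionAttributes` (mapping your link attribute onto `linkedPrimaryUpn`) and `$PrivilegedUpns` from the members of the roles you care about, including eligible PIM assignments, since an eligible-but-orphaned admin is still a usable foothold. Wrapped in a Pester `It` block, the assertion is simply that `$findings.Count` is zero.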
| We Gave Away Our Microsoft Entra Masterclass Labs → Full Governance, Privileged Access & Agent ID Labs Walkthrough | 28 Feb 2026 | 00:38:35 | |
Hey folks, I have to start with a massive shout-out to Morten Knudsen and his entire team at Experts Live Denmark, which I’m just returning from. Organizing an event for over 1,200 attendees is no small feat, and they pulled it off with incredible energy and precision. It was easily one of the most impressive community gatherings I’ve been a part of. Amidst that massive crowd, I had the privilege of co-leading a deep-dive Identity Masterclass alongside four exceptional Microsoft MVPs: Jan Vidar Elven, Pim Jacobs, Thomas Naunheim, and Klaus Bierschenk. We weren’t sure what to expect, but the response was overwhelming. We had over 120 dedicated attendees who stayed with us for the full 7-hour session - diving deep into the weeds of Entra ID, governance, privileged access, Agent ID and more. Instead of theory-heavy slides, we built a practical, end-to-end governance story. Because we believe this knowledge should be accessible, we are now giving away the labs for free so everyone can skill up, learn, and implement these patterns in their own environments. Here is the core of what we covered, what you will learn in this podcast walkthrough of the labs, and what you can try out yourself today. Links to the GitHub repo and YouTube video are below. Sponsored by: If you’re a systems administrator, you already know – patching is painful. It’s time-consuming, risky, and one small mistake can mean downtime. So, it gets postponed. Again. And again. What if patching was just… Easy? Introducing Action1, a cloud-native patch management platform for Windows, macOS, Linux, and third-party apps. You’ll be up and running in five minutes. No infrastructure to maintain. No complexity. And here’s the best part: you can use Action1 on your first 200 endpoints for free. Forever. No feature limits. No credit card. No hidden tricks. Seriously, It’s NOT a disguised free trial. Too good to be true? Too good and actually true! 
Check for yourself, go to: on.action1.com/entrachat So, if you’re looking for an easy-to-use patching tool that would help you save weeks, if not months of your time, go to on.action1.com/entrachat and sign up for “Patching That Just Works”.
1️⃣ Inbound Provisioning: Start with a Source of Truth Most identity problems start with one issue: There is no clean, authoritative identity source. We demonstrated how to use Inbound Provisioning in Entra to: * Accept identity payloads via Microsoft Graph * Create users in a disabled state * Capture attributes like hire date, leave date, department * Treat HR (or another system) as the lifecycle authority Why this matters If identities are manually created: * Joiners are inconsistent * Leavers are missed * Privileged accounts become orphaned Inbound provisioning allows you to: * Standardize creation * Attach lifecycle automation immediately * Reduce manual admin overhead Key concept: Provision first. Enable later. Automate everything in between.
2️⃣ Lifecycle Workflows: Automate Joiner / Mover / Leaver Once a user is provisioned, lifecycle workflows take over. We implemented: * Pre-hire workflow * Day-one onboarding workflow * Post-onboarding actions Triggers included: * Employee hire date * Creation time * Group membership * Attribute changes Real-world onboarding pattern * Account is created disabled * Workflow enables the account at the correct time * Temporary Access Pass (TAP) is generated * TAP is sent securely * Access is assigned automatically This reduces: * Manual enablement * Helpdesk load * Security gaps Design principle: Automation should enforce timing — not people.
3️⃣ Privileged Account Design: Separate the Identities We had a strong opinion in the session: Admin accounts should be separate and cloud-only. Why? 
* Syncing privileged accounts from on-prem introduces risk * HR systems should not directly control privileged identities * Governance features work best with cloud-native identities We explored three creation patterns: * Inbound provisioning for privileged accounts * Access Packages (with auto-assignment or request model) * Lifecycle workflows + custom Logic Apps Each has trade-offs. What matters most: Privileged identities must be: * Separately authenticated * Phishing-resistant (FIDO2 or passkeys) * Independently governed * Linked for offboarding
4️⃣ Linking Identities for Investigation One challenge in Entra: There’s no native “this person owns these 3 accounts” view. We explored identity linking in Microsoft Defender XDR, where: * Multiple accounts can be associated to one identity * Incident investigations become clearer * Privileged activity can be correlated with user context This becomes critical during: * Compromise investigations * Insider threat analysis * Lateral movement tracking Security takeaway: If you can’t correlate identities, you can’t fully investigate them.
5️⃣ Backup & Restore: The Truth About Entra There is no traditional backup system in Entra. Instead, you have: * Soft-delete (with recycle bin) * Hard-delete (irreversible) * API-based recovery * Configuration export strategies We discussed: * Protecting deleted items with Protected Actions * Using Conditional Access to restrict destructive operations * Exporting configuration JSON regularly * Monitoring configuration drift Reality: If you aren’t exporting your tenant configuration, recovery becomes manual and painful. Governance is not just about creation — it’s about resilience.
6️⃣ Protected Actions + Conditional Access A powerful but underused feature: Protected Actions. 
You can require Conditional Access enforcement before allowing: * Hard deletes * Sensitive configuration changes Example: * Only allow permanent deletion from a compliant device * Only allow from a trusted location * Require phishing-resistant authentication Even Global Admins must pass policy. Security mindset shift: Admin role ≠ unlimited ability.
7️⃣ Agent ID & Blueprints: The Future of Identity for AI We also explored Agent ID — one of the newer capabilities in Entra. Why not just use a service principal? Because agents: * Need stronger guardrails * Must support per-user instances * Require conditional access enforcement * Must be auditable at scale Blueprints allow: * A parent definition of permissions * Individual agent instances per user * Centralized governance over many agents As AI agents scale, identity must scale securely with them. Forward-looking insight: Agent governance will soon be as important as user governance.
8️⃣ Design Philosophy Behind the Lab The entire masterclass was built around one principle: Identity is a lifecycle, not a login. We covered: Provision → Enable → Assign → Elevate → Monitor → Protect → Offboard → Recover If any step is manual, inconsistent, or undocumented — risk increases. The labs give you a complete pattern you can implement in your own tenant.
🎯 What You Should Do Next * Watch/listen to the full podcast where we walk you through the labs. * Go try out the labs at github.com/IdentityMan/MasterclassELDK26 in your own tenant. 
Subscribe with your favorite podcast player or watch on YouTube 👇 About us * Jan Vidar Elven, Security MVP - https://www.linkedin.com/in/janvidarelven * Pim Jacobs, Security MVP - https://www.linkedin.com/in/pimjacobs89 * Thomas Naunheim, Security MVP - https://www.linkedin.com/in/thomasnaunheim * Klaus Bierschenk, Security MVP - https://www.linkedin.com/in/klabier 🔗 Related Links * https://github.com/IdentityMan/MasterclassELDK26 * https://on.action1.com/entrachat 📗 Chapters 00:00 Intro 00:50 Open Sourcing the Entra Lab 03:42 Entra ID Inbound Provisioning 08:05 Lifecycle Workflows and Governance 10:57 Securing Privileged Admin Accounts 16:21 Offboarding and Linked Identities 19:51 Sponsor: Action1 21:02 Entra ID Backup, Restore & Protected Actions 26:08 Exploring Agent ID and Blueprints 30:28 How to Access the Open Source Lab | |||
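Section 1 of the masterclass above boils down to "accept identity payloads via Microsoft Graph" and "create users in a disabled state". The PowerShell below is an added example, not one of the masterclass labs: it builds the SCIM BulkRequest that Entra API-driven inbound provisioning accepts on the provisioning job's bulkUpload endpoint, sends every user as active = false so the lifecycle workflow decides when the account goes live, and carries hire and leave dates alongside department. The HR records are constructed sample data, the service principal and job IDs are placeholders, and the contoso extension namespace is an assumption: you would map its hireDate and leaveDate to employeeHireDate and employeeLeaveDateTime in the provisioning app's attribute mappings.

```powershell
# Added example, not part of the masterclass labs. Builds the SCIM BulkRequest that
# Entra API-driven inbound provisioning accepts and posts it to the provisioning job.
# Every user is created with active = $false so the lifecycle workflow, not the
# HR feed, decides when the account comes alive.
# Assumptions: the HR records are constructed sample data; $ServicePrincipalId and
# $JobId are placeholders for your provisioning app; the
# 'urn:ietf:params:scim:schemas:extension:contoso:1.0:User' namespace is a custom
# schema you map to employeeHireDate / employeeLeaveDateTime in the attribute mappings.

function New-ScimBulkRequest {
    param([Parameter(Mandatory)] [object[]] $HrRecords)

    $seen = @{}
    $operations = foreach ($r in $HrRecords) {
        # Reject records the provisioning job would reject anyway, before sending anything.
        if ([string]::IsNullOrWhiteSpace($r.WorkerId) -or [string]::IsNullOrWhiteSpace($r.Upn)) {
            throw "HR record without WorkerId or Upn: $($r | ConvertTo-Json -Compress)"
        }
        if ($seen.ContainsKey($r.WorkerId)) { throw "Duplicate WorkerId $($r.WorkerId) in feed" }
        $seen[$r.WorkerId] = $true

        @{
            method = 'POST'
            bulkId = $r.WorkerId              # unique per operation; echoed back in the response
            path   = '/Users'
            data   = @{
                schemas = @(
                    'urn:ietf:params:scim:schemas:core:2.0:User',
                    'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User',
                    'urn:ietf:params:scim:schemas:extension:contoso:1.0:User'
                )
                externalId = $r.WorkerId      # the HR system's immutable key, used for matching
                userName   = $r.Upn
                active     = $false           # provision first, enable later
                name       = @{ givenName = $r.GivenName; familyName = $r.Surname }
                emails     = @(@{ type = 'work'; primary = $true; value = $r.Upn })
                'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User' = @{
                    employeeNumber = $r.WorkerId
                    department     = $r.Department
                }
                'urn:ietf:params:scim:schemas:extension:contoso:1.0:User' = @{
                    hireDate  = $r.HireDate   # ISO 8601, e.g. 2026-03-02T00:00:00Z
                    leaveDate = $r.LeaveDate  # $null for an open-ended hire
                }
            }
        }
    }
    @{
        schemas    = @('urn:ietf:params:scim:api:messages:2.0:BulkRequest')
        Operations = @($operations)
    }
}

function Send-ScimBulkRequest {
    param(
        [Parameter(Mandatory)] [hashtable] $Request,
        [Parameter(Mandatory)] [string]    $ServicePrincipalId,   # object ID of the provisioning app's service principal
        [Parameter(Mandatory)] [string]    $JobId,                # from .../synchronization/jobs on that service principal
        [switch] $Commit
    )
    $body = $Request | ConvertTo-Json -Depth 10
    $uri  = "https://graph.microsoft.com/v1.0/servicePrincipals/$ServicePrincipalId/synchronization/jobs/$JobId/bulkUpload"
    if (-not $Commit) { return $body }   # dry run: show the payload, change nothing
    # Needs Connect-MgGraph with the SynchronizationData-User.Upload permission.
    Invoke-MgGraphRequest -Method POST -Uri $uri -ContentType 'application/scim+json' -Body $body
}

# Constructed sample HR feed.
$hr = @(
    [pscustomobject]@{ WorkerId = '100231'; Upn = 'ana.silva@contoso.com'; GivenName = 'Ana'; Surname = 'Silva'
                       Department = 'Finance'; HireDate = '2026-03-02T00:00:00Z'; LeaveDate = $null }
    [pscustomobject]@{ WorkerId = '100232'; Upn = 'li.wei@contoso.com'; GivenName = 'Li'; Surname = 'Wei'
                       Department = 'Engineering'; HireDate = '2026-03-09T00:00:00Z'; LeaveDate = '2026-09-30T00:00:00Z' }
)
$request = New-ScimBulkRequest -HrRecords $hr
# Dry run first; add -Commit once the payload looks right.
Send-ScimBulkRequest -Request $request -ServicePrincipalId '<sp-object-id>' -JobId '<job-id>'
```

Run as written it only prints the JSON; add -Commit after Connect-MgGraph with the SynchronizationData-User.Upload permission to actually submit. Keep externalId stable across runs: it is the key the job uses to match later updates and the leave date to the user it created, which is what turns the HR feed into the lifecycle authority the masterclass describes.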
| They migrated 40,000 devices to Entra Join in 9 months | 21 Feb 2026 | 01:01:44 | |
What does it take to migrate 40,000 devices to a cloud-native environment in a massive, complex enterprise? For most IT leaders, the prospect of moving away from 20 years of legacy infrastructure is enough to cause a sleepless night. In our latest episode of Entra Chat, we sat down with enterprise veterans Michael Brunker and Prem Kothandapani to deconstruct their recent, massive rollout. They successfully converted nearly 40,000 devices from on-premises Active Directory to Entra Joined in just nine to ten months—all with a lean team of 10–15 people. Here are the high-stakes lessons they learned from the trenches of modern management. The “Nuclear Option”: Cleaning Up 20 Years of GPO Debt One of the most controversial decisions the team made was what they called the “nuclear option” regarding Group Policy Objects (GPOs). Instead of porting over decades of legacy policies that no one fully understood, they chose to start from scratch. By building a new security baseline from the ground up in Intune, they ensured the new environment was clean, modern, and free from the “stale” configurations that often plague legacy estates. Killing the “VPN Tax” For the end user, the primary driver for this migration was a radically improved experience. In a cloud-native world, the dependency on legacy VPN technology disappears. * Work from Anywhere: Users can sign on and get access without the friction of starting a VPN or worrying about office cabling. * Security at the Edge: Moving to Entra ID shrinks the attack surface by removing devices as a direct entry point to your core on-prem Active Directory. Sponsored by: If you’re a systems administrator, you already know – patching is painful. It’s time-consuming, risky, and one small mistake can mean downtime. So, it gets postponed. Again. And again. What if patching was just… Easy? Introducing Action1, a cloud-native patch management platform for Windows, macOS, Linux, and third-party apps. You’ll be up and running in five minutes. 
No infrastructure to maintain. No complexity. And here’s the best part: you can use Action1 on your first 200 endpoints for free. Forever. No feature limits. No credit card. No hidden tricks. Seriously, It’s NOT a disguised free trial. Too good to be true? Too good and actually true! Check for yourself, go to: on.action1.com/entrachat So, if you’re looking for an easy-to-use patching tool that would help you save weeks, if not months of your time, go to on.action1.com/entrachat and sign up for “Patching That Just Works”. The “Gnarly” Problems: What Breaks First? Success wasn’t just about the big picture; it was about mastering the “fundamental basic building blocks”. Michael and Prem highlighted several technical hurdles that can derail a migration if not handled early: * The Proxy Trap: Many organizations fail to update their proxy server allow-lists with the specific Microsoft URLs required for cloud authentication. * App Authentication: Moving from Kerberos-based device auth to OAuth and modern cloud flows requires rigorous testing across different “personas,” such as front line workers versus corporate office users. The Secret to Scaling: Small Teams, Big Strategy Perhaps the most surprising takeaway was that a project of this scale didn’t require an army. By focusing on a “small team” of highly skilled engineers and dedicated communications experts, they maintained momentum and avoided “stop-start” migration fatigue. Want to hear the full technical breakdown, including how they handled zero-downtime requirements for front line workers? Subscribe with your favorite podcast player or watch on YouTube 👇 About Michael Brunker Michael Brunker has close to 40 years in the IT industry and has operated as an enterprise architect across major organizations like BP, Woodside, and Telstra. 
LinkedIn - https://www.linkedin.com/in/michaelbrunker/ About Prem Kothandapani Prem Kothandapani is an EndPoint Architect with over 14 years of experience in endpoint computing and major migrations, having worked at NBN, Australian Unity, and Telstra. LinkedIn - https://www.linkedin.com/in/premnath-kothandapani-41744153/ 📗 Chapters 00:00 Cloud-Native Device Management 02:58 The True Cost of Legacy Infrastructure 07:47 Moving to Modern Management 11:13 The Blueprint for a 40,000 Device Migration 20:07 Handling Complex App Dependencies 28:07 Crafting a Seamless User Migration Experience 33:28 Automating with Graph API and Autopilot 43:09 Avoiding the Co-Management Trap 55:01 The New Starter Experience 57:24 Migration Velocity and Lessons Learned | |||
| Microsoft Is Auto-Enabling Passkeys in March 2026 | 14 Feb 2026 | 00:52:17 | |
March 2026 is shaping up to be one of the most important months for Microsoft Entra ID administrators in recent memory. Microsoft is automatically enabling passkey profiles in Entra ID, and if you don’t configure them yourself, your tenant will be migrated with default settings. In this episode of Entra Chat, I sat down with Microsoft Security MVPs Daniel Bradley and Ewelina Paczkowska to break down what this really means for Microsoft 365 administrators. But passkeys aren’t the only story this month. 1️⃣ Passkey Profiles Are Becoming the Default Starting March 2026: * Passkey profiles will be auto-enabled * Tenants that haven’t configured profiles will be migrated * Registration campaigns will shift from Authenticator-first to passkey-first This is a major shift toward phishing-resistant authentication. You’ll now be able to: * Separate hardware-backed vs synced passkeys * Apply granular group-based controls * Enforce stronger authentication for privileged users 2️⃣ Source of Authority Conversion Is Finally GA For years, admins used messy delete-and-restore hacks to convert synced users to cloud-only. Now it’s officially supported. You can convert individual users from on-premises authority to cloud-managed — without breaking hybrid entirely. Why this matters: * Easier M&A transitions * Full access to Entra ID Governance features * Cleaner lifecycle management * Reduced dependency on legacy infrastructure For hybrid environments moving toward cloud-first identity, this is huge. Sponsored by: If you are a systems administrator managing endpoints every day, you’ve probably postponed patching at least once — not because you forgot… But because you didn’t feel like gambling with uptime. Meanwhile, the backlog grows, vulnerabilities pile up, and patching stays stuck in manual mode. Action1 fixes that. Action1 is a cloud-native patch management platform for Windows, macOS, Linux, and third-party apps — all from one place, no VPN needed. Curious how easy it is to start? 
You can use it on your first 200 endpoints, for free, forever, with no functional limits. It’s not a disguised free trial. No credit card required, no hidden limits, no tricks. All you have to do is visit on.action1.com/entrachat and get started today. So, if you’re looking to automate patching at scale and get weeks— even months—of your time back, go to on.action1.com/entrachat and sign up for patching—that—just—works. 3️⃣ App Registration Deactivation (A Quietly Powerful Feature) Microsoft added the ability to deactivate app registrations. Instead of deleting an app (and losing configuration), you can now: * Immediately stop token issuance * Preserve metadata and permissions * Investigate safely * Re-enable without rebuilding For incident response scenarios — especially in multi-tenant or MSP environments — this is a big step forward. 4️⃣ Conditional Access Behavior Changes There’s also a change impacting tenants with Conditional Access policies targeting “All resources” but excluding certain apps. Previously, certain minimal-scope apps could bypass enforcement under specific conditions. That loophole is closing. Admins should: * Review message center notifications * Audit legacy apps * Validate MFA handling before rollout As always with identity changes: being proactive is critical. 5️⃣ Sync Security Hardening (Hard Match Protection) Microsoft is adding additional validation to protect against malicious hard matching scenarios in hybrid environments. This reduces the risk of identity takeover via manipulated on-prem objects. It’s automatic — but important to understand if you manage hybrid identity or MSP transitions. Watch the full episode for the deep technical breakdown and real-world implications. Subscribe with your favorite podcast player or watch on YouTube 👇 About Daniel Bradley Daniel is a Senior Solution Architect for CDW and Microsoft MVP in Identity & Graph API. 
He is a avid writer who enjoys investigating new features and building practical tools to share with the community through his blog. He also is one of the moderators for the r/entra subreddit. * Website: https://ourcloudnetwork.com * LinkedIn: https://www.linkedin.com/in/danielbradley2 * X: https://x.com/DanielatOCN About Ewelina Paczkowska Ewelina is a Solution Architect at Theatscape and a Microsoft Security MVP. She is a content creator and speaker who enjoys breaking down complex solutions into clear, practical guidance. Ewelina is also an organiser of the Microsoft 365 Security & Compliance user group and the creator behind Welka’s World, where she shares insights and real-world knowledge around Microsoft security and compliance. * Website: https://welkasworld.com * LinkedIn: https://www.linkedin.com/in/ewelinapaczkowska * X: https://x.com/WelkasWorld 🔗 Related Links * MC1221452 - Microsoft Entra ID: Auto-enabling passkey profiles - https://mc.merill.net/message/MC1221452 * Ability to convert Source of Authority of synced on-prem AD users to cloud users is now available - https://learn.microsoft.com/en-us/entra/identity/hybrid/user-source-of-authority-overview * Service Principal creation audit logs for alerting & monitoring - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/understand-service-principal-creation-with-new-audit-log-properties * Deactivate an app registration - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/deactivate-app-registration * MC1223829 - Upcoming Conditional Access change: Improved enforcement for policies with resource exclusions - https://mc.merill.net/message/MC1223829 * Microsoft Entra Connect security hardening to prevent user account takeover - https://learn.microsoft.com/en-us/entra/fundamentals/whats-new#general-availability---microsoft-entra-connect-security-hardening-to-prevent-user-account-takeover 📗 Chapters 06:16 Converting Source of Authority to Cloud 15:37 Auto-Enabling Passkey 
Profiles 24:33 Deactivating App Registrations 31:56 Conditional Access for Excluded Apps 38:48 Sync Jacking Protection 41:45 Unified Tenant Configuration Management 46:31 Service Principal Creation Logs Podcast Apps 🎙️ Entra.Chat → https://entra.chat 🎧 Apple Podcast → https://entra.chat/apple 📺 YouTube → https://entra.chat/youtube 📺 Spotify → https://entra.chat/spotify 🎧 Overcast → https://entra.chat/overcast 🎧 Pocketcast → https://entra.chat/pocketcast 🎧 Others → https://entra.chat/rss Merill’s socials 📺 YouTube → youtube.com/@merillx 👔 LinkedIn → linkedin.com/in/merill 🐤 Twitter → twitter.com/merill 🕺 TikTok → tiktok.com/@merillf 🦋 Bluesky → bsky.app/profile/merill.net 🐘 Mastodon → infosec.exchange/@merill 🧵 Threads → threads.net/@merillf 🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe | |||
| Automating Governance: The New Standard for Microsoft 365 Tenant Snapshots and Remediation | 07 Feb 2026 | 00:47:03 | |
Governance in Microsoft 365 has always been hard. Not because the tools didn’t exist, but because scale, complexity, and change made consistency almost impossible. As tenants grow, so do the challenges of configuration drift, manual admin changes, and inconsistent environments. For years, admins have relied on scripts, tribal knowledge, and community-led solutions like Microsoft 365 Desired State Configuration (M365DSC) to manage this “policy sprawl”. While M365DSC was a groundbreaking open-source effort, it often faced a steep learning curve and lacked official Microsoft support. Until now.

In this episode of Entra Chat, we sit down with Nik Charlebois, Principal Program Manager at Microsoft and the original visionary behind M365DSC. Nik now leads the charge for one of the most significant platform shifts in Microsoft 365 administration: Tenant Configuration Management (TCM).

Shadow IT and SaaS sprawl are outpacing IT teams. It can feel impossible to tackle these app governance challenges:

* 📦 Entra ID isn’t secure by default
* 💥 SaaS adoption & sprawl isn’t slowing down
* ⌨️ Citizen Development keeps rising (hello, Copilot Studio!)
* 🗑️ Vendors often don’t remove apps after uninstall
* 🔃 Offboarding is inconsistent or doesn’t happen at all
* 🥔 App governance is passed around like a hot potato

ENow AppGov Score shines a light on lurking risks, providing a free App Governance Benchmark Report for your Entra tenant. Reclaim control and protect against breaches & disruptions. Free upgrade to Standard Tier for 7 days once you get your score.

What is Tenant Configuration Management?

TCM is Microsoft’s official “Config as Code” platform for M365. Built directly on top of the Microsoft Graph, it represents a new operating model for how tenants are governed. Key features discussed in this episode include:

* Official Support: Moving beyond best-effort community maintenance to a fully supported Microsoft solution.
* Simplified Experience: Transitioning from cryptic MOF files to human-readable JSON templates, significantly lowering the learning curve for admins.
* Snapshot & Drift Detection: The ability to capture “snapshots” of your tenant’s current state and monitor for unauthorized changes.
* Automatic Remediation: Automatically reverting detected configuration drifts back to your defined “gold standard” state.
* Broad Coverage: Support for core workloads including Entra ID, Exchange, Intune, Purview, Defender, and Teams, with more to come.

This isn’t just a new feature; it’s the evolution of tenant governance into a native, API-driven platform. Tune in to hear Nik explain how TCM is bridging the gap between community innovation and official enterprise-grade management. Listen to the full episode now to learn how to start your journey with the TCM public preview!

About Nik Charlebois

Nik is a Principal Program Manager at Microsoft leading the Microsoft 365 configuration-as-code efforts. He is an ex-MVP, speaker, blogger, and author.

LinkedIn - https://linkedin.com/in/nikcharlebois

🔗 Related Links

* Nik’s Blog - https://nikcharlebois.com/
* Overview of the unified tenant configuration management APIs - https://learn.microsoft.com/en-us/graph/unified-tenant-configuration-management-concept-overview

📗 Chapters

00:00 Intro
03:44 Origin of M365DSC
07:51 Introducing Tenant Config Management
09:24 Supported Workloads
11:15 Control Plane vs Data Plane
14:26 DSC vs TCM Architecture
15:22 Snapshots and Monitors
18:56 Managing Drift Across Environments
28:03 Licensing and Limits
32:48 Authentication and Permissions
37:53 Getting Started | |||
| Mastering Microsoft Entra ID: Real-World Passkey Deployment Tips | 31 Jan 2026 | 00:45:47 | |
In this episode, we sit down with Eric Woodruff, Chief Identity Architect at Semperis, to discuss the reality of achieving a 100% phishing-resistant environment. Over the course of just three months, Eric led a 600-person organization through a complete rollout of passkeys, Windows Hello for Business, and Platform SSO.

This conversation moves beyond the technical “knobs and dials” to explore why organizational change management and C-suite buy-in are the true foundations of a successful identity modernization project. Eric shares the creative strategies his team used to drive adoption, including a custom self-enrollment portal built with Power Platform that allowed early adopters to “dogfood” the technology. We dive into the “voluntold” phase of the rollout, where voluntary participation transitioned into mandatory policy, and how they used Power BI to track progress and identify “stragglers”.

The episode also provides a transparent look at the technical hurdles encountered, from legacy application exclusions to troubleshooting older Android devices and niche browsers. Looking ahead, we discuss the critical importance of protecting against “downgrade attacks,” where sophisticated phishing attempts try to bypass modern security by tricking users into traditional password entries. Eric emphasizes that the final mile of this journey—removing passwords entirely—is as much about supporting your helpdesk and documenting processes as it is about the technology itself.

Whether you are managing a cloud-only tenant or navigating complex hybrid scenarios, this episode offers a practical roadmap for the future of enterprise identity.

About Eric Woodruff

Throughout his 25-year career in the IT field, Eric has sought out and held a diverse range of roles. Currently the Chief Identity Architect for Semperis, Eric was previously a member of the Security Research and Product teams. Prior to Semperis, Eric worked as a Security and Identity Architect at Microsoft partners, spent time working at Microsoft as a Sr. Premier Field Engineer, and spent almost 15 years in the public sector, with 10 of them as a technical manager.

LinkedIn - https://www.linkedin.com/in/ericonidentity/

🔗 Related Links

* Phishing-resistant passwordless authentication deployment in Microsoft Entra ID
* ConsentFix: Analysing a browser-native ClickFix-style attack that hijacks OAuth consent grants
* Meet Silver SAML: Golden SAML in the Cloud
* Manage tokens for Zero Trust

📗 Chapters

02:50 Rolling Out Passkeys
06:47 Application and Device Issues
09:49 Identifying Password Users
12:15 Lessons Learned for 2026
15:14 Understanding Downgrade Attacks
20:10 The NoAuth Vulnerability
27:08 Silver SAML Explained
32:56 Managing Service Principals
38:15 The Consent Fix Attack | |||
| Entra Agent Registry: The Corporate Yellow Pages for AI Agents | 16 Jan 2026 | 00:50:31 | |
Service principals worked for static apps, but AI agents are different—they make autonomous decisions using LLMs and require a new approach to identity and security. In this episode of Entra Chat, Padma Parthasarathy, Product Manager for Microsoft Entra Agent Registry, explains why Microsoft created Entra Agent Registry and Agent ID, and how they provide identity, governance, and security for AI agents.

We cover agent collections, discovery policies, integration with identity protection, and how custom security attributes automate AI agent governance at scale. You’ll also see how agents discover other agents by skills, how global and quarantine collections control visibility, and why these capabilities are critical for enterprise AI security. This is a must-watch (listen) for identity, security, and platform architects preparing for AI at scale.

About Padma

With close to 20 years of experience in Identity, Security, and enterprise platforms, Padma Prasad Parthasarathy currently leads product and architecture for Security for AI and Agent Identity at Microsoft. He has built and scaled IAM and Zero Trust solutions across some of the world’s largest organizations, bridging deep technical expertise with real-world product impact.

LinkedIn - https://www.linkedin.com/in/padmaprasadp/

🔗 Related Links

* What is the Microsoft Entra Agent Registry? - https://learn.microsoft.com/en-us/entra/agent-id/identity-platform/what-is-agent-registry

📗 Chapters

00:00 Intro
02:14 The Rise of Digital Workers
07:13 Static Apps vs. AI Agents
12:43 Introducing Entra Agent Registry
17:28 Agent ID vs. Registry
24:08 How Agents Collaborate
30:29 Emerging Agent Standards
35:24 Understanding Agent Collections
42:05 Managing Risky Agents
46:01 Automating Agent Security | |||
| Global Secure Access Explained: Real-World Rollouts, Mistakes, and Best Practices | 10 Jan 2026 | 00:55:21 | |
In this episode, I’m joined by Christopher Brumm from glueckkanja to discuss real-world experiences deploying Microsoft Entra Global Secure Access (GSA). We go beyond the docs to talk about actual customer rollouts, scaling challenges, retiring VPNs, and what teams often underestimate when moving to Zero Trust Network Access.

About Christopher Brumm

Christopher Brumm is a Cyber Security Architect at glueckkanja AG in Germany. With more than 15 years of experience in IT security, Chris brings deep expertise and hands-on knowledge across the Microsoft Security portfolio and beyond. His career journey spans from network and data center technologies to Active Directory and Entra ID, with a strong focus on identity security. As a Microsoft MVP and CISSP, Chris is an active voice in the security community, regularly speaking at events and sharing insights through blog posts on identity and security topics. His latest passion is Global Secure Access, where identity, security, and networking converge to deliver a holistic Zero Trust approach.

* LinkedIn - https://www.linkedin.com/in/christopherbrumm

🔗 Related Links

* Blog - https://chris-brumm.com

📗 Chapters

04:46 Proof of Concept vs Pilot
12:19 Deployment Strategy: The Blue Pill Approach
16:03 Solving Performance with Intelligent Local Access
17:49 Navigating Networking Challenges
25:14 The Hardest Part: Shutting Down Legacy VPNs
27:38 Handling External Access and BYOD
32:15 B2B Features and Tenant Switching
46:05 Why You Need the Microsoft 365 Profile
50:49 The Ultimate Admin Workstation Security | |||
| Cybersecurity First Principles: Lessons from a 20-Year Microsoft MVP | 04 Jan 2026 | 00:44:12 | |
Nicolas Blank, Founder of NBConsult and a 20-year Microsoft MVP, joins the show to dismantle the complexity around Zero Trust. Most Zero Trust conversations fail because they start with technology. Nicolas flips the script by using powerful everyday analogies (locking your car, protecting your newborn) to land the three core principles with executives. Essential watching for anyone implementing Zero Trust, securing Microsoft 365/Entra ID, or needing leadership support in 2026.

About Nicolas Blank

Nicolas is the founder, as well as an architect, author and speaker focused on Office 365 and Azure at NBConsult in South Africa, England and Hong Kong. Nicolas is a Microsoft Certified Master and Dual Microsoft MVP (Microsoft Office Apps and Services, Microsoft Azure) since March 2007. Nicolas has co-authored the Microsoft Zero Trust Adoption Framework (https://aka.ms/zero-trust-adopt), published by Microsoft; “Microsoft Exchange Server 2013: Design, Deploy and Deliver an Enterprise Messaging Solution”, published by Sybex and available on Amazon; and authored “Azure Site Recovery: IaaS Migration and Disaster Recovery”, published by Pluralsight.

Nicolas can be found on LinkedIn: https://www.linkedin.com/in/nicolasblank/ or via his company website: https://www.nbconsult.co

🔗 Related Links

* Microsoft Zero Trust Workshop - https://aka.ms/ztworkshop
* Zero Trust Adoption Framework - https://aka.ms/zero-trust-adopt
* Microsoft Digital Defense Report - http://aka.ms/mddr

📗 Chapters

01:52 The Why Behind Zero Trust
04:17 The Baby Analogy: Explaining Least Privilege
07:41 Debunking Security Myths
11:43 Assume Breach vs Being Secure
15:28 Getting Stakeholder Buy-in
20:24 The Immune System Approach
21:45 Ruining Attacker ROI
25:50 The 96% Statistic You Can’t Ignore
33:24 Where to Start: Practical Tools
37:54 The Zero Trust Adoption Framework | |||
| Identity-Centric Network Security: Entra Global Secure Access Architecture & Benefits | 28 Dec 2025 | 00:57:03 | |
Is the traditional VPN dead? In the latest episode of Entra Chat, we dive deep into Microsoft Entra Global Secure Access (GSA). Joined by Keren Semel from the GSA product team and Thomas Detzner from the Entra CXE Architecture team, we explore how Microsoft is bridging the gap between identity and network security.

The Shift from VPN to SASE

The "good old days" of spinning up firewalls and DMZs are fading. Traditional controls are often too coarse-grained and lack identity awareness. As Thomas explains, the COVID-19 pandemic accelerated the need for change when traditional VPN gateways physically couldn't handle the load of remote workforces. This has paved the way for SASE (Secure Access Service Edge) and SSE (Security Service Edge), which move security controls to the cloud at hyperscale.

What is Global Secure Access?

The team breaks down the confusing terminology to help you understand the core products:

* Microsoft Entra Private Access: This is the ZTNA (Zero Trust Network Access) solution, replacing the classic VPN for accessing on-prem and private resources.
* Microsoft Entra Internet Access: This acts as a Secure Web Gateway (SWG), protecting outbound access to SaaS apps and the internet with URL filtering and DLP controls.
* Microsoft Entra Suite: A bundle that combines these network capabilities with Verified ID, Identity Governance, and Identity Protection for a comprehensive solution.

The "Secret Sauce"

Why choose Microsoft's solution? The differentiator is that GSA isn't just integrated with the Identity Provider (IdP)—it *is* part of the IdP. This deep integration allows for near real-time security. For example, if a user's device is compromised, the SOC team can revoke the token, and Entra can immediately terminate the network tunnel or prompt for step-up authentication. It brings the power of Conditional Access directly to network traffic.

Better Performance, Better Privacy

Contrary to the belief that security slows things down, GSA often improves performance. By leveraging Microsoft's massive global private fiber network, traffic is intelligently routed to the closest point of presence rather than being backhauled to a headquarters. From a privacy standpoint, admins have granular control. You decide what traffic is tunneled and inspected, ensuring you can meet compliance requirements (like those in the EU) without over-monitoring employee activity.

Ready to Deploy?

Deployment doesn't have to take months. Some customers are getting up and running with a Proof of Concept (PoC) in a single day. Whether you use the client-based agent or need client-less access for contractors, Microsoft provides detailed deployment plans to guide you.

About the Guests

Keren Semel

Keren leads visibility and data insights for the Global Secure Access product group. Based in Tel Aviv, she brings deep experience from the SASE/SSE market to Microsoft.

LinkedIn: https://www.linkedin.com/in/keren-semel-4876383/

Thomas Detzner

Thomas is a lead architect in the Entra CxE team, specializing in Global Secure Access and Zero Trust. A former network engineer based near Munich, he helps organizations bridge the gap between traditional networking and modern identity security.

LinkedIn: https://www.linkedin.com/in/thomasdetzner/

🔗 Related Links

* Microsoft Global Secure Access Documentation - https://learn.microsoft.com/en-us/entra/global-secure-access/
* Zero Trust Workshop - https://aka.ms/ztworkshop

📗 Chapters

00:00 Intro
05:17 The Limitations of Legacy VPNs
12:49 SASE vs SSE vs ZTNA Explained
21:26 The Identity-Network Secret Sauce
29:42 Unpacking Entra Suite
33:20 Microsoft’s Global Network Architecture
38:19 Client and Clientless Connectivity
41:26 Deployment and POC Process
45:31 Migrating from Zscaler to GSA
47:15 Privacy and Compliance Controls | |||
| How to Kill SMS MFA in Entra ID Without a Single Script | 20 Dec 2025 | 00:52:15 | |
Louis Mastelinck, a Microsoft MVP and Security Consultant at Proximus NXT, joins me to discuss the critical journey of moving organizations away from SMS-based MFA. We deep dive into a practical strategy for migrating users to the Authenticator app, starting with “stopping the bleed” and managing user groups. We also explore a significant security blind spot regarding Email OTP for SharePoint guest access and how to resolve it. Finally, we debate the future of authentication with device-bound versus synced Passkeys and how to defend against downgrade attacks.

About Louis Mastelinck

Louis Mastelinck is a Security Consultant at Proximus NXT and a recognized Microsoft MVP based in Belgium. Specializing in Incident Response and the full Microsoft Security stack (including MDE, MDO, Sentinel, and Identity Management), he is dedicated to neutralizing threats and securing digital environments. A GCFA-certified professional, Louis is known for his deep technical expertise in areas like Conditional Access and authentication methods.

LinkedIn - https://www.linkedin.com/in/louismastelinck/

🔗 Related Links

* Microsoft: Hang up on SMS - http://aka.ms/hangup

📗 Chapters

00:00 Intro
00:52 Props and PIM
01:41 The Dangers of SMS MFA
04:51 Strategy: Stopping the Bleed
10:06 Migrating Existing Users off SMS
19:20 Impact on Self-Service Password Reset
22:39 The SharePoint Email OTP Security Gap
25:13 Enabling Entra B2B Integration
34:28 Passkeys: Device-Bound vs Synced
44:40 Defending Against MFA Downgrade Attacks | |||
| What an ID Governance Consultant Wishes You Knew About Entra | 25 Apr 2026 | 00:46:40 | |
Identity Governance is often treated as a “nice-to-have” compliance checkbox, but as ID Governance expert Sandra Saluti reveals, it is actually the foundation of a secure, scalable environment. In this technical deep dive, we move past the marketing slides to discuss some of the common real-world “gotchas” that break Entra ID deployments.

In this episode, you will learn:

* The Golden Rule of Automation: Why you must stop using “presentation data” (like UPNs or Email addresses) as your anchor. We explain why the Object ID is the only immutable truth for your automation.
* The “Marriage Bug”: A cautionary tale of how a simple name change can break hybrid joins and lead to accidental laptop wipes, and how to prevent it.
* The “Unsexy” Side of Governance: Why the most important part of your job isn’t writing PowerShell, but interviewing HR and stakeholders to map out process flow diagrams before you ever touch the portal.
* Closing the “Rehire Gap”: How to solve the common crisis where contractors lose access for 48 hours during a renewal because of lifecycle synchronization delays.
* Directory Extensions vs. Exchange Attributes: Technical advice on where to store your identity metadata for the most reliable governance.

Sponsored by:

Entra ID Gaps That Cause Outages

In Microsoft Entra ID, outages often start small: an expired client secret, a lapsed certificate, or a suddenly failing integration. Traditional controls don’t track credential expiry or enforce application ownership, so issues appear only after something breaks. Teams are left asking:

* Which applications can access Microsoft 365 data?
* Is that access still appropriate?
* Who owns the app?

Unclear answers stall reviews, weaken accountability, and slow delivery. ENow App Governance Accelerator closes these gaps by highlighting expiring credentials, surfacing permission risks, and identifying ownership gaps before they disrupt operations. New Standard Tier pricing makes it accessible for organizations under 10,000 users, typically $3,500–$9,500 annually.

About Sandra Saluti

Sandra Saluti is a consultant at Epical working with Microsoft Entra ID and identity governance. She helps organisations design secure and practical identity solutions with a focus on governance, access management, and Zero Trust.

LinkedIn - https://www.linkedin.com/in/sandra-saluti-6866a686/

🔗 Related Links

* Sandra’s Blog - https://agderinthe.cloud/author/sandra/

📗 Chapters

00:00 Welcome to Entra Chat
03:18 Explaining Identity Governance
08:51 Handling Late Hires and Rehires
11:25 Using Directory Extensions Effectively
18:50 Stop Targeting UPNs for Automation
25:18 Managing Chaos with Guest Access Reviews
30:56 Deciding Who Approves App Access
33:51 Replacing Nested Groups with Access Packages
39:29 Closing Thoughts and Community | |||