Entra.Chat
Author: Merill Fernando
© Merill & Joshua Fernando
Description
Entra Chat is a weekly podcast hosted by Merill Fernando and delivers practical insights for Microsoft administrators and security professionals through conversations with identity experts who've been in the trenches.
Episodes feature seasoned Entra practitioners sharing real-world deployment experiences and Microsoft Entra team members who build the features you use daily.
Get the inside track on best practices, implementation strategies, and upcoming capabilities directly from those who design and deploy Microsoft identity solutions.
Join us for actionable takeaways you can apply immediately in your Microsoft 365, Azure, and Entra environments.
---
Entra.Chat, its content and opinions are my (Merill Fernando) own and do not reflect the views of my employer (Microsoft). All postings are provided “AS IS” with no warranties and are not supported by the author. All trademarks and copyrights belong to their owners and are used for identification only.
entra.news
28 Episodes
Cybersecurity expert Erica shares her incredible journey from pharmacist to becoming a professional hacker. She reveals how attackers are bypassing modern security controls like MFA and what you can do to protect your tenant.

We talk about the most common configuration vulnerabilities that exist in almost every organization, the dangers of application onboarding, and the top five phishing vectors threat actors are using to gain initial access, including clever abuses of Microsoft Teams.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Erica
Erica has an amazing career arc, starting in pharmacy before pivoting to cybersecurity. With a deep, hands-on understanding of offensive security gained from platforms like Hack the Box and real-world penetration testing, she specializes in protecting and defending Microsoft Cloud tenants. Erica is passionate about sharing her knowledge on how to better protect your tenant and what bad guys are looking for.
LinkedIn - https://www.linkedin.com/in/erica-z-b4169598/

🔗 Related Links
* Blog - https://ericazelic.medium.com/
* Hack The Box - https://www.hackthebox.com/
* Altered Security - https://www.alteredsecurity.com/

📗 Chapters
00:00:00 Intro
00:02:14 From Pharmacy to Cybersecurity
00:07:19 Learning to Hack with Hack The Box
00:11:45 The First Cloud Hack: M365 Public Groups
00:17:50 The Hidden Dangers of App Onboarding
00:25:53 The 5 Modern Phishing Attack Vectors
00:30:36 Bypassing MFA with Device Code Phishing
00:34:34 Adversary-in-the-Middle & Auth Downgrade Attacks
00:48:24 The Secret to Mastering Cybersecurity Skills

Podcast Apps
🎙️ Entra.Chat - https://entra.chat
🎧 Apple Podcast → https://entra.chat/apple
📺 YouTube → https://entra.chat/youtube
📺 Spotify → https://entra.chat/spotify
🎧 Overcast → https://entra.chat/overcast
🎧 Pocketcast → https://entra.chat/pocketcast
🎧 Others → https://entra.chat/rss

Merill's socials
📺 YouTube → youtube.com/@merillx
👔 LinkedIn → linkedin.com/in/merill
🐤 Twitter → twitter.com/merill
🕺 TikTok → tiktok.com/@merillf
🦋 Bluesky → bsky.app/profile/merill.net
🐘 Mastodon → infosec.exchange/@merill
🧵 Threads → threads.net/@merillf
🤖 GitHub → github.com/merill

Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe
Jeremy Conley, Product Manager on the Identity Governance team at Microsoft, demystifies the world of guest access in Microsoft Entra. We discuss the hidden security risks that accumulate as guests are invited into a tenant and the governance challenges this creates.

We also do a deep dive into the different licensing tiers, from P2 to the new Entra ID Governance for Guests license, and explain the recently GA’d, cost-effective MAU-based billing model for guests. Jeremy provides actionable tips for admins to start cleaning up their tenants and implementing a robust governance strategy today.

About Jeremy Conley
Jeremy Conley is a Product Manager at Microsoft, focusing on identity governance. His work is centered on Entitlement Management and the governance of guest and external users within Microsoft Entra, helping customers secure their environments and manage user lifecycles effectively.
LinkedIn - https://www.linkedin.com/in/jeremy-conley-99552379/

🔗 Related Links
* Microsoft Entra ID Governance licensing for guest users • aka.ms/EntraIDGuestGovernance
* PowerShell tool to update guest sponsor info • Update-MsIdInvitedUserSponsorsFromInvitedBy

📗 Chapters
00:51 What are Guests & External Users?
03:51 The Hidden Security Risk of Guests
07:14 Understanding Licensing for Guest Governance
09:10 P2 Features: Entitlement Management & Access Reviews
15:19 Entra ID Governance: Lifecycle Workflows & Automation
20:33 The "Sponsor" Concept for Guest Accountability
25:49 The NEW Guest Licensing Model Explained
28:15 Demystifying the 1:5 Ratio vs. MAU Billing
35:18 Common Mistakes Admins Make with Guests
37:22 A Simple First Step to Clean Up Your Tenant
In this episode of Entra.Chat, I dive into the critical world of app governance with experts Jay Gundotra and Sander Berkouwer, who unpack the hidden risks of non-human identities in Microsoft Entra. From shocking real-world breaches like Midnight Blizzard to a hilarious tale of a theme park’s water supply mishap, we explore why securing your cloud apps is more urgent than ever. Tune in to discover practical tips and tools to safeguard your organization without losing your giraffes!

About Jay Gundotra
Jay is the CEO and technical founder of E-Now. He has a long history as an Exchange and Active Directory engineer, which led him to found his company and focus on solving complex identity and application governance challenges for enterprises.
LinkedIn - https://www.linkedin.com/in/jay-gundotra-19079a/

About Sander Berkouwer
Sander Berkouwer is a 17-year Microsoft MVP veteran and an accomplished identity architect. With deep expertise from being "in the trenches," he partners with Jay to educate the community and build solutions for managing non-human identities and service principals.
LinkedIn - https://www.linkedin.com/in/sanderberkouwer/

🔗 Related Links
* AppGov Community - https://community.appgovscore.com/
* How Ownerless Apps in Entra ID Increase Your Attack Surface
* Securing Workload Identities in Entra ID: A Practical Guide for IT and Security Teams

📗 Chapters
00:00 Intro
01:55 What is App Governance?
04:02 The Origin Story of Focusing on App Governance
08:35 Why App Security is Critical Today
14:15 The Dangers of Over-Privileged Apps
20:38 The Giraffe Story: When Cleanup Goes Wrong
24:42 What Should a Successful Organization Do?
30:22 The Full Application Lifecycle: Onboarding to Offboarding
35:38 Building the AppGov Community
45:04 The Importance of Education and Automation
In this episode of Entra.Chat, I dive deep with cybersecurity architect Fabian Bader into his research on bypassing poorly designed Microsoft Entra conditional access policies and what you can do about them. We also cover the game-changing new Group Source of Authority feature that lets you finally manage synced groups in the cloud, and share insights from Fabian’s work with MSRC to secure the platform—don’t miss this one if you want to stay ahead in cloud security!

About Fabian Bader
Fabian Bader is a Cybersecurity Architect at glueckkanja, based in Hamburg, Germany. He is a well-known researcher in the Microsoft identity space, creator of the Cloud Brothers blog, and creator of the Maester and Token Tactics V2 tools. His work focuses on Microsoft Entra and the Defender suite, helping customers secure their cloud environments.
LinkedIn - https://www.linkedin.com/in/fabianbader/

🔗 Related Links
* Fabian’s Blog - https://cloudbrothers.info/
* Entra Scopes - https://entrascopes.com/
* Maester - https://maester.dev/
* Token Tactics V2 - https://github.com/f-bader/TokenTacticsV2

📗 Chapters
02:19 The Story of the "Cloud Brothers" Blog
03:32 The Origin Story of Maester
07:39 Token Tactics V2 & Continuous Access Evaluation
09:43 How Conditional Access Bypasses Are Found
12:05 What is FOCI (Family of Client IDs)?
18:04 Hardening Your Conditional Access Policies
29:59 V1 vs V2 Token Endpoints Explained
38:19 Using Graph Activity Logs in Defender XDR
42:45 The New Group Source of Authority (SOA)
54:59 Workplace Ninjas US Announcement
In this episode, I sit down with my boss, Tarek Dawoud, to pull back the curtain on what really happens during a major service outage. Tarek shares some incredible "war stories" from his time in the trenches, from the early days of DirSync where the team had to edit a sync file with a debugger to prevent an incident, to the massive outages of 2017 and 2018 that changed everything. We'll give you a peek into the high-stakes, quick-thinking world of a "live site" incident and reveal the groundbreaking engineering principles like cell-based architecture and the backup authentication service that were born from these challenges, making Entra more resilient than ever before.

About Tarek Dawoud
Tarek Dawoud is a Lead Architect in the Customer Engineering team for Microsoft Entra. With years of experience growing up in Entra engineering, he has been involved in his share of outages and has a deep understanding of what it takes to build and maintain a resilient, hyperscale identity service.
LinkedIn - https://www.linkedin.com/in/tarekdawoud/

🔗 Related Links
* SLA performance for Microsoft Entra ID - aka.ms/entraidsla
* Microsoft Blames "Severe Weather" for Azure Cloud Outage
* Microsoft Probes Cause of Global Web Outage
* Microsoft's Azure AD authentication outage: What went wrong

📗 Chapters
00:57 What is a "Live Site"?
14:15 The Secret to Entra's Uptime: Cell-Based Architecture
18:09 How Entra Routes Your Login Request Globally
24:46 War Story #1: The 2017 Conditional Access Outage
29:52 War Story #2: How a Hurricane & an Office Bug Caused Chaos
43:39 The Backup Auth Service: Entra's Secret Weapon
57:54 Does the Backup Service Kick in Automatically?
01:04:16 Regional Isolation & The Power of Managed Identity
01:08:17 Anatomy of a Near-Outage in 2021
01:12:02 How Microsoft's Culture Learns From Mistakes
In this episode, I sit down with Conrad Murray, a seasoned expert who lives and breathes the complexities of IT migrations during mergers, acquisitions, and divestitures.

We dive deep into the real-world challenges that companies face, from the political battles of deciding whose tenant to use, to the technical nightmares of migrating three-quarters of a petabyte of data for a major global firm.

Conrad shares some incredible "war stories" about the single hardest part of any migration—the domain cutover—and reveals why the success of a months-long project boils down to just the first four hours of the end-user experience on a Monday morning.

About Conrad Murray
Conrad Murray is an expert in the IT lifecycle, specializing in complex tenant-to-tenant migrations for mergers, acquisitions, and divestitures. With over 15 years of experience moving companies to the cloud, Conrad has seen it all, from early BPOS and Lotus Notes migrations to massive, petabyte-scale Microsoft 365 consolidations.
LinkedIn - Conrad Murray

🔗 Related Links
* Google to Microsoft 365 Migrations
* PowerSyncPro

📗 Chapters
00:00:00 Intro
00:05:40 The Politics of Merging Tenants
00:07:23 Greenfield Tenants: A Fresh Start
00:09:58 War Story: Migrating 750TB for S&P Global
00:19:13 The Nightmare of Domain Cutovers
00:25:14 The Critical Day-One User Experience
00:30:00 Reconfiguring Mobile Devices: The Hardest & Easiest Part
00:35:46 Multi-Tenant Orgs (MTO): A Long-Term Solution?
00:49:22 The Unique Challenges of Divestitures
00:55:17 Data Cleanup That Never Happens
01:01:06 Tools of the Trade for Migration Success
In this episode we are joined by Jef Kazimer, Principal Product Manager at Microsoft, to discuss the critical role of Microsoft Entra ID Governance. We explore the entire identity lifecycle from joiners, movers, and leavers (JML), the financial and security benefits of automated provisioning, and the pitfalls of legacy IGA solutions. Jef shares his extensive experience, from deploying complex MIM solutions to helping shape the future of cloud-native governance, and provides key insights into how AI will drive the need for more robust governance and how Entra is leveraging technologies like Azure Logic Apps for supportable, long-term solutions.

About Jef Kazimer
Jef Kazimer is a PM on the Microsoft Entra team, specializing in Identity Governance. With a career spanning from help desk support and consulting to his current role in engineering, Jef has a deep understanding of the real-world identity and access management challenges that organizations face. He is passionate about helping customers secure their environments by leveraging the power of the cloud.
LinkedIn - https://www.linkedin.com/in/jefkazimer/

🔗 Related Links
• Entra ID Governance licensing docs - https://learn.microsoft.com/en-us/entra/id-governance/licensing-fundamentals

📗 Chapters
01:39 From Atari to Microsoft: A Hacker's Journey
09:14 What is Identity Governance (and Why You're Already Doing It)
13:16 The Hidden Costs of Poor Governance & Licensing
15:58 The Customization Trap: Why 'Simple' is Better
22:57 Common Challenges in Identity Governance
27:36 Governance for Small vs. Large Businesses
30:51 The Secret to Great User Experience
42:33 Demystifying Entra ID Governance Licensing
46:41 The Future: How AI Changes Everything
In this eye-opening episode, I sit down with Microsoft's Clay and Ramiro, two Customer Experience (CxE) architects who've collectively run over 150 Zero Trust workshops with enterprise customers. They reveal the shocking gaps they consistently find—like customers spending millions on compliance policies but forgetting to actually block non-compliant devices with conditional access. We dive deep into their comprehensive Zero Trust Workshop framework that's become the "seventh wonder of the Excel world," discuss why partners are scrambling to get trained on their methodology, and explore how AI is about to reshape the entire Zero Trust landscape. If you think your organization has Zero Trust figured out, this conversation might just change your mind.

About Clay and Ramiro
Clay and Ramiro are architects in Microsoft's customer experience (CXE) team. With over a decade of experience each at Microsoft, they specialize in helping the largest and most high-profile customers navigate complex deployments and security challenges. Ramiro has a background in engineering and was part of the team that built ADFS, while Clay focuses on the Intune side of things. They are the key figures behind the development and refinement of Microsoft’s Zero Trust Workshop.
* LinkedIn - Ramiro: https://www.linkedin.com/in/ramirocalderon/
* LinkedIn - Clay: https://www.linkedin.com/in/clay-p-55899912b/

🔗 Related Links
* Zero Trust Workshop - https://aka.ms/ztworkshop

📗 Chapters
00:24 The "Why" Behind the Zero Trust Workshop
08:16 How to Run the Workshop
14:15 How the Workshop Has Evolved
20:48 How Partners Can Use the Workshop
26:51 Evolution of the Roadmap
35:30 Real-World Customer Improvements
39:46 Zero Trust is a Team Sport
47:22 The Future: AI and the Workshop
49:10 Final Advice on Zero Trust
In this episode, I sit down with Jordan Dahl, a Product Manager on the Entra Conditional Access team, to discuss the newly GA'd Conditional Access Optimization Agent. Jordan shares the origin story of the agent, explaining how customer feedback about the difficulties of managing CA policies at scale led to its creation. We delve into how this AI-powered "digital colleague" works to identify and remediate security gaps, its future roadmap including ServiceNow integration and phased rollouts, and how you can get started with it in your own tenant.

About Jordan
Jordan is a Product Manager on the Entra Conditional Access team at Microsoft. Her current focus is on the Conditional Access Optimization Agent. Previously, she was a PM for per-policy reporting in Conditional Access and for Groups within Entra.
LinkedIn - https://www.linkedin.com/in/jordan-dahl-840182127/

🔗 Related Links
* Conditional Access optimization agent in Microsoft Entra

📗 Chapters
00:00 Intro
01:31 The Origin of the CA Optimization Agent
05:08 How the Agent Works
07:40 Autonomous Policy Changes?
12:39 How to Deploy the Agent
16:12 Customizing the Agent's Behavior
23:59 Upcoming Agent Features: Phased Rollouts & ServiceNow
29:45 The Future: A "Digital Colleague"
35:08 How to Give Feedback
41:09 Getting Started: Your Action Items
In this exciting episode of Entra Chat, I dive into the world of Entra + Windows devices with the passionate and knowledgeable John Towles, a solution architect and MVP for Windows 365 and more. We unpack why Entra hybrid join is still relevant for some organizations, explore the ins and outs of Windows Autopilot, and reveal practical tips for navigating the complexities of modern device management. Plus, we share a sneak peek into the upcoming Workplace Ninjas US event and get a special announcement about the Workplace Ninjas US "Golden Clippy Awards", including the finalists for the "Entra IDol of the Year."

About John Towles
John Towles is a Solutions Architect at WEI, a multi-award MVP (Windows 365, Intune), President of Workplace Ninjas US, and the proprietor of Mobile-John.com. With over a decade of experience as the face of VMware's Workplace One, John has a deep and unique perspective on endpoint management and cloud migration. He is passionate about helping organizations navigate complex technical challenges with pragmatic, real-world solutions.
LinkedIn

🔗 Related Links
* Microsoft Entra Hybrid Join: Not Dead Yet! (John’s blog)
* Workplace Ninjas US
* Microsoft's Entra Kerberos: Bridging Legacy AD to Cloud Auth + MAM on Edge with PM Jordan Gross

📗 Chapters
00:23 Entra Hybrid Join: To Do or Not to Do?
03:13 The Great Migration from VMware to Intune
06:23 Entra Join vs. Hybrid Join Explained
12:52 The Magic of Cloud Kerberos Trust
15:53 Demystifying Windows Autopilot
25:23 Making the Case for Hybrid Join with Autopilot
30:57 Why Cloud-Native is the Future
36:16 Introducing Workplace Ninjas US
39:06 The "Golden Clippy Awards"
41:31 Announcing the Entra IDol of the Year Finalists
In this episode, I sit down with Chetan Desai, a Principal Product Manager on the Microsoft Identity Governance team. We dive deep into a side of Entra that many admins never see: the critical "first mile problem" of getting identities into your system in the first place.

We talk about the evolution from on-prem scripts and MIM to specific connectors for Workday and SuccessFactors and then to the new powerful, generic API-driven approach that can handle any HR system and the architectural decisions behind it. Chetan also gives us a masterclass on how the provisioning engine differs from the Graph API and provides advice for anyone looking to migrate from a legacy Identity Governance and Administration (IGA) solution.

About Chetan Desai
Chetan Desai is a Principal Product Manager at Microsoft on the Entra team. For the past seven years, he has been a core part of the Entra Identity Governance and Provisioning team. Before his time at Microsoft, Chetan spent 17 years in consulting within the identity and access management domain, bringing a wealth of real-world deployment and integration experience to his product management role.

🔗 Related Links
* Application and HR provisioning documentation
* Provisioning with SCIM
* API-driven inbound provisioning concepts

📗 Chapters
00:34 The "First Mile Problem" in Identity
04:51 From AD Sync to HR-Driven Provisioning
09:52 The Entra Provisioning Service Architecture
16:17 Hybrid vs. Cloud-Only Identity Flows
19:17 Beyond Workday: The Need for a Generic Connector
27:43 The Great Debate: CSV vs. SQL vs. API
35:34 Provisioning API vs. Graph API: What's the Difference?
43:24 The Latest Evolution: Custom Security Attributes
49:26 Advice for Migrating to Modern IGA
In this episode, I chat with the legendary Tony Redmond, a prolific writer and author of "Office 365 for IT Pros". Tony shares unfiltered insights from his career, critiques the state of technical writing and AI, and discusses the challenges with PowerShell and the future of AI agents in the Microsoft ecosystem.

About Tony Redmond
Tony Redmond is a well-known and prolific writer in the Microsoft 365 space. After a long career in large tech companies like Digital, Compaq, and HP, where he rose to the level of Vice President, he became an independent consultant and author in 2010. He is the lead author of the widely respected and continuously updated e-book, "Office 365 for IT Pros," and "Automating Microsoft 365 with PowerShell."
LinkedIn - https://www.linkedin.com/in/tonyredmond/

🔗 Related Links
* Office 365 for IT Pros (Book) - https://office365itpros.com
* Practical 365 - https://practical365.com

📗 Chapters
00:00 Intro
03:50 Tony's career and lessons from corporate life
09:06 The story behind the "Office 365 for IT Pros" book
21:35 Tony's rules for great technical writing
25:31 The problem with duplicate content and AI summaries
36:31 A critique of the Graph PowerShell SDK
45:15 The dangers of AI and the need for guardrails
50:57 Microsoft's mistake: Rushing tech without guardrails
55:04 The cyclical nature of technology and IT challenges
In this episode, I sit down with Erin Greenlee, the Product Manager for App Consent on Microsoft’s App Platform Team. We dive into the critical world of app consent and the upcoming Microsoft 365 secure-by-default changes. We explore the nuances of user and admin consent, the impact of the mid-July 2025 policy shift, and how admins can prepare for a more secure Entra environment.

About Erin Greenlee
Erin Greenlee is a Product Manager at Microsoft, specializing in the App Platform Team within the Identity and Network Access division. With a decade of experience at Microsoft, including roles in B2C and domain services, Erin now focuses on consent, authorization, and app roles, helping organizations secure their applications while enabling productivity.
LinkedIn - https://www.linkedin.com/in/eringreenlee/

🔗 Related Links
* MC1097272 - Microsoft 365 Upcoming Secure by Default Settings Changes - https://mc.merill.net/message/MC1097272
* Entra Admin Consent Workflow - https://docs.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow
* Configure how users consent to applications - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent
* Manage app consent policies - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-app-consent-policies
* Review App Consent audit logs - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/app-perms-audit-logs

📗 Chapters
02:15 What is App Consent?
03:22 Delegated vs. Application Permissions
07:45 The User Consent Balancing Act
13:58 How Consent is Evaluated
17:33 Understanding Tenant Consent Policies
22:28 The Admin Consent Workflow
31:18 The Big Change: Microsoft's Secure-by-Default Update
41:35 How to Prepare for the Change
49:05 Advanced Delegation with Custom Policies
In this episode, we talk with an identity expert, ex-Microsoftie and Principal Domain Architect, Mark Renoden, about creating a modern Privileged Access Management (PAM) solution for on-premises Active Directory. Discover how to build a secure "Bastion Forest" architecture using Microsoft Entra. We talk about PIM for Groups, group write-back, phish-resistant credentials, Privileged Access Workstations (PAW), securing an Entra tenant from the ground up, and navigating challenges with Cloud Solution Provider (CSP) permissions.

Watch on YouTube

PS. Can I ask a favor? If you enjoyed this episode please leave a review and rating! Thank you 🙏 - Merill

About Mark
As Principal Domain Architect for Identity at Increment, Mark leads the design and delivery of secure, scalable identity architectures grounded in Microsoft Entra ID and aligned with Zero Trust principles. He specializes in helping organisations modernise their infrastructure and navigate complex identity transformations.

Before joining Increment, Mark spent over 20 years at Microsoft in support, field engineering, mission-critical and customer experience roles focused on Identity across a wide spectrum of industries in Australia and New Zealand, including Finance, Healthcare, Government, Education and Retail.

LinkedIn - https://www.linkedin.com/in/markrenoden/

🔗 Related Links
* DirectoryShield | Increment - https://www.increment.inc/directoryshield
* Entra Security Recommendations - https://aka.ms/EntraSecurityRecommendations
* Securing privileged access overview - https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-overview
* MIM - Bastion environment - https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment

📗 Chapters
00:46 Securing Your Entra Tenant
02:09 The Quest for a Microsoft-Only PAM Solution
04:21 What is a "Bastion Forest"?
07:50 Reimagining the Bastion Forest for the Cloud
12:53 Architecting a "Secure-by-Default" Tenant
17:41 Phish-Resistant On-Prem Admins
19:50 The Modern Privileged Access Workstation (PAW)
27:04 The Tiered Administration Model Explained
29:51 The Hidden Dangers of CSP Admin Access
34:29 How Fast is PIM for Groups?
In this very special episode, I sit down with the "Yoda of Entra" himself, Tarek Dawoud, who also happens to be my manager!

We dig deep into the fascinating and often surprising history of Microsoft's identity platforms. Tarek, who has been on the team since 2007, takes us on a journey from the revolutionary launch of Active Directory in 1999, through the creation of the cloud services that battled Google Apps, to the formation of the identity division and the eventual rebrand to Entra.

You'll hear the inside story on how our customer experience team became a "secret weapon" and, most excitingly, we'll look at what the future holds for Identity and Access Management in the new age of AI agents.

Watch on YouTube

PS. Can I ask a favor? If you enjoyed this episode please leave a review and rating! Thank you 🙏 - Merill

About Tarek Dawoud
Tarek Dawoud is a long-time veteran at Microsoft, having been with the company for over 18 years. Tarek currently leads the architecture team within the customer engineering (CXE) organization, where he helps customers deploy Entra, gathers insights for the product group, and works to solve the hardest identity problems.

LinkedIn - https://www.linkedin.com/in/tarekdawoud/

📗 Chapters
00:00 Intro
08:58 The Beginning: The Vision of Active Directory (AD)
14:51 The Consumer Side: Microsoft Passport & The Standards Debate
18:29 A Defensive Play: How Google Apps Sparked Microsoft's Cloud Identity
27:21 The First Merger: Active Directory & Cloud Teams Unite
32:03 The Birth of Conditional Access & The Authenticator App
42:52 The Security Re-org: Identity Moves to a New Home
45:30 A New Era: Rebranding to Entra
48:52 The Future is Now: AI, Agentic Identities, and the End of PowerShell?
In this episode, we are joined by Maqsood Bhatti, the IAM Principal Engineer at Elkjøp Nordic, who takes us through their incredible journey of migrating from the legacy NetIQ platform to Microsoft Entra. What's fascinating is how they accomplished this years ago, completely bypassing traditional tools like Entra Connect and adopting a "production-only" environment. Maqsood shares how they built a truly cloud-native identity solution from the ground up, leveraging custom connectors, app roles, and automating everything, including moving off the legacy platform entirely.

You'll also hear about their advanced use of Microsoft Identity Governance, Logic Apps for custom provisioning, and a strict modern authentication policy that has shaped their identity and access management (IAM) for nearly a decade.

Watch on YouTube

PS. Can I ask a favor? If you enjoyed this episode please leave a review and rating! Thank you 🙏 - Merill

About Maqsood
Maqsood is the IAM Principal Engineer at Elkjøp Nordic, a company that has been an early adopter of access automation since 2006. He has been instrumental in their journey from legacy systems like NetIQ to a modern, cloud-native Microsoft Entra infrastructure, championing innovative approaches like custom API integrations and a "prod-only" development environment.

LinkedIn - https://www.linkedin.com/in/maqsoodbhatti/

🔗 Related Links
* Elkjøp Nordic avoids IT tangles with large-scale automation

📗 Chapters
00:00 Intro
01:10 Early Days & NetIQ Automation
03:34 The Journey to Public Cloud & Microsoft 365
08:23 Custom Connectors and Real-Time Sync
15:08 Embracing Azure, App Roles & Modern Auth
19:29 Password Sync & Skipping Entra Connect
22:57 Decommissioning NetIQ: Challenges & Motivations
27:27 Leveraging Entra ID Domain Services as a Bridge
33:28 Mastering App Roles & Guiding Developers
44:27 Migrating to Entra ID Governance & Logic Apps
52:57 The "Prod-Only" Philosophy & Cloud-Native Mindset
Tobias Binkert, Head of IT at We Are Era, and Yusuke Kodama, Product Manager at Microsoft (who specialises in cloud-first identity, among many other things), join us to discuss We Are Era's successful migration from on-premises Active Directory to a fully cloud-native Microsoft Entra ID environment.

We delve into the motivations behind this significant shift, along with practical strategies for migrating devices using Microsoft Autopilot, modernizing applications, managing user accounts and groups in the cloud, and overcoming challenges like legacy RADIUS dependencies. Tobias shares the tangible benefits We Are Era experienced, including enhanced security, a superior user experience and increased agility for adopting new technologies.

LinkedIn
* Tobias Binkert - https://www.linkedin.com/in/tobias-binkert-83844810a/
* Yusuke Kodama - https://www.linkedin.com/in/yusukekodama85/

On a related note, we ran a poll a few weeks ago asking what your Identity plans were for 2030 and beyond. Nearly 90% of you were looking to go Entra ID first, with more than half planning to go full cloud native with Entra ID.

So hopefully this episode with Tobias and Yusuke will help shed some light and help you start your journey to going cloud-first/cloud-native.

Watch on YouTube

PS. Can I ask a favor? If you enjoyed this episode please leave a review and rating! Thank you 🙏 - Merill

🔗 Related Links
* Road to the cloud: Introduction
* Cloud transformation posture
* Establish a Microsoft Entra footprint
* Implement a cloud-first approach
* Transition to the cloud

📗 Chapters
00:00 Intro
03:20 The Motivation: Why Decommission On-Prem Active Directory?
06:23 Gaining Buy-In: Negotiating with Business Units
09:56 The ROI & Cost Impact: Saving 70% on Infrastructure
14:47 Device Migration: Tackling Windows Workstations with Autopilot
25:31 Server & Application Challenges: RADIUS, Printing, and More
32:06 User Accounts & Groups: The Shift to Cloud-Only Identities
44:19 Addressing Security & Availability Concerns of Full Cloud
49:43 Life After AD: Next Steps and Future Identity Initiatives
51:45 Lessons Learned & Key Advice for Your Cloud Migration
In this episode we chat with Sapir Federovsky, a Security Researcher at CrowdStrike, who shares her journey from military service to becoming an identity threat researcher.

She discusses her learning methods, the importance of community, and the challenges of keeping up in the fast-paced world of Azure and Entra ID security.

Sapir also delves into specific Entra ID features she focuses on, the critical role of prevention alongside detection, and her experiences as a woman in the tech industry.

LinkedIn - https://www.linkedin.com/in/sapir-federovsky-a687491b0/

Watch on YouTube

PS. Can I ask a favor? If you enjoyed this episode please leave a review and rating! Thank you 🙏 - Merill

🔗 Related Links
* Sapir's blog - https://sapirxfed.com/
* Reportly - https://github.com/sap8899/reportly

📗 Chapters
00:00 Intro
01:17 Early Career Perspectives & Learning Journey
03:25 Transitioning from Military to Civilian Tech
04:25 Learning Cloud Security & The Power of Talks/Blogs
08:19 Building a Tool for Log Analysis
12:26 A Typical Day: Continuous Learning & Community Sharing
15:08 Balancing Learning Old & New in a Fast-Evolving Field
17:38 The Power of Teaching to Master a Topic
19:37 Learning by Answering Questions
21:17 Vision: Becoming the Ultimate Defender & Community Building
23:48 Deep Dive: Graph Activity Logs in Entra ID
27:33 Focusing on Hybrid Environments & Synchronization
29:37 Experiences as a Woman in Tech
36:29 The Shift from Detection to Prevention & Hardening
39:13 The Challenge of Updating Tenant Configurations
45:57 Navigating Organizational Change Management Cycles
50:29 Final Advice: Always Say Yes & Create Opportunities
In this episode we chat with Microsoft PM Jordan Gross about the exciting world of Entra Kerberos.

Discover how this crucial feature bridges the gap between traditional on-premises Active Directory and the modern cloud, enabling seamless authentication for legacy applications in hybrid environments.

Jordan delves into the mechanics of Entra Kerberos, its different operational modes (up-level and down-level trust), and its significance for organizations migrating to the cloud.

We also explore MAM (Mobile Application Management) on Edge, another innovative solution Jordan worked on, which helps secure browser access on personal devices.

LinkedIn - https://www.linkedin.com/in/jordangross61/

PS. Can I ask a favor? If you enjoy this podcast please leave a review and rating on your podcast app! This helps more folks discover Entra.Chat - Thank you 🙏 - Merill

Watch on YouTube or get the podcast from the links below 👇

🔗 Related Links

Entra Kerberos
* How Azure AD Kerberos Works • Steve Syfuhs
* Cloud Kerberos trust deployment guide
* Use Kerberos for single sign-on (SSO) to your resources with Microsoft Entra Private Access
* Kerberos Constrained Delegation for single sign-on (SSO) to your apps with application proxy
* Enable Microsoft Entra Kerberos authentication for hybrid identities on Azure Files
* How Windows Authentication for Azure SQL Managed Instance is implemented with Microsoft Entra ID and Kerberos
* Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID
* Enable Kerberos SSO to on-premises Active Directory and Microsoft Entra ID Kerberos resources in Platform SSO (macOS)

MAM
* Data protection for Windows MAM

📗 Chapters
00:00 Intro
01:24 Introducing Entra Kerberos & MAM on Edge
03:13 What is Entra Kerberos?
04:14 Understanding Traditional Kerberos
06:39 Why Entra Didn't Just Use Kerberos Initially
07:36 The Lingering Importance of On-Prem AD
09:08 Where Entra Kerberos Fits: Solving Hybrid Problems
10:06 Use Cases: Regulations & File Sharing (SMB Protocol)
11:55 How Entra Kerberos Works: Two Styles
13:36 Modern Auth vs. Down-Level Trust Explained
14:04 The Convenience of Cloud TGTs with Windows Hello
15:26 Accessing Resources: TGT to TGS Exchange
17:03 How Apps Trust Entra Kerberos Tickets
18:00 Admin Setup for Trust Relationship
19:22 Supporting Legacy Apps in a Modern World
21:24 Benefits Over NTLM & Conditional Access
23:04 Future of Entra Kerberos: Cloud-Only Users
26:28 Expanding Support: Mac, Linux & Mobile Devices
29:13 Current Big Use Cases: Azure Files & AVD
30:06 Understanding Down-Level Scenarios
31:42 Interaction with Global Secure Access
33:57 Transition to MAM for Edge
34:27 What Problem Does MAM for Edge Solve?
36:12 How MAM for Edge Protects Personal Devices
38:11 Security Scope: Benign User Mistakes vs. Hackers
40:23 Combining MDM and MAM for Enhanced Security
41:20 Deployment: Intune Policies & Entra Configuration
43:18 Windows-Only Feature for Now
44:10 Benefits: Security, User Empowerment & Visibility
48:13 Intune Dependency & Flexibility with Other MDMs
49:50 The Fun of Cross-Team Collaboration
50:48 Concluding Thoughts & Thank You
In this episode, Simon Gottschlag, CTO of Co-native and a Microsoft MVP in Azure, discusses his innovative prototype for implementing Azure service principal impersonation using Azure Functions and Key Vault.

We explore the challenges of managing service principals, the journey to building a solution, and the potential for improving developer experience in platform building. Simon shares insights on the four-eyes principle, Entra ID's newer attribute-based access control (ABAC) vs the traditional RBAC model, and how his solution can enhance security and auditability in Azure environments.

LinkedIn - https://www.linkedin.com/in/simongottschlag

🔗 Related Links
* Azure Service Principal Impersonation - https://github.com/co-native-ab/azure-service-principal-impersonation
* pimctl - https://github.com/co-native-ab/pimctl

📗 Chapters
00:00 Intro
00:42 Meet Simon: CTO & Azure MVP
01:51 The Project: Azure Service Principal Impersonation
02:11 The Problem: Challenges in Managing Service Principals
03:47 Journey to the Solution: Building Platforms & Terraform Pain Points
06:50 The Challenge with Graph Permissions & Least Privilege
08:27 Improving Developer Experience in Platform Building
11:05 The Core Issue: Running Operations Locally vs. Service Principals
13:43 The Idea: Service Principal Impersonation
13:50 Four-Eyes Principle and PIM in Azure
15:40 Understanding Attribute-Based Access Control (ABAC)
18:58 Enforcing Role Delegation with ABAC and PIM
20:12 Clarifying Service Principal Access with PIM and Four-Eyes
21:26 The Local Development Dilemma with Security Principles
22:02 pimctl: A CLI Tool for PIM
22:42 New Challenge: Azure Managed Grafana & Terraform Authentication
23:36 AC Identity Terraform Provider: Getting Tokens from Entra
24:42 The Big Question: Securely Getting Service Principal Tokens Locally
25:21 What is Impersonation in This Context?
26:27 Building the Solution: Federated Credentials & Custom Token Exchange
28:42 How the Azure Function Works: Authentication & Token Issuance
29:26 The Result: Consistent Workflow & Auditability
31:05 Open Source: How to Set Up and Try the Prototype
33:31 Use Cases: DevOps Automation & Time-Limited Access
35:15 Potential: Multi-Cloud Deployments & Extending Entra