<![CDATA[Entra.News - Your weekly dose of Microsoft Entra]]>https://entra.newshttps://substackcdn.com/image/fetch/$s_!4mCy!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7b3b3378-703b-4f6a-ab4d-10470336b06f_1280x1280.pngEntra.News - Your weekly dose of Microsoft Entrahttps://entra.newsSubstackTue, 21 Apr 2026 10:56:32 GMT<![CDATA[Entra 🆔 News #145 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-145-this-week-in-microsofthttps://entra.news/p/entra-news-145-this-week-in-microsoftSun, 19 Apr 2026 12:30:25 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

There are some important updates in this week’s Message Center posts, so be sure to check them out and prepare for the changes.

Don’t forget to queue up this week’s Entra Chat featuring the legendary Sean Metcalf, and hear his top tips for hardening Entra ID in 2026.

Enjoy!

Sponsored by:

Uncover Risky Entra ID Apps Faster

Most Microsoft 365 tenants accumulate hundreds of enterprise applications, with OAuth permissions granted over time and ownership left undefined. Security teams often lack visibility into which apps access mailboxes, files, or user data, and which introduce risk.

Native tools provide pieces of this data, but not a unified view. That gap makes consistent application governance hard to maintain.

AppGov Score assesses your Entra ID application landscape. Identify high-risk permissions, detect unused or overprivileged apps, and surface ownership gaps so you can prioritize remediation based on real exposure.

Attending the Microsoft 365 Community Conference in Orlando? Visit ENow at booth #617 to see how teams are strengthening application governance while enabling their users.

Get Your App Risk Score

⚡️ Microsoft

🔥 Public Preview

📖 Read

🗣️ Message Center

From the community…

🚀 Most popular posts from last week

Sponsored by:

Would you bet your reputation on your current Microsoft 365 security posture?

Sure, you’ve checked Purview. Maybe tightened Conditional Access. We all do that.

But it’s usually the quiet stuff that bites... permissions that expanded, policies that drifted, exceptions nobody revisited.

You could assume it’s fine.

Or you could run the Microsoft 365 Security Posture Check.

It’s free.

It runs locally.

And no, it doesn’t send your tenant data back to us.

We’ll even help you set it up.

Get yours here

☀️ Learn

👩‍✈️ AI & Copilot

🧰 Workload ID

👮‍♂️ ID Governance

🌐 Private Access & Internet Access (GSA)

📦 Apps

🫆 Authentication

👥 User & Group Management

🤖 DevOps & PowerShell

🚦 Conditional Access

🏙️ External ID - Guests & Multi-Tenant Organizations

📒 Tenant Configuration

🔥 Maester

👨🏽‍💻 Merill’s corner

Entra.News - Your weekly dose of Microsoft Entra is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[Stop Leaving the Door Open: The Entra ID Hardening Checklist Security Experts Actually Use]]>https://entra.news/p/stop-leaving-the-door-open-the-entrahttps://entra.news/p/stop-leaving-the-door-open-the-entraSat, 18 Apr 2026 13:11:49 GMTMicrosoft Entra security is evolving and the way organizations think about identity protection needs to evolve with it. In this episode, I’m joined by Sean Metcalf, one of the foremost identity security experts in the industry, whose work has helped shape how many organizations approach securing both Active Directory and Microsoft Entra.

Sean shares the hardening steps many teams still overlook, and why advances in AI are making it easier for both defenders and attackers to work faster than ever before. From MFA and application controls to protecting privileged accounts and reducing unnecessary exposure, this conversation offers a practical look at where strong identity security starts and why getting the fundamentals right matters more than ever.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Sean Metcalf

Sean Metcalf is the Identity Security Architect at TrustedSec and a renowned expert in Microsoft identity security. He holds the rare Certified Master in Active Directory certification and has spoken at major security conferences including Black Hat, DEF CON, and BlueHat on how to defend cloud and hybrid environments.

LinkedIn - https://www.linkedin.com/in/seanmmetcalf/

🔗 Related Links

📗 Chapters

00:04:05 AI and the Evolution of Attacks

00:06:42 The Importance of Hardening Fundamentals

00:12:03 Securing Entra ID Quickly

00:16:24 Protecting Tokens with VBS and TPM

00:19:58 Restricting Consent and Guest Users

00:23:40 Managing Rogue Tenants

00:27:36 Cloud Admin Workstation Strategies

00:34:14 Delegated Admin Privileges

00:44:32 The Danger of Application Permissions

00:57:06 Artemis Mission Trivia

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]><![CDATA[Entra 🆔 News #144 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-144-this-week-in-microsofthttps://entra.news/p/entra-news-144-this-week-in-microsoftSun, 12 Apr 2026 12:07:01 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

There’s quite a bit from the community this week, including a mix of agents, some solid deep dives into Conditional Access gaps and identity attack paths, and a few practical security findings from the field.

From Microsoft: the planned rollout for passkeys in Microsoft registration campaigns (MC1253746) has been paused for now. Read the post below for more info.

Also, this week’s Entra Chat podcast is with Per-Torben Sørensen. We go deep on designing Conditional Access policies. You’ll likely come away with at least one new idea to apply. Worth adding to your podcast queue.

Enjoy!

Sponsored by:

User Lifecycle: Onboard and Offboard With a Single CmdLet

Fact: Managing hybrid users across AD, Entra ID, and Exchange Online is a breeding ground for missed steps and security gaps - from day one to last day.

EasyEntra’s PowerShell-enabled workflows handle the entire lifecycle:

🚀 Onboard a fully provisioned user in 30 seconds - UI or two-parameter CmdLet.
🚀 Templates defined from existing users in seconds.
🚀 Offboard completely in 10 seconds - UI or single CmdLet.
🚀 Offboarding settings configured once, applied consistently every time.
🚀 Delegate life-cycle management to first-line support - no senior PowerShell skills or tribal knowledge required.

Start your 30-day trial or book a demo - setup takes under a minute - free for tenants with fewer than 25 licensed users.

“It feels almost like a revolution.”
Head of IT, Arjeplog Municipality, Sweden

Wait… One CmdLet?

⚡️ Microsoft

🏆 General Availability

📖 Read

🗣️ Message Center

From the community…

🚀 Most popular posts from last week

Sponsored by:

Book a demo

☀️ Learn

👩‍✈️ AI & Copilot

💳 Verified ID

⛑️ ID Protection

🌐 Private Access & Internet Access (GSA)

📦 Apps

🫆 Authentication

👥 User & Group Management

🚦 Conditional Access

🏙️ External ID - Guests & Multi-Tenant Organizations

🥷 Security

♻️ Sync

📒 Tenant Configuration

🛍️ External ID - Customers

🔥 Maester

👨🏽‍💻 Merill’s corner

In Melbourne this week? I’ll be presenting a short session on MCP auth at the Identity Management Day Summit.

Come say hi! Register here.

Entra.News - Your weekly dose of Microsoft Entra is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[How to Design Bullet-Proof Conditional Access Policies in Microsoft Entra ID]]>https://entra.news/p/how-to-design-bullet-proof-conditionalhttps://entra.news/p/how-to-design-bullet-proof-conditionalSat, 11 Apr 2026 14:36:17 GMTIf you can’t immediately name your break glass accounts and the last time you tested them → you’re already at risk.

In this episode of Entra Chat, Microsoft MVP Per Torben walks through the conditional access mistakes he sees even large enterprises making, and the practical framework he actually uses with customers.

You’ll learn how to set up emergency access accounts the right way, why your CA policies should be built more like a firewall than a checklist, and the one naming convention that makes managing dozens of policies actually manageable.

🎧 Hit play, your tenant will thank you.

Sponsored by:

Entra ID Gaps That Cause Outages

In Microsoft Entra ID, outages often start small: an expired client secret, a lapsed certificate, or a suddenly failing integration. Traditional controls don’t track credential expiry or enforce application ownership, so issues appear only after something breaks.

Teams are left asking:

  • Which applications can access Microsoft 365 data?

  • Is that access still appropriate?

  • Who owns the app?

Unclear answers stall reviews, weaken accountability, and slow delivery.

ENow App Governance Accelerator closes these gaps by highlighting expiring credentials, surfacing permission risks, and identifying ownership gaps before they disrupt operations. New Standard Tier pricing makes it accessible for organizations under 10,000 users, typically $3,500–$9,500 annually.

Explore Entra ID Gaps

Subscribe with your favorite podcast player or watch on YouTube 👇

About Per Torben

Per Torben is a Senior Architect at Crayon and a Microsoft MVP for Identity and Access. Based in Norway, he frequently writes highly-read posts featured on Entra.News and runs the collaborative tech blog “Agder in the Cloud”.

LinkedIn - https://www.linkedin.com/in/pertorbensorensen/

🔗 Related Links

📗 Chapters

06:22 The importance of Break Glass accounts

09:02 Securing emergency access with FIDO2 and RMAUs

18:10 Configuring Conditional Access: The “Block by Default” strategy

27:26 Managing scope and preventing accidental lockouts

29:31 Persona-based naming conventions for CA policies

35:38 Grouping settings and avoiding bloated policies

41:54 Handling exceptions and travel access with Access Packages

44:55 The flaw in Protected Actions for Conditional Access

53:38 Using the new Entra Backup feature for quick restores

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]><![CDATA[Entra 🆔 News #143 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-143-this-week-in-microsofthttps://entra.news/p/entra-news-143-this-week-in-microsoftSun, 05 Apr 2026 12:29:42 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

Well folks, there’s a lot happening in the Entra world, we have over seven features becoming GA, a bunch of new public preview features, and an upcoming change to enforce CA policies during WHfB registration. Check them all out below.

BTW, I caught up with some Microsoft Entra MVPs to get their take on the big updates—queue it up on Spotify, Apple Podcasts, or watch on YouTube 👇

Enjoy!

Sponsored by:

Announcing the Month of Azure Red Teaming 2026

Altered Security Month of Azure Red Teaming is an initiative to raise awareness and spark discussion around one of the most critical and in-demand skillsets: Azure Red Teaming. Throughout the month we want to keep the community engaged to help infosec professionals and students understand, practice and analyze attack vectors in Azure.

What to expect during the month:

- Four Free Azure Red Team Webinars with hands-on labs (April 10th, 17th, 24th and 30th).

- Flat 20% OFF on the accoladed Azure Red Team certifications: CARTP and CARTE.

- Free labs on Altered Security’s Red Labs Platform

Get ready for a month full of free labs, webinars, blog posts, giveaways and discounts!

Know More

⚡️ Microsoft

🏆 General Availability

🔥 Public Preview

📖 Read

📺 Watch

🗣️ Message Center

From the community…

🚀 Most popular posts from last week

Sponsored by:

Uncover Entra App Risk in Minutes

Most Entra ID tenants contain hundreds of applications with unclear ownership, excessive OAuth permissions, and long-lived secrets. These gaps are difficult to identify using native tools alone, especially at scale.

ENow’s AppGov Score provides a read-only assessment of your Entra environment using 24 Microsoft-aligned checks. It surfaces risky consent grants, privileged service principals, expired credentials, and ownerless apps, then translates findings into a clear, defensible risk score.

Instead of manual reviews or scripting, administrators gain immediate visibility into application sprawl and permission exposure, making it easier to prioritize remediation and improve governance across Microsoft 365.

Get Your App Risk Score

☀️ Learn

👩‍✈️ AI & Copilot

🧰 Workload ID

👮‍♂️ ID Governance

🌐 Private Access & Internet Access (GSA)

📦 Apps

🫆 Authentication

👥 User & Group Management

🚦 Conditional Access

🖥️ Devices

🏙️ External ID - Guests & Multi-Tenant Organizations

📈 Reporting and Insights

🥷 Security

♻️ Sync

📒 Tenant Configuration

🔥 Maester

Entra.News - Your weekly dose of Microsoft Entra is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[5 Entra ID Updates You Can’t Afford to Ignore in 2026 (Backup, Governance, CA Agent & Risk Score Exposed)]]>https://entra.news/p/5-entra-id-updates-you-cant-affordhttps://entra.news/p/5-entra-id-updates-you-cant-affordSat, 04 Apr 2026 11:57:26 GMTMicrosoft just dropped a massive wave of features for Entra, and the rules of Tenant Governance have officially changed.

Join us as we talk to three world-class MVPs about their hands-on experience with the new Entra Backup and Recovery and Tenant Governance features.

Our Microsoft MVP guests Nathan McNulty, Ru Campbell, and Thomas Naunheim break down the most exciting new features in Microsoft Entra.

In this episode, we explore:

  • The “Shadow Tenant” Problem: One org found 700+ Entra tenants they didn’t know they had.

  • Version Control for Admins: Why “Difference Reports” are a total game-changer for troubleshooting.

  • Recovery Safeguards: How to protect your tenant from accidental deletions and “sneaky” background changes.

  • Backup & Recovery: The truth about Entra Backup vs. Third-Party ISV tools.

Subscribe with your favorite podcast player or watch on YouTube 👇

About The Guests

Nathan, Ru, and Thomas are highly experienced MVPs specializing in identity security, governance, and Microsoft Entra.

Nathan McNulty - LinkedIn - https://www.linkedin.com/in/nathanmcnulty/

Ru Campbell - LinkedIn - https://www.linkedin.com/in/rlcam/

Thomas Naunheim LinkedIn - https://www.linkedin.com/in/thomasnaunheim/

🔗 Related Links

  • Microsoft Entra Backup and Recovery Documentation - https://learn.microsoft.com/en-us/entra/backup/overview

  • Microsoft Entra Tenant Governance - https://learn.microsoft.com/en-us/entra/id-governance/tenant-governance/overview

  • Synced Passkeys - https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-passkeys-fido2

  • Microsoft Work IQ CLI (Public Preview) - https://learn.microsoft.com/en-us/microsoft-365/copilot/extensibility/workiq-overview

  • Playwright https://playwright.dev/

  • Entra Auth Tracer (Chrome Extension) - https://github.com/darrenjrobinson/EntraAuthTracer

  • Unified Risk Score - https://learn.microsoft.com/en-us/defender-xdr/investigate-users#risk-score-tab-preview

📗 Chapters

00:00 Intro to New Entra Features

02:04 Entra Backup and Recovery Deep Dive

10:41 Difference Reports Explained

15:54 Intro to Tenant Governance

23:34 Managing Multi-Tenant Organizations

33:31 Conditional Access Optimization Agent

36:55 The Great Passkey Debate

47:22 Retirements: SP-less Auth & ACS for SharePoint

48:46 Unified Risk Score in Defender

52:38 MVP Tips of the Week

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]><![CDATA[Entra 🆔 News #142 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-142-this-week-in-microsofthttps://entra.news/p/entra-news-142-this-week-in-microsoftSun, 29 Mar 2026 12:15:56 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

The big news this week is the official launch of Entra Backup and Recovery and Entra Tenant Governance, along with new updates to the CA Optimization Agent.

There’s an upcoming change that may impact applications using Microsoft Graph app-only permissions. Check out the blog post Designing for Eventual Consistency for more details.

Don’t forget to catch up on this week’s Entra Chat podcast with Emilien Socchi, where we dig into two of his interesting projects.

Enjoy!

Sponsored by:

User Lifecycle: Onboard and Offboard With a Single CmdLet

Fact: Managing hybrid users across AD, Entra ID, and Exchange Online is a breeding ground for missed steps and security gaps - from day one to last day.

EasyEntra’s PowerShell-enabled workflows handle the entire lifecycle:

🚀 Onboard a fully provisioned user in 30 seconds - UI or two-parameter CmdLet.
🚀 Templates defined from existing users in seconds.
🚀 Offboard completely in 10 seconds - UI or single CmdLet.
🚀 Offboarding settings configured once, applied consistently every time.
🚀 Delegate life-cycle management to first-line support - no senior PowerShell skills or tribal knowledge required.

Start your 30-day trial or book a demo - setup takes under a minute - free for tenants with fewer than 25 licensed users.

“It feels almost like a revolution.”
Head of IT, Arjeplog Municipality, Sweden

Wait… One CmdLet?

⚡️ Microsoft

🏆 General Availability

🔥 Public Preview

📖 Read

🗣️ Message Center

From the community…

🚀 Most popular posts from last week

☀️ Learn

👩‍✈️ AI & Copilot

💳 Verified ID

⛑️ ID Protection

📦 Apps

🫆 Authentication

🤖 DevOps & PowerShell

🚦 Conditional Access

🖥️ Devices

🏙️ External ID - Guests & Multi-Tenant Organizations

🥷 Security

♻️ Sync

📒 Tenant Configuration

🛍️ External ID - Customers

👨🏽‍💻 Merill’s corner

Entra.News - Your weekly dose of Microsoft Entra is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[Finding Every MFA Gap: Testing 250 Million Conditional Access Combinations in Under 20 Minutes]]>https://entra.news/p/finding-every-mfa-gap-testing-250https://entra.news/p/finding-every-mfa-gap-testing-250Sat, 28 Mar 2026 10:45:12 GMTEmilien Socchi, Cloud Security Research Engineer at Storebrand, joins us to discuss CA Insight and AZTier.

Two open-source tools Emilien built to find gaps in Conditional Access policies and categorize Azure/Entra roles based on attack paths.

Learn how CA Insight evaluates 250 million sign-in combinations offline in minutes instead of days, why the What If API doesn't scale, and how AZTier helps defenders and pen testers understand privilege escalation risks across Entra ID, Azure, and Microsoft Graph.

Together, these projects help security teams move from reactive log monitoring to a proactive defense strategy.

What’s Breaking and Slowing Your Entra ID Environment?

In Microsoft Entra ID, the same visibility gaps cause two problems:

  • Things break

  • Work slows down

Expired client secrets disrupt integrations. Certificates lapse and authentication fails. New apps appear with excessive permissions and no clear ownership. At the same time, teams struggle to answer basic questions, which applications have access to Microsoft 365 data, whether that access is still required, and who is responsible for it.

When answers are not immediate, reviews stall and projects slow down.

ENow App Governance Accelerator Credential Guard helps identify expiring credentials and expose permission and ownership gaps.

For organizations under 10,000 users, pricing ranges from $3,500 to $9,500 annually through March 31, 2026.

Find App Access Gaps

Subscribe with your favorite podcast player or watch on YouTube 👇

About Emilien Socchi

Emilien Socchi is a Cloud Security Research Engineer at Storebrand (Oslo, Norway) focusing on the proactive discovery of security issues. With an extensive background in application and cloud penetration testing, Emilien has published practical research and tooling used by defenders. He also maintains several open‑source projects, including Azure administrative tiering models and Entra ID role‑monitoring utilities.

LinkedIn - https://www.linkedin.com/in/emilien-socchi

🔗 Related Links

📗 Chapters

00:00 The Story Behind CA Insights

16:52 Why the ‘What If’ API Doesn’t Scale

21:09 Building an Offline Evaluation Engine

45:22 Deep Dive into AZTier: A Red Team Perspective

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]><![CDATA[Entra 🆔 News #141 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-141-this-week-in-microsofthttps://entra.news/p/entra-news-141-this-week-in-microsoftSun, 22 Mar 2026 13:08:10 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

With the RSA Conference around the corner, we’ve had some major Entra-related announcements this week.

The biggest new features just announced are the Microsoft Entra Backup and Recovery service and the Entra Tenant Governance feature.

Microsoft also introduced a new AI pillar in their Zero Trust Workshop, along two new (Data and Networking) pillar additions to the Zero Trust Assessment. This now includes a range of automated tests to verify your Entra Private Access and Internet Access configurations.

Don’t forget to add this week’s Entra Chat podcast to your queue. Darren has plenty of tricks up his sleeve when it comes to Entra Provisioning Services, making this a great opportunity to learn from a true expert.

Enjoy!

⚡️ Microsoft

🔥 Public Preview

📖 Read

🗣️ Message Center

From the community…

🚀 Most popular posts from last week

Sponsored by:

What’s Slowing Decisions in Your Entra ID Tenant?

In Microsoft Entra ID environments, application sprawl and uncertainty slow decisions, not just visibility. Hundreds of enterprise applications and service principals with persistent OAuth permissions and unclear ownership make it difficult to answer basic questions. Which apps have access to Microsoft 365 data? Is that access still justified? Who owns it?

When those answers are not immediate, reviews take longer, approvals stall, projects slow down, and your team is seen as a blocker rather than a technology enabler.

ENow’s AppGov Score provides a clear view of permission risk, consent practices, and ownership gaps across your tenant. With that visibility, teams can make faster decisions, reduce unnecessary access, and keep work moving without added risk.

Find App Access Blockers

☀️ Learn

👩‍✈️ AI & Copilot

🧰 Workload ID

👮‍♂️ ID Governance

🌐 Private Access & Internet Access (GSA)

📦 Apps

  • 🛠️ Privileged App Path Auditor - Audit Entra ID for privilege escalation paths through application permissions, role assignments, and app ownership • Nicolas Blank

🫆 Authentication

🤖 DevOps & PowerShell

🚦 Conditional Access

🖥️ Devices

🏙️ External ID - Guests & Multi-Tenant Organizations

📈 Reporting and Insights

🥷 Security

♻️ Sync

📒 Tenant Configuration

🛍️ External ID - Customers

⚒️ Toolkit

👨🏽‍💻 Merill’s corner

Thanks for reading Entra.News - Your weekly dose of Microsoft Entra! This post is public so feel free to share it.

Share

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[From FIM/MIM to Cloud Sync: Complete Identity Journey with Australia’s Top Identity MVP Darren “Doc” Robinson]]>https://entra.news/p/from-fimmim-to-cloud-sync-completehttps://entra.news/p/from-fimmim-to-cloud-sync-completeSat, 21 Mar 2026 11:14:31 GMTDarren Robinson, Identity and Zero Trust Strategy and Architecture Capability Lead at Increment, shares his extensive experience in identity governance and administration.

In this episode Merill sits down with Darren “Doc” Robinson – Microsoft MVP since 2017, former SailPoint Ambassador and one of Australia’s most experienced identity architects.

Darren takes us on a 25+ year journey from Novell networks to modern Microsoft Entra ID, reveals why he’s building custom ECMA2 connectors, and shares the exact PowerShell tools he just open-sourced (Granfeldt uplift, ECMA2 Host Tools, Provision On-Demand module).

We also compare Entra ID Governance vs SailPoint and dive into his latest obsession: MCPs for Entra News and personal AI agents.

Whether you’re migrating legacy apps or levelling up your IGA strategy, this episode is pure gold.

Sponsored by CoreView:


Would you bet your reputation on your current Microsoft 365 security posture?

Sure, you’ve checked Purview. Maybe tightened Conditional Access. We all do that.

But it’s usually the quiet stuff that bites... permissions that expanded, policies that drifted, exceptions nobody revisited.

You could assume it’s fine.

Or you could run the Microsoft 365 Security Posture Check.

It’s free.

It runs locally.

And no, it doesn’t send your tenant data back to us.

We’ll even help you set it up.

Get yours here

Subscribe with your favorite podcast player or watch on YouTube 👇

About Darren Robinson

Darren is highly accomplished in digital identity and cybersecurity specialising in Identity & Access Management for over three decades. Darren is renowned for driving Digital Identity innovation, building global offerings, and leading high-impact teams to deliver cutting-edge solutions that enhance security posture, operational efficiency, and business value.

🔗 Related Links

In this episode…

1. Understanding the “Metaverse”

The foundation of Microsoft’s identity strategy dates back to the acquisition of Zoomit in 2000. This introduced the Metaverse—not a VR world, but a “hologram” or central representation of a user that exists across multiple systems like SQL databases and LDAP directories. By correlating these identities into one object, organizations can maintain consistency across a fragmented environment.

2. The Modern Bridge: ECMA and SCIM

As organizations move to the cloud, the “heavy” sync engines like MIM (Microsoft Identity Manager) are being replaced by Entra Cloud Sync. The modern approach uses:

  • A Light Shim: A small on-premises component that acts as a member of the domain.

  • SCIM Instructions: The Entra provisioning service sends instructions via the SCIM protocol to this shim.

  • ECMA Connectors: The Extensible Connector Management Agent (ECMA) translates these cloud instructions into a language legacy on-prem apps can understand, such as SQL or Oracle updates.

3. Scaling with PowerShell 7

One of the biggest hurdles in legacy identity management was performance. Darren Robinson recently uplifted the popular Granfeldt PowerShell Management Agent to support PowerShell 7. This update allows for:

  • 64-bit Processing: Handling larger datasets with ease.

  • Parallelism: Sending multiple identity updates in parallel rather than waiting for individual “gets,” significantly speeding up sync times.

4. Managing the “Cache”

A common pain point for administrators is the lack of visibility into the ECMA host cache. To solve this, Darren developed a new module that allows practitioners to programmatically query the cache, back up configurations, and document every connector and parameter in the system.

Key Takeaway: Whether you are migrating from legacy solutions like Novell or managing a complex hybrid Entra environment, the goal remains the same: automated, secure, and visible identity lifecycles.

📗 Chapters

00:00 Intro

02:22 The Evolution of Directory Services and Synchronization

08:05 Understanding Sync Engines and the Metaverse

14:45 Modern Identity Provisioning with Entra

17:39 Developing Custom PowerShell ECMA Connectors

20:53 Automating Provisioning with New PowerShell Modules

28:53 The Current Landscape of Identity Governance

31:37 Solving the Disconnected Apps Challenge

35:46 Exploring Model Context Protocol (MCP)

45:34 Leveraging Local AI and LLMs for Identity Tasks

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]><![CDATA[Entra 🆔 News #140 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-140-this-week-in-microsofthttps://entra.news/p/entra-news-140-this-week-in-microsoftSun, 15 Mar 2026 10:26:47 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

This week brings another step forward in the journey toward phishing-resistant identity. Make sure to check the latest Message Center update on passkey profiles and registration, which includes new details about upcoming changes to passkey registration. There’s also big news around the new Microsoft 365 E7 license, which now includes the Entra Suite.

There’s plenty from the community as well. One highlight is the Entra News MCP Server created by fellow Aussie Darren ‘Doc’ Robinson, an incredibly useful way to tap into the collective knowledge of the Microsoft Entra community.

Finally, I caught up with Richard Hicks for the Entra Chat podcast. Having worked through every major era of remote access, from DirectAccess and Always On VPN to Microsoft Entra Private Access, Richard shares the hard-earned lessons he’s learned helping enterprises modernize their VPN strategy. Definitely one to add to your podcast listening queue! 🎧

Enjoy!

Sponsored by:

User Lifecycle: Onboard and Offboard With a Single CmdLet

Fact: Managing hybrid users across AD, Entra ID, and Exchange Online is a breeding ground for missed steps and security gaps - from day one to last day.

EasyEntra’s PowerShell-enabled workflows handle the entire lifecycle:

🚀 Onboard a fully provisioned user in 30 seconds - UI or two-parameter CmdLet.
🚀 Templates defined from existing users in seconds.
🚀 Offboard completely in 10 seconds - UI or single CmdLet.
🚀 Offboarding settings configured once, applied consistently every time.
🚀 Delegate life-cycle management to first-line support - no senior PowerShell skills or tribal knowledge required.

Start your 30-day trial or book a demo - setup takes under a minute - free for tenants with fewer than 25 licensed users.

“It feels almost like a revolution.”
Head of IT, Arjeplog Municipality, Sweden

Wait… One CmdLet?

⚡️ Microsoft

🏆 General Availability

🔥 Public Preview

📖 Read

📺 Watch

🗣️ Message Center

📆 Upcoming Events

Microsoft Security Webinars

From the community…

🚀 Most popular posts from last week

Sponsored by:

Benchmark Your Entra App Governance

Enterprise applications and service principals accumulate rapidly in Microsoft Entra ID. Over time, many retain OAuth permissions and access to corporate data without clear ownership or regular review.

This creates a growing governance gap. Administrators often lack visibility into which applications hold high-risk permissions and whether those permissions are still justified.

ENow AppGov Score evaluates your Entra ID application environment against 24 governance checks and benchmarks your governance posture. Identify risky permissions, orphaned apps, role assignments, and credential risks that require review. Get your AppGov Score to see where your environment stands and access free community resources for practical guidance. 🛡️🔍

Access Your Score

☀️ Learn

👩‍✈️ AI & Copilot

🌐 Private Access & Internet Access (GSA)

📦 Apps

🫆 Authentication

👥 User & Group Management

🚦 Conditional Access

🖥️ Devices

🏙️ External ID - Guests & Multi-Tenant Organizations

📈 Reporting and Insights

🥷 Security

♻️ Sync

📒 Tenant Configuration

🛍️ External ID - Customers

⚒️ Toolkit

🎙️ Podcasts

👨🏽‍💻 Merill’s corner

New homepage in the unified portal for myaccount.microsoft.com

Microsoft just made a big improvement to the end-user identity experience.

The new homepage in the unified portal for myaccount.microsoft.com is now in public preview.

For the first time, users have a single front door for identity tasks.

Instead of navigating multiple pages, the homepage brings everything together

graphical user interface, text, email

Entra.News - Your weekly dose of Microsoft Entra is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[How to Migrate from Legacy VPNs to Entra Private Access (Real Strategies from a Veteran)]]>https://entra.news/p/how-to-migrate-from-legacy-vpns-tohttps://entra.news/p/how-to-migrate-from-legacy-vpns-toSat, 14 Mar 2026 07:45:29 GMTRichard Hicks wrote the book on DirectAccess. Then he wrote the one on Always On VPN. Now he’s here to tell you it’s time to move on from both (and other legacy VPNs). Over the last two years, Richard has helped numerous enterprise customers navigate the shift from legacy VPN to Microsoft Entra Private Access, and he’s collected some hard-learnt lessons along the way that most migration guides won’t tell you.

In this episode, Richard - enterprise security consultant and early Entra Private Access insider - breaks down why traditional VPN is fundamentally broken for today’s threat landscape, how Entra Private Access works under the hood, and the exact crawl-walk-run playbook he uses to migrate enterprise customers without disruption. Plus: his hot take on the Microsoft E7 announcement and why it just changed the pricing conversation forever.

In this episode you’ll learn:

  • Why your VPN tunnel is a security liability — and how a single compromised device can expose your entire corporate network

  • How Entra Private Access works differently to traditional VPN, and why that architectural shift matters for security

  • The “Quick Access” migration strategy that lets you get off legacy VPN fast, without locking everything down on day one

  • How to deploy the Global Secure Access client alongside your existing VPN — so you can migrate field-based workers without a single disconnection

  • What most teams get wrong about the Entra Private Network Connector — and the scaling pitfalls that catch enterprises off guard

  • Why Conditional Access knowledge, not connectivity, is the real key to a successful zero trust migration

  • The current limitations of Entra Private Access and how to plan around them

  • We also discuss the new ‘E7’ which includes Entra Private Access

Subscribe with your favorite podcast player or watch on YouTube 👇

About Richard Hicks

Richard Hicks is the founder and principal consultant at Richard M. Hicks Consulting, Inc. A Microsoft Most Valuable Professional (MVP) with more than 30 years of experience implementing secure remote access and public key infrastructure (PKI) solutions, he is a widely recognized enterprise mobility and security infrastructure expert sought after by organizations worldwide. His mission is to help companies provide visibility, control, and assurance for their field-based users and devices, ensuring the highest level of security and productivity for today’s highly mobile workforce.

LinkedIn - https://www.linkedin.com/in/richardhicks/

🔗 Related Links

📗 Chapters

00:00 Intro

01:10 The History of Direct Access and Always On VPN

05:59 Transitioning to Zero Trust and Entra Private Access

11:34 Seamless Side-by-Side VPN Migration

17:37 Using Quick Access to Kickstart Zero Trust

23:43 Changing Mindsets: Identity over IP Addresses

27:55 The New Zero Trust Network Assessment Tool

29:17 Avoiding Pitfalls with the Entra Private Network Connector

33:11 Feature Wishlist: IPv6 and Process Binding

38:46 Hot Takes on the New Entra E7 Suite

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]><![CDATA[Entra 🆔 News #139 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-139-this-week-in-microsofthttps://entra.news/p/entra-news-139-this-week-in-microsoftSun, 08 Mar 2026 13:53:21 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

It’s been a busy week in the Entra community — with new GA and Public Preview features, a flurry of Message Center updates, handy community tools, and much more.

Below is a visual snapshot of this week’s highlights.

🎙️ Also, don’t miss this week’s podcast episode with Nathan McNulty and Daniel Bradley, where we dive into the latest features and upcoming changes.

Enjoy!

Sponsored by:

Would you bet your reputation on your current Microsoft 365 security posture?

Sure, you’ve checked Purview. Maybe tightened Conditional Access. We all do that.

But it’s usually the quiet stuff that bites... permissions that expanded, policies that drifted, exceptions nobody revisited.

You could assume it’s fine.

Or you could run the Microsoft 365 Security Posture Check.

It’s free.

It runs locally.

And no, it doesn’t send your tenant data back to us.

We’ll even help you set it up.

Get yours here:

⚡️ Microsoft

🏆 General Availability

🔥 Public Preview

📖 Read

📺 Watch

🗣️ Message Center

📆 Upcoming Events

From the community…

🚀 Most popular posts from last week

☀️ Learn

👩‍✈️ AI & Copilot

🧰 Workload ID

🌐 Private Access & Internet Access (GSA)

📦 Apps

🫆 Authentication

👥 User & Group Management

🤖 DevOps & PowerShell

🚦 Conditional Access

🔐 Credential Management

🖥️ Devices

🏙️ External ID - Guests & Multi-Tenant Organizations

🥷 Security

📒 Tenant Configuration

⚒️ Toolkit

🔥 Maester

👨🏽‍💻 Merill’s corner

Entra.News - Your weekly dose of Microsoft Entra is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[Passkeys, Conditional Access, Hard-match updates, GSA BYOD: What Entra Admins Need To Know]]>https://entra.news/p/passkeys-conditional-access-hardhttps://entra.news/p/passkeys-conditional-access-hardSat, 07 Mar 2026 13:38:51 GMTI am back home in Melbourne today, and joining me are Nathan McNulty from Alaska and Daniel Bradley from the UK as we dive into all the massive Entra updates that dropped last month. We are breaking down the controversial shift to syncable passkeys , why your Conditional Access policies might suddenly start blocking apps , and the absolute necessity of moving privileged accounts away from on-prem AD. We’re also geeking out over some incredible new Global Secure Access (GSA) features and how AI is completely transforming the way we work with Graph API. You won’t want to miss the under-the-radar changes that could impact your tenant’s security architecture overnight.

Here’s a quick overview of all the topics we covered in this episode (links below).

Sponsored by:

Scan, Score, and Secure Your Applications in Entra

Application identities represent one of the largest attack surfaces in Entra and are often among the least consistently governed. AppGov Score helps IT and Security teams understand where risk exists. The 24-check assessment evaluates Entra ID application integrations against Microsoft-recommended governance practices, analyzing:

  • App registrations and enterprise apps for excessive permissions

  • Expired or unmanaged secrets

  • Ownerless apps

  • Risky consent grants, and

  • Privileged service principals

Results are delivered as a clear, defensible risk score with actionable findings. No scripts. No manual inventory. Just a fast, read-only scan that reveals app sprawl, identity misconfigurations, and blast radius so you can prioritize remediation and strengthen your security posture with confidence.

Scan Your Tenant – No Cost

Subscribe with your favorite podcast player or watch on YouTube 👇

About Nathan McNulty

Senior Security Solutions Architect at Patriot Consulting and Microsoft MVP in security. Nathan is the practice lead for identity and has extensive experience with endpoint deployments and everything Entra.

LinkedIn - https://www.linkedin.com/in/nathanmcnulty/

About Daniel Bradley

Senior Solution Architect for CDW down in the UK and an MVP in Identity Security and M365 for Graph API. Daniel specializes in pre-sales, mergers, acquisitions, and the highly technical migration space.

LinkedIn - https://www.linkedin.com/in/danielbradley2/

🔗 Related Links

📗 Chapters

03:01 Syncable Passkeys & Registration Changes

18:10 Conditional Access Policy Updates

26:35 Blocking Hard Match for Privileged Roles

35:42 External Authentication Methods GA

43:04 Lifecycle Workflows & Admin Units

48:01 Global Secure Access (GSA) BYOD Preview

53:06 New My Account Portal & Authenticator Updates

58:43 AI Skills & Automating Graph API

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]><![CDATA[Entra 🆔 News #138 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-138-this-week-in-microsofthttps://entra.news/p/entra-news-138-this-week-in-microsoftSun, 01 Mar 2026 11:28:13 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

I’m finally back in Melbourne after an incredible week at Experts Live Denmark in Copenhagen. As Rod Trent beautifully put it in his latest post, it truly felt like a “Tech Family Reunion Like No Other.”

The highlight for me wasn’t just the tech, it was the people. There is something so special about finally shaking hands with folks I’ve only ever known through LinkedIn, Twitter/X, and blog posts. Turning those digital handles into real-world friendships is what makes this community so vibrant.

A massive shoutout to Morten Knudsen and his entire team for organizing such a seamless and high-energy event.

The Gift for You: Open-Source Labs 🔓

I had the honor of hosting a one-day Identity Masterclass with MVPs Thomas, Jan, Klaus, and Pim. We didn’t want the learning to stay in the room, so we’ve open-sourced our labs! You can find the links and hear the behind-the-scenes stories in this week’s Entra Chat podcast.

Let’s get into it ⚡️

Enjoy!

Sponsored by:

Hybrid User Onboarding: One CmdLet – Two Parameters

Fact: Hybrid user onboarding across AD, Entra ID, and Exchange Online is time-consuming and error-prone.

EasyEntra’s new Invoke-EECreateHybridUserFromTemplate CmdLet changes that:

🚀 One command creates a fully provisioned hybrid user in ~30 secs.
🚀 Just two parameters: DisplayName and TemplateName.
🚀 Templates are defined from existing users with an intuitive UI in seconds.
🚀 Schedule onboarding in advance or bulk-create users with a one-liner.
🚀 EasyEntra is free for tenants with fewer than 25 licensed users.

No more context switching between consoles. No more provisioning drift between new hires.
Just fast, consistent, automated onboarding from a single command.

“This product has been a miracle for our Helpdesk.”
Manager of IT Customer Support, Junior Achievement, United States

Learn More

⚡️ Microsoft

🔥 Public Preview

📺 Watch

🗣️ Message Center

From the community…

🚀 Most popular posts from last week

Sponsored by:

Scan, Score, and Secure Your Applications in Entra

Application identities represent one of the largest attack surfaces in Entra and are often among the least consistently governed. AppGov Score helps Entra & M365 teams understand where risk exists. The 24-check assessment evaluates Entra ID application integrations against Microsoft-recommended governance practices, analyzing:

  • App registrations and enterprise apps for excessive permissions

  • Expired or unmanaged secrets

  • Ownerless apps

  • Risky consent grants, and

  • Privileged service principals

Results are delivered as a clear, defensible risk score with actionable findings. No scripts. No manual inventory. Just a fast, read-only scan that reveals app sprawl, identity misconfigurations, and blast radius so you can prioritize remediation and strengthen your security posture with confidence.

Get Your Baseline Score

☀️ Learn

👩‍✈️ AI & Copilot

🧰 Workload ID

👮‍♂️ ID Governance

🌐 Private Access & Internet Access (GSA)

📦 Apps

🫆 Authentication

👥 User & Group Management

🤖 DevOps & PowerShell

🚦 Conditional Access

🔐 Credential Management

🖥️ Devices

🥷 Security

📒 Tenant Configuration

🛍️ External ID - Customers

⚒️ Toolkit

🎙️ Podcasts

🔥 Maester

👨🏽‍💻 Merill’s corner

Entra.News - Your weekly dose of Microsoft Entra is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[We Gave Away Our Microsoft Entra Masterclass Labs → Full Governance, Privileged Access & Agent ID Labs Walkthrough]]>https://entra.news/p/we-gave-away-our-microsoft-entrahttps://entra.news/p/we-gave-away-our-microsoft-entraSat, 28 Feb 2026 12:41:05 GMTHey folks, I have to start with a massive shout-out to Morten Knudsen and his entire team at Experts Live Denmark where I’m just returning from.

Organizing an event for over 1,200+ attendees is no small feat, and they pulled it off with incredible energy and precision. It was easily one of the most impressive community gatherings I’ve been a part of.

Amidst that massive crowd, I had the privilege of co-leading a deep-dive Identity Masterclass alongside four exceptional Microsoft MVPs: Jan Vidar Elven, Pim Jacobs, Thomas Naunheim, and Klaus Bierschenk.

We weren’t sure what to expect, but the response was overwhelming. We had over 120 dedicated attendees who stayed with us for the full 7-hour session - diving deep into the weeds of Entra ID, governance, privileged access, Agent ID and more. Instead of theory-heavy slides, we built a practical, end-to-end governance story.

Because we believe this knowledge should be accessible, we are now giving away the labs for free so everyone can skill up, learn, and implement these patterns in their own environments.

Here’s the core of what we covered, and what you will learn in this podcast walk through of the labs and what you can try out yourself today!

Links to GitHub repo and YouTube video below.

Sponsored by:

If you’re a systems administrator, you already know – patching is painful. It’s time-consuming, risky, and one small mistake can mean downtime. So, it gets postponed. Again. And again. What if patching was just… Easy?

Introducing Action1, a cloud-native patch management platform for Windows, macOS, Linux, and third-party apps. You’ll be up and running in five minutes. No infrastructure to maintain. No complexity.

And here’s the best part: you can use Action1 on your first 200 endpoints for free. Forever. No feature limits. No credit card. No hidden tricks. Seriously, It’s NOT a disguised free trial. Too good to be true? Too good and actually true! Check for yourself, go to: on.action1.com/entrachat

So, if you’re looking for an easy-to-use patching tool that would help you save weeks, if not months of your time, go to on.action1.com/entrachat and sign up for “Patching That Just Works”.

Sign up!

1️⃣ Inbound Provisioning: Start with a Source of Truth

Most identity problems start with one issue:

There is no clean, authoritative identity source.

We demonstrated how to use Inbound Provisioning in Entra to:

  • Accept identity payloads via Microsoft Graph

  • Create users in a disabled state

  • Capture attributes like hire date, leave date, department

  • Treat HR (or another system) as the lifecycle authority

Why this matters

If identities are manually created:

  • Joiners are inconsistent

  • Leavers are missed

  • Privileged accounts become orphaned

Inbound provisioning allows you to:

  • Standardize creation

  • Attach lifecycle automation immediately

  • Reduce manual admin overhead

Key concept:
Provision first. Enable later. Automate everything in between.

2️⃣ Lifecycle Workflows: Automate Joiner / Mover / Leaver

Once a user is provisioned, lifecycle workflows take over.

We implemented:

  • Pre-hire workflow

  • Day-one onboarding workflow

  • Post-onboarding actions

Triggers included:

  • Employee hire date

  • Creation time

  • Group membership

  • Attribute changes

Real-world onboarding pattern

  1. Account is created disabled

  2. Workflow enables the account at the correct time

  3. Temporary Access Pass (TAP) is generated

  4. TAP is sent securely

  5. Access is assigned automatically

This reduces:

  • Manual enablement

  • Helpdesk load

  • Security gaps

Design principle:
Automation should enforce timing — not people.

3️⃣ Privileged Account Design: Separate the Identities

We had a strong opinion in the session:

Admin accounts should be separate and cloud-only.

Why?

  • Syncing privileged accounts from on-prem introduces risk

  • HR systems should not directly control privileged identities

  • Governance features work best with cloud-native identities

We explored three creation patterns:

  1. Inbound provisioning for privileged accounts

  2. Access Packages (with auto-assignment or request model)

  3. Lifecycle workflows + custom Logic Apps

Each has trade-offs.

What matters most:
Privileged identities must be:

  • Separately authenticated

  • Phishing-resistant (FIDO2 or passkeys)

  • Independently governed

  • Linked for offboarding

4️⃣ Linking Identities for Investigation

One challenge in Entra:

There’s no native “this person owns these 3 accounts” view.

We explored identity linking in Microsoft Defender XDR, where:

  • Multiple accounts can be associated to one identity

  • Incident investigations become clearer

  • Privileged activity can be correlated with user context

This becomes critical during:

  • Compromise investigations

  • Insider threat analysis

  • Lateral movement tracking

Security takeaway:
If you can’t correlate identities, you can’t fully investigate them.

5️⃣ Backup & Restore: The Truth About Entra

There is no traditional backup system in Entra.

Instead, you have:

  • Soft-delete (with recycle bin)

  • Hard-delete (irreversible)

  • API-based recovery

  • Configuration export strategies

We discussed:

  • Protecting deleted items with Protected Actions

  • Using Conditional Access to restrict destructive operations

  • Exporting configuration JSON regularly

  • Monitoring configuration drift

Reality:
If you aren’t exporting your tenant configuration, recovery becomes manual and painful.

Governance is not just about creation — it’s about resilience.

6️⃣ Protected Actions + Conditional Access

A powerful but underused feature:

Protected Actions.

You can require Conditional Access enforcement before allowing:

  • Hard deletes

  • Sensitive configuration changes

Example:

  • Only allow permanent deletion from a compliant device

  • Only allow from a trusted location

  • Require phishing-resistant authentication

Even Global Admins must pass policy.

Security mindset shift:
Admin role ≠ unlimited ability.

7️⃣ Agent ID & Blueprints: The Future of Identity for AI

We also explored Agent ID — one of the newer capabilities in Entra.

Why not just use a service principal?

Because agents:

  • Need stronger guardrails

  • Must support per-user instances

  • Require conditional access enforcement

  • Must be auditable at scale

Blueprints allow:

  • A parent definition of permissions

  • Individual agent instances per user

  • Centralized governance over many agents

As AI agents scale, identity must scale securely with them.

Forward-looking insight:
Agent governance will soon be as important as user governance.

8️⃣ Design Philosophy Behind the Lab

The entire masterclass was built around one principle:

Identity is a lifecycle, not a login.

We covered:

Provision → Enable → Assign → Elevate → Monitor → Protect → Offboard → Recover

If any step is manual, inconsistent, or undocumented — risk increases.

The labs give you a complete pattern you can implement in your own tenant.

🎯 What You Should Do Next

  1. Watch/listen to the full podcast where we walk you through the labs.

  2. Go try out the labs at github.com/IdentityMan/MasterclassELDK26 in your own tenant.

Subscribe with your favorite podcast player or watch on YouTube 👇

About us

🔗 Related Links

📗 Chapters

00:00 Intro

00:50 Open Sourcing the Entra Lab

03:42 Entra ID Inbound Provisioning

08:05 Lifecycle Workflows and Governance

10:57 Securing Privileged Admin Accounts

16:21 Offboarding and Linked Identities

19:51 Sponsor: ActionOne

21:02 Entra ID Backup, Restore & Protected Actions

26:08 Exploring Agent ID and Blueprints

30:28 How to Access the Open Source Lab

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]><![CDATA[Entra 🆔 News #137 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-137-this-week-in-microsofthttps://entra.news/p/entra-news-137-this-week-in-microsoftSun, 22 Feb 2026 16:32:35 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news in Microsoft Entra from around the globe 🌍

This edition is coming to you from Copenhagen, Denmark 🇩🇰 where I’m spending the week at Experts Live Denmark. I’m looking forward to catching up with the incredible Entra community here and hearing how organizations across the region are approaching identity and device modernization.

In this week’s Entra Chat, I sat down with Michael and Prem to unpack how large enterprises are moving to cloud-native devices using Entra Join and Intune and what it really takes to make that transition successful at scale.

Enjoy!

⚡️ Microsoft

🔥 Public Preview

📺 Watch

From the community…

🚀 Most popular posts from last week

☀️ Learn

👩‍✈️ AI & Copilot

🧰 Workload ID

⛑️ ID Protection

👮‍♂️ ID Governance

📦 Apps

🫆 Authentication

👥 User & Group Management

🤖 DevOps & PowerShell

🚦 Conditional Access

🖥️ Devices

🥷 Security

♻️ Sync

📒 Tenant Configuration

🛍️ External ID - Customers

⚒️ Toolkit

👨🏽‍💻 Merill’s corner

Entra.News - Your weekly dose of Microsoft Entra is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[They migrated 40,000 devices to Entra Join in 9 months]]>https://entra.news/p/they-migrated-40000-devices-to-entrahttps://entra.news/p/they-migrated-40000-devices-to-entraSat, 21 Feb 2026 09:47:07 GMTWhat does it take to migrate 40,000 devices to a cloud-native environment in a massive, complex enterprise? For most IT leaders, the prospect of moving away from 20 years of legacy infrastructure is enough to cause a sleepless night.

In our latest episode of Entra Chat, we sat down with enterprise veterans Michael Brunker and Prem Kothandapani to deconstruct their recent, massive rollout. They successfully converted nearly 40,000 devices from on-premises Active Directory to Entra Joined in just nine to ten months—all with a lean team of 10–15 people.

Here are the high-stakes lessons they learned from the trenches of modern management.

The “Nuclear Option”: Cleaning Up 20 Years of GPO Debt

One of the most controversial decisions the team made was what they called the “nuclear option” regarding Group Policy Objects (GPOs). Instead of porting over decades of legacy policies that no one fully understood, they chose to start from scratch.

By building a new security baseline from the ground up in Intune, they ensured the new environment was clean, modern, and free from the “stale” configurations that often plague legacy estates.

Killing the “VPN Tax”

For the end user, the primary driver for this migration was a radically improved experience. In a cloud-native world, the dependency on legacy VPN technology disappears.

  • Work from Anywhere: Users can sign on and get access without the friction of starting a VPN or worrying about office cabling.

  • Security at the Edge: Moving to Entra ID shrinks the attack surface by removing devices as a direct entry point to your core on-prem Active Directory.

Sponsored by:

If you’re a systems administrator, you already know – patching is painful. It’s time-consuming, risky, and one small mistake can mean downtime. So, it gets postponed. Again. And again. What if patching was just… Easy?

Introducing Action1, a cloud-native patch management platform for Windows, macOS, Linux, and third-party apps. You’ll be up and running in five minutes. No infrastructure to maintain. No complexity.

And here’s the best part: you can use Action1 on your first 200 endpoints for free. Forever. No feature limits. No credit card. No hidden tricks. Seriously, It’s NOT a disguised free trial. Too good to be true? Too good and actually true! Check for yourself, go to: on.action1.com/entrachat

So, if you’re looking for an easy-to-use patching tool that would help you save weeks, if not months of your time, go to on.action1.com/entrachat and sign up for “Patching That Just Works”.

Sign up now!

The “Gnarly” Problems: What Breaks First?

Success wasn’t just about the big picture; it was about mastering the “fundamental basic building blocks”. Michael and Prem highlighted several technical hurdles that can derail a migration if not handled early:

  • The Proxy Trap: Many organizations fail to update their proxy server allow-lists with the specific Microsoft URLs required for cloud authentication.

  • App Authentication: Moving from Kerberos-based device auth to OAuth and modern cloud flows requires rigorous testing across different “personas,” such as front line workers versus corporate office users.

The Secret to Scaling: Small Teams, Big Strategy

Perhaps the most surprising takeaway was that a project of this scale didn’t require an army. By focusing on a “small team” of highly skilled engineers and dedicated communications experts, they maintained momentum and avoided “stop-start” migration fatigue.

Want to hear the full technical breakdown, including how they handled zero-downtime requirements for front line workers?

Subscribe with your favorite podcast player or watch on YouTube 👇

About Michael Brunker

Michael Brunker has approaching 40 years in the IT industry and has operated as an enterprise architect across major organizations like BP, Woodside, and Telstra.

LinkedIn - https://www.linkedin.com/in/michaelbrunker/

About Prem Kothandapani

Prem Kothandapani is an EndPoint Architect with over 14 years of experience in endpoint computing and major migrations, having worked at NBN, Australian Unity, and Telstra.

LinkedIn - https://www.linkedin.com/in/premnath-kothandapani-41744153/

📗 Chapters

00:00 Cloud-Native Device Management

02:58 The True Cost of Legacy Infrastructure

07:47 Moving to Modern Management

11:13 The Blueprint for a 40,000 Device Migration

20:07 Handling Complex App Dependencies

28:07 Crafting a Seamless User Migration Experience

33:28 Automating with Graph API and Autopilot

43:09 Avoiding the Co-Management Trap

55:01 The New Starter Experience

57:24 Migration Velocity and Lessons Learned

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]><![CDATA[Entra 🆔 News #136 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-136-this-week-in-microsofthttps://entra.news/p/entra-news-136-this-week-in-microsoftSun, 15 Feb 2026 08:56:24 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

The End of an Era: Alex Simons is Retiring

The biggest news this week is that Alex Simons, who has led the Entra product team for years, announced his retirement from Microsoft.

It’s hard to overstate Alex’s impact. While many have contributed to the org over the years, if there is one person who truly shaped and molded Entra into what it is today, it’s him. From fostering the unique culture of the Identity team to serving as the primary face of the brand, Alex is one of those rare “unicorns” who did it all. His passion for the product and the customer never wavered. Even in his final month, I saw him personally reviewing docs and proposals for the standards specs we are contributing toward Agentic AI.

I’ve even heard that my own team, the Microsoft Identity Customer Experience Engineering (CxE) org, was something he personally championed to create.

To give you an idea of his “customer-obsessed” mindset: back in 2017, long before I joined Microsoft, I started following Alex on Twitter. Out of the blue, he sent me a DM offering to help if I ever ran into trouble with Azure AD. That wasn’t an anomaly; it was the culture he built. While we’re sad to see him go, please join us in wishing him incredible fun and success in his “second career” as a volleyball coach! 🏐

A Piece of Entra Lore

Fun fact: Did you know there is a tweet memorializing the actual birth of Azure Active Directory (now Entra ID) by Alex himself? I can’t believe it’s now February 2026, 13 years later, and that historic post only has one like!

Let’s change that. Go smash the like button on it and become a part of Entra ID history!

This Week on Entra Chat

We tried something a little different this week. Ewelina Paczkowska and Daniel Bradley joined me to count down the top five Entra stories of the month, including some critical changes admins need to prep for right now.

I’m planning to do this monthly wrap-up moving forward. Watch the episode and let me know what you think!

Enjoy!

Sponsored by:

Hybrid User Onboarding: One CmdLet – Two Parameters

Fact: Hybrid user onboarding across AD, Entra ID, and Exchange Online is time-consuming and error-prone.

EasyEntra’s new Invoke-EECreateHybridUserFromTemplate CmdLet changes that:

🚀 One command creates a fully provisioned hybrid user in ~30 secs.
🚀 Just two parameters: DisplayName and TemplateName.
🚀 Templates are defined from existing users with an intuitive UI in seconds.
🚀 Schedule onboarding in advance or bulk-create users with a one-liner.
🚀 EasyEntra is free for tenants with fewer than 25 licensed users.

No more context switching between consoles. No more provisioning drift between new hires.
Just fast, consistent, automated onboarding from a single command.

“This product has been a miracle for our Helpdesk.”
Manager of IT Customer Support, Junior Achievement, United States

Learn More

⚡️ Microsoft

🔥 Public Preview

📺 Watch

From the community…

🚀 Most popular posts from last week

Sponsored by:

Live Entra Webinar: Application Security Roadmap

[ Feb 25, 2026 | 1 PM ET ] Most organizations know they have application risk in Entra ID. Far fewer know where to start, what to prioritize, or how to operationalize governance without slowing the business. In this expert-led session we’ll lay out a practical, phased roadmap for securing applications in Entra ID. You’ll learn:

  • How to inventory and classify applications by risk, access, and business impact

  • How to apply least privilege and lifecycle ownership to apps at scale

  • A realistic roadmap for reducing app attack surface without breaking integrations

This webinar is designed for teams who are past awareness and ready for execution. Join us to build a roadmap toward continuous control in Entra. All registrants will receive the recording.

Register Now

☀️ Learn

👩‍✈️ AI & Copilot

⛑️ ID Protection

👮‍♂️ ID Governance

🌐 Private Access & Internet Access (GSA)

📦 Apps

🫆 Authentication

🤖 DevOps & PowerShell

🚦 Conditional Access

🖥️ Devices

🏙️ External ID - Guests & Multi-Tenant Organizations

🥷 Security

📒 Tenant Configuration

🛍️ External ID - Customers

🔥 Maester

Entra.News - Your weekly dose of Microsoft Entra is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[Microsoft Is Auto-Enabling Passkeys in March 2026]]>https://entra.news/p/microsoft-is-auto-enabling-passkeyshttps://entra.news/p/microsoft-is-auto-enabling-passkeysSat, 14 Feb 2026 09:00:12 GMTMarch 2026 is shaping up to be one of the most important months for Microsoft Entra ID administrators in recent memory.

Microsoft is automatically enabling passkey profiles in Entra ID, and if you don’t configure them yourself, your tenant will be migrated with default settings.

In this episode of Entra Chat, I sat down with Microsoft Security MVPs Daniel Bradley and Ewelina Paskowska to break down what this really means for Microsoft 365 administrators.

But passkeys aren’t the only story this month.

1️⃣ Passkey Profiles Are Becoming the Default

Starting March 2026:

  • Passkey profiles will be auto-enabled

  • Tenants that haven’t configured profiles will be migrated

  • Registration campaigns will shift from Authenticator-first to passkey-first

This is a major shift toward phishing-resistant authentication.

You’ll now be able to:

  • Separate hardware-backed vs synced passkeys

  • Apply granular group-based controls

  • Enforce stronger authentication for privileged users

2️⃣ Source of Authority Conversion Is Finally GA

For years, admins used messy delete-and-restore hacks to convert synced users to cloud-only.

Now it’s officially supported.

You can convert individual users from on-premises authority to cloud-managed — without breaking hybrid entirely.

Why this matters:

  • Easier M&A transitions

  • Full access to Entra ID Governance features

  • Cleaner lifecycle management

  • Reduced dependency on legacy infrastructure

For hybrid environments moving toward cloud-first identity, this is huge.

Sponsored by:

If you are a systems administrator managing endpoints every day, you’ve probably postponed patching at least once — not because you forgot… But because you didn’t feel like gambling with uptime. Meanwhile, the backlog grows, vulnerabilities pile up, and patching stays stuck in manual mode.

Action1  fixes that.

Action1 is a cloud-native patch management platform for Windows, macOS, Linux, and third-party apps — all from one place, no VPN needed. Curious how easy it is to start? You can use it on your first 200 endpoints, for free, forever, with no functional limits. It’s not a disguised free trial. No credit card required, no hidden limits, no tricks.

All you have to do is visit on.action1.com/entrachat and get started today.

So, if you’re looking to automate patching at scale and get weeks— even months—of your time back, go to on.action1.com/entrachat and sign up for patching—that—just—works.

Visit Action1 and get started today

3️⃣ App Registration Deactivation (A Quietly Powerful Feature)

Microsoft added the ability to deactivate app registrations.

Instead of deleting an app (and losing configuration), you can now:

  • Immediately stop token issuance

  • Preserve metadata and permissions

  • Investigate safely

  • Re-enable without rebuilding

For incident response scenarios — especially in multi-tenant or MSP environments — this is a big step forward.

4️⃣ Conditional Access Behavior Changes

There’s also a change impacting tenants with Conditional Access policies targeting “All resources” but excluding certain apps.

Previously, certain minimal-scope apps could bypass enforcement under specific conditions.

That loophole is closing.

Admins should:

  • Review message center notifications

  • Audit legacy apps

  • Validate MFA handling before rollout

As always with identity changes: being proactive is critical.

5️⃣ Sync Security Hardening (Hard Match Protection)

Microsoft is adding additional validation to protect against malicious hard matching scenarios in hybrid environments.

This reduces the risk of identity takeover via manipulated on-prem objects.

It’s automatic — but important to understand if you manage hybrid identity or MSP transitions.

Watch the full episode for the deep technical breakdown and real-world implications.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Daniel Bradley

Daniel is a Senior Solution Architect for CDW and Microsoft MVP in Identity & Graph API. He is a avid writer who enjoys investigating new features and building practical tools to share with the community through his blog. He also is one of the moderators for the r/entra subreddit.

About Ewelina Paczkowska

Ewelina is a Solution Architect at Theatscape and a Microsoft Security MVP. She is a content creator and speaker who enjoys breaking down complex solutions into clear, practical guidance. Ewelina is also an organiser of the Microsoft 365 Security & Compliance user group and the creator behind Welka’s World, where she shares insights and real-world knowledge around Microsoft security and compliance.

🔗 Related Links

📗 Chapters

06:16 Converting Source of Authority to Cloud

15:37 Auto-Enabling Passkey Profiles

24:33 Deactivating App Registrations

31:56 Conditional Access for Excluded Apps

38:48 Sync Jacking Protection

41:45 Unified Tenant Configuration Management

46:31 Service Principal Creation Logs

Podcast Apps

🎙️ Entra.Chat → https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]>