<![CDATA[Entra.News - Your weekly dose of Microsoft Entra]]>https://entra.newshttps://substackcdn.com/image/fetch/$s_!4mCy!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7b3b3378-703b-4f6a-ab4d-10470336b06f_1280x1280.pngEntra.News - Your weekly dose of Microsoft Entrahttps://entra.newsSubstackFri, 05 Jun 2026 18:01:07 GMT<![CDATA[Entra 🆔 News #151 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-151-this-week-in-microsofthttps://entra.news/p/entra-news-151-this-week-in-microsoftSun, 31 May 2026 12:01:54 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

Build is just around the corner, and I’m excited to see all the new goodies that are going to drop. Microsoft and NVIDIA have also been teasing something, probably a new Arm-based PC. Will it live up to the hype? Let’s find out…

I’ve also heard that we’ll get some new Entra bits at Build 🤞. I’m looking forward to bringing it all to you in next week’s issue.

Don’t forget to listen to or watch this week’s Entra.Chat episode. This week, we looked at what it takes to roll out passkeys to millions of users in a B2C consumer scenario, and the lessons we can apply to our own workforce passkey deployments.

Enjoy!

Sponsored by:

Stop App Credential Expirations Before Outages

Prevent outages caused by expired or expiring certificates and secrets across your Microsoft Entra ID applications. ENow Credential Monitor helps IT teams identify risky credentials before they break integrations, flood the help desk, or trigger late-night troubleshooting.

  • Alert on expired and expiring secrets and certificates

  • Reduce app outages and user disruption

  • Avoid ticket spikes and 2 a.m. firefighting

  • Keep critical business apps running smoothly

Get Your Score + 7-Day Trial

⚡️ Microsoft

🔥 Public Preview

📺 Watch

🗣️ Message Center

From the community…

🚀 Most popular posts from last week

☀️ Learn

💳 Verified ID

🧰 Workload ID

🌐 Private Access & Internet Access (GSA)

📦 Apps

🫆 Authentication

🤖 DevOps & PowerShell

🚦 Conditional Access

🏙️ External ID - Guests & Multi-Tenant Organizations

🥷 Security

♻️ Sync

📒 Tenant Configuration

👨🏽‍💻 Merill’s corner

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[5 Lessons from Rolling Out Passkeys to Millions of Users]]>https://entra.news/p/5-lessons-from-rolling-out-passkeyshttps://entra.news/p/5-lessons-from-rolling-out-passkeysSun, 31 May 2026 08:15:55 GMTPasskeys are one of those technologies that sound simple on paper.

Turn them on.
Users register them.
Passwords go away.
Everyone is more secure.

But in the real world, passkey rollouts are not just an authentication setting. They are a product rollout, a user experience change, a support change, and an operational change all at once.

In this episode, I spoke with Vincent Delitz from Corbado, who has worked on large-scale passkey deployments in customer identity scenarios, including public-sector and consumer environments with millions of users. While the examples come from the CIAM world, many of the lessons apply directly to workforce identity and Microsoft Entra deployments as well.

Sponsored by:

Cloud RADIUS built for Entra + Intune environments

EZRADIUS was designed and built by ex-Microsoft engineers with deep Entra and Intune experience. It integrates seamlessly into the Microsoft ecosystem, making it easy to migrate from your on-prem NPS server to a modern, zero-trust network with full support for cloud-first and hybrid environments.

  • Deploy in minutes: no on-prem servers, no Windows updates

  • Certificate-based auth: EAP-TLS support for Microsoft Cloud PKI or any CA

  • Intune compliance checks for zero-trust Wi-Fi and VPN access

  • Built for teams of 10 to 10,000: no minimums, no enterprise gatekeeping

  • Pay only for users that connect with usage-based pricing

Start your 30-day trial (no credit card required) or book a demo to see how “EZ” it is.

Try it Out

Here are five practical lessons from the conversation.

1. Know why you are rolling out passkeys

Before you start the rollout, be clear on the reason.

Most organisations adopt passkeys for one or more of these reasons:

Security
Passkeys are phishing-resistant and remove many of the risks that come with passwords, SMS OTP, and other phishable methods.

User experience
Signing in with Face ID, Touch ID, Windows Hello, or a security key can be faster and easier than typing passwords and completing MFA prompts.

Cost reduction
In customer identity scenarios, passkeys can reduce SMS OTP costs. In workforce scenarios, they can reduce password reset and sign-in related help desk calls.

The key lesson is this: your rollout strategy should match your goal.

If your goal is security, you need to think about when and how to retire phishable methods.
If your goal is adoption, you need to make passkeys the easiest path.
If your goal is cost reduction, you need to measure whether users are actually moving away from the older methods.

Simply enabling passkeys is not the same as achieving the outcome.

2. Use a staged rollout, not a big bang

One of the biggest mistakes is assuming you can turn on passkeys and immediately remove passwords.

That sounds clean from a security perspective, but in reality it can create confusion, support tickets, and failed sign-ins.

A better model is a staged rollout:

Stage 1: Offer passkeys as an option

Start by making passkeys available. Let users register and begin using them without taking away existing methods immediately.

Stage 2: Nudge adoption

Do not leave passkeys buried as “just another sign-in method.” Make them visible. Make them the preferred option where possible. Help users understand why they should use them.

Stage 3: Gradually retire phishable methods

Once you can see that a user or group has been successfully using passkeys for a period of time, then you can start reducing reliance on passwords, SMS, or other weaker methods.

Stage 4: Fix recovery

This is the part many teams forget.

Once passkeys become the primary sign-in method, account recovery becomes the new weak point. If recovery still relies on phishable methods or manual help desk processes, attackers will target that path instead.

A passkey rollout is not complete until recovery is also secure.

3. Passkeys move complexity from the backend to the user’s device

With passwords, SMS OTP, or push notifications, a lot of the complexity sits in the backend.

With passkeys, much more happens on the client side.

That means success depends on things like:

The user’s device.
The browser version.
The operating system.
The credential manager.
Whether Bluetooth is enabled.
Whether the passkey is synced.
Whether the user is on a managed device or BYOD.
Whether a password manager has changed the sign-in experience.

This is a big mindset shift.

For example, cross-device passkey sign-in often relies on Bluetooth proximity checks. That is great when it works. But what happens if Bluetooth is disabled on a kiosk, blocked by policy, or unavailable on a shared device?

In the episode, we discussed a real-world example where a rollout assumed passkeys would work for retail staff using shared kiosks, only to discover later that Bluetooth was disabled in that environment.

That is the sort of issue you want to find before go-live, not after a three-month project.

The practical takeaway: test the real environments your users will sign in from. Not just your own managed test devices.

4. Your backend logs may not tell the full story

This was one of the most important lessons from the episode.

Passkey success rates can look great in backend logs, but still miss a large part of the user experience.

Why?

Because many failures happen before the backend sees anything useful.

A user may not have the passkey on the current device.
The credential manager may not appear.
The browser may have a bug.
The user may cancel the Face ID or Touch ID prompt.
The passkey may have been deleted locally.
The device may try to use the wrong credential manager.
The user may think registration worked, even though the backend blocked it.

From the backend, you might only see the successful challenges. That can make your success rate look much better than the lived experience.

This is why observability matters.

For customer identity platforms, you may be able to add frontend telemetry and track where users get stuck. In workforce scenarios, you may not be able to instrument the Entra sign-in page directly, but you can still look for signals elsewhere:

Which users are passkey-capable?
Which devices and browsers are being used?
Which users registered passkeys but are not using them?
Which support tickets map to specific OS, browser, or credential manager combinations?
Which groups are still falling back to passwords or SMS?

The lesson: do not rely on a single “success rate” number. It may hide the real rollout problems.

5. Support multiple passkeys and explain the mental model

A common mistake is limiting users to one passkey.

That may sound tidy, but it does not match how people actually work.

A user may have a Windows laptop, a Mac, an iPhone, an Android phone, a password manager, and a physical security key. Some passkeys sync. Some do not. Some are device-bound. Some are stored in iCloud Keychain, Google Password Manager, Bitwarden, 1Password, Windows Hello, or on a physical key.

If users can only register one passkey, they may be locked out when they move to another device.

A better approach is to allow multiple passkeys and make it clear what each one is for.

For example:

One passkey in iCloud Keychain.
One in Google Password Manager.
One in an enterprise password manager.
One physical security key.
One backup key for critical accounts.

This also means communication matters.

Users do not always understand terms like “FIDO2,” “WebAuthn,” “AAGUID,” “attestation,” or even “passkey.” They understand things like:

Sign in with your face.
Sign in with your fingerprint.
Use your security key.
Use the passkey saved on this device.

The more technical your language, the more likely users are to get confused.

This applies internally as well. Even project teams need a shared vocabulary. Are you talking about synced passkeys? Device-bound passkeys? Security keys? Windows Hello for Business? Platform credentials? Roaming authenticators?

If the project team is confused, the users definitely will be.

Bonus lesson: Attestation matters, but not for every user

We also discussed attestation, which is one of those topics that can get confusing quickly.

In simple terms, attestation lets an authenticator prove what type of device or security key it is. This is useful when you want to control exactly which authenticators are allowed.

For example, for privileged admins, you may want to require specific physical security keys issued by the organisation. In that case, attestation can help you enforce that only approved keys are used.

But synced passkeys are different.

If a passkey is stored in iCloud Keychain, Google Password Manager, Bitwarden, or another synced credential manager, it can move across devices. That breaks the model where you can prove it belongs to one specific physical authenticator.

So the practical model may be:

Use stricter device-bound passkeys and attestation for privileged users.
Allow synced passkeys for broader user populations where usability and adoption matter more.
Be clear about the trade-off.

Synced passkeys may not give you the same level of device control as a hardware key, but they are still a huge improvement over passwords and many phishable MFA methods.

Final thoughts

The big takeaway from this episode is that passkey success is not just about enabling the feature.

You need to plan for adoption, device readiness, recovery, support, telemetry, and user education.

Passkeys can absolutely improve security and user experience, but only if the rollout is treated as a real change program.

The teams that succeed will be the ones that ask the hard questions early:

Why are we rolling this out?
Which users are ready?
Which devices are not?
What will break on day two?
How will users recover access?
How will we know whether adoption is actually happening?

Passkeys are the future of authentication, but the rollout still needs careful planning.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Vincent Delitz

Vincent Delitz is the Co-founder and Managing Director at Corbado, the passkey intelligence platform designed specifically for enterprise CIAM teams. Based in Munich, Vincent is a software engineer turned founder who has been deeply focused on the technology since the term “passkeys” first emerged in 2022.

Through Corbado, he helps large-scale B2C enterprises understand why passkey adoption might be flat, identify what’s breaking logins, and successfully scale passkeys alongside their existing IDPs (including Entra, Okta, Auth0, Ping, ForgeRock, or in-house solutions). Corbado is trusted by major organizations like VicRoads (supporting 5 million users), as well as leaders in financial services and e-commerce. As a speaker, Vincent frequently shares his expertise on passkey adoption and the often-overlooked “Day 2” passkey problems that don’t appear in standard vendor documentation.

LinkedIn - https://www.linkedin.com/in/vincent-delitz/

🔗 Related Links

📗 Chapters

04:10 The Consumer vs. Workforce Scale

07:49 Uncovering the True Motivations for Passkeys

11:06 The Four Stages of Going Passwordless

12:51 Day 2 Problems and Implementation Hurdles

17:02 Real-World Device and Network Limitations

22:53 Why Passkey Success Rates Are Misleading

27:20 Best Practices for Large-Scale Deployments

32:16 Demystifying Passkey Attestation and AGUIDs

38:48 Handling Support Tickets and Adoption Strategies

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]><![CDATA[Entra 🆔 News #150 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-150-this-week-in-microsofthttps://entra.news/p/entra-news-150-this-week-in-microsoftSun, 24 May 2026 14:05:48 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

The long-awaited Platform SSO during Automated Device Enrollment (ADE) for macOS is officially generally available! You can now complete device registration right inside the macOS Setup Assistant before a user ever hits the desktop. In other massive news, Microsoft Entra was named a Leader in the Forrester Wave™: Workforce Identity Security Platforms (Q2 2026) securing the highest scores across both the Current Offering and Strategy categories.

Also in this issue: tune into the latest Entra.Chat episode with Jeff Staiman to learn how Microsoft’s own battle with Midnight Blizzard shaped the new Tenant Governance control plane. And if you’re a GSA customer, don’t miss the newly published GSA Ops Guide.

Enjoy!

Sponsored by:

PST Export in One Line of PowerShell (FREE)

Exporting an Exchange Online mailbox to PST traditionally means wrestling with eDiscovery exports, installing Outlook, or paying for third-party tools - hours of work for what should take one command.

EasyEntra’s Invoke-EEMailboxToPst handles the entire export in a single line:

🚀 Export any mailbox to PST with one CmdLet
🚀 Real-time progress reporting and minimal memory burn
🚀 Native PST writer - no Outlook/MAPI tie-in
🚀 Delegate exports to first-line support - zero tribal knowledge
🚀 PowerShell module is free – no license required

Available via EasyEntra GUI and PowerShell (no license required). Download EasyEntra to get started.

“Your product is such a time saver - I love it.”
IT Infrastructure Specialist, MEC Aerial Work Platforms, United States

Free PST Export

⚡️ Microsoft

chart

🏆 General Availability

📖 Read

Sponsored by:

Book a demo

From the community…

👩‍✈️ AI & Copilot

💳 Verified ID

👮‍♂️ ID Governance

🫆 Authentication

👥 User & Group Management

🖥️ Devices

🥷 Security

📒 Tenant Configuration

🛍️ External ID - Customers

👨🏽‍💻 Merill’s corner

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[The New Control Plane for Microsoft Entra Tenant Governance]]>https://entra.news/p/the-new-control-plane-for-microsofthttps://entra.news/p/the-new-control-plane-for-microsoftSat, 23 May 2026 11:54:39 GMTMicrosoft had 7 million internal tenants and almost lost control of their environment and your org might be facing the same problem at a smaller scale. In this episode, we sit down with Jeff Staiman, PM Area Lead for Tenant Governance at Microsoft, to break down the feature born from the Midnight Blizzard attack. We cover discovery, drift detection, governance relationships, secure tenant creation, licensing, and exactly where admins should start.

What Can Your AI Applications Access?

Organizations are investing heavily in AI-powered applications and agents, but many are discovering they lack the operational visibility and governance discipline needed to scale AI confidently and securely.

With continuous visibility into Entra ID applications, permissions, OAuth access, secrets, certificates, and application ownership, ENow App Governance Accelerator can:

  • Reduce uncertainty around what SaaS apps can access

  • Accelerate application reviews and approval processes

  • Strengthen operational trust across security and leadership teams

  • Prevent unmanaged application growth from becoming operational risk

  • Enable lean IT teams to support AI expansion at scale

  • Demonstrate governance maturity required for enterprise AI adoption

Request a Demo + Free Trial

While most admins focus on securing their primary production environment, many organizations are sitting on hundreds of “test” or “shadow” tenants that were created by users with a simple Azure subscription. These unmanaged environments often lack proper security bars and can become entry points for sophisticated attackers.

The Wake-Up Call: Midnight Blizzard

The urgency for these new features was fueled by the 2024 Midnight Blizzard attack. In that instance, attackers compromised a legacy test tenant and used its old access rights to move laterally into Microsoft’s core environment. This highlighted a critical gap: securing one tenant isn’t enough if you don’t even know how many other tenants are connected to your organization.

Three Things You’ll Learn in This Episode:

  1. Automatic Discovery of the “Unknown”: Jeff explains how the Related Tenants feature uses signals like B2B sign-in logs, multi-tenant app consents, and billing relationships to automatically find every tenant connected to your corporate identity.

  2. Configuration Drift Monitoring: You can now define a “Golden Configuration” for your tenants. The service monitors over 200 resource types across Entra, Intune, Teams, and Exchange every six hours, alerting you the moment a security setting is weakened.

  3. The “Three-Step” Handshake: To prevent accidental or malicious takeovers, Microsoft has implemented a rigorous trust process. If two tenants don’t share a billing relationship, the governed tenant must explicitly invite the governing tenant before any control can be established.

A New Approach to Licensing

Something many admins will find surprising is the licensing model. Unlike many Entra features that require a license for every user, Tenant Governance is licensed based on the number of admins interacting with the features. This makes it far more accessible for organizations trying to secure a massive multi-tenant estate without a massive budget.

Why you should listen: Jeff dives deep into how Microsoft managed its own 7 million internal tenants and shares the roadmap for future discovery signals, including using Global Secure Access network telemetry to find tenants being accessed from corporate devices.

Whether you are managing a merger or just trying to clean up years of “test” environments, this episode provides the blueprint for moving from manual, one-tenant-at-a-time management to a deterministic, automated security posture.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Jeff Staiman

Jeff Stammen is the PM Area Lead for Tenant Governance within the Identity and Access Management (IAM) team at Microsoft. A true company veteran of 31 years, Jeff originally joined Microsoft managing engineering compensation and famously architected Microsoft's core engineering leveling framework (Levels 59–61) directly from requirements delivered by Steve Ballmer. Today, he leads engineering and product efforts to secure multi-tenant cloud ecosystems at massive scale.

LinkedIn - https://www.linkedin.com/in/jeffstaiman/

🔗 Related Links

📗 Chapters

00:00 Intro

00:18 Introducing Jeff Stammen

00:41 Jeff’s 31-Year Journey at Microsoft

01:25 The Midnight Blizzard Hack That Started It All

05:07 Tenant Governance: What It Is and Why It Exists

07:12 Where Should Admins Start?

09:57 Configuration Snapshots and Baselines

13:02 The M365 DSC Connection

15:18 What Resources Should You Monitor?

17:07 How Drift Detection Works

19:49 Multi-Tenant Monitoring Strategy

20:02 Related Tenants: Discovering Your Unknown Exposure

20:39 Licensing: Basic vs Premium Explained

22:48 Quotas and Resource Limits

24:27 Governance Relationships and Cross-Tenant Role Assignments

28:26 Two-Step vs Three-Step Governance Flow

31:15 Discovery Signals and Blind Spots

35:17 Tenant Restrictions: A Related Feature Worth Knowing

36:40 Secure Tenant Creation

38:10 Governance Policy Templates

40:01 Licensing Across Multiple Tenants

43:43 Final Recommendations: Where to Start Today

47:54 Wrap Up

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]><![CDATA[Entra 🆔 News #149 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-149-this-week-in-microsofthttps://entra.news/p/entra-news-149-this-week-in-microsoftSun, 17 May 2026 13:18:03 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

A quick note from Merill: Earlier this week, I shared that I’m leaving Microsoft to start out on my own. The flood of responses has been completely overwhelming. Thank you all so much for the incredible support.

I won’t lie, taking a leap like this is terrifying, and I’ve definitely had moments of second-guessing my sanity! But seeing your kind words reminds me why I need to follow my heart.

Though my day job is changing, my loyalty isn’t: I will always be the #1 Entra fan.

Merill

Sponsored by:

PST Export in One Line of PowerShell (FREE)

Exporting an Exchange Online mailbox to PST traditionally means wrestling with eDiscovery exports, installing Outlook, or paying for third-party tools - hours of work for what should take one command.

EasyEntra’s Invoke-EEMailboxToPst handles the entire export in a single line:

🚀 Export any mailbox to PST with one CmdLet
🚀 Real-time progress reporting and minimal memory burn
🚀 Native PST writer - no Outlook/MAPI tie-in
🚀 Delegate exports to first-line support - zero tribal knowledge
🚀 PowerShell module is free – no license required

Available via EasyEntra GUI and PowerShell (no license required). Download EasyEntra to get started.

“Your product is such a time saver - I love it.”
IT Infrastructure Specialist, MEC Aerial Work Platforms, United States

Free PST Export

⚡️ Microsoft

🏆 General Availability

📖 Read

📺 Watch

🗣️ Message Center

Sponsored by:

Benchmark Entra ID Application Governance

How many enterprise apps, OAuth integrations, and service principals are sitting in your Microsoft Entra ID tenant? In many Microsoft environments, application sprawl builds quietly through:

  • User-consented third-party SaaS integrations

  • Custom and internal applications

  • Test deployments and abandoned dev projects

ENow’s free AppGov Score Assessment uses read-only access to benchmark application governance in Microsoft Entra ID and identify visibility gaps, ownership issues, excessive permissions, expired credentials, and high-privilege access risks.

Get a baseline of enterprise applications, app registrations, ownership gaps, and permission exposure measures across your environment.

Check your AppGov Score

From the community…

☀️ Learn

🧰 Workload ID

👮‍♂️ ID Governance

🌐 Private Access & Internet Access (GSA)

📦 Apps

🫆 Authentication

🤖 DevOps & PowerShell

🚦 Conditional Access

🔐 Credential Management

🖥️ Devices

🥷 Security

📒 Tenant Configuration

👨🏽‍💻 Merill’s corner

Entra.News - Your weekly dose of Microsoft Entra is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[What’s New in Microsoft Entra - May 2026: Passkeys, Agents & Cloud Sync]]>https://entra.news/p/whats-new-in-microsoft-entra-mayhttps://entra.news/p/whats-new-in-microsoft-entra-maySat, 16 May 2026 07:11:16 GMTFabian and Thomas join the podcast to share their extensive experience and unpack the massive wave of updates coming to Microsoft Entra.

We talk about the massive shift toward Passkeys and registration campaigns, the impending migration from Entra Connect Sync to Cloud Sync, and the rapidly evolving world of Agent IDs and AI workloads. We also cover how Entra admins can leverage new Defender XDR features and Security Copilot agents to secure their environments.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Fabian and Thomas

Fabian Bader is a Microsoft MVP and Cybersecurity Architect at glueckkanja, based in Hamburg, Germany. He is a well-known researcher in the Microsoft identity space, creator of the Cloud Brothers blog, and creator of the Maester and Token Tactics V2 tools. His work focuses on Microsoft Entra and the Defender suite, helping customers secure their cloud environments.

Thomas Naunheim is a Microsoft MVP and a Cybersecurity Architect at glueckkanja. He specializes in Microsoft Entra, identity and access management, and cloud security posture.

🔗 Related Links

📗 Chapters

00:00 Intro

01:18 The Year of Passkeys & Registration Campaigns

08:49 Windows Hello & Passkey Syncing

16:37 Migrating to Entra Cloud Sync

22:27 The Rise of Agent IDs & AI Workloads

28:21 Defender XDR Updates for Entra Admins

38:32 Security Copilot & Conditional Access Agent

45:48 Access Packages & New AI Admin Roles

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]><![CDATA[Entra 🆔 News 148 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-148-this-week-in-microsofthttps://entra.news/p/entra-news-148-this-week-in-microsoftSun, 10 May 2026 14:14:35 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

In case you missed it, World Passkey Day was this week, and Microsoft had a few announcements to mark the occasion, including Microsoft Entra ID account recovery reaching GA and the preview of passkey-preferred authentication.

Passkey-preferred authentication in Microsoft Entra ID detects the user’s registered authentication methods and prompts them to use the strongest one first. If a passkey is registered, that’s what the user sees immediately.

This week, I also had a fascinating conversation with Erin Grenlee about a really cool Entra Agent ID tutorial she built. It’s a guided walkthrough covering Agent ID, permissions, and the key concepts you need to understand. You can also use it to visualize all the agent blueprints you have in your tenant.

Watch the full walkthrough below.

Enjoy!

Sponsored by:

User Lifecycle: Onboard and Offboard With a Single CmdLet

Fact: Managing hybrid users across AD, Entra ID, and Exchange Online is a breeding ground for missed steps and security gaps - from day one to last day.

EasyEntra’s PowerShell-enabled workflows handle the entire lifecycle:

🚀 Onboard a fully provisioned user in 30 seconds - UI or two-parameter CmdLet.
🚀 Templates defined from existing users in seconds.
🚀 Offboard completely in 10 seconds - UI or single CmdLet.
🚀 Offboarding settings configured once, applied consistently every time.
🚀 Delegate life-cycle management to first-line support - no senior PowerShell skills or tribal knowledge required.

Start your 30-day trial or book a demo - setup takes under a minute - free for tenants with fewer than 25 licensed users.

“It feels almost like a revolution.”
Head of IT, Arjeplog Municipality, Sweden

Wait… One CmdLet?

⚡️ Microsoft

🏆 General Availability

  • What’s New in Microsoft Entra: May 2026Martin Coetzer

    • Network content filtering by file type in Global Secure Access

    • Prompt injection protection

    • Global Secure Access client on iOS and iPadOS

    • Configure Global Secure Access with Cloud Firewall and remote networks for internet access

    • External user access in the Global Secure Access Windows client

    • Secure branch office Microsoft Entra Internet Access with Global Secure Access remote network connectivity

    • View approver details for access package requests in the My Access portal

    • Enforce Conditional Access policies on Privileged Identity Management role activation

    • Reduce risk with Microsoft Identity Manager 2016 Service Pack 3

    • Issuer Hints streamline certificate selection in certificate-based authentication

    • Certificate-based authentication on iOS

    • Certificate-based authentication elevated in system-preferred MFA list on iOS

    • Certificate Authority scoping for certificate-based authentication

    • Configurable token lifetimes in Microsoft Entra ID

    • Social identity provider support for native authentication in Microsoft Entra External ID

    • Prefetch Workday termination data to customize account disable logic

    • Track and optimize Microsoft Entra license usage in the Microsoft Entra admin center

📖 Read

📺 Watch

🗣️ Message Center

📆 Upcoming Events

Sponsored by:

Book a demo

☀️ Learn

👩‍✈️ AI & Copilot

🧰 Workload ID

👮‍♂️ ID Governance

🌐 Private Access & Internet Access (GSA)

📦 Apps

🫆 Authentication

👥 User & Group Management

🚦 Conditional Access

🖥️ Devices

📈 Reporting and Insights

🥷 Security

♻️ Sync

🛍️ External ID - Customers

👨🏽‍💻 Merill’s corner

Entra.News - Your weekly dose of Microsoft Entra is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[If You Manage Entra Permissions, Watch This Before Deploying Agents]]>https://entra.news/p/if-you-manage-entra-permissions-watchhttps://entra.news/p/if-you-manage-entra-permissions-watchSat, 09 May 2026 14:10:47 GMTMicrosoft Entra Agent ID Just Went GA Here’s What You Need to Know About Agent Permissions

If you’ve been waiting for the dust to settle on Microsoft Entra Agent ID before diving in, the wait is over. Agent ID hit General Availability on May 1st, and in this episode of Entra Chat, Erin Greenlee, a PM in the the Entra AuthN team joins to break down one of the trickiest parts of the new model: how permissions actually work.

The three-tier model you need to understand

The biggest mental shift with Agent ID is moving from the familiar single app registration model to a three-tier hierarchy. Here’s the short version:

  • Agent Blueprint → the template for your agent. Think of it as a souped-up app registration that lives in one tenant and defines how the agent behaves. Every agent needs one, even if you’re only ever creating a single instance.

  • Blueprint Principle → the identity that represents the blueprint inside each tenant it’s deployed to. This is the middle tier, and it has a superpower: permissions granted here cascade down to all current and future agent identity instances automatically.

  • Agent Identity → the actual running instance of the agent. This is what authenticates, what shows up in your tenant logs, and what can hold its own individual permissions on top of whatever it inherits.

Required Resource Access is a hint, not a grant

One thing that trips people up early: adding permissions to the blueprint’s Required Resource Access (RRA) doesn’t actually grant anything. It’s a signal to admins adopting your agent. A polite list of “here’s what this agent will need to function.” The real grant happens later, either upfront during adoption or dynamically as the agent needs it. Expect agents to lean more on dynamic consent than traditional apps have, since agents evolve and request new permissions as tasks change.

Inheritance only works if you set it up

Permissions granted on the Blueprint Principle will only cascade down to agent identities if the resource app (e.g. Microsoft Graph) is explicitly marked as an inheritable resource on the blueprint. It’s an easy thing to miss, and if you skip it, your Blueprint Principle grants won’t flow through to your instances.

A free tool to visualise all of this

Erin built an interactive web app — using GitHub Copilot, no less — that makes all of the above click visually. It has a no-sign-in tutorial that walks you through the object relationships, a permission matrix view, and even generates the PowerShell or Graph API scripts to apply your configuration in real life. No changes are made to your tenant unless you explicitly ask it to. The source code is being open-sourced too, so you can fork and customise it if you want.

Watch the full episode to see Erin walk through the tool live, including how permission inheritance works in practice and a real-world debugging scenario that inspired the whole thing.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Erin Greenlee

Erin is a member of the Entra AuthN team working on AI and Agent ID at Microsoft. She previously joined Entra Chat to discuss app permissions and consent, and she loves building tools that make complex identity concepts easier to understand.

LinkedIn - https://www.linkedin.com/in/eringreenlee/

Sponsored by:

Find App Access Gaps Before They Break Workflows

In Microsoft Entra ID, small visibility gaps lead to outages and delays. Expired secrets break integrations, while unclear ownership and excessive permissions slow access decisions. Teams still struggle to answer:

  • Which apps access Microsoft 365 data?

  • Is that access still justified?

  • Who owns it?

AppGov Score helps you quickly identify these gaps. ENow App Governance Accelerator then exposes app-specific credential risks, permission issues, and ownership gaps before they disrupt operations.

Start with your AppGov Score, then upgrade to a 7-day free trial to take action.

Request your Score

🔗 Related Links

📗 Chapters

01:11 Agent ID General Availability

04:14 The Agent ID Visualizer Tool

05:35 Defining the Agent Blueprint

08:06 Understanding the Blueprint Principle

10:57 Agent Identity Instances Explained

13:37 Required Resource Access (RRA)

24:07 Inheritable Permissions and Cascading

30:18 Applying Changes with Scripts

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]><![CDATA[Entra 🆔 News #147 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-147-this-week-in-microsofthttps://entra.news/p/entra-news-147-this-week-in-microsoftSun, 03 May 2026 12:47:31 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

It’s been an eventful week, with Agent ID and Agent 365 going GA, bringing lots of new capabilities for Entra administrators, including enhancements to Identity Governance, Internet and Private Access, Agent Registry, now in the Microsoft 365 admin center, and more.

We also released Maester 2.1, and I had fellow core maintainer Sam Erde on the Entra Chat podcast to talk about all the new Maester tests and features.

Enjoy!

Sponsored by:

How Well Do You Know Your Entra Apps?

Microsoft Entra ID environments often contain hundreds, sometimes thousands, of enterprise applications, service principals, and delegated permissions. The challenge is not just managing them, it’s knowing which apps have access to your Microsoft 365 data, whether permissions are excessive, and where governance gaps may exist.

AppGov Score gives you a fast, data-driven assessment of your Entra application governance and security posture. In minutes, you can:

  • identify risky app permissions

  • uncover overlooked applications

  • benchmark your tenant against proven governance best practices.

See where your application governance stands. Try AppGov Score for free today.

Scan your environment

⚡️ Microsoft

🏆 General Availability

🔥 Public Preview

📖 Read

🗣️ Message Center

From the community…

🚀 Most popular posts from last week

☀️ Learn

⛑️ ID Protection

🌐 Private Access & Internet Access (GSA)

📦 Apps

👥 User & Group Management

🤖 DevOps & PowerShell

🚦 Conditional Access

🖥️ Devices

🏙️ External ID - Guests & Multi-Tenant Organizations

🥷 Security

📒 Tenant Configuration

🛍️ External ID - Customers

⚒️ Toolkit

🔥 Maester

👨🏽‍💻 Merill’s corner

Entra.News - Your weekly dose of Microsoft Entra is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[How to Secure Copilot Agents, Azure DevOps & Defender (+ more) with Maester 2.1 (Full Breakdown)]]>https://entra.news/p/how-to-secure-copilot-agents-azurehttps://entra.news/p/how-to-secure-copilot-agents-azureSat, 02 May 2026 15:58:15 GMTMaester is back with one of its biggest release since launch. In this episode, we are joined by Sam Erde, Architect at Patriot Consulting and one of Maester’s core maintainers, to walk through everything that’s landed in Maester 2.1.

Since the December release, the community has shipped 540 new commits, grown the test suite from 128 to 168 tests, and added coverage across entirely new product areas.

Here’s a taste of what’s covered:

🤖 Securing Your AI Agents (Copilot Studio) With Microsoft’s Agent 365 going GA and organisations rapidly deploying Copilot Studio agents, Maester now includes tests based directly on Microsoft’s own recommendations for securing agents. Think orphaned agents with no owner, missing authentication on MCP connections, dormant agents, risky HTTP configurations, and agents shared too broadly. If you’re deploying agents in your tenant, these tests should be running.

🔧 AI That Writes Its Own Security Tests One of the most exciting developments in this release isn’t a test, it’s a custom AI skill that writes Maester tests for you. Sam built a GitHub Copilot agent skill that understands Maester’s structure, coding conventions, and contributor guide. You describe a security check in plain English, and within minutes you get a properly structured test, helpers, and documentation. No VS Code required! You can do it straight from GitHub’s Agents tab or even the mobile app. The barrier to contributing to Maester just got a lot lower.

🛡️ Defender for Endpoint Coverage Maester now includes 24 community-contributed MDE tests covering antivirus configuration, endpoint policy posture, cloud protection, behaviour monitoring, and PUA protection. Getting these tests into shape required the new AI skill to refactor months of pending work and it delivered.

🔑 Azure DevOps Security (37+ New Tests) With AI-generated code accelerating supply chain risks, securing your DevOps pipeline has never been more critical. Maester 2.1 ships with 37+ new Azure DevOps tests, checking OAuth config, PAT token policies, external guest access, collection admin hygiene, and more.

🔗 Linked Identity Checks for Privileged Accounts A new test surfaces a common blind spot: privileged admin accounts that remain active after their linked standard user account is disabled. If someone leaves your organisation and their cloud admin account stays enabled, Maester will now catch it.

📋 CIS Benchmark Refresh & Conditional Access Improvements Community contributor Morten has refreshed the CIS benchmark tests to reflect the latest changes, plus improved the logic behind several conditional access policy checks — including automated tracking of Entra ID roles used in XSPM and commercial access quality checks.

There’s a lot more covered in the full episode, including multi-tenant reporting updates, the new dev container for contributors, a surprisingly entertaining story about two AI models dissing each other’s code reviews, and a teaser for what’s coming in the next release.

👉 Listen to the full episode for the deep dives, the war stories behind getting community PRs across the line, and Merill and Sam’s take on where AI fits into the future of security testing.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Sam Erde

Sam is an Architect at Patriot Consulting who focuses on performing security assessments, securing and deploying Microsoft 365, and writing PowerShell. He has been a critical pillar for the Maester community over the last year, helping heavily refactor the codebase and streamlining community contributions.

LinkedIn - https://www.linkedin.com/in/samerde/

Sponsored by:

Would you bet your reputation on your current Microsoft 365 security posture?

Sure, you’ve checked Purview. Maybe tightened Conditional Access. We all do that.

But it’s usually the quiet stuff that bites... permissions that expanded, policies that drifted, exceptions nobody revisited.

You could assume it’s fine.

Or you could run the Microsoft 365 Security Posture Check.

It’s free.

It runs locally.

And no, it doesn’t send your tenant data back to us.

We’ll even help you set it up.

Get yours here

🔗 Related Links

📗 Chapters

00:00 Intro

05:49 Securing Copilot Studio & AI Agents

08:53 The Challenge with Defender for Endpoint Tests

013:39 Using AI to Automate Writing Security Tests

22:30 Dev Containers for Easy Contributions

24:58 New Azure DevOps Security Checks

31:02 Multi-Tenant Reporting & Xbox’s Secret

37:00 Active Directory Tests & The Future of Hybrid

43:00 The Long-Term Vision for Maester

54:48 CIS Benchmarks & Linked Identity Tests

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]><![CDATA[Entra 🆔 News #146 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-146-this-week-in-microsofthttps://entra.news/p/entra-news-146-this-week-in-microsoftSun, 26 Apr 2026 12:39:09 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

There’s a little bit of everything this week from GSA to Account Recovery and everything in between.

Don’t forget to check out this week’s Entra Chat with Sandra Saluti who shared quite a few ID Governance gems and best practices and some lively discussions on LinkedIn and X on the topic.

Enjoy!

Sponsored by:

User Lifecycle: Onboard and Offboard With a Single CmdLet

Fact: Managing hybrid users across AD, Entra ID, and Exchange Online is a breeding ground for missed steps and security gaps - from day one to last day.

EasyEntra’s PowerShell-enabled workflows handle the entire lifecycle:

🚀 Onboard a fully provisioned user in 30 seconds - UI or two-parameter CmdLet.
🚀 Templates defined from existing users in seconds.
🚀 Offboard completely in 10 seconds - UI or single CmdLet.
🚀 Offboarding settings configured once, applied consistently every time.
🚀 Delegate life-cycle management to first-line support - no senior PowerShell skills or tribal knowledge required.

Start your 30-day trial or book a demo - setup takes under a minute - free for tenants with fewer than 25 licensed users.

“It feels almost like a revolution.”
Head of IT, Arjeplog Municipality, Sweden

Wait… One CmdLet?

⚡️ Microsoft

🏆 General Availability

📖 Read

🗣️ Message Center

From the community…

🚀 Most popular posts from last week

Sponsored by:

Book a demo

☀️ Learn

👩‍✈️ AI & Copilot

🧰 Workload ID

👮‍♂️ ID Governance

🌐 Private Access & Internet Access (GSA)

📦 Apps

🫆 Authentication

👥 User & Group Management

🤖 DevOps & PowerShell

🚦 Conditional Access

🔐 Credential Management

🖥️ Devices

📈 Reporting and Insights

🥷 Security

♻️ Sync

📒 Tenant Configuration

🛍️ External ID - Customers

👨🏽‍💻 Merill’s corner

Entra.News - Your weekly dose of Microsoft Entra is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[What an ID Governance Consultant Wishes You Knew About Entra]]>https://entra.news/p/what-an-id-governance-consultanthttps://entra.news/p/what-an-id-governance-consultantSat, 25 Apr 2026 12:29:26 GMTIdentity Governance is often treated as a “nice-to-have” compliance checkbox, but as ID Governance expert Sandra Saluti reveals, it is actually the foundation of a secure, scalable environment. In this technical deep dive, we move past the marketing slides to discuss some of the common real-world “gotchas” that break Entra ID deployments.

In this episode, you will learn:

  • The Golden Rule of Automation: Why you must stop using “presentation data” (like UPNs or Email addresses) as your anchor. We explain why the Object ID is the only immutable truth for your automation.

  • The “Marriage Bug”: A cautionary tale of how a simple name change can break hybrid joins and lead to accidental laptop wipes and how to prevent it.

  • The “Unsexy” Side of Governance: Why the most important part of your job isn’t writing PowerShell, but interviewing HR and stakeholders to map out process flow diagrams before you ever touch the portal.

  • Closing the “Rehire Gap”: How to solve the common crisis where contractors lose access for 48 hours during a renewal because of lifecycle synchronization delays.

  • Directory Extensions vs. Exchange Attributes: Technical advice on where to store your identity metadata for the most reliable governance.

Sponsored by:

Entra ID Gaps That Cause Outages

In Microsoft Entra ID, outages often start small: an expired client secret, a lapsed certificate, or a suddenly failing integration. Traditional controls don’t track credential expiry or enforce application ownership, so issues appear only after something breaks.

Teams are left asking:

  • Which applications can access Microsoft 365 data?

  • Is that access still appropriate?

  • Who owns the app?

Unclear answers stall reviews, weaken accountability, and slow delivery.

ENow App Governance Accelerator closes these gaps by highlighting expiring credentials, surfacing permission risks, and identifying ownership gaps before they disrupt operations. New Standard Tier pricing makes it accessible for organizations under 10,000 users, typically $3,500–$9,500 annually.

Explore Entra ID Gaps

Subscribe with your favorite podcast player or watch on YouTube 👇

About Sandra Saluti

Sandra Saluti is a consultant at Epical working with Microsoft Entra ID and identity governance. She helps organisations design secure and practical identity solutions with a focus on governance, access management, and Zero Trust.

LinkedIn - https://www.linkedin.com/in/sandra-saluti-6866a686/

🔗 Related Links

📗 Chapters

00:00 Welcome to Entra Chat

03:18 Explaining Identity Governance

08:51 Handling Late Hires and Rehires

11:25 Using Directory Extensions Effectively

18:50 Stop Targeting UPNs for Automation

25:18 Managing Chaos with Guest Access Reviews

30:56 Deciding Who Approves App Access

33:51 Replacing Nested Groups with Access Packages

39:29 Closing Thoughts and Community

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]><![CDATA[Entra 🆔 News #145 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-145-this-week-in-microsofthttps://entra.news/p/entra-news-145-this-week-in-microsoftSun, 19 Apr 2026 12:30:25 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

There are some important updates in this week’s Message Center posts, so be sure to check them out and prepare for the changes.

Don’t forget to queue up this week’s Entra Chat featuring the legendary Sean Metcalf, and hear his top tips for hardening Entra ID in 2026.

Enjoy!

Sponsored by:

Uncover Risky Entra ID Apps Faster

Most Microsoft 365 tenants accumulate hundreds of enterprise applications, with OAuth permissions granted over time and ownership left undefined. Security teams often lack visibility into which apps access mailboxes, files, or user data, and which introduce risk.

Native tools provide pieces of this data, but not a unified view. That gap makes consistent application governance hard to maintain.

AppGov Score assesses your Entra ID application landscape. Identify high-risk permissions, detect unused or overprivileged apps, and surface ownership gaps so you can prioritize remediation based on real exposure.

Attending the Microsoft 365 Community Conference in Orlando? Visit ENow at booth #617 to see how teams are strengthening application governance while enabling their users.

Get Your App Risk Score

⚡️ Microsoft

🔥 Public Preview

📖 Read

🗣️ Message Center

From the community…

🚀 Most popular posts from last week

Sponsored by:

Would you bet your reputation on your current Microsoft 365 security posture?

Sure, you’ve checked Purview. Maybe tightened Conditional Access. We all do that.

But it’s usually the quiet stuff that bites... permissions that expanded, policies that drifted, exceptions nobody revisited.

You could assume it’s fine.

Or you could run the Microsoft 365 Security Posture Check.

It’s free.

It runs locally.

And no, it doesn’t send your tenant data back to us.

We’ll even help you set it up.

Get yours here

☀️ Learn

👩‍✈️ AI & Copilot

🧰 Workload ID

👮‍♂️ ID Governance

🌐 Private Access & Internet Access (GSA)

📦 Apps

🫆 Authentication

👥 User & Group Management

🤖 DevOps & PowerShell

🚦 Conditional Access

🏙️ External ID - Guests & Multi-Tenant Organizations

📒 Tenant Configuration

🔥 Maester

👨🏽‍💻 Merill’s corner

Entra.News - Your weekly dose of Microsoft Entra is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[Stop Leaving the Door Open: The Entra ID Hardening Checklist Security Experts Actually Use]]>https://entra.news/p/stop-leaving-the-door-open-the-entrahttps://entra.news/p/stop-leaving-the-door-open-the-entraSat, 18 Apr 2026 13:11:49 GMTMicrosoft Entra security is evolving and the way organizations think about identity protection needs to evolve with it. In this episode, I’m joined by Sean Metcalf, one of the foremost identity security experts in the industry, whose work has helped shape how many organizations approach securing both Active Directory and Microsoft Entra.

Sean shares the hardening steps many teams still overlook, and why advances in AI are making it easier for both defenders and attackers to work faster than ever before. From MFA and application controls to protecting privileged accounts and reducing unnecessary exposure, this conversation offers a practical look at where strong identity security starts and why getting the fundamentals right matters more than ever.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Sean Metcalf

Sean Metcalf is the Identity Security Architect at TrustedSec and a renowned expert in Microsoft identity security. He holds the rare Certified Master in Active Directory certification and has spoken at major security conferences including Black Hat, DEF CON, and BlueHat on how to defend cloud and hybrid environments.

LinkedIn - https://www.linkedin.com/in/seanmmetcalf/

🔗 Related Links

📗 Chapters

00:04:05 AI and the Evolution of Attacks

00:06:42 The Importance of Hardening Fundamentals

00:12:03 Securing Entra ID Quickly

00:16:24 Protecting Tokens with VBS and TPM

00:19:58 Restricting Consent and Guest Users

00:23:40 Managing Rogue Tenants

00:27:36 Cloud Admin Workstation Strategies

00:34:14 Delegated Admin Privileges

00:44:32 The Danger of Application Permissions

00:57:06 Artemis Mission Trivia

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]><![CDATA[Entra 🆔 News #144 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-144-this-week-in-microsofthttps://entra.news/p/entra-news-144-this-week-in-microsoftSun, 12 Apr 2026 12:07:01 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

There’s quite a bit from the community this week, including a mix of agents, some solid deep dives into Conditional Access gaps and identity attack paths, and a few practical security findings from the field.

From Microsoft: the planned rollout for passkeys in Microsoft registration campaigns (MC1253746) has been paused for now. Read the post below for more info.

Also, this week’s Entra Chat podcast is with Per-Torben Sørensen. We go deep on designing Conditional Access policies. You’ll likely come away with at least one new idea to apply. Worth adding to your podcast queue.

Enjoy!

Sponsored by:

User Lifecycle: Onboard and Offboard With a Single CmdLet

Fact: Managing hybrid users across AD, Entra ID, and Exchange Online is a breeding ground for missed steps and security gaps - from day one to last day.

EasyEntra’s PowerShell-enabled workflows handle the entire lifecycle:

🚀 Onboard a fully provisioned user in 30 seconds - UI or two-parameter CmdLet.
🚀 Templates defined from existing users in seconds.
🚀 Offboard completely in 10 seconds - UI or single CmdLet.
🚀 Offboarding settings configured once, applied consistently every time.
🚀 Delegate life-cycle management to first-line support - no senior PowerShell skills or tribal knowledge required.

Start your 30-day trial or book a demo - setup takes under a minute - free for tenants with fewer than 25 licensed users.

“It feels almost like a revolution.”
Head of IT, Arjeplog Municipality, Sweden

Wait… One CmdLet?

⚡️ Microsoft

🏆 General Availability

📖 Read

🗣️ Message Center

From the community…

🚀 Most popular posts from last week

Sponsored by:

Book a demo

☀️ Learn

👩‍✈️ AI & Copilot

💳 Verified ID

⛑️ ID Protection

🌐 Private Access & Internet Access (GSA)

📦 Apps

🫆 Authentication

👥 User & Group Management

🚦 Conditional Access

🏙️ External ID - Guests & Multi-Tenant Organizations

🥷 Security

♻️ Sync

📒 Tenant Configuration

🛍️ External ID - Customers

🔥 Maester

👨🏽‍💻 Merill’s corner

In Melbourne this week? I’ll be presenting a short session on MCP auth at the Identity Management Day Summit.

Come say hi! Register here.

Entra.News - Your weekly dose of Microsoft Entra is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[How to Design Bullet-Proof Conditional Access Policies in Microsoft Entra ID]]>https://entra.news/p/how-to-design-bullet-proof-conditionalhttps://entra.news/p/how-to-design-bullet-proof-conditionalSat, 11 Apr 2026 14:36:17 GMTIf you can’t immediately name your break glass accounts and the last time you tested them → you’re already at risk.

In this episode of Entra Chat, Microsoft MVP Per Torben walks through the conditional access mistakes he sees even large enterprises making, and the practical framework he actually uses with customers.

You’ll learn how to set up emergency access accounts the right way, why your CA policies should be built more like a firewall than a checklist, and the one naming convention that makes managing dozens of policies actually manageable.

🎧 Hit play, your tenant will thank you.

Sponsored by:

Entra ID Gaps That Cause Outages

In Microsoft Entra ID, outages often start small: an expired client secret, a lapsed certificate, or a suddenly failing integration. Traditional controls don’t track credential expiry or enforce application ownership, so issues appear only after something breaks.

Teams are left asking:

  • Which applications can access Microsoft 365 data?

  • Is that access still appropriate?

  • Who owns the app?

Unclear answers stall reviews, weaken accountability, and slow delivery.

ENow App Governance Accelerator closes these gaps by highlighting expiring credentials, surfacing permission risks, and identifying ownership gaps before they disrupt operations. New Standard Tier pricing makes it accessible for organizations under 10,000 users, typically $3,500–$9,500 annually.

Explore Entra ID Gaps

Subscribe with your favorite podcast player or watch on YouTube 👇

About Per Torben

Per Torben is a Senior Architect at Crayon and a Microsoft MVP for Identity and Access. Based in Norway, he frequently writes highly-read posts featured on Entra.News and runs the collaborative tech blog “Agder in the Cloud”.

LinkedIn - https://www.linkedin.com/in/pertorbensorensen/

🔗 Related Links

📗 Chapters

06:22 The importance of Break Glass accounts

09:02 Securing emergency access with FIDO2 and RMAUs

18:10 Configuring Conditional Access: The “Block by Default” strategy

27:26 Managing scope and preventing accidental lockouts

29:31 Persona-based naming conventions for CA policies

35:38 Grouping settings and avoiding bloated policies

41:54 Handling exceptions and travel access with Access Packages

44:55 The flaw in Protected Actions for Conditional Access

53:38 Using the new Entra Backup feature for quick restores

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]><![CDATA[Entra 🆔 News #143 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-143-this-week-in-microsofthttps://entra.news/p/entra-news-143-this-week-in-microsoftSun, 05 Apr 2026 12:29:42 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

Well folks, there’s a lot happening in the Entra world, we have over seven features becoming GA, a bunch of new public preview features, and an upcoming change to enforce CA policies during WHfB registration. Check them all out below.

BTW, I caught up with some Microsoft Entra MVPs to get their take on the big updates—queue it up on Spotify, Apple Podcasts, or watch on YouTube 👇

Enjoy!

Sponsored by:

Announcing the Month of Azure Red Teaming 2026

Altered Security Month of Azure Red Teaming is an initiative to raise awareness and spark discussion around one of the most critical and in-demand skillsets: Azure Red Teaming. Throughout the month we want to keep the community engaged to help infosec professionals and students understand, practice and analyze attack vectors in Azure.

What to expect during the month:

- Four Free Azure Red Team Webinars with hands-on labs (April 10th, 17th, 24th and 30th).

- Flat 20% OFF on the accoladed Azure Red Team certifications: CARTP and CARTE.

- Free labs on Altered Security’s Red Labs Platform

Get ready for a month full of free labs, webinars, blog posts, giveaways and discounts!

Know More

⚡️ Microsoft

🏆 General Availability

🔥 Public Preview

📖 Read

📺 Watch

🗣️ Message Center

From the community…

🚀 Most popular posts from last week

Sponsored by:

Uncover Entra App Risk in Minutes

Most Entra ID tenants contain hundreds of applications with unclear ownership, excessive OAuth permissions, and long-lived secrets. These gaps are difficult to identify using native tools alone, especially at scale.

ENow’s AppGov Score provides a read-only assessment of your Entra environment using 24 Microsoft-aligned checks. It surfaces risky consent grants, privileged service principals, expired credentials, and ownerless apps, then translates findings into a clear, defensible risk score.

Instead of manual reviews or scripting, administrators gain immediate visibility into application sprawl and permission exposure, making it easier to prioritize remediation and improve governance across Microsoft 365.

Get Your App Risk Score

☀️ Learn

👩‍✈️ AI & Copilot

🧰 Workload ID

👮‍♂️ ID Governance

🌐 Private Access & Internet Access (GSA)

📦 Apps

🫆 Authentication

👥 User & Group Management

🚦 Conditional Access

🖥️ Devices

🏙️ External ID - Guests & Multi-Tenant Organizations

📈 Reporting and Insights

🥷 Security

♻️ Sync

📒 Tenant Configuration

🔥 Maester

Entra.News - Your weekly dose of Microsoft Entra is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[5 Entra ID Updates You Can’t Afford to Ignore in 2026 (Backup, Governance, CA Agent & Risk Score Exposed)]]>https://entra.news/p/5-entra-id-updates-you-cant-affordhttps://entra.news/p/5-entra-id-updates-you-cant-affordSat, 04 Apr 2026 11:57:26 GMTMicrosoft just dropped a massive wave of features for Entra, and the rules of Tenant Governance have officially changed.

Join us as we talk to three world-class MVPs about their hands-on experience with the new Entra Backup and Recovery and Tenant Governance features.

Our Microsoft MVP guests Nathan McNulty, Ru Campbell, and Thomas Naunheim break down the most exciting new features in Microsoft Entra.

In this episode, we explore:

  • The “Shadow Tenant” Problem: One org found 700+ Entra tenants they didn’t know they had.

  • Version Control for Admins: Why “Difference Reports” are a total game-changer for troubleshooting.

  • Recovery Safeguards: How to protect your tenant from accidental deletions and “sneaky” background changes.

  • Backup & Recovery: The truth about Entra Backup vs. Third-Party ISV tools.

Subscribe with your favorite podcast player or watch on YouTube 👇

About The Guests

Nathan, Ru, and Thomas are highly experienced MVPs specializing in identity security, governance, and Microsoft Entra.

Nathan McNulty - LinkedIn - https://www.linkedin.com/in/nathanmcnulty/

Ru Campbell - LinkedIn - https://www.linkedin.com/in/rlcam/

Thomas Naunheim LinkedIn - https://www.linkedin.com/in/thomasnaunheim/

🔗 Related Links

  • Microsoft Entra Backup and Recovery Documentation - https://learn.microsoft.com/en-us/entra/backup/overview

  • Microsoft Entra Tenant Governance - https://learn.microsoft.com/en-us/entra/id-governance/tenant-governance/overview

  • Synced Passkeys - https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-passkeys-fido2

  • Microsoft Work IQ CLI (Public Preview) - https://learn.microsoft.com/en-us/microsoft-365/copilot/extensibility/workiq-overview

  • Playwright https://playwright.dev/

  • Entra Auth Tracer (Chrome Extension) - https://github.com/darrenjrobinson/EntraAuthTracer

  • Unified Risk Score - https://learn.microsoft.com/en-us/defender-xdr/investigate-users#risk-score-tab-preview

📗 Chapters

00:00 Intro to New Entra Features

02:04 Entra Backup and Recovery Deep Dive

10:41 Difference Reports Explained

15:54 Intro to Tenant Governance

23:34 Managing Multi-Tenant Organizations

33:31 Conditional Access Optimization Agent

36:55 The Great Passkey Debate

47:22 Retirements: SP-less Auth & ACS for SharePoint

48:46 Unified Risk Score in Defender

52:38 MVP Tips of the Week

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]><![CDATA[Entra 🆔 News #142 → This week in Microsoft Entra]]>https://entra.news/p/entra-news-142-this-week-in-microsofthttps://entra.news/p/entra-news-142-this-week-in-microsoftSun, 29 Mar 2026 12:15:56 GMT👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

The big news this week is the official launch of Entra Backup and Recovery and Entra Tenant Governance, along with new updates to the CA Optimization Agent.

There’s an upcoming change that may impact applications using Microsoft Graph app-only permissions. Check out the blog post Designing for Eventual Consistency for more details.

Don’t forget to catch up on this week’s Entra Chat podcast with Emilien Socchi, where we dig into two of his interesting projects.

Enjoy!

Sponsored by:

User Lifecycle: Onboard and Offboard With a Single CmdLet

Fact: Managing hybrid users across AD, Entra ID, and Exchange Online is a breeding ground for missed steps and security gaps - from day one to last day.

EasyEntra’s PowerShell-enabled workflows handle the entire lifecycle:

🚀 Onboard a fully provisioned user in 30 seconds - UI or two-parameter CmdLet.
🚀 Templates defined from existing users in seconds.
🚀 Offboard completely in 10 seconds - UI or single CmdLet.
🚀 Offboarding settings configured once, applied consistently every time.
🚀 Delegate life-cycle management to first-line support - no senior PowerShell skills or tribal knowledge required.

Start your 30-day trial or book a demo - setup takes under a minute - free for tenants with fewer than 25 licensed users.

“It feels almost like a revolution.”
Head of IT, Arjeplog Municipality, Sweden

Wait… One CmdLet?

⚡️ Microsoft

🏆 General Availability

🔥 Public Preview

📖 Read

🗣️ Message Center

From the community…

🚀 Most popular posts from last week

☀️ Learn

👩‍✈️ AI & Copilot

💳 Verified ID

⛑️ ID Protection

📦 Apps

🫆 Authentication

🤖 DevOps & PowerShell

🚦 Conditional Access

🖥️ Devices

🏙️ External ID - Guests & Multi-Tenant Organizations

🥷 Security

♻️ Sync

📒 Tenant Configuration

🛍️ External ID - Customers

👨🏽‍💻 Merill’s corner

Entra.News - Your weekly dose of Microsoft Entra is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.

]]><![CDATA[Finding Every MFA Gap: Testing 250 Million Conditional Access Combinations in Under 20 Minutes]]>https://entra.news/p/finding-every-mfa-gap-testing-250https://entra.news/p/finding-every-mfa-gap-testing-250Sat, 28 Mar 2026 10:45:12 GMTEmilien Socchi, Cloud Security Research Engineer at Storebrand, joins us to discuss CA Insight and AZTier.

Two open-source tools Emilien built to find gaps in Conditional Access policies and categorize Azure/Entra roles based on attack paths.

Learn how CA Insight evaluates 250 million sign-in combinations offline in minutes instead of days, why the What If API doesn't scale, and how AZTier helps defenders and pen testers understand privilege escalation risks across Entra ID, Azure, and Microsoft Graph.

Together, these projects help security teams move from reactive log monitoring to a proactive defense strategy.

What’s Breaking and Slowing Your Entra ID Environment?

In Microsoft Entra ID, the same visibility gaps cause two problems:

  • Things break

  • Work slows down

Expired client secrets disrupt integrations. Certificates lapse and authentication fails. New apps appear with excessive permissions and no clear ownership. At the same time, teams struggle to answer basic questions, which applications have access to Microsoft 365 data, whether that access is still required, and who is responsible for it.

When answers are not immediate, reviews stall and projects slow down.

ENow App Governance Accelerator Credential Guard helps identify expiring credentials and expose permission and ownership gaps.

For organizations under 10,000 users, pricing ranges from $3,500 to $9,500 annually through March 31, 2026.

Find App Access Gaps

Subscribe with your favorite podcast player or watch on YouTube 👇

About Emilien Socchi

Emilien Socchi is a Cloud Security Research Engineer at Storebrand (Oslo, Norway) focusing on the proactive discovery of security issues. With an extensive background in application and cloud penetration testing, Emilien has published practical research and tooling used by defenders. He also maintains several open‑source projects, including Azure administrative tiering models and Entra ID role‑monitoring utilities.

LinkedIn - https://www.linkedin.com/in/emilien-socchi

🔗 Related Links

📗 Chapters

00:00 The Story Behind CA Insights

16:52 Why the ‘What If’ API Doesn’t Scale

21:09 Building an Offline Evaluation Engine

45:22 Deep Dive into AZTier: A Red Team Perspective

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

]]>