👋 Hi, Merill and Joshua here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.

I’m finally back in Melbourne after an incredible week at Experts Live Denmark in Copenhagen. As Rod Trent beautifully put it in his latest post, it truly felt like a “Tech Family Reunion Like No Other.”

The highlight for me wasn’t just the tech, it was the people. There is something so special about finally shaking hands with folks I’ve only ever known through LinkedIn, Twitter/X, and blog posts. Turning those digital handles into real-world friendships is what makes this community so vibrant.

A massive shoutout to Morten Knudsen and his entire team for organizing such a seamless and high-energy event.

The Gift for You: Open-Source Labs 🔓

I had the honor of hosting a one-day Identity Masterclass with MVPs Thomas, Jan, Klaus, and Pim. We didn’t want the learning to stay in the room, so we’ve open-sourced our labs! You can find the links and hear the behind-the-scenes stories in this week’s Entra Chat podcast.

Let’s get into it ⚡️

Enjoy!

Sponsored by:

Hybrid User Onboarding: One CmdLet – Two Parameters

Fact: Hybrid user onboarding across AD, Entra ID, and Exchange Online is time-consuming and error-prone.

EasyEntra’s new Invoke-EECreateHybridUserFromTemplate CmdLet changes that:

🚀 One command creates a fully provisioned hybrid user in ~30 secs.
🚀 Just two parameters: DisplayName and TemplateName.
🚀 Templates are defined from existing users with an intuitive UI in seconds.
🚀 Schedule onboarding in advance or bulk-create users with a one-liner.
🚀 EasyEntra is free for tenants with fewer than 25 licensed users.

No more context switching between consoles. No more provisioning drift between new hires.
Just fast, consistent, automated onboarding from a single command.

“This product has been a miracle for our Helpdesk.”
Manager of IT Customer Support, Junior Achievement, United States

Learn More

⚡️ Microsoft

🔥 Public Preview

• Microsoft Entra hybrid join using Microsoft Entra Kerberos (preview) • Microsoft Learn

📺 Watch

• Identity Control Plane Under Attack: Consent Abuse and Hybrid Sync Risks (42 min) • Dima Zinkevich, Nestori Syynimaa, Tal Guetta, and Luc van den Ende

• Explore Microsoft Agent 365 security and governance capabilities (7 min) • Irina Nechaeva

• Integrating verification in your app with Microsoft Entra Verified ID – Part I (14 min) Part II (16 min) • Jas Suri, Yoel Horvitz

• How to Set Up Account Recovery with Microsoft Entra (2 min) • Microsoft Security

🗣️ Message Center

• MC1179154 - Microsoft Authenticator app: Upcoming changes to jailbreak and root detection

From the community…

🚀 Most popular posts from last week

• 🥇Microsoft Introduces Entra Hybrid Join using Entra Kerberos • Daniel Bradley

• 🥈What admins can learn from the new Entra ID Groups Insights blade • Jan Bakker

• 🥉PIM for Groups Are You Still Assigning Roles to Users? • Control Alt Delete Tech Bits

Sponsored by:

Scan, Score, and Secure Your Applications in Entra

Application identities represent one of the largest attack surfaces in Entra and are often among the least consistently governed. AppGov Score helps Entra & M365 teams understand where risk exists. The 24-check assessment evaluates Entra ID application integrations against Microsoft-recommended governance practices, analyzing:

• App registrations and enterprise apps for excessive permissions

• Expired or unmanaged secrets

• Ownerless apps

• Risky consent grants, and

• Privileged service principals

Results are delivered as a clear, defensible risk score with actionable findings. No scripts. No manual inventory. Just a fast, read-only scan that reveals app sprawl, identity misconfigurations, and blast radius so you can prioritize remediation and strengthen your security posture with confidence.

Get Your Baseline Score

☀️ Learn

👩‍✈️ AI & Copilot

• Understanding Microsoft Entra Agent ID • Will Velida

• 📺 Agent 365 and Agent ID Overview (48 min) • John Savill

🧰 Workload ID

• Microsoft Graph – Remembered to restict Mail.Send Application Permission? (App Access Policies) • Michael Morten Sonne

👮‍♂️ ID Governance

• Admin Account Lifecycle Management – Part 2: Security and Accesses • Christian Frohn

• Late Hires, Rehires, and Lifecycle Automation Beyond the Happy Path • Sandra Saluti

• 📺 Entra ID Access Reviews The beginners Guide (19 min) • Andy Malone

• 📺 Simplifying Access Governance with Microsoft Entra ID Access Packages (33 min) • David Nudelman

🌐 Private Access & Internet Access (GSA)

• 📺 Zero Trust, GSA & Defender Automation: Breaking Up with VPNs (feat. Brumm & Bader) (30 min) • Christopher Brumm, Fabian Bader, Frans Oudendorp and Michel van Vliet

📦 Apps

• How to Use Scoped Graph Permissions with SharePoint Lists • Tony Redmond

• Difference Between App Registrations and Enterprise Apps • Dhinesh

• Stop Unintended Tenant-Wide App Access in Microsoft Entra ID • Sreejith Reghunathan Pillai

• 📺 The 1 MISTAKE Everyone is Making with Entra Enterprise Apps (16 min) • Ru Campbell

🫆 Authentication

• Windows Hello for Business Multi Factor Unlock • Marco Wohler

👥 User & Group Management

• Microsoft Entra: One Person One License, Now What? • Daniel Bradley

🤖 DevOps & PowerShell

• Microsoft Graph Delta Query in PowerShell • Alf Løkken

🚦 Conditional Access

• Conditional Access Demo: Time-Bound Access • Jon Hope

• How to Build a Log Analytics Workbook for Unused CA Policies • Klaus Bierschenk

• Troubleshooting Windows First Sign‑in Restore When Conditional Access Gets in the Way • Simon Skotheimsvik

• 📺 Does Your Conditional Access Actually Work? Here’s How to Check (12 min) • Jonathan Edwards

🔐 Credential Management

• Passkey onboarding in Entra: What Microsoft doesn’t tell you! • Per-Torben Sørensen

🖥️ Devices

• Delegating LAPS password retrieval at device level • Dániel Kovács

• Disable MDM Enrollment When Adding a Work or School Account on Windows • Rudy Ooms

• Entra Hybrid-Join Devices Using Microsoft Entra Kerberos • Blesslin Rinu

• How to Disable ‘Allow My Organization to Manage My Device’ Prompt • AIMA

🥷 Security

• Intune Administrator Is the New Domain Admin • James Robinson

• Please, please, please stop using passkeys for encrypting user data • Tim Cappalli

• Step by step guide for getting up and running with least privileged msgraph • Morten Mynster

• The Zero Trust Workshop - Your Free Nitro-Boosted Cybersecurity Strategy Virtualization Review • Paul Schnackenburg

• Untangling Microsoft Graph’s $batch requests in Burp • Katie Knowles

📒 Tenant Configuration

• New Cloud Licensing API in Microsoft Graph for License Management in Public Preview • Dhinesh

🛍️ External ID - Customers

• Azure AD B2C to Entra External ID (EEID) Migration Kit — Attribute Mapping • Rory Braybrook

⚒️ Toolkit

• SamlCertRotation: An automation tool to rotate and set as active Saml certificates in Entra ID • Jeff Bley

• emiliensocchi/entra-ca-insight: Discover gaps in Entra Conditional Access policies before attackers do • Emilien Socchi

🎙️ Podcasts

• Episode 421: Microsoft 365 Mergers and Divestitures with Frank Lesniak • Frank Lesniak, Scott Hoag

• Breaking into Microsoft security as a career • Jussi Roine & Tobias Zimmergren

🔥 Maester

👨🏽‍💻 Merill’s corner

• Want to get featured on Entra.News? → Submit your content 😎

• Want us to say nice things about your company? Sponsor entra.news 🤩

• Love the newsletter? Tell us 💚❤️💜

🪃 Acknowledgement of Country

Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. We pay our respect to them and their cultures and to elders both past and present.