Not every admin in your tenant is a person. Service principals, app registrations, and the new wave of agent identities can quietly hold permissions powerful enough to own your entire environment, and most orgs can’t even see them. In this episode of Entra Chat, we sit down again with Erika Zelic to expose the “shadow admins” hiding in your Entra tenant, and what to do about them.
What we get into:
Application vs. delegated API permissions and why both can be shadow admins
The most dangerous permissions to hunt for: Files.ReadWrite.All, Sites.FullControl.All and more
How Midnight Blizzard turned secrets buried in email into full tenant compromise
Credential and secret sprawl: why you should vault everything and move to managed identities
Agent identities explained, and why a “sponsor” is safer than an “owner”
App ownership as an attack path: lateral movement and privilege escalation
Locking down workload identities with conditional access
Deadlines that bite: EWS retirement and the ID CRL protocol retirement
Managed devices, and going from Zero Trust to “hero trust” without burying your help desk
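As an added example (not code from the episode, from Erika, or from Microsoft), here is a defender-side sweep in the Microsoft Graph PowerShell SDK that lists which service principals hold app-only Microsoft Graph permissions from a watchlist. The watchlist entries beyond the two permissions named above are an assumption; trim or extend them to your own risk model.

```powershell
# Added example: find service principals holding high-privilege app-only
# Microsoft Graph permissions ("shadow admins"). Needs the Microsoft.Graph
# PowerShell SDK; Application.Read.All is a read-only scope.
Connect-MgGraph -Scopes 'Application.Read.All'

# Watchlist: the two permissions named in the episode plus other tenant-wide
# app permissions. Everything after the first two is an assumption to adjust.
$watchlist = @(
    'Files.ReadWrite.All',
    'Sites.FullControl.All',
    'Mail.ReadWrite',
    'Directory.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory',
    'AppRoleAssignment.ReadWrite.All',
    'Application.ReadWrite.All'
)

# Microsoft Graph's own service principal. Its appRoles map app-role GUIDs
# (what an assignment actually stores) to names like Files.ReadWrite.All.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($role in $graphSp.AppRoles) { $roleName[$role.Id] = $role.Value }

# Every application (app-only) permission grant where Graph is the resource.
# Delegated grants live in oauth2PermissionGrants and need a separate sweep.
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All

# Keep only assignments whose permission name is on the watchlist.
$findings = foreach ($a in $assignments) {
    $perm = $roleName[$a.AppRoleId]
    if ($watchlist -contains $perm) {
        [pscustomobject]@{
            Principal   = $a.PrincipalDisplayName
            PrincipalId = $a.PrincipalId
            Permission  = $perm
            Granted     = $a.CreatedDateTime
        }
    }
}

# One row per (service principal, dangerous permission) pair; review each
# for a business owner, a vaulted credential, and a Conditional Access policy.
$findings | Sort-Object Permission, Principal | Format-Table -AutoSize
```

Run it under a read-only account and compare the output against your inventory of known automation; anything without a recognised owner is the place to start.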
Subscribe with your favorite podcast player or watch on YouTube 👇
Sponsored by:
Avoiding Entra Credential Outages & Security Risks
June 24 | Live Webinar | Register
An expired client secret or certificate can break SSO, automation, integrations, and business-critical applications without warning.
Do you know:
✔️ Which credentials have already expired?
✔️ Which applications depend on them?
✔️ Which credentials will expire next?
✔️ Who owns those applications, and are they still used?
✔️ Which applications should use Managed Identities instead of secrets?
As organizations deploy more apps, automations, and AI-powered services, credential sprawl continues to grow across Entra. Join MVPs Alistair Pugin and Nicolas Blank as they walk through real-world credential failures, hidden risks, and practical strategies for identifying and remediating Entra credential issues before they lead to outages, security exposures, or audit findings.
About Erika Zelic
Erika Zelic is a well-known voice in the Microsoft security and identity community, bringing years of offensive security experience to help admins secure their cloud infrastructure.
With roots in offensive security and consulting, she now works on remediating configuration-based vulnerabilities and is known for sharing practical, no-nonsense security insights with the Entra community.
LinkedIn - https://www.linkedin.com/in/erica-z-b4169598/
🔗 Related Links
• MS Identity Tools - https://aka.ms/msid
📗 Chapters
02:05 The High Cost of DIY AI & Small Language Models
06:17 Why AI is Forcing Everyone to Harden Their Infrastructure
14:12 The Hidden Dangers of API Permissions
20:59 How Midnight Blizzard Exploited App Secrets
27:21 The Magic of Managed Identities & Azure Arc
33:38 The Nightmare of Multiple App Owners
43:32 Sneaky API Permissions You Need to Monitor
51:48 Crucial Protocol Retirements: EWS & ID CRL
55:24 Zero Trust: Why You MUST Enforce Managed Devices
Podcast Apps
🎙️ Entra.Chat - https://entra.chat
🎧 Apple Podcast → https://entra.chat/apple
📺 YouTube → https://entra.chat/youtube
📺 Spotify → https://entra.chat/spotify
🎧 Overcast → https://entra.chat/overcast
🎧 Pocketcast → https://entra.chat/pocketcast
🎧 Others → https://entra.chat/rss
Merill’s socials
📺 YouTube → youtube.com/@merillx
👔 LinkedIn → linkedin.com/in/merill
🐤 Twitter → twitter.com/merill
🕺 TikTok → tiktok.com/@merillf
🦋 Bluesky → bsky.app/profile/merill.net
🐘 Mastodon → infosec.exchange/@merill
🧵 Threads → threads.net/@merillf
🤖 GitHub → github.com/merill