Hey folks, I have to start with a massive shout-out to Morten Knudsen and his entire team at Experts Live Denmark where I’m just returning from.

Organizing an event for over 1,200+ attendees is no small feat, and they pulled it off with incredible energy and precision. It was easily one of the most impressive community gatherings I’ve been a part of.

Amidst that massive crowd, I had the privilege of co-leading a deep-dive Identity Masterclass alongside four exceptional Microsoft MVPs: Jan Vidar Elven, Pim Jacobs, Thomas Naunheim, and Klaus Bierschenk.

We weren’t sure what to expect, but the response was overwhelming. We had over 120 dedicated attendees who stayed with us for the full 7-hour session - diving deep into the weeds of Entra ID, governance, privileged access, Agent ID and more. Instead of theory-heavy slides, we built a practical, end-to-end governance story.

Because we believe this knowledge should be accessible, we are now giving away the labs for free so everyone can skill up, learn, and implement these patterns in their own environments.

Here’s the core of what we covered, and what you will learn in this podcast walk through of the labs and what you can try out yourself today!

Links to GitHub repo and YouTube video below.

Sponsored by:

If you’re a systems administrator, you already know – patching is painful. It’s time-consuming, risky, and one small mistake can mean downtime. So, it gets postponed. Again. And again. What if patching was just… Easy?

Introducing Action1, a cloud-native patch management platform for Windows, macOS, Linux, and third-party apps. You’ll be up and running in five minutes. No infrastructure to maintain. No complexity.

And here’s the best part: you can use Action1 on your first 200 endpoints for free. Forever. No feature limits. No credit card. No hidden tricks. Seriously, It’s NOT a disguised free trial. Too good to be true? Too good and actually true! Check for yourself, go to: on.action1.com/entrachat

So, if you’re looking for an easy-to-use patching tool that would help you save weeks, if not months of your time, go to on.action1.com/entrachat and sign up for “Patching That Just Works”.

1️⃣ Inbound Provisioning: Start with a Source of Truth

Most identity problems start with one issue:

There is no clean, authoritative identity source.

We demonstrated how to use Inbound Provisioning in Entra to:

* Accept identity payloads via Microsoft Graph

* Create users in a disabled state

* Capture attributes like hire date, leave date, department

* Treat HR (or another system) as the lifecycle authority

Why this matters

If identities are manually created:

* Joiners are inconsistent

* Leavers are missed

* Privileged accounts become orphaned

Inbound provisioning allows you to:

* Standardize creation

* Attach lifecycle automation immediately

* Reduce manual admin overhead

Key concept:Provision first. Enable later. Automate everything in between.

2️⃣ Lifecycle Workflows: Automate Joiner / Mover / Leaver

Once a user is provisioned, lifecycle workflows take over.

We implemented:

* Pre-hire workflow

* Day-one onboarding workflow

* Post-onboarding actions

Triggers included:

* Employee hire date

* Creation time

* Group membership

* Attribute changes

Real-world onboarding pattern

* Account is created disabled

* Workflow enables the account at the correct time

* Temporary Access Pass (TAP) is generated

* TAP is sent securely

* Access is assigned automatically

This reduces:

* Manual enablement

* Helpdesk load

* Security gaps

Design principle:Automation should enforce timing — not people.

3️⃣ Privileged Account Design: Separate the Identities

We had a strong opinion in the session:

Admin accounts should be separate and cloud-only.

Why?

* Syncing privileged accounts from on-prem introduces risk

* HR systems should not directly control privileged identities

* Governance features work best with cloud-native identities

We explored three creation patterns:

* Inbound provisioning for privileged accounts

* Access Packages (with auto-assignment or request model)

* Lifecycle workflows + custom Logic Apps

Each has trade-offs.

What matters most:Privileged identities must be:

* Separately authenticated

* Phishing-resistant (FIDO2 or passkeys)

* Independently governed

* Linked for offboarding

4️⃣ Linking Identities for Investigation

One challenge in Entra:

There’s no native “this person owns these 3 accounts” view.

We explored identity linking in Microsoft Defender XDR, where:

* Multiple accounts can be associated to one identity

* Incident investigations become clearer

* Privileged activity can be correlated with user context

This becomes critical during:

* Compromise investigations

* Insider threat analysis

* Lateral movement tracking

Security takeaway:If you can’t correlate identities, you can’t fully investigate them.

5️⃣ Backup & Restore: The Truth About Entra

There is no traditional backup system in Entra.

Instead, you have:

* Soft-delete (with recycle bin)

* Hard-delete (irreversible)

* API-based recovery

* Configuration export strategies

We discussed:

* Protecting deleted items with Protected Actions

* Using Conditional Access to restrict destructive operations

* Exporting configuration JSON regularly

* Monitoring configuration drift

Reality:If you aren’t exporting your tenant configuration, recovery becomes manual and painful.

Governance is not just about creation — it’s about resilience.

6️⃣ Protected Actions + Conditional Access

A powerful but underused feature:

Protected Actions.

You can require Conditional Access enforcement before allowing:

* Hard deletes

* Sensitive configuration changes

Example:

* Only allow permanent deletion from a compliant device

* Only allow from a trusted location

* Require phishing-resistant authentication

Even Global Admins must pass policy.

Security mindset shift:Admin role ≠ unlimited ability.

7️⃣ Agent ID & Blueprints: The Future of Identity for AI

We also explored Agent ID — one of the newer capabilities in Entra.

Why not just use a service principal?

Because agents:

* Need stronger guardrails

* Must support per-user instances

* Require conditional access enforcement

* Must be auditable at scale

Blueprints allow:

* A parent definition of permissions

* Individual agent instances per user

* Centralized governance over many agents

As AI agents scale, identity must scale securely with them.

Forward-looking insight:Agent governance will soon be as important as user governance.

8️⃣ Design Philosophy Behind the Lab

The entire masterclass was built around one principle:

Identity is a lifecycle, not a login.

We covered:

Provision → Enable → Assign → Elevate → Monitor → Protect → Offboard → Recover

If any step is manual, inconsistent, or undocumented — risk increases.

The labs give you a complete pattern you can implement in your own tenant.

🎯 What You Should Do Next

* Watch/listen to the full podcast where we walk you through the labs.

* Go try out the labs at github.com/IdentityMan/MasterclassELDK26 in your own tenant.

Subscribe with your favorite podcast player or watch on YouTube 👇

About us

* Jan Vidar Elven, Security MVP - https://www.linkedin.com/in/janvidarelven

* Pim Jacobs, Security MVP - https://www.linkedin.com/in/pimjacobs89

* Thomas Naunheim, Security MVP - https://www.linkedin.com/in/thomasnaunheim

* Klaus Bierschenk, Security MVP - https://www.linkedin.com/in/klabier

🔗 Related Links

* https://github.com/IdentityMan/MasterclassELDK26

* https://discord.entra.news

* https://on.action1.com/entrachat

📗 Chapters

00:00 Intro

00:50 Open Sourcing the Entra Lab

03:42 Entra ID Inbound Provisioning

08:05 Lifecycle Workflows and Governance

10:57 Securing Privileged Admin Accounts

16:21 Offboarding and Linked Identities

19:51 Sponsor: ActionOne

21:02 Entra ID Backup, Restore & Protected Actions

26:08 Exploring Agent ID and Blueprints

30:28 How to Access the Open Source Lab

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

What does it take to migrate 40,000 devices to a cloud-native environment in a massive, complex enterprise? For most IT leaders, the prospect of moving away from 20 years of legacy infrastructure is enough to cause a sleepless night.

In our latest episode of Entra Chat, we sat down with enterprise veterans Michael Brunker and Prem Kothandapani to deconstruct their recent, massive rollout. They successfully converted nearly 40,000 devices from on-premises Active Directory to Entra Joined in just nine to ten months—all with a lean team of 10–15 people.

Here are the high-stakes lessons they learned from the trenches of modern management.

The “Nuclear Option”: Cleaning Up 20 Years of GPO Debt

One of the most controversial decisions the team made was what they called the “nuclear option” regarding Group Policy Objects (GPOs). Instead of porting over decades of legacy policies that no one fully understood, they chose to start from scratch.

By building a new security baseline from the ground up in Intune, they ensured the new environment was clean, modern, and free from the “stale” configurations that often plague legacy estates.

Killing the “VPN Tax”

For the end user, the primary driver for this migration was a radically improved experience. In a cloud-native world, the dependency on legacy VPN technology disappears.

* Work from Anywhere: Users can sign on and get access without the friction of starting a VPN or worrying about office cabling.

* Security at the Edge: Moving to Entra ID shrinks the attack surface by removing devices as a direct entry point to your core on-prem Active Directory.

Sponsored by:

If you’re a systems administrator, you already know – patching is painful. It’s time-consuming, risky, and one small mistake can mean downtime. So, it gets postponed. Again. And again. What if patching was just… Easy?

Introducing Action1, a cloud-native patch management platform for Windows, macOS, Linux, and third-party apps. You’ll be up and running in five minutes. No infrastructure to maintain. No complexity.

And here’s the best part: you can use Action1 on your first 200 endpoints for free. Forever. No feature limits. No credit card. No hidden tricks. Seriously, It’s NOT a disguised free trial. Too good to be true? Too good and actually true! Check for yourself, go to: on.action1.com/entrachat

So, if you’re looking for an easy-to-use patching tool that would help you save weeks, if not months of your time, go to on.action1.com/entrachat and sign up for “Patching That Just Works”.

The “Gnarly” Problems: What Breaks First?

Success wasn’t just about the big picture; it was about mastering the “fundamental basic building blocks”. Michael and Prem highlighted several technical hurdles that can derail a migration if not handled early:

* The Proxy Trap: Many organizations fail to update their proxy server allow-lists with the specific Microsoft URLs required for cloud authentication.

* App Authentication: Moving from Kerberos-based device auth to OAuth and modern cloud flows requires rigorous testing across different “personas,” such as front line workers versus corporate office users.

The Secret to Scaling: Small Teams, Big Strategy

Perhaps the most surprising takeaway was that a project of this scale didn’t require an army. By focusing on a “small team” of highly skilled engineers and dedicated communications experts, they maintained momentum and avoided “stop-start” migration fatigue.

Want to hear the full technical breakdown, including how they handled zero-downtime requirements for front line workers?

Subscribe with your favorite podcast player or watch on YouTube 👇

About Michael Brunker

Michael Brunker has approaching 40 years in the IT industry and has operated as an enterprise architect across major organizations like BP, Woodside, and Telstra.

LinkedIn - https://www.linkedin.com/in/michaelbrunker/

About Prem Kothandapani

Prem Kothandapani is an EndPoint Architect with over 14 years of experience in endpoint computing and major migrations, having worked at NBN, Australian Unity, and Telstra.

LinkedIn - https://www.linkedin.com/in/premnath-kothandapani-41744153/

📗 Chapters

00:00 Cloud-Native Device Management

02:58 The True Cost of Legacy Infrastructure

07:47 Moving to Modern Management

11:13 The Blueprint for a 40,000 Device Migration

20:07 Handling Complex App Dependencies

28:07 Crafting a Seamless User Migration Experience

33:28 Automating with Graph API and Autopilot

43:09 Avoiding the Co-Management Trap

55:01 The New Starter Experience

57:24 Migration Velocity and Lessons Learned

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

March 2026 is shaping up to be one of the most important months for Microsoft Entra ID administrators in recent memory.

Microsoft is automatically enabling passkey profiles in Entra ID, and if you don’t configure them yourself, your tenant will be migrated with default settings.

In this episode of Entra Chat, I sat down with Microsoft Security MVPs Daniel Bradley and Ewelina Paskowska to break down what this really means for Microsoft 365 administrators.

But passkeys aren’t the only story this month.

1️⃣ Passkey Profiles Are Becoming the Default

Starting March 2026:

* Passkey profiles will be auto-enabled

* Tenants that haven’t configured profiles will be migrated

* Registration campaigns will shift from Authenticator-first to passkey-first

This is a major shift toward phishing-resistant authentication.

You’ll now be able to:

* Separate hardware-backed vs synced passkeys

* Apply granular group-based controls

* Enforce stronger authentication for privileged users

2️⃣ Source of Authority Conversion Is Finally GA

For years, admins used messy delete-and-restore hacks to convert synced users to cloud-only.

Now it’s officially supported.

You can convert individual users from on-premises authority to cloud-managed — without breaking hybrid entirely.

Why this matters:

* Easier M&A transitions

* Full access to Entra ID Governance features

* Cleaner lifecycle management

* Reduced dependency on legacy infrastructure

For hybrid environments moving toward cloud-first identity, this is huge.

Sponsored by:

If you are a systems administrator managing endpoints every day, you’ve probably postponed patching at least once — not because you forgot… But because you didn’t feel like gambling with uptime. Meanwhile, the backlog grows, vulnerabilities pile up, and patching stays stuck in manual mode.

Action1  fixes that.

Action1 is a cloud-native patch management platform for Windows, macOS, Linux, and third-party apps — all from one place, no VPN needed. Curious how easy it is to start? You can use it on your first 200 endpoints, for free, forever, with no functional limits. It’s not a disguised free trial. No credit card required, no hidden limits, no tricks.

All you have to do is visit on.action1.com/entrachat and get started today.

So, if you’re looking to automate patching at scale and get weeks— even months—of your time back, go to on.action1.com/entrachat and sign up for patching—that—just—works.

3️⃣ App Registration Deactivation (A Quietly Powerful Feature)

Microsoft added the ability to deactivate app registrations.

Instead of deleting an app (and losing configuration), you can now:

* Immediately stop token issuance

* Preserve metadata and permissions

* Investigate safely

* Re-enable without rebuilding

For incident response scenarios — especially in multi-tenant or MSP environments — this is a big step forward.

4️⃣ Conditional Access Behavior Changes

There’s also a change impacting tenants with Conditional Access policies targeting “All resources” but excluding certain apps.

Previously, certain minimal-scope apps could bypass enforcement under specific conditions.

That loophole is closing.

Admins should:

* Review message center notifications

* Audit legacy apps

* Validate MFA handling before rollout

As always with identity changes: being proactive is critical.

5️⃣ Sync Security Hardening (Hard Match Protection)

Microsoft is adding additional validation to protect against malicious hard matching scenarios in hybrid environments.

This reduces the risk of identity takeover via manipulated on-prem objects.

It’s automatic — but important to understand if you manage hybrid identity or MSP transitions.

Watch the full episode for the deep technical breakdown and real-world implications.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Daniel Bradley

Daniel is a Senior Solution Architect for CDW and Microsoft MVP in Identity & Graph API. He is a avid writer who enjoys investigating new features and building practical tools to share with the community through his blog. He also is one of the moderators for the r/entra subreddit.

* Website: https://ourcloudnetwork.com

* LinkedIn: https://www.linkedin.com/in/danielbradley2

* X: https://x.com/DanielatOCN

About Ewelina Paczkowska

Ewelina is a Solution Architect at Theatscape and a Microsoft Security MVP. She is a content creator and speaker who enjoys breaking down complex solutions into clear, practical guidance. Ewelina is also an organiser of the Microsoft 365 Security & Compliance user group and the creator behind Welka’s World, where she shares insights and real-world knowledge around Microsoft security and compliance.

* Website: https://welkasworld.com

* LinkedIn: https://www.linkedin.com/in/ewelinapaczkowska

* X: https://x.com/WelkasWorld

🔗 Related Links

* MC1221452 - Microsoft Entra ID: Auto-enabling passkey profiles - https://mc.merill.net/message/MC1221452

* Ability to convert Source of Authority of synced on-prem AD users to cloud users is now available - https://learn.microsoft.com/en-us/entra/identity/hybrid/user-source-of-authority-overview

* Service Principal creation audit logs for alerting & monitoring - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/understand-service-principal-creation-with-new-audit-log-properties

* Deactivate an app registration - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/deactivate-app-registration

* MC1223829 - Upcoming Conditional Access change: Improved enforcement for policies with resource exclusions - https://mc.merill.net/message/MC1223829

* Microsoft Entra Connect security hardening to prevent user account takeover - https://learn.microsoft.com/en-us/entra/fundamentals/whats-new#general-availability---microsoft-entra-connect-security-hardening-to-prevent-user-account-takeover

📗 Chapters

06:16 Converting Source of Authority to Cloud

15:37 Auto-Enabling Passkey Profiles

24:33 Deactivating App Registrations

31:56 Conditional Access for Excluded Apps

38:48 Sync Jacking Protection

41:45 Unified Tenant Configuration Management

46:31 Service Principal Creation Logs

Podcast Apps

🎙️ Entra.Chat → https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

Governance in Microsoft 365 has always been hard. Not because the tools didn’t exist, but because scale, complexity, and change made consistency almost impossible. As tenants grow, so do the challenges of configuration drift, manual admin changes, and inconsistent environments.

For years, admins have relied on scripts, tribal knowledge, and community-led solutions like Microsoft 365 Desired State Configuration (M365DSC) to manage this “policy sprawl”. While M365DSC was a groundbreaking open-source effort, it often faced a steep learning curve and lacked official Microsoft support.

Until now.

In this episode of Entra Chat, we sit down with Nik Charlebois, Principal Program Manager at Microsoft and the original visionary behind M365DSC. Nik now leads the charge for one of the most significant platform shifts in Microsoft 365 administration: Tenant Configuration Management (TCM).

Shadow IT and SaaS sprawl are outpacing IT teams

It can feel impossible to tackle these app governance challenges:📦 Entra ID isn’t secure by default💥 SaaS adoption & sprawl isn’t slowing down⌨️ Citizen Development keeps rising (hello, Copilot Studio!)🗑️ Vendors often don’t remove apps after uninstall🔃 Offboarding is inconsistent or doesn’t happen at all🥔 App governance is passed around like a hot potato

ENow AppGov Score shines a light on lurking risks, providing a free App Governance Benchmark Report for your Entra tenant. Reclaim control and protect against breach & disruptions. Free upgrade to Standard Tier for 7 days once you get your score.

What is Tenant Configuration Management?

TCM is Microsoft’s official “Config as Code” platform for M365. Built directly on top of the Microsoft Graph, it represents a new operating model for how tenants are governed.

Key features discussed in this episode include:

* Official Support: Moving beyond best-effort community maintenance to a fully supported Microsoft solution.

* Simplified Experience: Transitioning from cryptic MOF files to human-readable JSON templates, significantly lowering the learning curve for admins.

* Snapshot & Drift Detection: The ability to capture “snapshots” of your tenant’s current state and monitor for unauthorized changes.

* Automatic Remediation: Automatically reverting detected configuration drifts back to your defined “gold standard” state.

* Broad Coverage: Support for core workloads including Entra ID, Exchange, Intune, Purview, Defender, and Teams with more to come.

This isn’t just a new feature; it’s the evolution of tenant governance into a native, API-driven platform. Tune in to hear Nik explain how TCM is bridging the gap between community innovation and official enterprise-grade management.

Listen to the full episode now to learn how to start your journey with the TCM public preview!

Subscribe with your favorite podcast player or watch on YouTube 👇

About Nik Charlebois

Nik is a Principal Program Manager at Microsoft leading the Microsoft 365 configuration-as-code efforts. Ex-MVP, speaker, blogger, and author, he leads the configuration-as-code efforts for Microsoft 365.

LinkedIn - https://linkedin.com/in/nikcharlebois

🔗 Related Links

* Nik’s Blog - https://nikcharlebois.com/

* Overview of the unified tenant configuration management APIs - https://learn.microsoft.com/en-us/graph/unified-tenant-configuration-management-concept-overview

📗 Chapters

00:00 Intro

03:44 Origin of M365DSC

07:51 Introducing Tenant Config Management

09:24 Supported Workloads

11:15 Control Plane vs Data Plane

14:26 DSC vs TCM Architecture

15:22 Snapshots and Monitors

18:56 Managing Drift Across Environments

28:03 Licensing and Limits

32:48 Authentication and Permissions

37:53 Getting Started

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

In this episode, we sit down with Eric Woodruff, Chief Identity Architect at Semperis, to discuss the reality of achieving a 100% phishing-resistant environment. Over the course of just three months, Eric led a 600-person organization through a complete rollout of passkeys, Windows Hello for Business, and Platform SSO. This conversation moves beyond the technical “knobs and dials” to explore why organizational change management and C-suite buy-in are the true foundations of a successful identity modernization project.

Eric shares the creative strategies his team used to drive adoption, including a custom self-enrollment portal built with Power Platform that allowed early adopters to “dogfood” the technology. We dive into the “voluntold” phase of the rollout, where voluntary participation transitioned into mandatory policy, and how they used Power BI to track progress and identify “stragglers”. The episode also provides a transparent look at the technical hurdles encountered, from legacy application exclusions to troubleshooting older Android devices and niche browsers.

Looking ahead, we discuss the critical importance of protecting against “downgrade attacks,” where sophisticated phishing attempts try to bypass modern security by tricking users into traditional password entries. Eric emphasizes that the final mile of this journey—removing passwords entirely—is as much about supporting your helpdesk and documenting processes as it is about the technology itself. Whether you are managing a cloud-only tenant or navigating complex hybrid scenarios, this episode offers a practical roadmap for the future of enterprise identity.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Eric Woodruff

Throughout his 25-year career in the IT field, Eric has sought out and held a diverse range of roles. Currently the Chief Identity Architect for Semperis; Eric previously was a member of the Security Research and Product teams. Prior to Semperis, Eric worked as a Security and Identity Architect at Microsoft partners, spent time working at Microsoft as a Sr. Premier Field Engineer, and spent almost 15 years in the public sector, with 10 of them as a technical manager.

LinkedIn - https://www.linkedin.com/in/ericonidentity/

🔗 Related Links

* Phishing-resistant passwordless authentication deployment in Microsoft Entra ID

* Semperis Research Uncovers Ongoing Risk from nOAuth Vulnerability in Microsoft Entra ID, Affecting Enterprise SaaS Applications

* ConsentFix: Analysing a browser-native ClickFix-style attack that hijacks OAuth consent grants

* Meet Silver SAML: Golden SAML in the Cloud

* Manage tokens for Zero Trust

📗 Chapters

02:50 Rolling Out Passkeys

06:47 Application and Device Issues

09:49 Identifying Password Users

12:15 Lessons Learned for 2026

15:14 Understanding Downgrade Attacks

20:10 The NoAuth Vulnerability

27:08 Silver SAML Explained

32:56 Managing Service Principals

38:15 The Consent Fix Attack

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

Service principals worked for static apps, but AI agents are different—they make autonomous decisions using LLMs and require a new approach to identity and security.

In this episode of Entra Chat, Padma Parthasarathy, Product Manager for Microsoft Entra Agent Registry, explains why Microsoft created Entra Agent Registry and Agent ID, and how they provide identity, governance, and security for AI agents.

We cover agent collections, discovery policies, integration with identity protection, and how custom security attributes automate AI agent governance at scale. You’ll also see how agents discover other agents by skills, how global and quarantine collections control visibility, and why these capabilities are critical for enterprise AI security.

This is a must-watch (listen) for identity, security, and platform architects preparing for AI at scale.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Padma

With close to 20 years of experience in Identity, Security, and enterprise platforms, Padma Prasad Parthasarathy currently leads product and architecture for Security for AI and Agent Identity at Microsoft. He has built and scaled IAM and Zero Trust solutions across some of the world’s largest organizations, bridging deep technical expertise with real-world product impact.

LinkedIn - https://www.linkedin.com/in/padmaprasadp/

🔗 Related Links

* What is the Microsoft Entra Agent Registry? - https://learn.microsoft.com/en-us/entra/agent-id/identity-platform/what-is-agent-registry

📗 Chapters

00:00 Intro

02:14 The Rise of Digital Workers

07:13 Static Apps vs. AI Agents

12:43 Introducing Entra Agent Registry

17:28 Agent ID vs. Registry

24:08 How Agents Collaborate

30:29 Emerging Agent Standards

35:24 Understanding Agent Collections

42:05 Managing Risky Agents

46:01 Automating Agent Security

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

In this episode, I’m joined by Christopher Brumm from glueckkanja to discuss real-world experiences deploying Microsoft Entra Global Secure Access (GSA).We go beyond the docs to talk about actual customer rollouts, scaling challenges, retiring VPNs, and what teams often underestimate when moving to Zero Trust Network Access.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Christopher Brumm

Christopher Brumm is a Cyber Security Architect at glueckkanja AG in Germany. With more than 15 years of experience in IT security, Chris brings deep expertise and hands-on knowledge across the Microsoft Security portfolio and beyond. His career journey spans from network and data center technologies to Active Directory and Entra ID, with a strong focus on identity security.

As a Microsoft MVP and CISSP, Chris is an active voice in the security community, regularly speaking at events and sharing insights through blog posts on identity and security topics. His latest passion is Global Secure Access, where identity, security, and networking converge to deliver a holistic Zero Trust approach.

* LinkedIn - https://www.linkedin.com/in/christopherbrumm

🔗 Related Links

* Blog - https://chris-brumm.com

📗 Chapters

04:46 Proof of Concept vs Pilot

12:19 Deployment Strategy: The Blue Pill Approach

16:03 Solving Performance with Intelligent Local Access

17:49 Navigating Networking Challenges

25:14 The Hardest Part: Shutting Down Legacy VPNs

27:38 Handling External Access and BYOD

32:15 B2B Features and Tenant Switching

46:05 Why You Need the Microsoft 365 Profile

50:49 The Ultimate Admin Workstation Security

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

Nicolas Blank, Founder of NBConsult and a 20-year Microsoft MVP, joins the show to dismantle the complexity around Zero Trust.Most Zero Trust conversations fail because they start with technology. Nicolas flips the script by using powerful everyday analogies (locking your car, protecting your newborn) to land the three core principles with executives.

Essential watching for anyone implementing Zero Trust, securing Microsoft 365/Entra ID, or needing leadership support in 2026.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Nicholas Blank

Nicolas is the founder, as well an architect, author and speaker focused on Office 365 and Azure at NBConsult in South Africa, England and Hong Kong. Nicolas is a Microsoft Certified Master, Dual Microsoft MVP - Microsoft Office Apps and Services, Microsoft Azure since March 2007.​

Nicolas has co-authored the Microsoft Zero Trust Adoption Framework https://aka.ms/zero-trust-adopt, published by Microsoft; “Microsoft Exchange Server 2013: Design, Deploy and Deliver an Enterprise Messaging Solution”, published by Sybex and available on Amazon; as well as authoring “Azure Site Recovery: IaaS Migration and Disaster Recovery”, published by Pluralsight.

Nicolas can be found on LinkedIn: https://www.linkedin.com/in/nicolasblank/

Or via his Company Website:​ https://www.nbconsult.co

🔗 Related Links

* Microsoft Zero Trust Workshop - https://aka.ms/ztworkshop

* Zero Trust Adoption Framework - https://aka.ms/zero-trust-adopt

* Microsoft Digital Defense Report - http://aka.ms/mddr

📗 Chapters

01:52 The Why Behind Zero Trust

04:17 The Baby Analogy: Explaining Least Privilege

07:41 Debunking Security Myths

11:43 Assume Breach vs Being Secure

15:28 Getting Stakeholder Buy-in

20:24 The Immune System Approach

21:45 Ruining Attacker ROI 25:50 The

96% Statistic You Can’t Ignore

33:24 Where to Start: Practical Tools

37:54 The Zero Trust Adoption Framework

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

Is the traditional VPN dead? In the latest episode of Entra Chat, we dive deep Microsoft Entra Global Secure Access (GSA).Joined by Karen Simmel from the GSA product team and Thomas from the Entra CXE Architecture team, we explore how Microsoft is bridging the gap between identity and network security.The Shift from VPN to SASEThe "good old days" of spinning up firewalls and DMZs are fading. Traditional controls are often too coarse-grained and lack identity awareness. As Thomas explains, the COVID-19 pandemic accelerated the need for change when traditional VPN gateways physically couldn't handle the load of remote workforces.This has paved the way for SASE (Secure Access Service Edge) and SSE (Security Service Edge), which move security controls to the cloud at hyperscale.What is Global Secure Access?The team breaks down the confusing terminology to help you understand the core products:* Microsoft Entra Private Access: This is the ZTNA (Zero Trust Network Access) solution, replacing the classic VPN for accessing on-prem and private resources.* Microsoft Entra Internet Access: This acts as a Secure Web Gateway (SWG), protecting outbound access to SaaS apps and the internet with URL filtering and DLP controls.* Microsoft Entra Suite: A bundle that combines these network capabilities with Verified ID, Identity Governance, and Identity Protection for a comprehensive solution.The "Secret Sauce"Why choose Microsoft's solution? The differentiator is that GSA isn't just integrated with the Identity Provider (IdP)—it *is* part of the IdP.This deep integration allows for near real-time security. For example, if a user's device is compromised, the SOC team can revoke the token, and Entra can immediately terminate the network tunnel or prompt for step-up authentication. It brings the power of Conditional Access directly to network traffic.Better Performance, Better PrivacyContrary to the belief that security slows things down, GSA often improves performance. By leveraging Microsoft's massive global private fiber network, traffic is intelligently routed to the closest point of presence rather than being backhauled to a headquarters.From a privacy standpoint, admins have granular control. You decide what traffic is tunneled and inspected, ensuring you can meet compliance requirements (like those in the EU) without over-monitoring employee activity.Ready to Deploy?Deployment doesn't have to take months. Some customers are getting up and running with a Proof of Concept (PoC) in a single day. Whether you use the client-based agent or need client-less access for contractors, Microsoft provides detailed deployment plans to guide you.

Subscribe with your favorite podcast player or watch on YouTube 👇

About the Guests

Keren SemelKeren leads visibility and data insights for the Global Secure Access product group. Based in Tel Aviv, she brings deep experience from the SASE/SSE market to Microsoft.

LinkedIn: https://www.linkedin.com/in/keren-semel-4876383/Thomas Detzner Thomas is a lead architect in the Entra CxE team, specializing in Global Secure Access and Zero Trust. A former network engineer based near Munich, he helps organizations bridge the gap between traditional networking and modern identity security.

LinkedIn: https://www.linkedin.com/in/thomasdetzner/

🔗 Related Links

* Microsoft Global Secure Access Documentation - https://learn.microsoft.com/en-us/entra/global-secure-access/

* Zero Trust Workshop - https://aka.ms/ztworkshop

📗 Chapters

00:00 Intro

05:17 The Limitations of Legacy VPNs

12:49 SASE vs SSE vs ZTNA Explained

21:26 The Identity-Network Secret Sauce

29:42 Unpacking Entra Suite

33:20 Microsoft’s Global Network Architecture

38:19 Client and Clientless Connectivity

41:26 Deployment and POC Process

45:31 Migrating from Zscaler to GSA

47:15 Privacy and Compliance Controls

Podcast Apps

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

Louis Mastelinck, a Microsoft MVP and Security Consultant at Proximus NXT, joins me to discuss the critical journey of moving organizations away from SMS-based MFA.

We deep dive into a practical strategy for migrating users to the Authenticator app, starting with “stopping the bleed” and managing user groups. We also explore a significant security blind spot regarding Email OTP for SharePoint guest access and how to resolve it.

Finally, we debate the future of authentication with device-bound versus synced Passkeys and how to defend against downgrade attacks.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Louis Mastelinck

Louis Mastelinck is a Security Consultant at Proximus NXT and a recognized Microsoft MVP based in Belgium. Specializing in Incident Response and the full Microsoft Security stack (including MDE, MDO, Sentinel, and Identity Management), he is dedicated to neutralizing threats and securing digital environments. A GCFA-certified professional, Louis is known for his deep technical expertise in areas like Conditional Access and authentication methods.

LinkedIn - https://www.linkedin.com/in/louismastelinck/

🔗 Related Links

* Microsoft: Hang up on SMS - http://aka.ms/hangup

📗 Chapters

00:00 Intro

00:52 Props and PIM

01:41 The Dangers of SMS MFA

04:51 Strategy: Stopping the Bleed

10:06 Migrating Existing Users off SMS

19:20 Impact on Self-Service Password Reset

22:39 The SharePoint Email OTP Security Gap

25:13 Enabling Entra B2B Integration

34:28 Passkeys: Device-Bound vs Synced

44:40 Defending Against MFA Downgrade Attacks

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill