In this episode, I chat with the legendary Tony Redmond, a prolific writer and author of "Office 365 for IT Pros". Tony shares unfiltered insights from his career, critiques the state of technical writing and AI, and discusses the challenges with PowerShell and the future of AI agents in the Microsoft ecosystem.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Tony Redmond

Tony Redmond is a well-known and prolific writer in the Microsoft 365 space. After a long career in large tech companies like Digital, Compaq, and HP, where he rose to the level of Vice President, he became an independent consultant and author in 2010. He is the lead author of the widely respected and continuously updated e-book, "Office 365 for IT Pros," and "Automating Microsoft 365 with PowerShell."

LinkedIn - https://www.linkedin.com/in/tonyredmond/

🔗 Related Links

* Office 365 for IT Pros (Book) - https://office365itpros.com

* Practical 365 - https://practical365.com

📗 Chapters

00:00 Intro

03:50 Tony's career and lessons from corporate life

09:06 The story behind the "Office 365 for IT Pros" book

21:35 Tony's rules for great technical writing

25:31 The problem with duplicate content and AI summaries

36:31 A critique of the Graph PowerShell SDK

45:15 The dangers of AI and the need for guardrails

50:57 Microsoft's mistake: Rushing tech without guardrails

55:04 The cyclical nature of technology and IT challenges

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill's socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

In this episode, I sit down with Erin Greenlee, the Product Manager for App Consent on Microsoft’s App Platform Team. We dive into the critical world of app consent and the upcoming Microsoft 365 secure-by-default changes. We explore the nuances of user and admin consent, the impact of the mid-July 2025, policy shift, and how admins can prepare for a more secure Entra environment.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Erin Greenlee

Erin Greenlee is a Product Manager at Microsoft, specializing in the App Platform Team within the Identity and Network Access division. With a decade of experience at Microsoft, including roles in B2C and domain services, Erin now focuses on consent, authorization, and app roles, helping organizations secure their applications while enabling productivity.

LinkedIn - https://www.linkedin.com/in/eringreenlee/

🔗 Related Links

* MC1097272 - Microsoft 365 Upcoming Secure by Default Settings Changes - https://mc.merill.net/message/MC1097272

* Entra Admin Consent Workflow - https://docs.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow

* Configure how users consent to applications - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent

* Manage app consent policies - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-app-consent-policies

* Review App Consent audit logs - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/app-perms-audit-logs

📗 Chapters

02:15 What is App Consent?

03:22 Delegated vs. Application Permissions

07:45 The User Consent Balancing Act

13:58 How Consent is Evaluated

17:33 Understanding Tenant Consent Policies

22:28 The Admin Consent Workflow

31:18 The Big Change: Microsoft's Secure-by-Default Update

41:35 How to Prepare for the Change

49:05 Advanced Delegation with Custom Policies

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill's socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

In this episode, we talk with an identity expert, ex-Microsoftie and Principal Domain Architect, Mark Renoden, about creating a modern Privileged Access Management (PAM) solution for on-premises Active Directory. Discover how to build a secure "Bastion Forest" architecture using Microsoft Entra. We talk about PIM for Groups, group write-back, phish-resistant credentials, Privileged Access Workstations (PAW), securing an Entra tenant from the ground up, and navigating challenges with Cloud Solution Provider (CSP) permissions.

Watch on YouTube

PS. Can I ask a favor? If you enjoyed this episode please leave a review and rating! Thank you 🙏 - Merill

About Mark

As Principal Domain Architect for Identity at Increment, Mark leads the design and delivery of secure, scalable identity architectures grounded in Microsoft Entra ID and aligned with Zero Trust principles. He specializes in helping organisations modernise their infrastructure and navigate complex identity transformations.

Previous to Increment, Mark spent over 20 years at Microsoft in support, field engineering, mission critical and customer experience roles focused on Identity across a wide spectrum of industries in Australia and New Zealand, including Finance, Healthcare, Government, Education and Retail.

LinkedIn - https://www.linkedin.com/in/markrenoden/

🔗 Related Links

* DirectoryShield | Increment - https://www.increment.inc/directoryshield

* Entra Security Recommendations - https://aka.ms/EntraSecurityRecommendations

* Securing privileged access overview - https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-overview

* MIM - Bastion environment - https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment

📗 Chapters

00:46 Securing Your Entra Tenant

02:09 The Quest for a Microsoft-Only PAM Solution

04:21 What is a "Bastion Forest"?

07:50 Reimagining the Bastion Forest for the Cloud

12:53 Architecting a "Secure-by-Default" Tenant

17:41 Phish-Resistant On-Prem Admins

19:50 The Modern Privileged Access Workstation (PAW)

27:04 The Tiered Administration Model Explained

29:51 The Hidden Dangers of CSP Admin Access

34:29 How Fast is PIM for Groups?

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill's socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

In this very special episode, I sit down with the "Yoda of Entra" himself, Tarek Dawoud, who also happens to be my manager!

We dig deep into the fascinating and often surprising history of Microsoft's identity platforms. Tarek, who has been on the team since 2007, takes us on a journey from the revolutionary launch of Active Directory in 1999, through the creation of the cloud services that battled Google Apps, to the formation of the identity division and the eventual rebrand to Entra.

You'll hear the inside story on how our customer experience team became a "secret weapon" and, most excitingly, we'll look at what the future holds for Identity and Access Management in the new age of AI agents.

Watch on YouTube

PS. Can I ask a favor? If you enjoyed this episode please leave a review and rating! Thank you 🙏 - Merill

About Tarek Dawoud

Tarek Dawoud is a long-time veteran at Microsoft, having been with the company for over 18 years. Tarek currently leads the architecture team within the customer engineering (CXE) organization, where he helps customers deploy Entra, gathers insights for the product group, and works to solve the hardest identity problems.

LinkedIn - https://www.linkedin.com/in/tarekdawoud/

🔗 Related Links

📗 Chapters

00:00 Intro

08:58 The Beginning: The Vision of Active Directory (AD)

14:51 The Consumer Side: Microsoft Passport & The Standards Debate

18:29 A Defensive Play: How Google Apps Sparked Microsoft's Cloud Identity

27:21 The First Merger: Active Directory & Cloud Teams Unite

32:03 The Birth of Conditional Access & The Authenticator App

42:52 The Security Re-org: Identity Moves to a New Home

45:30 A New Era: Rebranding to Entra

48:52 The Future is Now: AI, Agentic Identities, and the End of PowerShell?

Podcast Apps

🎙️ Entra.Chat → https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill's socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

In this episode, we are joined by Maqsood Bhatti, the IAM Principal Engineer at Elkjøp Nordic, who takes us through their incredible journey of migrating from the legacy NetIQ platform to Microsoft Entra.

What's fascinating is how they accomplished this years ago, completely bypassing traditional tools like Entra Connect and adopting a "production-only" environment. Maqsood shares how they built a truly cloud-native identity solution from the ground up, leveraging custom connectors, app roles, and automating everything, including moving off the legacy platform entirely.

You’ll also hear about their advanced use of Microsoft Identity Governance, Logic Apps for custom provisioning, and a strict modern authentication policy that has shaped their identity and access management (IAM) for nearly a decade.

Watch on YouTube

PS. Can I ask a favor? If you enjoyed this episode please leave a review and rating! Thank you 🙏 - Merill

About Maqsood

Maqsood is the IAM Principal Engineer at Elkjøp Nordic, a company that was an early adopter of access automation since 2006. He has been instrumental in their journey from legacy systems like NetIQ to a modern, cloud-native Microsoft Entra infrastructure , championing innovative approaches like custom API integrations and a "prod-only" development environment.

LinkedIn - https://www.linkedin.com/in/maqsoodbhatti/

🔗 Related Links

* Elkjøp Nordic unngår IT-floker med storskala automatisering

📗 Chapters

00:00 Intro

01:10 Early Days & NetIQ Automation

03:34 The Journey to Public Cloud & Microsoft 365

08:23 Custom Connectors and Real-Time Sync

15:08 Embracing Azure, App Roles & Modern Auth

19:29 Password Sync & Skipping Entra Connect

22:57 Decommissioning NetIQ: Challenges & Motivations

27:27 Leveraging Entra ID Domain Services as a Bridge

33:28 Mastering App Roles & Guiding Developers

44:27 Migrating to Entra ID Governance & Logic Apps

52:57 The "Prod-Only" Philosophy & Cloud-Native Mindset

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill's socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

Tobias Binkert, Head of IT at We Are Era, and Yusuke Kodama, Product Manager at Microsoft (who specialises in cloud-first identity, among many other things), join us to discuss We Are Era’s successful migration from on-premises Active Directory to a fully cloud-native Microsoft Entra ID environment.

We delve into the motivations behind this significant shift with practical strategies for migrating devices using Microsoft Autopilot, modernizing applications, managing user accounts and groups in the cloud, and overcoming challenges like legacy RADIUS dependencies. Tobias shares the tangible benefits We Are Era experienced, including enhanced security, a superior user experience and increased agility for adopting new technologies.

LinkedIn

* Tobias Binkert - https://www.linkedin.com/in/tobias-binkert-83844810a/

* Yusuke Kodama - https://www.linkedin.com/in/yusukekodama85/

On a related note we ran a poll a few weeks ago asking what your Identity plans were for 2030 and beyond. Nearly 90% of you were looking to go Entra ID first with more than half planning to go full cloud native with Entra ID.

So hopefully this episode with Tobias and Yusuke will help shed some light and help you start your journey to going cloud-first/cloud-native.

Watch on YouTube

PS. Can I ask a favor? If you enjoyed this episode please leave a review and rating! Thank you 🙏 - Merill

🔗 Related Links

* Road to the cloud: Introduction

* Cloud transformation posture

* Establish a Microsoft Entra footprint

* Implement a cloud-first approach

* Transition to the cloud

📗 Chapters

00:00 Intro

03:20 The Motivation: Why Decommission On-Prem Active Directory?

06:23 Gaining Buy-In: Negotiating with Business Units

09:56 The ROI & Cost Impact: Saving 70% on Infrastructure

14:47 Device Migration: Tackling Windows Workstations with Autopilot

25:31 Server & Application Challenges: RADIUS, Printing, and More

32:06 User Accounts & Groups: The Shift to Cloud-Only Identities

44:19 Addressing Security & Availability Concerns of Full Cloud

49:43 Life After AD: Next Steps and Future Identity Initiatives

51:45 Lessons Learned & Key Advice for Your Cloud Migration

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill's socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

In this episode we chat with Sapir Federovsky, a Security Researcher at CrowdStrike, who shares her journey from military service to becoming an identity threat researcher.

She discusses her learning methods, the importance of community, and the challenges of keeping up in the fast-paced world of Azure and Entra ID security.

Sapir also delves into specific Entra ID features she focuses on, the critical role of prevention alongside detection, and her experiences as a woman in the tech industry.

LinkedIn - https://www.linkedin.com/in/sapir-federovsky-a687491b0/

Watch on YouTube

PS. Can I ask a favor? If you enjoyed this episode please leave a review and rating! Thank you 🙏 - Merill

🔗 Related Links

* Sapir's blog - https://sapirxfed.com/

* Reportly - https://github.com/sap8899/reportly

📗 Chapters

00:00 Intro

01:17 Early Career Perspectives & Learning Journey

03:25 Transitioning from Military to Civilian Tech

04:25 Learning Cloud Security & The Power of Talks/Blogs

08:19 Building a Tool for Log Analysis

12:26 A Typical Day: Continuous Learning & Community Sharing

15:08 Balancing Learning Old & New in a Fast-Evolving Field

17:38 The Power of Teaching to Master a Topic

19:37 Learning by Answering Questions

21:17 Vision: Becoming the Ultimate Defender & Community Building

23:48 Deep Dive: Graph Activity Logs in Entra ID

27:33 Focusing on Hybrid Environments & Synchronization

29:37 Experiences as a Woman in Tech

36:29 The Shift from Detection to Prevention & Hardening

39:13 The Challenge of Updating Tenant Configurations

45:57 Navigating Organizational Change Management Cycles

50:29 Final Advice: Always Say Yes & Create Opportunities

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill's socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

In this episode we chat with Microsoft PM Jordan Gross about the exciting world of Entra Kerberos.

Discover how this crucial feature bridges the gap between traditional on-premises Active Directory and the modern cloud, enabling seamless authentication for legacy applications in hybrid environments.

Jordan delves into the mechanics of Entra Kerberos, its different operational modes (up-level and down-level trust), and its significance for organizations migrating to the cloud.

We also explore MAM (Mobile Application Management) on Edge, another innovative solution Jordan worked on, which helps secure browser access on personal devices.

LinkedIn - https://www.linkedin.com/in/jordangross61/

PS. Can I ask a favor? If you enjoy this podcast please leave a review and rating on your podcast app! This helps more folks discover Entra.Chat - Thank you 🙏 - Merill

Watch on YouTube or get the podcast from the links below 👇

🔗 Related Links

Entra Kerboros

* How Azure AD Kerberos Works • Steve Syfuhs

* Cloud Kerberos trust deployment guide

* Use Kerberos for single sign-on (SSO) to your resources with Microsoft Entra Private Access

* Kerberos Constrained Delegation for single sign-on (SSO) to your apps with application proxy

* Enable Microsoft Entra Kerberos authentication for hybrid identities on Azure Files

* How Windows Authentication for Azure SQL Managed Instance is implemented with Microsoft Entra ID and Kerberos

* Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID

* Enable Kerberos SSO to on-premises Active Directory and Microsoft Entra ID Kerberos resources in Platform SSO (MacOS)

MAM

* Data protection for Windows MAM

📗 Chapters

00:00 Intro

01:24 Introducing Entra Kerberos & MAM on Edge

03:13 What is Entra Kerberos?

04:14 Understanding Traditional Kerberos

06:39 Why Entra Didn't Just Use Kerberos Initially

07:36 The Lingering Importance of On-Prem AD

09:08 Where Entra Kerberos Fits: Solving Hybrid Problems

10:06 Use Cases: Regulations & File Sharing (SMB Protocol)

11:55 How Entra Kerberos Works: Two Styles

13:36 Modern Auth vs. Down-Level Trust Explained

14:04 The Convenience of Cloud TGTs with Windows Hello

15:26 Accessing Resources: TGT to TGS Exchange

17:03 How Apps Trust Entra Kerberos Tickets

18:00 Admin Setup for Trust Relationship

19:22 Supporting Legacy Apps in a Modern World

21:24 Benefits Over NTLM & Conditional Access

23:04 Future of Entra Kerberos: Cloud-Only Users

26:28 Expanding Support: Mac, Linux & Mobile Devices

29:13 Current Big Use Cases: Azure Files & AVD

30:06 Understanding Down-Level Scenarios

31:42 Interaction with Global Secure Access

33:57 Transition to MAM for Edge

34:27 What Problem Does MAM for Edge Solve?

36:12 How MAM for Edge Protects Personal Devices

38:11 Security Scope: Benign User Mistakes vs. Hackers

40:23 Combining MDM and MAM for Enhanced Security

41:20 Deployment: Intune Policies & Entra Configuration

43:18 Windows-Only Feature for Now

44:10 Benefits: Security, User Empowerment & Visibility

48:13 Intune Dependency & Flexibility with Other MDMs

49:50 The Fun of Cross-Team Collaboration

50:48 Concluding Thoughts & Thank You

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill's socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

In this episode, Simon Gottschlag, CTO of Co-native and a Microsoft MVP in Azure, discusses his innovative prototype for implementing Azure service principal impersonation using Azure Functions and Key Vault.

We explore the challenges of managing service principals, the journey to building a solution, and the potential for improving developer experience in platform building. Simon shares insights on the four-eyes principle, Entra ID's newer attribute-based access control (ABAC) vs the traditional RBAC model, and how his solution can enhance security and auditability in Azure environments.

LinkedIn - https://www.linkedin.com/in/simongottschlag

🔗 Related Links

* Azure Service Principal Impersonation - https://github.com/co-native-ab/azure-service-principal-impersonation

* pimctl - https://github.com/co-native-ab/pimctl

📗 Chapters

00:00 Intro

00:42 Meet Simon: CTO & Azure MVP

01:51 The Project: Azure Service Principal Impersonation

02:11 The Problem: Challenges in Managing Service Principals

03:47 Journey to the Solution: Building Platforms & Terraform Pain Points

06:50 The Challenge with Graph Permissions & Least Privilege

08:27 Improving Developer Experience in Platform Building

11:05 The Core Issue: Running Operations Locally vs. Service Principals

13:43 The Idea: Service Principal Impersonation

13:50 Four-Eyes Principle and PIM in Azure

15:40 Understanding Attribute-Based Access Control (ABAC)

18:58 Enforcing Role Delegation with ABAC and PIM

20:12 Clarifying Service Principal Access with PIM and Four-Eyes

21:26 The Local Development Dilemma with Security Principles

22:02 PIM CTL: A CLI Tool for PIM

22:42 New Challenge: Azure Managed Grafana & Terraform Authentication

23:36 AC Identity Terraform Provider: Getting Tokens from Entra

24:42 The Big Question: Securely Getting Service Principal Tokens Locally

25:21 What is Impersonation in This Context?

26:27 Building the Solution: Federated Credentials & Custom Token Exchange

28:42 How the Azure Function Works: Authentication & Token Issuance

29:26 The Result: Consistent Workflow & Auditability

31:05 Open Source: How to Set Up and Try the Prototype

33:31 Use Cases: DevOps Automation & Time-Limited Access

35:15 Potential: Multi-Cloud Deployments & Extending Entra

Podcast Apps

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill's socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill

🎙️ Entra.Chat - https://entra.chat

This episode of Entra Chat features Anju Singh, a Product Manager at Microsoft in the Microsoft Entra Authentication Experiences team. We discuss the newest authentication method in Entra: QR codes!

Anju answers heaps of questions in this deep dive including why Microsoft chose QR codes, how it works under the hood, what you should and shouldn't use it for, and the biggest question - is it considered MFA?

LinkedIn - https://www.linkedin.com/in/anjusingh29/

Prefer watching? Search for ‘Entra.Chat’ on YouTube

🔗 Related Links

* QR Code Announcement - https://techcommunity.microsoft.com/blog/microsoft-entra-blog/simplify-frontline-workers’-sign-in-experience-with-qr-code-authentication/3822034

* QR code authentication method - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-qr-code

* Best practices to protect frontline workers - https://learn.microsoft.com/en-us/entra/identity-platform/security-best-practices-for-frontline-workers

* Set up optimized QR code authentication experience in Android app - https://learn.microsoft.com/en-us/entra/identity-platform/android-qr-code-pin-authentication

* Set up optimized QR code authentication experience in iOS/macOS app - https://learn.microsoft.com/en-us/entra/identity-platform/ios-qr-code-pin-authentication

📗 Chapters

00:00 Intro

02:58 Topic Intro: QR Code Authentication for Frontline Workers

03:30 The Problem: Why QR Code Sign-In?

04:09 Who Are Frontline Workers?

05:41 Challenges with Current Authentication (Username/Password)

07:29 Balancing Simplicity and Security

10:40 Target Scenario: Shared Devices

11:36 Other Use Cases: Education Sector

12:30 How It Works: User Sign-In Experience

15:34 QR Code Contents: More Than Just a Username

16:40 PIN & QR Code Relationship

17:13 Scenario: Lost Badge & Admin Actions

18:32 Replacing the PIN

19:10 Delegated Management: The My Staff Portal

22:11 Handling Forgotten Badges: Temporary QR Codes

24:45 Rolling Out: Bulk Generation via APIs

26:12 Cost Comparison: QR Codes vs. FIDO Keys

28:05 The Big Question: Is it MFA?

29:43 Security Best Practices & Conditional Access

30:43 Combining QR Code with MFA

35:31 Fallback Options (Username/Password, TAP)

37:35 Public Preview & Call for Feedback

38:57 Current Scope: Mobile Devices & Tablets Only

40:09 Integrating QR Sign-In into Apps (Web View vs. MSAL)

41:00 Desktop Support Status

42:26 How to Provide Feedback

43:30 Future Considerations: Barcode Scanners

44:39 Closing Thoughts & Call to Action

——

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

——

Merill's socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill