The Great Debate: P2 vs. Entra ID Governance for Guests
Jeremy Conley, Principal Product Manager on the Identity Governance team at Microsoft, demystifies the world of guest access in Microsoft Entra. We discuss the hidden security risks that accumulate as guests are invited into a tenant and the governance challenges this creates. We also do a deep dive into the different licensing tiers, from P2 to the new Entra ID Governance for Guests license, and explain the recently GA'd, cost-effective MAU-based billing model for guests. Jeremy provides actionable tips for admins to start cleaning up their tenants and implementing a robust governance strategy today.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Jeremy Conley
Jeremy Conley is a Principal Product Manager at Microsoft, focusing on identity governance. His work is centered on Entitlement Management and the governance of guest and external users within Microsoft Entra, helping customers secure their environments and manage user lifecycles effectively.
LinkedIn - https://www.linkedin.com/in/jeremy-conley-99552379/

🔗 Related Links
* Microsoft Entra ID Governance licensing for guest users - aka.ms/EntraIDGuestGovernance

📗 Chapters
00:51 What are Guests & External Users?
03:51 The Hidden Security Risk of Guests
07:14 Understanding Licensing for Guest Governance
09:10 P2 Features: Entitlement Management & Access Reviews
15:19 Entra ID Governance: Lifecycle Workflows & Automation
20:33 The "Sponsor" Concept for Guest Accountability
25:49 The NEW Guest Licensing Model Explained
28:15 Demystifying the 1:5 Ratio vs. MAU Billing
35:18 Common Mistakes Admins Make with Guests
37:22 A Simple First Step to Clean Up Your Tenant

Podcast Apps
🎙️ Entra.Chat - https://entra.chat
🎧 Apple Podcast → https://entra.chat/apple
📺 YouTube → https://entra.chat/youtube
📺 Spotify → https://entra.chat/spotify
🎧 Overcast → https://entra.chat/overcast
🎧 Pocketcast → https://entra.chat/pocketcast
🎧 Others → https://entra.chat/rss

Merill's socials
📺 YouTube → youtube.com/@merillx
👔 LinkedIn → linkedin.com/in/merill
🐤 Twitter → twitter.com/merill
🕺 TikTok → tiktok.com/@merillf
🦋 Bluesky → bsky.app/profile/merill.net
🐘 Mastodon → infosec.exchange/@merill
🧵 Threads → threads.net/@merillf
🤖 GitHub → github.com/merill

Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe
--------
44:22
The Hidden Risks of Non-Human Identities in Your Tenant
In this episode of Entra.Chat, I dive into the critical world of app governance with experts Jay Gundotra and Sander Berkouwer, who unpack the hidden risks of non-human identities in Microsoft Entra. From shocking real-world breaches like Midnight Blizzard to a hilarious tale of a theme park's water supply mishap, we explore why securing your cloud apps is more urgent than ever. Tune in to discover practical tips and tools to safeguard your organization without losing your giraffes!

About Jay Gundotra
Jay is the CEO and technical founder of E-Now. He has a long history as an Exchange and Active Directory engineer, which led him to found his company and focus on solving complex identity and application governance challenges for enterprises.
LinkedIn - https://www.linkedin.com/in/jay-gundotra-19079a/

About Sander Berkouwer
Sander Berkouwer is a 17-year Microsoft MVP veteran and an accomplished identity architect. With deep expertise from being "in the trenches," he partners with Jay to educate the community and build solutions for managing non-human identities and service principals.
LinkedIn - https://www.linkedin.com/in/sanderberkouwer/

🔗 Related Links
* AppGov Community - https://community.appgovscore.com/
* How Ownerless Apps in Entra ID Increase Your Attack Surface
* Securing Workload Identities in Entra ID: A Practical Guide for IT and Security Teams

📗 Chapters
00:00 Intro
01:55 What is App Governance?
04:02 The Origin Story of Focusing on App Governance
08:35 Why App Security is Critical Today
14:15 The Dangers of Over-Privileged Apps
20:38 The Giraffe Story: When Cleanup Goes Wrong
24:42 What Should a Successful Organization Do?
30:22 The Full Application Lifecycle: Onboarding to Offboarding
35:38 Building the AppGov Community
45:04 The Importance of Education and Automation
--------
48:47
Red Team Secrets: How we bypass Conditional Access (and how you can fix it)
In this episode of Entra.Chat, I dive deep with cybersecurity architect Fabian Bader into his research on bypassing poorly designed Microsoft Entra conditional access policies and what you can do about them. We also cover the game-changing new Group Source of Authority feature that lets you finally manage synced groups in the cloud, and share insights from Fabian's work with MSRC to secure the platform. Don't miss this one if you want to stay ahead in cloud security!

About Fabian Bader
Fabian Bader is a Cybersecurity Architect at glueckkanja, based in Hamburg, Germany. He is a well-known researcher in the Microsoft identity space, creator of the Cloud Brothers blog, and creator of the Maester and Token Tactics V2 tools. His work focuses on Microsoft Entra and the Defender suite, helping customers secure their cloud environments.
LinkedIn - https://www.linkedin.com/in/fabianbader/

🔗 Related Links
* Fabian's Blog - https://cloudbrothers.info/
* Entra Scopes - https://entrascopes.com/
* Maester - https://maester.dev/
* Token Tactics V2 - https://github.com/f-bader/TokenTacticsV2

📗 Chapters
02:19 The Story of the "Cloud Brothers" Blog
03:32 The Origin Story of Maester
07:39 Token Tactics V2 & Continuous Access Evaluation
09:43 How Conditional Access Bypasses Are Found
12:05 What is FOCI (Family of Client IDs)?
18:04 Hardening Your Conditional Access Policies
29:59 V1 vs V2 Token Endpoints Explained
38:19 Using Graph Activity Logs in Defender XDR
42:45 The New Group Source of Authority (SOA)
54:59 Workplace Ninjas US Announcement
--------
58:03
Inside Entra Resilience: Microsoft's Outage War Stories, Backup Secrets and Preventing Global Outages
In this episode, I sit down with my boss, Tarek Dawoud, to pull back the curtain on what really happens during a major service outage. Tarek shares some incredible "war stories" from his time in the trenches, from the early days of DirSync where the team had to edit a sync file with a debugger to prevent an incident, to the massive outages of 2017 and 2018 that changed everything. We'll give you a peek into the high-stakes, quick-thinking world of a "live site" incident and reveal the groundbreaking engineering principles like cell-based architecture and the backup authentication service that were born from these challenges, making Entra more resilient than ever before.

About Tarek Dawoud
Tarek Dawoud is a Lead Architect in the Customer Engineering team for Microsoft Entra. With years of experience growing up in Entra engineering, he has been involved in his share of outages and has a deep understanding of what it takes to build and maintain a resilient, hyperscale identity service.
LinkedIn - https://www.linkedin.com/in/tarekdawoud/

🔗 Related Links
* SLA performance for Microsoft Entra ID - aka.ms/entraidsla
* Microsoft Blames "Severe Weather" for Azure Cloud Outage
* Microsoft Probes Cause of Global Web Outage
* Microsoft's Azure AD authentication outage: What went wrong

📗 Chapters
00:57 What is a "Live Site"?
14:15 The Secret to Entra's Uptime: Cell-Based Architecture
18:09 How Entra Routes Your Login Request Globally
24:46 War Story #1: The 2017 Conditional Access Outage
29:52 War Story #2: How a Hurricane & an Office Bug Caused Chaos
43:39 The Backup Auth Service: Entra's Secret Weapon
57:54 Does the Backup Service Kick in Automatically?
01:04:16 Regional Isolation & The Power of Managed Identity
01:08:17 Anatomy of a Near-Outage in 2021
01:12:02 How Microsoft's Culture Learns From Mistakes
--------
1:15:26
Identity War Stories: Surviving the Domain Cutover Nightmare!
In this episode, I sit down with Conrad Murray, a seasoned expert who lives and breathes the complexities of IT migrations during mergers, acquisitions, and divestitures. We dive deep into the real-world challenges that companies face, from the political battles of deciding whose tenant to use, to the technical nightmares of migrating three-quarters of a petabyte of data for a major global firm. Conrad shares some incredible "war stories" about the single hardest part of any migration, the domain cutover, and reveals why the success of a months-long project boils down to just the first four hours of the end-user experience on a Monday morning.

About Conrad Murray
Conrad Murray is an expert in the IT lifecycle, specializing in complex tenant-to-tenant migrations for mergers, acquisitions, and divestitures. With over 15 years of experience moving companies to the cloud, Conrad has seen it all, from early BPOS and Lotus Notes migrations to massive, petabyte-scale Microsoft 365 consolidations.
LinkedIn - Conrad Murray

🔗 Related Links
* Google to Microsoft 365 Migrations
* PowerSyncPro

📗 Chapters
00:00:00 Intro
00:05:40 The Politics of Merging Tenants
00:07:23 Greenfield Tenants: A Fresh Start
00:09:58 War Story: Migrating 750TB for S&P Global
00:19:13 The Nightmare of Domain Cutovers
00:25:14 The Critical Day-One User Experience
00:30:00 Reconfiguring Mobile Devices: The Hardest & Easiest Part
00:35:46 Multi-Tenant Orgs (MTO): A Long-Term Solution?
00:49:22 The Unique Challenges of Divestitures
00:55:17 Data Cleanup That Never Happens
01:01:06 Tools of the Trade for Migration Success
Entra Chat is a weekly podcast hosted by Merill Fernando and delivers practical insights for Microsoft administrators and security professionals through conversations with identity experts who've been in the trenches.
Episodes feature seasoned Entra practitioners sharing real-world deployment experiences and Microsoft Entra team members who build the features you use daily.
Get the inside track on best practices, implementation strategies, and upcoming capabilities directly from those who design and deploy Microsoft identity solutions.
Join us for actionable takeaways you can apply immediately in your Microsoft 365, Azure, and Entra environments.
---
Entra.Chat, its content and opinions are my (Merill Fernando) own and do not reflect the views of my employer (Microsoft). All postings are provided "AS IS" with no warranties and are not supported by the author. All trademarks and copyrights belong to their owners and are used for identification only. entra.news