Over my last few posts, I’ve casually mentioned Authentication Context a few times, so I thought it was about time we gave the feature a proper spotlight. Within Microsoft Entra, we sometimes encounter scenarios where we need to enforce specific conditions for certain sub-actions or unique requirements. While Conditional Access can directly enforce conditions in most cases, there are times when it’s trickier — especially if we want to enforce a condition for a single  action

Getting annoyed or impatient when activating eligible roles in PIM — especially multiple roles at once? You’re not alone. Today, I’m sharing a solution to take the pain out of the process. Whenever I talk with clients, colleagues, or students about Microsoft Entra Privileged Identity Management (PIM), the first complaint I hear is always the same: activating roles is a headache! After hearing this one too many times, I decided to do something about it. What started as a quic

Today, I’ll take a closer look at Microsoft Entra Administrative Units (AUs)  and Restricted Management Administrative Units (RMAUs) Despite being incredibly useful, AUs and RMAUs are still underutilized in many environments. As organizations scale and responsibilities shift across teams, the need for scoped delegation becomes increasingly important. AUs let you define clear administrative boundaries, while RMAUs go a step further by blocking even high-privileged roles from m

Managing external users is one of the most tedious—but also critical—challenges in a Microsoft Business Premium environment. With authentication , authorization , and password security covered in earlier posts, we're now prepared to dive into identity and access management (IAM) specifically for external and guest users. Collaboration beyond organizational boundaries presents unique security challenges, particularly in balancing streamlined access and robust security practic

In my last post I covered how to monitor the GOD Mode in Azure (Coined by the great John Savill ). While visibility and monitoring are great capabilities, there’s a big issue: the permanent  nature of the access. - Let's fix that! The way Elevated Access currently works, there’s no built-in way to manage, or restrict it—not through PIM for time- and approval-based access, not with access reviews, and not with entitlement management either. Once access is enabled for a user,

Elevating access to manage Azure subscriptions is a valuable tool for administrators, particularly when dealing with unknown or orphaned subscriptions. However, with no built-in restrictions on when or how long this access can be used , monitoring these events is critical  to maintaining security and accountability. Global administrators occasionally need to enable Elevated Access  in Microsoft Entra to manage Azure subscriptions, but without proper oversight, this level of a

Protecting highly critical configurations in our Entra tenants has never been easier! Join me as we explore Protected Actions  in Microsoft Entra and how they help us lock down security-sensitive operations. A solid Identity and Access Management (IAM) strategy based on Zero Trust principles strengthens security by enforcing separation of duties, elevating access requests , and ensuring Just-In-Time (JIT) access , among others. But what if you need to further restrict specif

Managing emails for unlicensed admin accounts? Juggling a shared mailbox flooded with notifications from services and clients? Today’s solution: Plus addressing! In the world of IT administration, juggling multiple identities for a single employee can feel like a high-stakes balancing act. Notifications, admin emails, approval requests, and consent forms all demand clear separation from daily accounts. But licensing admin accounts? That can quickly get complicated. Enter Plus

As the season for audits approaches (though, let’s be honest, auditing should be an all-year-round endeavor), I’m excited to share a practical solution for managing role assignments across your tenant. Managing role assignments can feel overwhelming, especially when multiple administrators are involved in assigning, monitoring, auditing, and managing roles. It’s rarely a one-person job, and the complexities only grow with the scale of your organization. Combine that with incr

In this blog post, we’ll be covering the fundamentals  of Access Packages in Microsoft Entra—it’s all about getting a solid understanding...

As the Conditional Access series wraps up , we’re diving headfirst into a new adventure in Identity Management! Join me as I explore the...

As the countdown for my series draws to a close, there are still a few final points I’d like to explore, and hopefully, you’ll join me...

I’ve gathered the Conditional Access tributes from nearly every district, and today, we’re collecting the final ones as we approach the...

Today, we’re donning our coolest black shades, pulling on leather jackets, and proudly proclaiming, “We’ll be back!” —for when our...

Now that we’ve covered the baseline essentials, it’s time to focus our Conditional Access policy deployment a bit more. As I mentioned in...

Welcome to Microsoft Entra, where Zero Trust, permissions, and the infamous policy change await. Buckle up—this rabbit hole goes deep! IAM, or Identity & Access Management, is undoubtedly one of the most critical pillars of cybersecurity. The reason for this is simple: we want to trip up adversaries as much as possible while still allowing our end users access to necessary data, applications, and more, all while adhering to the Zero Trust principles— Assume Breach, Verify Exp

Understanding the authentication flow for Microsoft Entra  is essential when working with IAM in a Microsoft environment. Like the...