Check out ๐๐ง๐ญ๐ซ๐๐๐จ๐๐ฌ๐๐ซ๐๐๐ค๐๐ซ to stay always up to date with everything Microsoft Entra > https://t.co/l0ASxpwNga
๐๐ก๐ข๐ฌ ๐ข๐ฌ ๐๐๐๐ข๐ง๐ข๐ญ๐๐ฅ๐ฒ ๐ ๐ฉ๐๐ ๐ ๐ญ๐จ ๐๐จ๐จ๐ค๐ฆ๐๐ซ๐ค
One way I stay up to date with all changes in Microsoft Entra is by monitoring updates to the Microsoft documentation, which often gets updated before official announcements of new features. Previously, I did this privately, but here I have turned it into an easy-to-use website, with a sprinkle of AI to summarise often difficult-to-read large commits.
Let me know what you think!
#Microsoft #Entra #EntraDocsTracker
Education is difficult... we partner with some universities with 50k+ student identities. It's a challenge, but it's certainly doable. Although most primary-age education environments I have been in are on traditional AD. It's a bit more manageable when you get to secondary and higher ed.
๐ Stop bypassing MFA by adding your Office IP addresses to Conditional Access exclusions ๐
Read this now on why you shouldn't do this > https://t.co/RgnRLurmGR
Modern threats have evolved, and your justification for why you have done this no longer matters.
๐๐จ๐ฎ ๐ฆ๐๐ฒ ๐ญ๐ก๐ข๐ง๐ค ๐ข๐ญ ๐๐๐๐ฌ ๐ญ๐จ ๐ฆ๐ฎ๐๐ก ๐๐ซ๐ข๐๐ญ๐ข๐จ๐ง ๐ฐ๐ก๐ข๐ฅ๐ ๐ข๐ง ๐ญ๐ก๐ ๐จ๐๐๐ข๐๐?
No, misconception. Microsoft invented their own token to solve this, called a PRT (or Primary Refresh Token). It works for AD Joined, Hybrid, or Entra-only devices, so no excuses.
๐๐จ๐ฎ ๐ฆ๐๐ฒ ๐ญ๐ก๐ข๐ง๐ค ๐ฎ๐ฌ๐๐ซ๐ฌ ๐๐จ๐ง'๐ญ ๐ก๐๐ฏ๐ ๐ฌ๐ฎ๐ฉ๐ฉ๐จ๐ซ๐ญ๐๐ ๐๐๐ฏ๐ข๐๐๐ฌ (๐จ๐ซ ๐ข๐ญ๐ฌ ๐ญ๐จ๐จ ๐ข๐ฆ๐ฉ๐๐๐ญ๐๐ฎ๐ฅ)
No, misconception. Plenty of platforms let you to federate your logins to offer custom authentication options. Like QR code badges, which satisfy MFA through your webcam.
๐๐ข๐ ๐ฒ๐จ๐ฎ ๐๐จ๐ซ๐ ๐๐ญ ๐๐๐จ๐ฎ๐ญ ๐ฉ๐จ๐ฐ๐๐ซ๐๐ฎ๐ฅ ๐๐๐ฏ๐ข๐๐-๐๐๐ฌ๐๐ ๐๐จ๐ง๐๐ข๐ญ๐ข๐จ๐ง๐๐ฅ ๐๐๐๐๐ฌ๐ฌ ๐๐๐๐ญ๐ฎ๐ซ๐๐ฌ?
Requiring device compliance in Conditional Access is non-interruptive for users, but acts as a highly impactful "second factor".
#Entra #Microsoft
Microsoft are adding native time-bound access to Purview Role Groups this month! Check it out > https://t.co/jkaeamGCHj
Role Groups in Purview don't support PIM natively, but they are necessary for admins and compliance teams to operate Purview or manage specific, time-limited compliance cases. While it's not a full PIM integration, you'll soon be able to assign role groups on a limited, time-bound basis.
I explore this a little in my blog post linked above. While the UX isn't ready for this feature, you can still configure it using PowerShell.
#Microsoft #Purview #Entra
@Alex_Pearce But what about the other 3 sub processors that where already listed, like Anthropic. For any of these sub processors, your data is authorised to be stored and processed outside of Azure anyway :)
https://t.co/tSEtzsCS23 tracks which Graph API permissions can be used for each built-in Microsoft Admin role. And it also keeps track of changes, allowing you to compare the difference when roles are updated! ๐
A challenge for those writing Microsoft Graph PowerShell scripts is knowing which Graph API permissions work for which Role. This is because there is no mapping between between the two, as they work on independent authorisation planes. I asked Microsoft about this challenge last year and it wasn't something they planned to solve... Yes, some Graph API endpoints provide a "least privileged role" in the documentation, but it doesn't solve the problem, which is why I built this utility.
#Microsoft #Entra #Roles
The Microsoft Licensing FAQs finally clarify a long-standing point of frustration for Entra ID. I have broken this down here https://t.co/smodwJLoQQ
The "One Person, One License" philosophy for Microsoft Entra was only ever shared through blog posts and social media, meaning people often doubted whether it breached the current licensing terms or not. Now, the Microsoft Licensing FAQs clarify these points.
๐๐๐: ๐๐ญ๐จ๐ฉ ๐ฅ๐ข๐๐๐ง๐ฌ๐ข๐ง๐ ๐ฌ๐๐๐จ๐ง๐๐๐ซ๐ฒ ๐๐๐๐จ๐ฎ๐ง๐ญ๐ฌ (๐ฅ๐ข๐ค๐ ๐๐๐ฆ๐ข๐ง ๐๐๐๐จ๐ฎ๐ง๐ญ๐ฌ) ๐ฐ๐ก๐๐ซ๐ ๐ข๐ญ ๐ข๐ฌ๐ง'๐ญ ๐ซ๐๐ช๐ฎ๐ข๐ซ๐๐.
#Entra #Microsoft
@Nigel_Farage Is social media safety not part of the current IT syllabus for secondary schools... surely that would make more sense? Social media was way worse 20 years ago during the times of Bebo and Tumblr. Nothing like preparing adolescents for adulthood like treating them like a child.
Baseline Scope enforcement in Conditional Access is rolling out today, but Microsoft have hidden the setting for it > https://t.co/3k5omkG8af
Currently, if a Conditional Access policy includes an exclusion, and your application only requests a specific set of baseline directory scopes (like https://t.co/f44DVMcoIo), then that authentication request could bypass the Conditional Access policy.
Rolling out from today, this behaviour is changing, and all authentication requests will be subject to Conditional Access policy enforcement.
For 99.9% of organisations, there will be no impact on you, but for a small subset that have built their own applications, you should verify any impact following the steps I have outlined in my article!
#Microsoft #Entra
Check it out ๐ฉต You can now validate PIM requests automatically (like verifying a Ticket ID) using Custom Extensions! Read here > https://t.co/u1PIEnveME
This could be such a game changer, both for security, validation and accountability for accessing Roles, Groups and Azure Resource.
Once configured properly, you go from an organisation that only reacts to critical privileged access events, to an organisation that implements zero trust programmatically to a critical part of the user elevation process.
While it would require some development, I'm sure it will not be long for ISV's to integrate API's and approval logic to integrate natively into PIM!
#Microsoft #Entra #PIM