
Entra.Chat

Merill Fernando

57 episodes

  • Entra.Chat

    Stop Leaving the Door Open: The Entra ID Hardening Checklist Security Experts Actually Use

    18/04/2026 | 59 mins.
    Microsoft Entra security is evolving and the way organizations think about identity protection needs to evolve with it. In this episode, I’m joined by Sean Metcalf, one of the foremost identity security experts in the industry, whose work has helped shape how many organizations approach securing both Active Directory and Microsoft Entra. Sean shares the hardening steps many teams still overlook, and why advances in AI are making it easier for both defenders and attackers to work faster than ever before. From MFA and application controls to protecting privileged accounts and reducing unnecessary exposure, this conversation offers a practical look at where strong identity security starts and why getting the fundamentals right matters more than ever.
    Subscribe with your favorite podcast player or watch on YouTube 👇

    About Sean Metcalf
    Sean Metcalf is the Identity Security Architect at TrustedSec and a renowned expert in Microsoft identity security. He holds the rare Certified Master in Active Directory certification and has spoken at major security conferences including Black Hat, DEF CON, and BlueHat on how to defend cloud and hybrid environments.
    LinkedIn - https://www.linkedin.com/in/seanmmetcalf/
    🔗 Related Links
    * Securing Entra ID Administration: Tier 0 - https://trustedsec.com/blog/securing-entra-id-administration-tier-0
    * Managing Privileged Roles in Microsoft Entra ID: A Pragmatic Approach - https://trustedsec.com/blog/managing-privileged-roles-in-microsoft-entra-id-a-pragmatic-approach
    * Improve Entra ID Security More Quickly - https://adsecurity.org/?p=4825
    * Microsoft Graph Skill - https://graph.pm
    📗 Chapters
    00:04:05 AI and the Evolution of Attacks
    00:06:42 The Importance of Hardening Fundamentals
    00:12:03 Securing Entra ID Quickly
    00:16:24 Protecting Tokens with VBS and TPM
    00:19:58 Restricting Consent and Guest Users
    00:23:40 Managing Rogue Tenants
    00:27:36 Cloud Admin Workstation Strategies
    00:34:14 Delegated Admin Privileges
    00:44:32 The Danger of Application Permissions
    00:57:06 Artemis Mission Trivia
    Podcast Apps
    🎙️ Entra.Chat - https://entra.chat
    🎧 Apple Podcast → https://entra.chat/apple
    📺 YouTube → https://entra.chat/youtube
    📺 Spotify → https://entra.chat/spotify
    🎧 Overcast → https://entra.chat/overcast
    🎧 Pocketcast → https://entra.chat/pocketcast
    🎧 Others → https://entra.chat/rss
    Merill’s socials
    📺 YouTube → youtube.com/@merillx
    👔 LinkedIn → linkedin.com/in/merill
    🐤 Twitter → twitter.com/merill
    🕺 TikTok → tiktok.com/@merillf
    🦋 Bluesky → bsky.app/profile/merill.net
    🐘 Mastodon → infosec.exchange/@merill
    🧵 Threads → threads.net/@merillf
    🤖 GitHub → github.com/merill


    Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe
  • Entra.Chat

    How to Design Bullet-Proof Conditional Access Policies in Microsoft Entra ID

    11/04/2026 | 56 mins.
    If you can’t immediately name your break glass accounts and the last time you tested them → you’re already at risk.
    In this episode of Entra Chat, Microsoft MVP Per Torben walks through the conditional access mistakes he sees even large enterprises making, and the practical framework he actually uses with customers.
    You’ll learn how to set up emergency access accounts the right way, why your CA policies should be built more like a firewall than a checklist, and the one naming convention that makes managing dozens of policies actually manageable.
    🎧 Hit play, your tenant will thank you.
    Sponsored by:
    Entra ID Gaps That Cause Outages
    In Microsoft Entra ID, outages often start small: an expired client secret, a lapsed certificate, or a suddenly failing integration. Traditional controls don’t track credential expiry or enforce application ownership, so issues appear only after something breaks.
    Teams are left asking:
    * Which applications can access Microsoft 365 data?
    * Is that access still appropriate?
    * Who owns the app?
    Unclear answers stall reviews, weaken accountability, and slow delivery.
    ENow App Governance Accelerator closes these gaps by highlighting expiring credentials, surfacing permission risks, and identifying ownership gaps before they disrupt operations. New Standard Tier pricing makes it accessible for organizations under 10,000 users, typically $3,500–$9,500 annually.
    Subscribe with your favorite podcast player or watch on YouTube 👇

    About Per Torben
    Per Torben is a Senior Architect at Crayon and a Microsoft MVP for Identity and Access. Based in Norway, he frequently writes highly-read posts featured on Entra.News and runs the collaborative tech blog “Agder in the Cloud”.
    LinkedIn - https://www.linkedin.com/in/pertorbensorensen/
    🔗 Related Links
    * Agder in the Cloud - https://agderinthe.cloud
    * I.D.E.A. for creating/configuring break-glass accounts
    * GitHub - https://github.com/Per-Torben/I.D.E.A.
    * Blog - https://agderinthe.cloud/2026/01/06/introducing-i-d-e-a-and-i-d-e-a-001/
    * Protected actions: https://agderinthe.cloud/2025/02/12/protected-actions-adding-extra-guards-to-your-entra-id-gate/
    * Conditional Access hardening (series): https://agderinthe.cloud/2024/12/05/how-to-fix-the-fundamental-flaw-in-conditional-access-part-1-introduction-and-coverage-gaps
    * CA geo filter (series): https://agderinthe.cloud/2025/11/06/diving-into-geo-filter-with-entra-conditional-access-part-1
    * Entra Backup - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/backup-restore
    📗 Chapters
    06:22 The importance of Break Glass accounts
    09:02 Securing emergency access with FIDO2 and RMAUs
    18:10 Configuring Conditional Access: The “Block by Default” strategy
    27:26 Managing scope and preventing accidental lockouts
    29:31 Persona-based naming conventions for CA policies
    35:38 Grouping settings and avoiding bloated policies
    41:54 Handling exceptions and travel access with Access Packages
    44:55 The flaw in Protected Actions for Conditional Access
    53:38 Using the new Entra Backup feature for quick restores
  • Entra.Chat

    5 Entra ID Updates You Can’t Afford to Ignore in 2026 (Backup, Governance, CA Agent & Risk Score Exposed)

    04/04/2026 | 1h
    Microsoft just dropped a massive wave of features for Entra, and the rules of Tenant Governance have officially changed.
    Join us as we talk to three world-class MVPs about their hands-on experience with the new Entra Backup and Recovery and Tenant Governance features.
    Our Microsoft MVP guests Nathan McNulty, Ru Campbell, and Thomas Naunheim break down the most exciting new features in Microsoft Entra.
    In this episode, we explore:
    * The “Shadow Tenant” Problem: One org found 700+ Entra tenants they didn’t know they had.
    * Version Control for Admins: Why “Difference Reports” are a total game-changer for troubleshooting.
    * Recovery Safeguards: How to protect your tenant from accidental deletions and “sneaky” background changes.
    * Backup & Recovery: The truth about Entra Backup vs. Third-Party ISV tools.

    Subscribe with your favorite podcast player or watch on YouTube 👇

    About The Guests
    Nathan, Ru, and Thomas are highly experienced MVPs specializing in identity security, governance, and Microsoft Entra.
    Nathan McNulty - LinkedIn - https://www.linkedin.com/in/nathanmcnulty/
    Ru Campbell - LinkedIn - https://www.linkedin.com/in/rlcam/
    Thomas Naunheim - LinkedIn - https://www.linkedin.com/in/thomasnaunheim/
    🔗 Related Links
    * Microsoft Entra Backup and Recovery Documentation - https://learn.microsoft.com/en-us/entra/backup/overview
    * Microsoft Entra Tenant Governance - https://learn.microsoft.com/en-us/entra/id-governance/tenant-governance/overview
    * Synced Passkeys - https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-passkeys-fido2
    * Microsoft Work IQ CLI (Public Preview) - https://learn.microsoft.com/en-us/microsoft-365/copilot/extensibility/workiq-overview
    * Playwright - https://playwright.dev/
    * Entra Auth Tracer (Chrome Extension) - https://github.com/darrenjrobinson/EntraAuthTracer
    * Unified Risk Score - https://learn.microsoft.com/en-us/defender-xdr/investigate-users#risk-score-tab-preview
    📗 Chapters
    00:00 Intro to New Entra Features
    02:04 Entra Backup and Recovery Deep Dive
    10:41 Difference Reports Explained
    15:54 Intro to Tenant Governance
    23:34 Managing Multi-Tenant Organizations
    33:31 Conditional Access Optimization Agent
    36:55 The Great Passkey Debate
    47:22 Retirements: SP-less Auth & ACS for SharePoint
    48:46 Unified Risk Score in Defender
    52:38 MVP Tips of the Week
  • Entra.Chat

    Finding Every MFA Gap: Testing 250 Million Conditional Access Combinations in Under 20 Minutes

    28/03/2026 | 1h 1 mins.
    Emilien Socchi, Cloud Security Research Engineer at Storebrand, joins us to discuss CA Insight and AZTier.
    Two open-source tools Emilien built to find gaps in Conditional Access policies and categorize Azure/Entra roles based on attack paths.
    Learn how CA Insight evaluates 250 million sign-in combinations offline in minutes instead of days, why the What If API doesn't scale, and how AZTier helps defenders and pen testers understand privilege escalation risks across Entra ID, Azure, and Microsoft Graph.
    Together, these projects help security teams move from reactive log monitoring to a proactive defense strategy.
    What’s Breaking and Slowing Your Entra ID Environment?
    In Microsoft Entra ID, the same visibility gaps cause two problems:
    * Things break
    * Work slows down
    Expired client secrets disrupt integrations. Certificates lapse and authentication fails. New apps appear with excessive permissions and no clear ownership. At the same time, teams struggle to answer basic questions: which applications have access to Microsoft 365 data, whether that access is still required, and who is responsible for it.
    When answers are not immediate, reviews stall and projects slow down.
    ENow App Governance Accelerator Credential Guard helps identify expiring credentials and expose permission and ownership gaps.
    For organizations under 10,000 users, pricing ranges from $3,500 to $9,500 annually through March 31, 2026.
    Subscribe with your favorite podcast player or watch on YouTube 👇
    About Emilien Socchi
    Emilien Socchi is a Cloud Security Research Engineer at Storebrand (Oslo, Norway) focusing on the proactive discovery of security issues. With an extensive background in application and cloud penetration testing, Emilien has published practical research and tooling used by defenders. He also maintains several open‑source projects, including Azure administrative tiering models and Entra ID role‑monitoring utilities.
    LinkedIn - https://www.linkedin.com/in/emilien-socchi
    🔗 Related Links
    * CA Insight - https://github.com/emiliensocchi/entra-ca-insight
    * Azure Administrative Tiering (AzTier) - https://aztier.com
    * AzTier Source: https://github.com/emiliensocchi/azure-tiering
    * AzTier Deployer - https://github.com/emiliensocchi/aztier-deployer
    📗 Chapters
    00:00 The Story Behind CA Insights
    16:52 Why the ‘What If’ API Doesn’t Scale
    21:09 Building an Offline Evaluation Engine
    45:22 Deep Dive into AZTier: A Red Team Perspective
  • Entra.Chat

    From FIM/MIM to Cloud Sync: Complete Identity Journey with Australia’s Top Identity MVP Darren “Doc” Robinson

    21/03/2026 | 55 mins.
    Darren Robinson, Identity and Zero Trust Strategy and Architecture Capability Lead at Increment, shares his extensive experience in identity governance and administration.
    In this episode Merill sits down with Darren “Doc” Robinson – Microsoft MVP since 2017, former SailPoint Ambassador and one of Australia’s most experienced identity architects.
    Darren takes us on a 25+ year journey from Novell networks to modern Microsoft Entra ID, reveals why he’s building custom ECMA2 connectors, and shares the exact PowerShell tools he just open-sourced (Granfeldt uplift, ECMA2 Host Tools, Provision On-Demand module).
    We also compare Entra ID Governance vs SailPoint and dive into his latest obsession: MCPs for Entra News and personal AI agents.
    Whether you’re migrating legacy apps or levelling up your IGA strategy, this episode is pure gold.
    Sponsored by CoreView:
    Would you bet your reputation on your current Microsoft 365 security posture?
    Sure, you’ve checked Purview. Maybe tightened Conditional Access. We all do that.
    But it’s usually the quiet stuff that bites... permissions that expanded, policies that drifted, exceptions nobody revisited.
    You could assume it’s fine.
    Or you could run the Microsoft 365 Security Posture Check.
    It’s free.
    It runs locally.
    And no, it doesn’t send your tenant data back to us.
    We’ll even help you set it up.
    Subscribe with your favorite podcast player or watch on YouTube 👇

    About Darren Robinson
    Darren is highly accomplished in digital identity and cybersecurity specialising in Identity & Access Management for over three decades. Darren is renowned for driving Digital Identity innovation, building global offerings, and leading high-impact teams to deliver cutting-edge solutions that enhance security posture, operational efficiency, and business value.
    🔗 Related Links
    * Blog: https://blog.darrenjrobinson.com
    * GitHub: https://github.com/darrenjrobinson
    * LinkedIn: https://www.linkedin.com/in/darrenjrobinson/
    In this episode…
    1. Understanding the “Metaverse”
    The foundation of Microsoft’s identity strategy dates back to the acquisition of Zoomit in 2000. This introduced the Metaverse—not a VR world, but a “hologram” or central representation of a user that exists across multiple systems like SQL databases and LDAP directories. By correlating these identities into one object, organizations can maintain consistency across a fragmented environment.
    2. The Modern Bridge: ECMA and SCIM
    As organizations move to the cloud, the “heavy” sync engines like MIM (Microsoft Identity Manager) are being replaced by Entra Cloud Sync. The modern approach uses:
    * A Light Shim: A small on-premises component that acts as a member of the domain.
    * SCIM Instructions: The Entra provisioning service sends instructions via the SCIM protocol to this shim.
    * ECMA Connectors: The Extensible Connector Management Agent (ECMA) translates these cloud instructions into a language legacy on-prem apps can understand, such as SQL or Oracle updates.
    3. Scaling with PowerShell 7
    One of the biggest hurdles in legacy identity management was performance. Darren Robinson recently uplifted the popular Granfeldt PowerShell Management Agent to support PowerShell 7. This update allows for:
    * 64-bit Processing: Handling larger datasets with ease.
    * Parallelism: Sending multiple identity updates in parallel rather than waiting for individual “gets,” significantly speeding up sync times.
    4. Managing the “Cache”
    A common pain point for administrators is the lack of visibility into the ECMA host cache. To solve this, Darren developed a new module that allows practitioners to programmatically query the cache, back up configurations, and document every connector and parameter in the system.
    Key Takeaway: Whether you are migrating from legacy solutions like Novell or managing a complex hybrid Entra environment, the goal remains the same: automated, secure, and visible identity lifecycles.
    📗 Chapters
    00:00 Intro
    02:22 The Evolution of Directory Services and Synchronization
    08:05 Understanding Sync Engines and the Metaverse
    14:45 Modern Identity Provisioning with Entra
    17:39 Developing Custom PowerShell ECMA Connectors
    20:53 Automating Provisioning with New PowerShell Modules
    28:53 The Current Landscape of Identity Governance
    31:37 Solving the Disconnected Apps Challenge
    35:46 Exploring Model Context Protocol (MCP)
    45:34 Leveraging Local AI and LLMs for Identity Tasks


About Entra.Chat

Entra Chat is a weekly podcast hosted by Merill Fernando and delivers practical insights for Microsoft administrators and security professionals through conversations with identity experts who've been in the trenches. Episodes feature seasoned Entra practitioners sharing real-world deployment experiences and Microsoft Entra team members who build the features you use daily. Get the inside track on best practices, implementation strategies, and upcoming capabilities directly from those who design and deploy Microsoft identity solutions. Join us for actionable takeaways you can apply immediately in your Microsoft 365, Azure, and Entra environments.

Entra.Chat, its content and opinions are my (Merill Fernando) own and do not reflect the views of my employer (Microsoft). All postings are provided “AS IS” with no warranties and are not supported by the author. All trademarks and copyrights belong to their owners and are used for identification only.

Podcast website: entra.news
