Microsoft's Entra Kerberos: Bridging Legacy AD to Cloud Auth + MAM on Edge with PM Jordan Gross
In this episode we chat with Microsoft PM Jordan Gross about the exciting world of Entra Kerberos. Discover how this crucial feature bridges the gap between traditional on-premises Active Directory and the modern cloud, enabling seamless authentication for legacy applications in hybrid environments. Jordan delves into the mechanics of Entra Kerberos, its different operational modes (up-level and down-level trust), and its significance for organizations migrating to the cloud. We also explore MAM (Mobile Application Management) on Edge, another innovative solution Jordan worked on, which helps secure browser access on personal devices.

LinkedIn - https://www.linkedin.com/in/jordangross61/

PS. Can I ask a favor? If you enjoy this podcast please leave a review and rating on your podcast app! This helps more folks discover Entra.Chat - Thank you 🙏 - Merill

Watch on YouTube or get the podcast from the links below 👇

🔗 Related Links

Entra Kerberos
* How Azure AD Kerberos Works • Steve Syfuhs
* Cloud Kerberos trust deployment guide
* Use Kerberos for single sign-on (SSO) to your resources with Microsoft Entra Private Access
* Kerberos Constrained Delegation for single sign-on (SSO) to your apps with application proxy
* Enable Microsoft Entra Kerberos authentication for hybrid identities on Azure Files
* How Windows Authentication for Azure SQL Managed Instance is implemented with Microsoft Entra ID and Kerberos
* Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID
* Enable Kerberos SSO to on-premises Active Directory and Microsoft Entra ID Kerberos resources in Platform SSO (MacOS)

MAM
* Data protection for Windows MAM

📗 Chapters
00:00 Intro
01:24 Introducing Entra Kerberos & MAM on Edge
03:13 What is Entra Kerberos?
04:14 Understanding Traditional Kerberos
06:39 Why Entra Didn't Just Use Kerberos Initially
07:36 The Lingering Importance of On-Prem AD
09:08 Where Entra Kerberos Fits: Solving Hybrid Problems
10:06 Use Cases: Regulations & File Sharing (SMB Protocol)
11:55 How Entra Kerberos Works: Two Styles
13:36 Modern Auth vs. Down-Level Trust Explained
14:04 The Convenience of Cloud TGTs with Windows Hello
15:26 Accessing Resources: TGT to TGS Exchange
17:03 How Apps Trust Entra Kerberos Tickets
18:00 Admin Setup for Trust Relationship
19:22 Supporting Legacy Apps in a Modern World
21:24 Benefits Over NTLM & Conditional Access
23:04 Future of Entra Kerberos: Cloud-Only Users
26:28 Expanding Support: Mac, Linux & Mobile Devices
29:13 Current Big Use Cases: Azure Files & AVD
30:06 Understanding Down-Level Scenarios
31:42 Interaction with Global Secure Access
33:57 Transition to MAM for Edge
34:27 What Problem Does MAM for Edge Solve?
36:12 How MAM for Edge Protects Personal Devices
38:11 Security Scope: Benign User Mistakes vs. Hackers
40:23 Combining MDM and MAM for Enhanced Security
41:20 Deployment: Intune Policies & Entra Configuration
43:18 Windows-Only Feature for Now
44:10 Benefits: Security, User Empowerment & Visibility
48:13 Intune Dependency & Flexibility with Other MDMs
49:50 The Fun of Cross-Team Collaboration
50:48 Concluding Thoughts & Thank You

Podcast Apps
🎙️ Entra.Chat - https://entra.chat
🎧 Apple Podcast → https://entra.chat/apple
📺 YouTube → https://entra.chat/youtube
📺 Spotify → https://entra.chat/spotify
🎧 Overcast → https://entra.chat/overcast
🎧 Pocketcast → https://entra.chat/pocketcast
🎧 Others → https://entra.chat/rss

Merill's socials
📺 YouTube → youtube.com/@merillx
👔 LinkedIn → linkedin.com/in/merill
🐤 Twitter → twitter.com/merill
🕺 TikTok → tiktok.com/@merillf
🦋 Bluesky → bsky.app/profile/merill.net
🐘 Mastodon → infosec.exchange/@merill
🧵 Threads → threads.net/@merillf
🤖 GitHub → github.com/merill

Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe
--------
51:53
Entra & Azure Power-Up: Secure Service Principal Impersonation with Simon Gottschlag
In this episode, Simon Gottschlag, CTO of Co-native and a Microsoft MVP in Azure, discusses his innovative prototype for implementing Azure service principal impersonation using Azure Functions and Key Vault. We explore the challenges of managing service principals, the journey to building a solution, and the potential for improving developer experience in platform building. Simon shares insights on the four-eyes principle, Entra ID's newer attribute-based access control (ABAC) vs the traditional RBAC model, and how his solution can enhance security and auditability in Azure environments.

LinkedIn - https://www.linkedin.com/in/simongottschlag

🔗 Related Links
* Azure Service Principal Impersonation - https://github.com/co-native-ab/azure-service-principal-impersonation
* pimctl - https://github.com/co-native-ab/pimctl

📗 Chapters
00:00 Intro
00:42 Meet Simon: CTO & Azure MVP
01:51 The Project: Azure Service Principal Impersonation
02:11 The Problem: Challenges in Managing Service Principals
03:47 Journey to the Solution: Building Platforms & Terraform Pain Points
06:50 The Challenge with Graph Permissions & Least Privilege
08:27 Improving Developer Experience in Platform Building
11:05 The Core Issue: Running Operations Locally vs. Service Principals
13:43 The Idea: Service Principal Impersonation
13:50 Four-Eyes Principle and PIM in Azure
15:40 Understanding Attribute-Based Access Control (ABAC)
18:58 Enforcing Role Delegation with ABAC and PIM
20:12 Clarifying Service Principal Access with PIM and Four-Eyes
21:26 The Local Development Dilemma with Security Principles
22:02 PIM CTL: A CLI Tool for PIM
22:42 New Challenge: Azure Managed Grafana & Terraform Authentication
23:36 AC Identity Terraform Provider: Getting Tokens from Entra
24:42 The Big Question: Securely Getting Service Principal Tokens Locally
25:21 What is Impersonation in This Context?
26:27 Building the Solution: Federated Credentials & Custom Token Exchange
28:42 How the Azure Function Works: Authentication & Token Issuance
29:26 The Result: Consistent Workflow & Auditability
31:05 Open Source: How to Set Up and Try the Prototype
33:31 Use Cases: DevOps Automation & Time-Limited Access
35:15 Potential: Multi-Cloud Deployments & Extending Entra
--------
38:08
Unlocking Entra ID's NEW QR Code Sign-In. Fast & Simple Authentication!
🎙️ Entra.Chat - https://entra.chat

This episode of Entra Chat features Anju Singh, a Product Manager at Microsoft in the Microsoft Entra Authentication Experiences team. We discuss the newest authentication method in Entra: QR codes! Anju answers heaps of questions in this deep dive including why Microsoft chose QR codes, how it works under the hood, what you should and shouldn't use it for, and the biggest question - is it considered MFA?

LinkedIn - https://www.linkedin.com/in/anjusingh29/

Prefer watching? Search for ‘Entra.Chat’ on YouTube

🔗 Related Links
* QR Code Announcement - https://techcommunity.microsoft.com/blog/microsoft-entra-blog/simplify-frontline-workers’-sign-in-experience-with-qr-code-authentication/3822034
* QR code authentication method - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-qr-code
* Best practices to protect frontline workers - https://learn.microsoft.com/en-us/entra/identity-platform/security-best-practices-for-frontline-workers
* Set up optimized QR code authentication experience in Android app - https://learn.microsoft.com/en-us/entra/identity-platform/android-qr-code-pin-authentication
* Set up optimized QR code authentication experience in iOS/macOS app - https://learn.microsoft.com/en-us/entra/identity-platform/ios-qr-code-pin-authentication

📗 Chapters
00:00 Intro
02:58 Topic Intro: QR Code Authentication for Frontline Workers
03:30 The Problem: Why QR Code Sign-In?
04:09 Who Are Frontline Workers?
05:41 Challenges with Current Authentication (Username/Password)
07:29 Balancing Simplicity and Security
10:40 Target Scenario: Shared Devices
11:36 Other Use Cases: Education Sector
12:30 How It Works: User Sign-In Experience
15:34 QR Code Contents: More Than Just a Username
16:40 PIN & QR Code Relationship
17:13 Scenario: Lost Badge & Admin Actions
18:32 Replacing the PIN
19:10 Delegated Management: The My Staff Portal
22:11 Handling Forgotten Badges: Temporary QR Codes
24:45 Rolling Out: Bulk Generation via APIs
26:12 Cost Comparison: QR Codes vs. FIDO Keys
28:05 The Big Question: Is it MFA?
29:43 Security Best Practices & Conditional Access
30:43 Combining QR Code with MFA
35:31 Fallback Options (Username/Password, TAP)
37:35 Public Preview & Call for Feedback
38:57 Current Scope: Mobile Devices & Tablets Only
40:09 Integrating QR Sign-In into Apps (Web View vs. MSAL)
41:00 Desktop Support Status
42:26 How to Provide Feedback
43:30 Future Considerations: Barcode Scanners
44:39 Closing Thoughts & Call to Action
--------
46:18
Entra @ McDonald's: Managing 2.2 million workforce identities in the cloud
George Roberts, Director of Identity Governance and Administration at McDonald's, shares his extensive experience in migrating the company's workforce identity platform from on-premises ADFS to Microsoft Entra. We also talk about challenges like handling unique frontline worker needs (including a creative paper-based MFA solution) and integrating with various applications.

About George
George Roberts is the Director of Identity Governance and Administration at McDonald's, where he leads a global team responsible for building and delivering the enterprise identity and access platform to support over 2 million employees, partners, franchisees, and restaurant staff users worldwide. George has over 25 years of experience delivering secure, scalable, and user-friendly solutions that help McDonald's to accelerate its business. All views expressed are his own.
* LinkedIn - https://linkedin.com/in/sirtwist
* Bluesky - https://bsky.app/profile/sirtwi.st

🔗 Related Links
* Custom claims provider - https://learn.microsoft.com/en-us/entra/identity-platform/custom-claims-provider-overview
* Manage an external authentication method in Microsoft Entra ID - https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-external-method-manage

📗 Chapters
00:00 Intro
00:30 Overcoming ADFS Custom Claims Roadblock
01:35 Global Footprint and MFA Challenges for Frontline Workers
03:20 Guest Introduction: George Roberts, McDonald's
04:07 George's Background and Role at McDonald's
06:42 McDonald's Identity Journey: Decentralization to Centralization
08:38 The Entra (Azure AD) Migration Begins
13:04 Operational Benefits and Challenges of Moving to Entra
16:55 Deep Dive: Custom Claims and the Virtual Directory Service
23:56 Shift to API-First Mindset and Standards (SCIM)
32:46 Major Challenge: MFA Solutions for Frontline Workers
37:27 The Paper-Based MFA Solution
40:03 Entra External Authentication Methods
46:02 Ideas for Device-less Frontline Authentication
50:12 Onboarding Speed Challenges in Restaurants
58:06 Advice for Other Organizations: Change Management and Planning
1:05:07 Anticipating Relief from Decommissioning ADFS
--------
1:07:52
Inside Entra Sync: Dhanyah, the Microsoft PM for Entra Connect & Cloud Sync Reveals All
Join us for a conversation with Dhanyah Krishnamoorthy, Product Manager at Microsoft, as she discusses Microsoft Entra Connect Sync and Cloud Sync solutions for synchronizing on-premises Active Directory identities to Entra ID. Learn about Microsoft's overall strategy for syncing and what you can do to prepare for the future including security considerations and scaling guidance.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Dhanyah
Dhanyah Krishnamurthy is a Principal Product Manager in the Microsoft Entra product group. For the past four years, Dhanyah has focused on hybrid identity scenarios, leading the product management for critical services that help organizations manage identities between on-premises Active Directory and the cloud. She specifically owns Microsoft Entra Connect Sync and the newer Microsoft Entra Cloud Sync capabilities, designing solutions to streamline identity provisioning, enhance security, and support complex scenarios like mergers and acquisitions.

LinkedIn - https://www.linkedin.com/in/dhanyah

🔗 Related Links
* Hybrid Identity - https://learn.microsoft.com/en-us/entra/identity/hybrid/
* Comparison between Microsoft Entra Connect and cloud sync - https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/what-is-cloud-sync
* Topologies for Microsoft Entra Connect - https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-topologies
* Factors influencing the performance of Microsoft Entra Connect - https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-performance-factors
* Group writeback with Microsoft Entra Cloud Sync - https://learn.microsoft.com/en-us/entra/identity/hybrid/group-writeback-cloud-sync

📗 Chapters
00:00 Intro
03:16 Why Two Sync Solutions? Connect Sync vs Cloud Sync History
05:17 Benefits of Cloud Sync vs Connect Sync
06:23 Cloud Sync Advantage: Mergers & Acquisitions
08:16 Cloud Sync Advantages: Lightweight, High Availability, Simplicity
10:17 Shared Provisioning Agent Benefits
10:59 Future Plans: Investing in Cloud Sync
12:11 Coexistence: Using Cloud Sync & Connect Sync Together
13:25 Getting Started with Cloud Sync: Group Writeback & Acquisitions
15:56 Choosing the Right Tool: When to Use Cloud Sync
16:34 Using the Sync Wizard for Recommendations
18:03 Operational Differences & Admin Roles
19:53 Group Writeback Scaling Considerations
22:31 Common Customer Issues: Topologies & Configuration
25:36 Scaling Guidance: When to Worry About Performance
29:12 Security Considerations: Connect Sync vs Cloud Sync
30:41 Connect Sync Security Hardening & Updates
33:40 Cloud Sync Security & GMSA Accounts
35:16 Final Thoughts & Call to Action
Entra Chat is a weekly podcast hosted by Merill Fernando and delivers practical insights for Microsoft administrators and security professionals through conversations with identity experts who've been in the trenches.
Episodes feature seasoned Entra practitioners sharing real-world deployment experiences and Microsoft Entra team members who build the features you use daily.
Get the inside track on best practices, implementation strategies, and upcoming capabilities directly from those who design and deploy Microsoft identity solutions.
Join us for actionable takeaways you can apply immediately in your Microsoft 365, Azure, and Entra environments.
---
Entra.Chat, its content and opinions are my (Merill Fernando) own and do not reflect the views of my employer (Microsoft). All postings are provided “AS IS” with no warranties and are not supported by the author. All trademarks and copyrights belong to their owners and are used for identification only. entra.news