Entra Chat is a weekly podcast hosted by Merill Fernando and delivers practical insights for Microsoft administrators and security professionals through convers...
Securing a Global Giant: Inside IKEA's Identity Strategy with Martin
In this insightful discussion, Martin Sandren from IKEA joins Entra Chat to discuss the evolving landscape of IAM.The episode covers critical considerations for modern identity strategies, including the trade-offs between syncable and device-bound passkeys, the necessity of robust regression testing for Conditional Access, and advancements in identity proofing methods.Subscribe with your favorite podcast player or watch on YouTube 👇About Martin SandrenMartin Sandren is the IAM Lead at Inter IKEA, overseeing the systems that support IKEA's worldwide presence. His extensive background includes over twenty years of experience as an IAM product lead, architect, engineering manager, and developer.Beyond his role at IKEA, he is actively involved in the identity community as a frequent speaker at international conferences and a founder of the Digital Identity Amsterdam meetup and the Amsterdam chapter of IdentiBeer, and is active within the idNext foundation and IDPro.LinkedIn - https://linkedin.com/in/martinsandren/🔗 Related Links• IAM Conferences in Europe📗 Chapters00:00 Intro02:51 Martin's Journey into Entra & Early IAM Experiences05:35 Early Entra Wins: Simplified Sign-in Logging07:02 Value of Microsoft's Preview Feature Model (Private/Public/GA)09:39 Evolution of Federation: SAML/OIDC Then vs Now13:22 The Rise of SCIM for User Provisioning14:47 Cloud Standardization vs On-Prem Customization Trade-offs16:48 Identity Governance & Multi-Tenant Organizations (MTO)19:01 The Power & Complexity of Conditional Access20:23 Resilience & Offline Scenarios in IAM23:12 Challenges with Guest User Management & Governance26:16 Cross-Tenant Sync vs Connected Organizations27:49 The "Schrodinger's Cat" Problem with Guest Accounts30:58 Mastering Conditional Access Policies: Best Practices & Pitfalls32:41 Shifting Security Focus: From Network to Identity Defense-in-Depth34:04 Adapting Security for Different User Populations (Frontline Workers)35:21 Leveraging ITDR, Risky User Signals & Red Teaming38:00 Importance of Regression Testing CA Policies (Meister Tool)39:08 Edge Cases: SSPR & Certificate-Based Authentication Conflicts40:37 Securing Conditional Access Group Memberships42:40 Identity Proofing, Onboarding & Phishing Risks46:01 Wishlist: Granular Read Permissions in Entra48:36 Passkeys & Phishing-Resistant MFA: Progress & Challenges (Android Usability)50:01 Strategy: Syncable vs Device-Bound Passkeys51:58 Embracing Standards: SSF & CAPE Protocols53:04 Advice for Newcomers to the Identity & Access Management Field54:55 Closing RemarksPodcast Apps🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe
--------
55:07
What nobody tells you about managing Microsoft 365 guest access with Samantha
In this episode we discuss the evolution of guest access from SharePoint to Entra ID, the challenges of managing guest identities, and the importance of security and governance. Our conversation covers key topics including cross-tenant access settings, identity governance, B2B direct connect, and licensing considerations. Samantha also shares practical advice and best practices for organizations to secure their tenants and streamline external collaboration.Subscribe with your favorite podcast player or watch on YouTube 👇LinkedIn - https://www.linkedin.com/in/samkloos/🔗 Related Links* Overview: Cross-tenant access with Microsoft Entra External ID * Cross-tenant access activity workbook* B2B direct connect overview* Entra Security Recommendations📗 Chapters00:00 The Evolution of Guest Access04:49 Guest Access Settings and Best Practices23:00 Cross Tenant Access Settings Demystified36:06 B2B Direct Connect48:09 Guest Licensing: Key Considerations56:10 Entitlement Management and Guest UsersPodcast Apps🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill's socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe
--------
1:05:31
Operational Groups in Entra with Nathan McNulty
Entra.Chat Podcast - https://entra.chatIn this insightful episode, Nathan McNulty, Senior Security Solutions Architect at Patriot Consulting, shares his extensive experience deploying and securing Microsoft Entra environments. With a background spanning civil engineering, education, and critical infrastructure, Nathan brings practical wisdom from managing environments with 50,000+ users and 90,000+ devices.Subscribe with your favorite podcast player or watch on YouTube 👇The conversation explores realistic approaches to securing BYOD, building effective conditional access policies using a "castle" framework, and leveraging administrative units to partition permissions efficiently. Nathan reveals his innovative "operational groups" automation technique that helps classify users by authentication methods, enabling granular security controls without manual effort. The episode also covers authentication methods migration strategies, extension attributes, and modern cloud automation approaches that replace traditional server-based scripts.Whether you're looking to improve your conditional access strategy, smoothly migrate authentication methods, or automate Entra management tasks, Nathan's field-tested insights will help you secure your environment more effectively while reducing administrative overhead.Nathan McNulty* Web - https://nathanmcnulty.com/* LinkedIn - https://www.linkedin.com/in/nathanmcnulty/* Bluesky - https://bsky.app/profile/nathanmcnulty.com* X - https://x.com/nathanmcnultyRelated Links* Operational Groups scripts - https://github.com/nathanmcnulty/nathanmcnulty/tree/master/Entra/operational-groups* Maester DevOps - https://maester.dev/docs/monitoring/github* Authentication Methods Migration - https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage* Administrative units - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units* Restricted management administrative units - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe
--------
46:59
Bypassing MFA with Kuba, the Evilginx guy!
Episode SummaryIn this episode, we dive into the sophisticated world of phishing attacks with Kuba Gretzky, creator of the renowned Evilginx framework. He shares insights on how Evilginx operates as a reverse proxy, capturing authentication tokens in real-time, and discusses the ethical considerations of creating such a powerful tool. Most importantly, Kuba provides valuable guidance on protection strategies that organizations can implement to defend against these advanced phishing techniques.Chapters00:00 - Introduction to Kuba and Evilginx- Creator of Evilginx, a phishing framework demonstrating MFA vulnerabilities- 15+ years in cybersecurity, started with MMO game hacking- Transitioned through reverse engineering to cybersecurity02:03 - Understanding Phishing Fundamentals- Phishing presents fake sign-in pages to capture user credentials- Even 7-year-olds now learn about phishing dangers in school03:39 - How Evilginx Works Technically- Functions as a reverse proxy between user and legitimate server- Creates dual TLS connections to intercept all communications- Captures authentication tokens for complete account takeover05:55 The Evolution of Phishing Tools- Evolved from experiments with cookie manipulation- Improved upon older tools that required malware installation- Developed from Nginx with Lua scripting to standalone Go application10:37 Evilginx's Impact and Popularity- Gained traction through demonstrating MFA vulnerabilities- Creates "shock factor" when users see how easily accounts are compromised- Emerged alongside other tools but distinguished by ease of demonstration12:25 Real-World Phishing Examples- Sophisticated attacks use browser-in-browser techniques- High-profile victims include Linus Tech Tips YouTube channel- Attackers leverage urgency and fear to bypass security awareness16:23 Protecting Against Evilginx Attacks- Implement domain verification checks through JavaScript- Deploy "shadow tokens" with browser fingerprinting- Utilize conditional access policies and FIDO2/passkeys22:57 - Detecting Evilginx Attacks- HTTP header inspection can identify attack signatures- TLS fingerprinting (JA4) detects unusual connection patterns- Cloudflare and other services block suspicious proxy connections27:33 - User Education and Psychological Factors- Focus on recognizing psychological triggers like urgency- Reward reporting rather than punishing victims- Teach users to access websites directly rather than through email links31:01 - Ethical Considerations and Responsible Development- Implemented vetting process for Evilginx Pro access- Built anti-cracking protections to prevent misuse- Created trusted community for responsible information sharing36:43 - Future Developments and Evilginx Pro- New client-server architecture with API for automation- Features include bot protection and shadow token bypass capabilities- Established BreakDev as company with plans for security software platformKey Takeaways- Modern phishing attacks like those enabled by Evilginx can bypass MFA by acting as a proxy in real-time.- The strongest protections include device compliance, FIDO2/passkeys, and domain verification checks.- Organizations should implement conditional access policies that verify device identity, not just user identity.- User education should focus on recognizing urgency tactics rather than just checking URLs.- Shadow tokens that include browser fingerprinting and domain information show promise as protection methods.- Ethical security tools require responsible handling - vetting processes to help prevent misuse.- Security awareness demonstrations with tools like Evilginx help stakeholders understand risks and invest in protections.Key LinksBREAKDEV Blog → breakdev.orgEvilginx Pro → evilginx.comEvilginx Mastery Course → academy.breakdev.org/evilginx-mastery Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe
--------
53:46
From Okta to Entra: Migrating 700 Apps in 90 Days
In this very first episode of the Entra Chat podcast I sat down with Ben Wolfe, my former manager and ex-Microsoft, who is now the Head of Security Solutions at Increment. How to get in touch with Ben: Ben Wolfe - https://www.linkedin.com/in/benjaminwillwolfe/ Increment - https://www.increment.inc/ Mentions during the episode: Graph X-Ray - https://graphxray.merill.net/ Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe
Entra Chat is a weekly podcast hosted by Merill Fernando and delivers practical insights for Microsoft administrators and security professionals through conversations with identity experts who've been in the trenches.
Episodes feature seasoned Entra practitioners sharing real-world deployment experiences and Microsoft Entra team members who build the features you use daily.
Get the inside track on best practices, implementation strategies, and upcoming capabilities directly from those who design and deploy Microsoft identity solutions.
Join us for actionable takeaways you can apply immediately in your Microsoft 365, Azure, and Entra environments.
---
Entra.Chat, its content and opinions are my (Merill Fernando) own and do not reflect the views of my employer (Microsoft). All postings are provided “AS IS” with no warranties and is not supported by the author. All trademarks and copyrights belong to their owners and are used for identification only. entra.news
Listen to Entra.Chat, The AI Daily Brief (Formerly The AI Breakdown): Artificial Intelligence News and Analysis and many other podcasts from around the world with the radio.net app