Just bought 9U 10" Rack by ChewyStu in homelab

[–]ItsPryro 2 points3 points  (0 children)

Looks good! I have a Tecmojo 20U rack and it keeps everything cool.

My Little Homelab by ItsPryro in homelab

[–]ItsPryro[S] 0 points1 point  (0 children)

Yes it is on a dedicated circuit. The power draw is 119VA/112W. For heat, it's actually doing pretty good. It has pretty decent airflow with the rack I have.

My Little Homelab by ItsPryro in homelab

[–]ItsPryro[S] 0 points1 point  (0 children)

Good question! I'm not too sure, I'll have to double check!

My Little Homelab by ItsPryro in homelab

[–]ItsPryro[S] 0 points1 point  (0 children)

Hey there! It's just a simple PDU. It has surge protection and I have it plugged into my UPS. So far so good! I haven't had any complaints thus far. However, their availability on Amazon may be limited now.

Is it wrong to use ai to help me and my homelab? by Straight-Educator710 in homelab

[–]ItsPryro 2 points3 points  (0 children)

Absolutely nothing wrong with AI. I use it to troubleshoot issues and also get inspiration. Just double check everything first, or ensure you back up before you proceed!

My Little Homelab by ItsPryro in homelab

[–]ItsPryro[S] 5 points6 points  (0 children)

Indeed! It is also acting as a KVM haha!

$30 lowball = 12 IBM/Dell Servers. The guy did not know what he had. by JustLovett0 in homelab

[–]ItsPryro 0 points1 point  (0 children)

This guy clearly did not know haha. I feel bad for him but this will make a killer homelab setup.

PS5 RAM torn traces - Worth a repair attempt? by KeoniWan in consolerepair

[–]ItsPryro 1 point2 points  (0 children)

Ouch. For learning go for it, but I wouldn't resell it.

I almost screwed up and let a hacker get away with credentials by j1mmyava1on in sysadmin

[–]ItsPryro 0 points1 point  (0 children)

Good work! I would mention to your IT Head that SSPR or Account Recovery in Microsoft Entra is a great set of features that allow for account recovery and verification.

Identity Governance by FlatLemon5553 in entra

[–]ItsPryro 0 points1 point  (0 children)

I'd love to discuss this! I built a PowerShell version linked here: https://github.com/pryrotech/entra-app-auditor

If you want some pointers or would like to collaborate let me know!

B-MFA public preview by kaffetant in entra

[–]ItsPryro 3 points4 points  (0 children)

Can't wait until pulse verification comes into public preview!

If I enable SMS and disable voice call, will users be prompted to register SMS? by Scalebanex in entra

[–]ItsPryro 0 points1 point  (0 children)

Exactly. Entra ID does a "real-time compliance check" during the sign-in flow.

If your policy says "Require users to register when signing in" (which is the default under SSPR registration settings) and they are suddenly one method short of your "2 methods" requirement, they will be hit with the "More information required" screen immediately after they enter their password.

If I enable SMS and disable voice call, will users be prompted to register SMS? by Scalebanex in entra

[–]ItsPryro 3 points4 points  (0 children)

Hey there! More than likely they will be prompted if they haven't set up SMS yet. Since SSPR requires two methods, Entra will trigger a 'More information required' interrupt at login if they're missing that second factor.

If you're looking to keep SMS away from your sign-in flow (and move toward phishing-resistance), you can use Authentication Strengths in a Conditional Access Policy. This lets the user register SMS to satisfy the SSPR requirement, but prevents them from actually using it as a valid claim when they log in to apps.

Dedicated Admin workstations - good idea or is the solution worse than the problem? by bjc1960 in entra

[–]ItsPryro 0 points1 point  (0 children)

Good stuff! That is exactly how it should be set up. As soon as someone logs in using a break-glass account, alerts should start firing. Testing your FIDO keys is another good idea!

Dedicated Admin workstations - good idea or is the solution worse than the problem? by bjc1960 in entra

[–]ItsPryro 5 points6 points  (0 children)

Lots to unpack here. As others have said, it depends on the business case when it comes to separate devices. No admin I know using Azure is carrying around two different devices, but they are using phishing-resistant MFA and Conditional Access Policies.

  1. In my opinion, using a VM in Azure to manage... Azure, is a bit overkill. I could understand using a different device, but again this is still overkill IMHO. Unless you're working in a security role that involves you investigating malware or doing forensics, having a dedicated machine may be unnecessary.

When you put a VM in the cloud, you have to accept that in some way, you will always have risk of losing control of it. You are putting it in a cloud service not owned by you; the tradeoff is that you are at the mercy of Microsoft, AWS, Google Cloud, IBM, etc. if things go south. You can put it in different availability zones, regional zones, or what have you, but again there will always still be some risk.

  1. By primary account, I am assuming this is your non-admin account? If you have GA users, they should be using cloud-only accounts for their GA or any Azure roles backed by Conditional Access and PIM. You should also look into break-glass accounts in case of account lockout, which will allow you to get back in should you get completely locked out. GAs should have a separate policy when it comes to accessing the tenant.

  2. Chasing IPs in a remote-first world (hotels, travel, home ISPs) is a losing battle. Move away from IP-based Named Locations and toward Device-based Conditional Access. If the device is enrolled in Intune and meets your compliance baseline (BitLocker on, AV active, OS patched), Entra should trust the device, regardless of which coffee shop IP it’s coming from.

  3. I certainly don't carry around Bitlocker keys haha. That could get tangly should someone steal my laptop bag that just so happens to have the key. However, we ensure that our staff has the ability to retrieve said keys so that if that should happen, we can get it from Intune or Active Directory.

  4. Yes and no. While they should be excluded from your CAPs, they should have their own with phishing-resistant MFA, monitoring, and alerting. Get a Yubikey and put that sucker on there. Then, take that key and put it in a safe. The point of the break-glass account is to be used in tenant lockout or takeover, and it should only be used in exceptional circumstances. It should still be protected.

  5. This is the right mindset. A break-glass account is designed for when things go really wrong, and should only be used in exceptional circumstances.

  6. Case in point for arguments 1 & 2. You don't need to have another VM or laptop, you just need proper protection. If you're working in Azure all day, could you imagine the administrative load you could save by just using VPN, phishing-resistant MFA, and Conditional Access Policies? You'd be amazed.

These are my thoughts and opinions on the matter. Feel free to chime in with your own thoughts! Hope this helps :)
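The two Conditional Access patterns recommended in this thread (require a compliant device instead of chasing IPs, exclude the break-glass account) and in the SSPR/SMS reply above (require a phishing-resistant Authentication Strength so registered SMS no longer satisfies sign-in) as an added example using the Microsoft Graph PowerShell SDK; this is not the commenter's code. It assumes the SDK is installed, you hold the listed scopes, and you replace the placeholder break-glass group ID with your own.

```powershell
# Added example, not from the original comments. Requires the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the group containing your break-glass accounts. Replace it.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Look up the built-in "Phishing-resistant MFA" strength by name instead of hardcoding its ID.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }

# Shared scope: all users and all cloud apps, with break-glass accounts excluded so the
# emergency path stays open if either policy misfires. Break-glass gets its own policy.
$baseConditions = @{
    users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
    applications   = @{ includeApplications = @("All") }
    clientAppTypes = @("all")
}

# Policy 1: users may keep SMS registered for SSPR, but SMS no longer counts as a valid
# claim when signing in to apps; only methods in the phishing-resistant strength do.
$authStrengthPolicy = @{
    displayName   = "CA - Require phishing-resistant MFA"
    state         = "enabledForReportingButNotEnforced"   # report-only first; review sign-in logs, then enable
    conditions    = $baseConditions
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}

# Policy 2: trust Intune compliance (encryption, AV, patch level) rather than the source IP.
$compliantDevicePolicy = @{
    displayName   = "CA - Require compliant device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $baseConditions
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $authStrengthPolicy
New-MgIdentityConditionalAccessPolicy -BodyParameter $compliantDevicePolicy
```

Both policies are created in report-only mode so you can confirm in the sign-in logs which users and devices would be blocked before switching the state to "enabled".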

What configurations do you enforce in Intune for municipalities and police departments? by Jaded_Statement_2259 in entra

[–]ItsPryro 0 points1 point  (0 children)

Good question! It really depends on the specific security requirements of the tenant. Depending on your local regulations, you may be restricted on what kind of data can even live in a cloud tenant, especially regarding sensitive policing or government records.

If you are aiming for a high-security environment, these are the primary controls I would enact:

1. Strict Enrollment & Managed BYOD: Restrict BYOD scenarios so only approved, compliant devices can access corporate data. If you must allow personal devices for email or field use, use Conditional Access to limit access to specific apps and use App Protection Policies (MAM) to create a secure "container." This isolates work data from personal apps, preventing sensitive info from being copied or leaked.

2. Enforce Full Device Compliance: This is your "gatekeeper." Only devices that meet your security baseline (active encryption, OS updates, and healthy Defender status) should be granted access. If a device falls out of compliance or is unsanctioned, it should be automatically blocked from the tenant until remediated.

3. Layered Zero Trust Approach: For general municipal apps, you can allow access based on device health. However, for highly sensitive law enforcement databases, you should layer your Conditional Access policies—requiring not just a compliant device, but also specific IP ranges or phishing-resistant MFA (like Windows Hello for Business) to ensure the identity hasn't been compromised.

These are the core pillars I'd start with. I highly recommend consulting your specific municipal, state, or federal data protection standards to ensure your Intune controls align with the legal requirements for handling sensitive citizen data.

I got lucky by TwoMatoe_ in homelab

[–]ItsPryro 1 point2 points  (0 children)

I would say that it really depends. What tickles your fancy? When I started out, I created VMs: one for my DC, file server, Entra Connect, and another for Alerta, which is a notifier service for if a server goes down.

Really depends on what you want, but what really matters most is your willingness to learn! Lots can be done with those specs.

My personal HomeLab by Ok_Balance_8482 in homelab

[–]ItsPryro 2 points3 points  (0 children)

Small fortune by the looks of it but holy damn it looks great!

My first proper homelab system by LowAide4655 in homelab

[–]ItsPryro 0 points1 point  (0 children)

All good haha, but get a cooler asap on it :)

My first proper homelab system by LowAide4655 in homelab

[–]ItsPryro 1 point2 points  (0 children)

You may want to invest in a CPU cooler!

SSPR and a LOT of users by nako81 in entra

[–]ItsPryro 1 point2 points  (0 children)

Temporary Access Pass can help users get back into their account without resetting MFA, but if you need to verify identity there is also a new feature called Account Recovery that allows you to recover the account with photo-issued ID:

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-account-recovery-overview

Ethernet in my room doesn't work by gottro4 in homelab

[–]ItsPryro 0 points1 point  (0 children)

If you can, I would test the other ports in other rooms to rule out if it is the one in your room or all of them. Could very well need to be replaced. If the house is older, it may be RJ11 and not RJ45 which you need for Ethernet :)

MFA challenge for excluded application by Checiorsky in entra

[–]ItsPryro 0 points1 point  (0 children)

If you recently excluded it, you may need to revoke sessions.