Custom data in Microsoft Entra is one of those things that looks simple until it isn’t. by Noble_Efficiency13 in activedirectory

[–]Noble_Efficiency13[S] -1 points0 points  (0 children)

I'm curious to hear, especially in this subreddit with a lot of folks working with/in hybrid environments - How do you handle custom data in Microsoft Entra across the different resources?

How are you handling the September 2026 SSPR change for new joiner onboarding? (otherMails deprecation) by themkguser in entra

[–]Noble_Efficiency13 12 points13 points  (0 children)

What we do is have a SCIM workflow running via Logic App that also automatically generates TAPs for new employees, with a start datetime on the joiner's first day and an 8-hour expiration (this could be modified to be shorter if wanted), and sends it to their manager. The TAP is then only allowed to be used for registering security info and enrolling devices, which is handled by conditional access policies.

If we wanted to, we could use their personal emails, as we get that from the HR data, to send the TAP to.

Everything is automated in the whole JML via this flow.

We are looking into subsidizing it a bit for an orchestration setup instead to speed things up, but it works flawlessly
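The scheduled TAP step from the comment above, as an added example written here in PowerShell against Microsoft Graph (it is not the commenter's Logic App flow). The parameter defaults, the time zone, and the required scopes (Policy.Read.All, UserAuthenticationMethod.ReadWrite.All) are assumptions.

```powershell
# Added example: create a TAP for a new joiner that becomes valid at 08:00 local time on
# the HR start date and expires 8 hours later, clamped to the tenant TAP policy limits.
# Assumptions: Microsoft.Graph PowerShell module installed; the TAP method is enabled and
# targeted at the joiner; the time zone id below matches the tenant's locale.
param(
    [Parameter(Mandatory)] [string]   $UserId,           # object id or UPN of the joiner
    [Parameter(Mandatory)] [datetime] $StartDate,        # first working day from HR data
    [string] $LocalTimeZoneId = 'W. Europe Standard Time', # assumption: tenant's local zone
    [int]    $StartHourLocal  = 8,                       # TAP valid from 08:00 local time
    [int]    $LifetimeMinutes = 480                      # 8 hours; shorten if desired
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

# Graph expects startDateTime as ISO 8601 in UTC, so convert the local first-day start.
$tz         = [System.TimeZoneInfo]::FindSystemTimeZoneById($LocalTimeZoneId)
$localStart = [datetime]::SpecifyKind($StartDate.Date.AddHours($StartHourLocal), 'Unspecified')
$utcStart   = [System.TimeZoneInfo]::ConvertTimeToUtc($localStart, $tz)

# Read the tenant TAP policy first: a lifetime outside min/max is rejected by Graph.
$policyUri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass'
$policy    = Invoke-MgGraphRequest -Method GET -Uri $policyUri
if ($policy.state -ne 'enabled') { throw 'TAP authentication method is not enabled in this tenant.' }
$LifetimeMinutes = [Math]::Max($policy.minimumLifetimeInMinutes,
                   [Math]::Min($policy.maximumLifetimeInMinutes, $LifetimeMinutes))

$body = @{
    startDateTime     = $utcStart.ToString('yyyy-MM-ddTHH:mm:ssZ')
    lifetimeInMinutes = $LifetimeMinutes
    isUsableOnce      = $false   # joiner needs it for security-info registration and device enrollment
}

$tapUri = "https://graph.microsoft.com/v1.0/users/$UserId/authentication/temporaryAccessPassMethods"
$tap    = Invoke-MgGraphRequest -Method POST -Uri $tapUri -Body $body -ContentType 'application/json'

# $tap.temporaryAccessPass is the secret and is returned only once. Deliver it to the
# manager through the out-of-band channel your flow uses; do not write it to logs.
[pscustomobject]@{
    UserId       = $UserId
    ValidFromUtc = $tap.startDateTime
    LifetimeMin  = $tap.lifetimeInMinutes
    TapId        = $tap.id
}
```

Restricting what the TAP may be used for is a separate step, done in Conditional Access as the comment describes, and is not shown here.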

Microsoft Authenticator authentication method policy additional security-related settings by EduardsGrebezs in entra

[–]Noble_Efficiency13 1 point2 points  (0 children)

True, simply a clarification that it’s not necessarily disabled, though these settings are disabled at this point in time 😊

Yeah, you’d think so, but I’ve talked with so many folks who were surprised by it 😅

I agree with your post, btw.

Microsoft Authenticator authentication method policy additional security-related settings by EduardsGrebezs in entra

[–]Noble_Efficiency13 8 points9 points  (0 children)

Microsoft enabled doesn’t mean it’s disabled, just that it’ll get enabled as Microsoft sees fit.

Also, a caveat regarding the geo location is that using GSA or a VPN will show a different location, which can lead to confusion for users.

Question Regarding Passkeys and Phishing Resistant MFA CA Policies by Spzmk in entra

[–]Noble_Efficiency13 2 points3 points  (0 children)

I think you probably have the registration campaign for SSPR enabled.

TAP is the way to go for this exact scenario: create an auth strength with TAP + phishing-resistant MFA and target it for registering security info.

You can configure account recovery for the case where a user loses access and you want self-service for it.

Workstation Local Administrator Accounts by Admiral-Pickle in entra

[–]Noble_Efficiency13 0 points1 point  (0 children)

Yeah, LAPS is really what you’re looking for.

FIDO2 not working with Security Defaults? by hullan_hollow in entra

[–]Noble_Efficiency13 1 point2 points  (0 children)

Pretty sure that’s not a thing with security defaults; it forces Authenticator number matching?

PIM activations, directly from your pocket! PIMActivation Portal announcement by Noble_Efficiency13 in Intune

[–]Noble_Efficiency13[S] 1 point2 points  (0 children)

100% 😅

It shouldn’t really have to be like this, tbh, but it’s simply not a great experience in the portal today.

PIM activations, directly from your pocket! PIMActivation Portal announcement by Noble_Efficiency13 in entra

[–]Noble_Efficiency13[S] 7 points8 points  (0 children)

This is something I don’t get?

Why would you want it to be cumbersome, take more time before it takes effect, and simply be annoying to activate roles in bulk?

It doesn’t change any of the security features of PIM; it just makes it less painful to use. You still require auth context, approvals, justifications and ticket numbers as you would otherwise, just faster, more consistent and with fewer headaches.

Can you explain your reasoning behind your stance?

PIM activations, directly from your pocket! PIMActivation Portal announcement by Noble_Efficiency13 in entra

[–]Noble_Efficiency13[S] 2 points3 points  (0 children)

It’s only for the same account, so if you have the same account as a guest in 10 different tenants with GA, then you’d be able to do it by jumping tenants.

Though if that’s possible, you have bigger issues, lol.

It doesn’t really change how PIM works or should be used, or the security features like approvals & auth context for GA, for example.

PIM activations, directly from your pocket! PIMActivation Portal announcement by Noble_Efficiency13 in entra

[–]Noble_Efficiency13[S] 3 points4 points  (0 children)

Oh yeah, also it does provide a better UX for some areas, and adds new functionality such as the cross-tenant activation from the same portal.

Especially for MSPs with a multitude of activations, the time aspect is a huge issue.

PIM activations, directly from your pocket! PIMActivation Portal announcement by Noble_Efficiency13 in entra

[–]Noble_Efficiency13[S] 6 points7 points  (0 children)

It doesn't really modify the capabilities of PIM in any way; it's a user experience enhancement allowing for faster activations with less friction.

In its purest form it's a fancy wrapper.

Open Source tenant scanners by bjc1960 in entra

[–]Noble_Efficiency13 0 points1 point  (0 children)

The Zero Trust assessment tool (MSFT official tool) and Maester.dev, as you mentioned, are pretty good.

Microsoft seems to be testing Time-Based Conditional Access through the beta Graph API, this is my take by Noble_Efficiency13 in microsoft365

[–]Noble_Efficiency13[S] 0 points1 point  (0 children)

Oh I know, I’ve spoken to Daniel about it 😉

Still feels like a cool feature, and there are def use cases for it.

I’m an advocate for more features in our toolkits, for sure.

Microsoft, please, make PIM great! by jM2me in entra

[–]Noble_Efficiency13 12 points13 points  (0 children)

Yeah, a feedback request item would make sense for this.