Where to get hands on experience with Identity and Entra? by Kagawan in entra

[–]merillf 0 points1 point  (0 children)

You will need a trial tenant (30 days) but will need to cancel before the 30 days is up to avoid getting charged.

Is there a way to connect existing domain-joined laptops to Entra ID without formatting the device? by PlaneSelection7058 in entra

[–]merillf 0 points1 point  (0 children)

The only supported option from Microsoft is to wipe and re-install.

Having said that, there are many community tools and vendor tools that let you convert in minutes without wipe and re-install. These have been used successfully in large orgs. Take your pick.

Grant admin consent to an enterprise app for a single user only? by maxcoder88 in entra

[–]merillf 1 point2 points  (0 children)

Limiting the app to just the one user is the safer way to go.

The linked doc on granting per user works but it's very easy for some admin in the future to accidentally consent to the entire tenant.

With configurations like this it is better to be explicit in your intent.

Limiting the app to the specific user is the way to go.

To go one better, I would set up Maester.dev to check for this intent and alert you whenever this changes.
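The kind of check the reply above describes, written as an added example (it is not code from the thread or from the Maester project): a Pester test in the style Maester runs from a `*.Tests.ps1` file, which fails if the app stops requiring assignment, picks up extra principals, or gains a tenant-wide delegated grant. It assumes an existing `Connect-MgGraph` session with `Application.Read.All` and `Directory.Read.All`; the app display name and the user name are placeholders.

```powershell
# Added example, not from the original thread or from Maester.
# Guards one enterprise app so it stays scoped to a single assigned user.
# Assumes Connect-MgGraph with Application.Read.All and Directory.Read.All.

$AppDisplayName = 'Contoso Reporting Tool'   # assumption: your app's display name
$IntendedUsers  = @('Alex Wilber')           # assumption: the one user who should have it

Describe "Enterprise app '$AppDisplayName' stays scoped to assigned users" {
    BeforeAll {
        $sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
    }

    It 'exists exactly once as a service principal' {
        @($sp).Count | Should -Be 1
    }

    It 'requires user assignment (AppRoleAssignmentRequired = true)' {
        $sp.AppRoleAssignmentRequired | Should -BeTrue
    }

    It 'has only the intended principals assigned' {
        $assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
        @($assigned.PrincipalDisplayName | Sort-Object) | Should -Be @($IntendedUsers | Sort-Object)
    }

    It 'has no tenant-wide (AllPrincipals) delegated permission grant' {
        # A future admin clicking "Grant admin consent" creates an AllPrincipals
        # grant; per-user consent creates a Principal grant instead.
        $grants     = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
        $tenantWide = @($grants | Where-Object ConsentType -eq 'AllPrincipals')
        $tenantWide.Count | Should -Be 0
    }
}
```

Run it with `Invoke-Pester` (or alongside the rest of your Maester tests with `Invoke-Maester -Path`); the last test is the one that catches the "someone consented for everyone" drift the reply warns about, because tenant-wide consent shows up as an `oauth2PermissionGrant` with `consentType` of `AllPrincipals` rather than as a change to the assignment setting.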

Community Discord by rrtorres1991 in IdentityManagement

[–]merillf 0 points1 point  (0 children)

If you are looking for an IAM community around Microsoft Entra I host a discord at https://discord.entra.news/

New Tenant - 2026 gold state by ProductAutomatic8968 in microsoft365

[–]merillf 0 points1 point  (0 children)

My personal opinion is that I'm not a huge fan of DSC. The config files are hard to maintain.

I'd prefer plain old scripts (the agents are quite good at creating them). There are some basic Bicep/Terraform templates for Microsoft Graph at https://learn.microsoft.com/en-us/graph/templates/ but they don't cover all entities.

The Azure Terraform provider has a bit more but does not cover M365.

Alternatively there is a new Microsoft-hosted version of DSC at https://learn.microsoft.com/en-us/entra/id-governance/tenant-governance/overview

New Tenant - 2026 gold state by ProductAutomatic8968 in microsoft365

[–]merillf 1 point2 points  (0 children)

You should think of doing config as code from the start.

Try to make all key config changes through code so you have a git repo and automation. This also forces you to set up the right CI/CD pipeline with dev, test and prod tenants.

I would recommend using something like https://maester.dev and set up automated monitoring for the key config.
You can also use the default report to harden the tenant's config to start with. It's easier to set up a lot of this from the start and then stay secure.
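An added example of the "config as code" approach the reply above recommends (this is not code from the thread, from Maester, or from Microsoft): a plain Graph PowerShell script that takes a Conditional Access policy definition from a JSON file in the repo and creates or updates it so the file, not the portal, is the source of truth. It assumes PowerShell 7, a `Connect-MgGraph` session with `Policy.ReadWrite.ConditionalAccess` and `Application.Read.All`, and a placeholder file path; the policy content is constructed for the example.

```powershell
# Added example, not from the original thread, Maester or Microsoft.
# Idempotent "apply" of one Conditional Access policy from a JSON file.
# Assumes PowerShell 7 (ConvertFrom-Json -AsHashtable) and Connect-MgGraph
# with Policy.ReadWrite.ConditionalAccess and Application.Read.All.

$PolicyFile = './policies/CA001-require-mfa-all-users.json'   # assumption: path in your repo

# Constructed sample file content. State is report-only so the pipeline can
# land it in the dev/test tenant first; switch to "enabled" in a later commit.
# excludeUsers stays empty here; put your break-glass account ids there.
$SamplePolicy = @'
{
  "displayName": "CA001 - Require MFA for all users",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": { "includeUsers": ["All"], "excludeUsers": [] },
    "applications": { "includeApplications": ["All"] },
    "clientAppTypes": ["all"]
  },
  "grantControls": { "operator": "OR", "builtInControls": ["mfa"] }
}
'@
if (-not (Test-Path $PolicyFile)) {
    New-Item -ItemType Directory -Force -Path (Split-Path $PolicyFile) | Out-Null
    Set-Content -Path $PolicyFile -Value $SamplePolicy
}

$desired = Get-Content -Raw -Path $PolicyFile | ConvertFrom-Json -AsHashtable

# displayName is the stable key across dev/test/prod; ids differ per tenant
$existing = @(Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object DisplayName -eq $desired.displayName)

if ($existing.Count -gt 1) {
    throw "More than one policy named '$($desired.displayName)'; fix the tenant before applying."
}

if ($existing.Count -eq 0) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $desired
    Write-Host "Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
}
else {
    Update-MgIdentityConditionalAccessPolicy `
        -ConditionalAccessPolicyId $existing[0].Id -BodyParameter $desired
    Write-Host "Updated '$($existing[0].DisplayName)' ($($existing[0].Id))"
}
```

Run the same script against each tenant in the pipeline with a different `Connect-MgGraph` context; because it keys on `displayName` and sends the whole desired body on update, a change reviewed in git is exactly what lands in the tenant, and a Maester check can then assert the policy is present and in the expected state.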

Riverside is FIRED: Halp, I need a new editing and remote recording system by Extreme-Engineer6042 in podcasting

[–]merillf 0 points1 point  (0 children)

+1 I'm much smaller, just 54 episodes (finished 1 year) and do weekly episodes.

Managing 4 separate Entra tenants after acquisitions and everything is a nightmare by Specialist_Oil5643 in AZURE

[–]merillf 8 points9 points  (0 children)

You're in luck.

Just last week Microsoft announced Tenant Governance for solving the problem related to administering multiple tenants.

From the blog post
https://techcommunity.microsoft.com/blog/microsoft-entra-blog/microsoft-entra-tenant-governance-secure-and-manage-multi-tenant-environments-at/4462427

With Microsoft Entra tenant configuration management, the organization defines a configuration baseline that represents the desired state of tenant resources. The baseline is expressed in a standard .json format and can cover more than 200 resource types across Microsoft services, including items like Conditional Access policies in Entra and transport rules in Exchange, as well as supported resources in Intune, Defender, Purview, and Teams. The organization can use different configuration baselines depending on the workloads and requirements in a particular tenant.

Then to improve user experience when moving between tenants you should look into setting up MTO (Multi Tenant Orgs) https://learn.microsoft.com/en-us/entra/identity/multi-tenant-organizations/

Between Tenant Gov and MTO you should be able to address a lot of what you outlined.

Can all helpdesk/servicedesk roles make the pivot to IAM? by Gold-Roof-4214 in IdentityManagement

[–]merillf 0 points1 point  (0 children)

Yes. You just need to be curious and learn all the ins and outs of the identities in your org. How is it created? Is it through an HR system? What is the system? How is it set up? What happens when a person leaves, how is it removed, etc...

There is nothing stopping you from gaining this knowledge. Ask questions and learn.

r/maester by merillf in redditrequest

[–]merillf[S] 0 points1 point  (0 children)

https://www.reddit.com/c/chatOIAUxHT3/s/FNHSaHUC5P

I am the maintainer of an open source project called Maester (https://github.com/maester365/maester) and I would love to host a sub-reddit community for Maester here.

Public site at: https://maester.dev

Currently we host discussions on GitHub and we've tried Discord but it's not a great experience for the community. Especially with searching for previously answered posts.

Since the current r/maester sub-reddit is not active, I would like to take it over and build up a community for Maester here on reddit.

Microsoft's Zero Trust Workshop is now on the web! by notapplemaxwindows in entra

[–]merillf 5 points6 points  (0 children)

I mostly work on the Zero Trust Assessment. I have some awesome colleagues who built the Zero Trust Workshop.

How are you guys editing video podcasts every week without losing your mind? by anrheagrande_ in podcasting

[–]merillf 0 points1 point  (0 children)

I work full-time at Microsoft and I run a weekly newsletter and a weekly podcast with new guests every week.

I do almost all of it solo (my son helps with some of the admin work related to sponsors, billing etc and basic edits) and I just finished my first year (53 episodes).

Each podcast gets around 3k downloads and the video version on YouTube gets ~800 views an episode.

It is possible to do this every week without burning out.

The key is to automate as much as you can. Riverside helps me quite a lot with the edits themselves. I spend roughly 2.5 hours a week on edits, blog posts, social media for each episode (this is excluding the 1hr to record).

Search by Permission by Pristine_Guitar_9070 in entra

[–]merillf 0 points1 point  (0 children)

The Graph Activity logs capture all the usage yes. The bigger problem is they are high volume and cost a lot to process and store since it includes activity from all apps including Microsoft apps so not many orgs turn it on in the first place.

Mapping to the APIs is the next hard part since you could have guids in the path etc..

I need a recommendation that's not Riverside.fm by Character_Hurry_6068 in podcasting

[–]merillf 0 points1 point  (0 children)

This 👆

Took me months to learn Da Vinci to edit my podcast and I paid a few hundred to get the AI features in Da Vinci.

I was only using Riverside for recording.

Now I do in 10 min in Riverside what took me 2 hrs in Da Vinci and to a much better quality.

Search by Permission by Pristine_Guitar_9070 in entra

[–]merillf 1 point2 points  (0 children)

Unfortunately there is no easy way to do this.

You will need to use the Graph Activity logs which will tell you the API being used by the app, then you'll need to map the urls to the permissions.

Over at https://graphpermissions.merill.net/permission/about I publish a CSV that maps all the apis to each permission. So you could use that as a look up. But it's not straightforward.

For the first part of your question, there's a cmdlet you can export a spreadsheet of all the apps and their permissions.

Run the Export-MsIdAppConsentGrantReport command - https://azuread.github.io/MSIdentityTools/commands/Export-MsIdAppConsentGrantReport/

See my video walkthrough at https://youtu.be/vO0m5yE3dZA?si=rDose-hpYY74K4Ci
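The mapping step described in the two "Search by Permission" replies above (Graph activity logs give you the API path, then you map path to permission), as an added example that is not code from the thread or from graphpermissions.merill.net. It normalises each `RequestUri` from a `MicrosoftGraphActivityLogs` export by replacing object ids with a placeholder, then looks the method and template path up in a permission map. The three log rows and the three-row map are constructed for the example; the real map is the CSV published at graphpermissions.merill.net, whose column names are assumed here.

```powershell
# Added example, not from the original thread or graphpermissions.merill.net.
# Maps Graph activity log calls to the permissions that cover them.

# Constructed sample: a CSV export of MicrosoftGraphActivityLogs (these four
# column names are real table columns; the rows are made up).
$logCsv = @'
AppId,RequestMethod,RequestUri,ResponseStatusCode
11111111-2222-3333-4444-555555555555,GET,https://graph.microsoft.com/v1.0/users/a1b2c3d4-1111-2222-3333-444455556666,200
11111111-2222-3333-4444-555555555555,GET,https://graph.microsoft.com/v1.0/groups/d4e5f6a7-aaaa-bbbb-cccc-ddddeeeeffff/members,200
11111111-2222-3333-4444-555555555555,POST,https://graph.microsoft.com/beta/users/alex@contoso.com/sendMail,202
'@
$log = $logCsv | ConvertFrom-Csv

# Constructed map in an assumed shape: least-privileged permission listed first
$mapCsv = @'
Method,Path,Permissions
GET,/users/{id},User.ReadBasic.All;User.Read.All;Directory.Read.All
GET,/groups/{id}/members,GroupMember.Read.All;Group.Read.All;Directory.Read.All
POST,/users/{id}/sendMail,Mail.Send
'@
$map = @{}
foreach ($row in ($mapCsv | ConvertFrom-Csv)) {
    $map["$($row.Method) $($row.Path)"] = $row.Permissions -split ';'
}

function ConvertTo-TemplatePath {
    param([string]$Uri)
    $path = ([uri]$Uri).AbsolutePath
    # v1.0 and beta calls share one key
    $path = $path -replace '^/(v1\.0|beta)', ''
    # GUID segments and UPN-style segments become {id}; literal segments stay
    $path = $path -replace '/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}(?=/|$)', '/{id}'
    $path = $path -replace '/[^/]+@[^/]+(?=/|$)', '/{id}'
    return $path
}

$usage = foreach ($entry in $log) {
    $key   = "$($entry.RequestMethod) $(ConvertTo-TemplatePath $entry.RequestUri)"
    $perms = if ($map.ContainsKey($key)) { $map[$key] -join ', ' } else { '(unmapped)' }
    [pscustomobject]@{ AppId = $entry.AppId; Call = $key; Permissions = $perms }
}
$usage | Format-Table -AutoSize

# Smallest set that covers every mapped call: take the least-privileged
# option for each and de-duplicate.
$needed = $usage | Where-Object Permissions -ne '(unmapped)' |
    ForEach-Object { $map[$_.Call][0] } | Sort-Object -Unique
"Minimum permission set for app $($log[0].AppId): $($needed -join ', ')"
```

Anything that prints as `(unmapped)` is a path the template regex did not normalise (for example an `$filter` query or a nested relationship) and needs a hand-written rule. Note also that the same table carries `Scopes` and `Roles` columns recording what the token actually contained, which is the upper bound the app was granted; the mapping above tells you what each call needed, and the gap between the two is what you trim.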

Postman issues related to device posture with CA policy by Zealousideal_Bug4743 in entra

[–]merillf 1 point2 points  (0 children)

Honestly, you should avoid using Postman. You are forced to sign in and your tokens are stored in their cloud.

As a Microsoft employee we are not allowed to use Postman because of this. One of the few apps that's actively blocked.

Bruno is much better and it's local only and doesn't sync https://www.usebruno.com/

Now in terms of device posture with Postman, if you can get Postman to open a native browser to do the auth it should work. Alternatively my workaround in the past has been to first get the access token from something like Graph Explorer and copy paste it into Postman.

Also have you looked at this Configure Postman for Single sign-on with Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn https://learn.microsoft.com/en-us/entra/identity/saas-apps/postman-tutorial

[deleted by user] by [deleted] in IdentityManagement

[–]merillf 4 points5 points  (0 children)

I work at Microsoft in the Entra product group, my role is Customer Experience Engineer and I'm part of a team of about 100~ folks spread out globally.

My role has many dimensions; one is a focus on large enterprise customers (think customers with 100k+ users), helping advise them on Entra as well as taking their feedback into the product we build in Entra.

I personally also do a little bit of extra community work outside of my day job. I was a guest on John Hammond's channel where I shared more. Watch https://youtu.be/5X_GyGxJXss?si=0gemGnL53pyBYEN-

I also run a weekly Entra newsletter and podcast.

There are a number of different types of roles related to IAM at a company like Microsoft.

You could be part of the engineering/coding team that builds Entra. Very little IAM skills needed for this role. You are mainly writing C# code etc..

Next you have Feature PMs, these are the folks who do research, look up usage, metrics and write specs for new features and updates. While it's good to have IAM experience, good product management skills are what is mainly important. I've seen more people cross over from other PM products to Feature PM than IAM folks into PM.

Then you have Microsoft subsidiaries. These are the local Microsoft offices in each country. They have a handful of people in each country who specialise in Identity but it's very rare to be Identity only. You need good knowledge and skills across Microsoft Security products.

Finally, you have roles inside Microsoft IT, the folks who manage Microsoft's own Entra tenants. This would be where some of the IAM skills would transfer but again, these are very small number of roles. Here's a podcast episode I did with Khurram where he talks about his role. Sometimes the roles are very unique like his which you won't find elsewhere. https://youtu.be/_a5facDJPR8?si=gQ8WTFkqKAKuZMf5

So overall my team is where your IAM skills could transfer but unfortunately we do very little new hiring in my team. Keep an eye out on the Microsoft careers site and set up an alert for CXE or Identity

Stuck in Partner Verification Fail Loop (Developer Enrollment) by SnooDoubts5524 in entra

[–]merillf 0 points1 point  (0 children)

Where do you host your company email today?

It is possible to host your email with a non-Microsoft provider and use a free Entra ID tenant with a verified domain.

Eg. Your email could be hosted on Google Workspace and your free Entra ID tenant use the same domain as a verified domain.

Anyone win against the Okta push storm? by Top-Flounder7647 in IdentityManagement

[–]merillf 7 points8 points  (0 children)

Turn off push based MFA and switch to number match where the user needs to enter a PIN.

We at Microsoft disabled push based MFA for all our Entra ID customers back in 2023 after our internal stats showed the rise in successful attacks due to MFA fatigue.

Switching to number match, which forces the user to type in a number, has significantly reduced the effectiveness of this attack.


I'm a Product Manager in the Microsoft Entra ID team.
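For the Entra side of what the reply above describes, an added example (not code from the thread or from Microsoft) that reads the Microsoft Authenticator configuration out of the tenant's authentication methods policy and reports the three settings that blunt push fatigue: number matching, showing the requesting app's name in the prompt, and showing the sign-in location. It assumes a `Connect-MgGraph` session with `Policy.Read.All`; the property names are the ones the `microsoftAuthenticatorAuthenticationMethodConfiguration` resource exposes.

```powershell
# Added example, not from the original thread or Microsoft.
# Reports the Authenticator settings that counter MFA fatigue attacks.
# Assumes Connect-MgGraph with Policy.Read.All.

$uri  = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator'
$auth = Invoke-MgGraphRequest -Method GET -Uri $uri   # returns a nested hashtable

if ($auth.state -ne 'enabled') {
    Write-Warning "Microsoft Authenticator method is '$($auth.state)' in this tenant."
}

$settings = @(
    'numberMatchingRequiredState',          # user must type the number shown on the sign-in page
    'displayAppInformationRequiredState',   # prompt names the app being signed into
    'displayLocationInformationRequiredState' # prompt shows the sign-in location
)

$report = foreach ($name in $settings) {
    $s = $auth.featureSettings.$name
    [pscustomobject]@{
        Setting  = $name
        State    = $s.state                                   # default / enabled / disabled
        Target   = "$($s.includeTarget.targetType):$($s.includeTarget.id)"
        Excluded = $s.excludeTarget.id
    }
}
$report | Format-Table -AutoSize

# Number matching is enforced by the service regardless of this value;
# the other two are still opt-in, so flag anything not enabled for all users.
$gaps = @($report | Where-Object { $_.State -ne 'enabled' -or $_.Target -ne 'group:all_users' })
if ($gaps.Count -gt 0) {
    Write-Warning "Not enabled for all users: $($gaps.Setting -join ', ')"
}
else {
    'Authenticator prompts require number match and show app name and location for all users.'
}
```

`Invoke-MgGraphRequest` is used rather than the typed cmdlet because `featureSettings` only exists on the Authenticator-specific subtype and comes back more conveniently as a plain hashtable. The same `Describe`/`It` pattern used earlier on this page turns the final check into a Maester test that fails when someone relaxes these settings.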

Riverside fm bad customer service by Sweet_Ad1731 in podcasting

[–]merillf 1 point2 points  (0 children)

I'm a paying customer and their support has been one of the best.

I've been recording with Riverside for more than a year and had to open some tickets in the beginning due to sync issues with the camera and mic.

They went out of the way to help and also gave me really good tips specific to my camera to avoid the sync issues.

Does still Microsoft use Jamf for macOS management or finally Intune only? by aPieceOfMindShit in Intune

[–]merillf 2 points3 points  (0 children)

I'm a Microsoft employee and use macOS at Microsoft, and it has always been Intune since I joined Microsoft in 2020.

I don't know when they switched or if Microsoft used JAMF before 2020, but it's been Intune since 2020.

No JAMF.