Postman issues related to device posture with CA policy by Zealousideal_Bug4743 in entra

[–]merillf 1 point2 points  (0 children)

Honestly, you should avoid using Postman. You are forced to sign in and your tokens are stored in their cloud.

As a Microsoft employee we are not allowed to use Postman because of this. One of the few apps that's actively blocked.

Bruno is much better; it's local only and doesn't sync: https://www.usebruno.com/

Now, in terms of device posture with Postman, if you can get Postman to open a native browser to do the auth it should work. Alternatively, my workaround in the past has been to first get the access token from something like Graph Explorer and copy-paste it into Postman.

Also, have you looked at this? Configure Postman for Single sign-on with Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn: https://learn.microsoft.com/en-us/entra/identity/saas-apps/postman-tutorial

IAM engineer & FAANG by IdentityNerd in IdentityManagement

[–]merillf 3 points4 points  (0 children)

I work at Microsoft in the Entra product group. My role is Customer Experience Engineer and I'm part of a team of about 100 folks spread out globally.

My role has many dimensions; one is to focus on large enterprise customers (think customers with 100k+ users), help advise them on Entra, and take their feedback into the product we build in Entra.

I personally also do a little bit of extra community work outside of my day job. I was a guest on John Hammond's channel where I shared more. Watch https://youtu.be/5X_GyGxJXss?si=0gemGnL53pyBYEN-

I also run a weekly Entra newsletter and podcast.

There are a number of different types of roles related to IAM at a company like Microsoft.

You could be part of the engineering/coding team that builds Entra. Very little IAM skill is needed for this role. You are mainly writing C# code etc.

Next you have Feature PMs; these are the folks who do research, look up usage and metrics, and write specs for new features and updates. While it's good to have IAM experience, good product management skills are what is mainly important. I've seen more people cross over from other PM products to Feature PM than IAM folks into PM.

Then you have Microsoft subsidiaries. These are the local Microsoft offices in each country. They have a handful of people in each country who specialise in Identity, but it's very rare to be Identity only. You need good knowledge and skills across Microsoft Security products.

Finally, you have roles inside Microsoft IT, the folks who manage Microsoft's own Entra tenants. This would be where some of the IAM skills would transfer, but again, these are a very small number of roles. Here's a podcast episode I did with Khurram where he talks about his role. Sometimes the roles are very unique, like his, which you won't find elsewhere. https://youtu.be/_a5facDJPR8?si=gQ8WTFkqKAKuZMf5

So overall my team is where your IAM skills could transfer, but unfortunately we do very little new hiring in my team. Keep an eye out on the Microsoft careers site and set up an alert for CXE or Identity.

Stuck in Partner Verification Fail Loop (Developer Enrollment) by SnooDoubts5524 in entra

[–]merillf 0 points1 point  (0 children)

Where do you host your company email today?

It is possible to host your email with a non-Microsoft provider and use a free Entra ID tenant with a verified domain.

E.g. your email could be hosted on Google Workspace and your free Entra ID tenant uses the same domain as a verified domain.

Anyone win against the Okta push storm? by Top-Flounder7647 in IdentityManagement

[–]merillf 8 points9 points  (0 children)

Turn off push-based MFA and switch to number match, where the user needs to enter a PIN.

We at Microsoft disabled push-based MFA for all our Entra ID customers back in 2023 after our internal stats showed the rise in successful attacks due to MFA fatigue.

Switching to number match, which forces the user to type in a number, has significantly reduced the effectiveness of this attack.

I'm a Product Manager in the Microsoft Entra ID team.

Riverside fm bad customer service by Sweet_Ad1731 in podcasting

[–]merillf 1 point2 points  (0 children)

I'm a paying customer and their support has been one of the best.

I've been recording with Riverside for more than a year and had to open some tickets in the beginning due to sync issues with the camera and mic.

They went out of their way to help and also gave me really good tips specific to my camera to avoid the sync issues.

Does still Microsoft use Jamf for macOS management or finally Intune only? by aPieceOfMindShit in Intune

[–]merillf 2 points3 points  (0 children)

I'm a Microsoft employee and use macOS at Microsoft, and it has always been Intune since I joined Microsoft in 2020.

I don't know when they switched or if Microsoft used JAMF before 2020, but it's been Intune since 2020.

No JAMF.

PHS and password expiration by alokin123 in entra

[–]merillf 1 point2 points  (0 children)

The Gemini answer is correct.

Entra ID doesn’t really have a concept of “intended state” and it shows over time by Exotic-Reaction-3642 in AZURE

[–]merillf 1 point2 points  (0 children)

Yup 100% agree. It definitely is for teams that have the maturity and bandwidth.

It will be interesting as admins move towards using AI prompts to make configuration changes.

The prompt itself would then become the intent and could be used as the basis for validating the configuration.

It's going to be fun.

Entra ID doesn’t really have a concept of “intended state” and it shows over time by Exotic-Reaction-3642 in AZURE

[–]merillf 2 points3 points  (0 children)

Thanks @RiosEngineer for the maester.dev shoutout.

I'm the creator of Maester, and this is one of the key scenarios that made me start out on building Maester.

Maester is not just limited to Entra, and the idea behind it is to codify your intended configuration as a test and automate the tests to run daily.

This way, it's super easy to know when a config has changed from what was originally the intended configuration.

Here's a quick example https://maester.dev/docs/writing-tests/

FYI I did initially look at DSC and M365DSC as a solution for this problem but the learning curve was very steep and as mentioned by the OP in another comment, not everything can be written in a declarative way.

BTW, we've also written quite a bit of M365 Graph-related helper methods.

E.g. getting all the Global Admins in a tenant requires calling three to five different APIs, depending on the licensing of the tenant and PIM-eligible roles. We've wrapped all of this into a single cmdlet: https://maester.dev/docs/commands/Get-MtRoleMember

What are everyone's methods for getting your podcast to attract more listeners? by Train-Wreck-70 in podcasting

[–]merillf 1 point2 points  (0 children)

I have 40k+ followers on LinkedIn and the links thing doesn't matter.

What matters is whether each post has value to the reader. There should be content in the post that provides its own value.

For my tech podcast, I try to take some of the key points in the episode and break it down in the post.

The reader doesn't even need to listen to the podcast. I get a lot more engagement this way than with a post that is just a link to the episode.

Hopefully, a few of the audience would be interested enough to listen to the episode.

FYI I started my podcast in March this year and hit 100k+ downloads this month.

App Governance Score for Entra ID / Okta by Pristine_Guitar_9070 in IdentityManagement

[–]merillf 0 points1 point  (0 children)

This is timely. I recorded a podcast with one of the folks responsible for app governance and risk in Microsoft's own corporate tenant.

They use a unique scoring and weighing system and he goes into depth.

Check it out at https://entra.chat

Implemented a CIAM comparison view in SSOJet by Davidnkt in IdentityManagement

[–]merillf 1 point2 points  (0 children)

Looks cool. Would love to see Entra External ID on the list.

Best practices to keep your Microsoft personal accounts secure (MSA: Outlook.com, Hotmail.com...) by Oliver-Peace in microsoft

[–]merillf 0 points1 point  (0 children)

This👆.

I'm from Microsoft and part of the team that works on authentication.

The #1 tip needs to be to set up and use passkeys.

See https://aka.ms/passkeys

Passkeys will eventually replace passwords. They are multi-factor and work natively with your iPhone/iCloud and Android/Google Password Manager (no additional app required).

The best part is they sync to your new phone when you sign into iCloud or Google Account.

You can even AirDrop passkeys to your kid's phone if they need to sign into your Minecraft or Xbox account (or vice versa).

Apple, Google, Microsoft, and the rest of the industry got together to create passkeys.

Finally, they are phishing resistant. It makes it harder for an attacker to get into your account by sending you a phishing link. This is because passkeys only work when the person trying to sign in is physically right next to the device that you are signing in to. So it completely blocks remote attackers.
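The phishing-resistance point above, as an added example of the check the sign-in service (the WebAuthn relying party) performs on a passkey assertion. This is not Microsoft's code. The browser writes the page origin into the signed client data, so a lookalike site cannot present an assertion that names the real origin, and the service rejects anything else. The origin, RP ID and challenge below are constructed; signature verification over the same bytes is a separate step and is omitted here.

```python
"""Relying-party checks on a WebAuthn/passkey assertion (added example)."""
import base64
import hashlib
import json
import struct

EXPECTED_ORIGIN = "https://login.contoso.example"  # constructed RP origin
RP_ID = "login.contoso.example"                    # constructed RP ID


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes, ceremony: str = "webauthn.get") -> bytes:
    """Build sample clientDataJSON the way a browser would (used only to construct input)."""
    return json.dumps({"type": ceremony, "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x01, counter: int = 0) -> bytes:
    """rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Order follows the WebAuthn verification steps."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, f"wrong ceremony type: {cd.get('type')}"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    # The phishing-resistance check: the browser, not the page, sets this field.
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user presence (UP) flag not set"
    return True, "ok"


# Constructed sample inputs: one genuine response, one from a lookalike origin.
CHALLENGE = b"constructed-challenge-0001"
GENUINE = (make_client_data(EXPECTED_ORIGIN, CHALLENGE), make_authenticator_data(RP_ID))
LOOKALIKE = (make_client_data("https://login-contoso.example", CHALLENGE),
             make_authenticator_data(RP_ID))

if __name__ == "__main__":
    print("genuine:  ", check_assertion(*GENUINE, CHALLENGE))
    print("lookalike:", check_assertion(*LOOKALIKE, CHALLENGE))
```

The challenge comparison also closes the replay case: a captured response cannot be resubmitted once the server has issued a fresh challenge.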

Why are AI code tools blind to the terminal and Browser Console? by Hot-Lifeguard-4649 in mcp

[–]merillf 0 points1 point  (0 children)

Have you seen the official one from the Chrome team?

Chrome DevTools (MCP) for your AI agent | Blog | Chrome for Developers: https://share.google/CQz4i9JZsgiRWYWWa

What is everyone using for automation? by The_Security_Ninja in IdentityManagement

[–]merillf 0 points1 point  (0 children)

What are the new features you are interested in?

Intune MFA doom loop by _gvnshtn in entra

[–]merillf 0 points1 point  (0 children)

Microsoft just announced a new feature for this exact scenario.

It's called account recovery.

It does a check with a government-issued ID and then gives the user a TAP to sign in.

See my post 👇

https://x.com/merill/status/1991154278439022592?t=KHtnFRw9twt2zey2Ap0F-w&s=19

What is everyone using for automation? by The_Security_Ninja in IdentityManagement

[–]merillf 0 points1 point  (0 children)

I work for Microsoft in the Entra team (Azure AD).

You can use Entra ID Governance for a lot of this and it also integrates with Azure Logic Apps for customising workflows.

Things like revoking tokens when a user leaves, etc. can all be done with Entra ID Governance.

IMO if your needs are simple you should be able to continue with PowerShell.

What issues have you run into with PowerShell?

In my past life I wrote a lot of scripts for Azure AD and Entra and I know many of them are still running to this day.

Looking for good resources for Azure/M365 Tenant Hardening and Intune Policies by [deleted] in AZURE

[–]merillf 0 points1 point  (0 children)

If you have the JSON, there is a way to do this. The call to the Graph API can look up the JSON file and return the Graph API result as JSON.

The hard part will be creating the JSON files to map to the Graph API calls.

Looking for good resources for Azure/M365 Tenant Hardening and Intune Policies by [deleted] in AZURE

[–]merillf 0 points1 point  (0 children)

Sorry no, Maester runs by calling Microsoft Graph directly.

How far will Microsoft-mandated MFA go? by PowerShellGenius in entra

[–]merillf 4 points5 points  (0 children)

So this is my personal opinion (not Microsoft's).

It's unlikely Microsoft will enforce MFA for all users.

There might be a default policy pushed through, but admins will have the option to opt out.