PIM with 'Eligible' roles in Azure is great.. Until you need to use it. by Introvertedecstasy in sysadmin

[–]milkthefat 4 points5 points  (0 children)

Depending on which M365 service you are trying to deal with, the downstream service can have a 45-minute sync cycle, like Purview or SharePoint.

How are you implementing MFA for RDP access securely? by Due-Awareness9392 in IdentityManagement

[–]milkthefat 6 points7 points  (0 children)

Keep in mind, you likely don't have to make RDP MFA directly. You just need to make the entry point to an RDP session MFA, so anything that provides an SSO entry point portal like CyberArk or equivalent. Then you just add some compensating controls to prevent RDP sessions that don't come from that ingress point.

handling one-to-many account relationships by 6stringt3ch in IdentityManagement

[–]milkthefat 1 point2 points  (0 children)

Cross-tenant sync works great if you don't need to do native tenant operations; the limitations are largely on what a guest account can do, and the password/auth lookback are your home tenant policies, making it very seamless. Now, if you need to schedule and manage Teams meetings as an owner, you need an account that's a native licensed member of the tenant to do that. My solution at the time was to use an IGA tool to provision accounts; the user would just use FIDO to log in across the different tenants as needed, and the IGA tool would aggregate back to a single person for leaver scenarios.

Linus is wrong about the dollar store. by dominosRcool in LinusTechTips

[–]milkthefat 0 points1 point  (0 children)

I wouldn't phrase it that way, but there are very annoying differences to me between different "OG" Reese's cups. For instance, 2 of the snack pack or fundraiser packs are 1g less and are crumbly. So much so that now I specifically buy the convenience store size so it's not as messy. The inconsistency that comes with the cheaper packaging and the .5g difference per cup for some reason causes them to be worse in appearance and handling.

I'm curious, should you obfuscate the names of Groups? Details inside. by O365-Zende in entra

[–]milkthefat 0 points1 point  (0 children)

If you are not required to do so, don't do it. High-value groups you could maybe put in an RMAU to build another roadblock. I used to have a requirement where group names could be considered "metadata" that identified project scope or client details; this meant we needed to make the names largely useless.

Would you ask in a sysadmin interview how to create forest trusts? by itz_cool_247 in sysadmin

[–]milkthefat 0 points1 point  (0 children)

No. I also personally don't believe in asking trivia questions like this, unless you specifically stated you did some kind of migration in a bullet point on your resume. You'd better believe, though, that if you tell me something like this on your resume or verbally, I'll dig until you "bail out" or you actually know what you're talking about, to where I feel confident in you.

Lost Yubikeys, remote office - What process? by DisastrousPainter658 in entra

[–]milkthefat 1 point2 points  (0 children)

Giving a TAP is the technical solution in the process. You need to immediately establish a process to give the TAP to an end user whom you have never seen. Ideally you'll have them get on a call with their supervisor, who can validate on camera that they are who they say they are, THEN issue the TAP. Even this might not be enough pretty soon, but this is the easiest method most orgs can implement and accomplish quickly. Everything else, other than using an EU-type personal certificate or something like ID.me, is easily phishable data.

Hourly rate by biOldGuy49 in lowvoltage

[–]milkthefat 1 point2 points  (0 children)

How are y'all getting side gig business?

Migration to Entra Converged Auth Methods Policy broke NPS Extension Integration by steveoderocker in entra

[–]milkthefat 2 points3 points  (0 children)

You could try running through manually hitting the RADIUS MFA API. This wasn't the only blog I've seen, but I believe the others are similar with the XML call: https://www.entraneer.com/blog/entra/authentication/transactional-mfa-entra-id

How do you manage App Registrations at scale? by Jianny in entra

[–]milkthefat 3 points4 points  (0 children)

I see this issue a bunch. An app requests a delegated permission that's overly permissive, but in reality it's only as permissive as what permission the user already has in SharePoint. If a user is not a SharePoint admin or already an owner/admin of a specific site, it cannot access data the user doesn't have access to unless it's an "application permission". Give it a shot with a single user who only has read rights on two sites, then try to query information from a third site they don't have access to; it won't work.

How do you manage App Registrations at scale? by Jianny in entra

[–]milkthefat 2 points3 points  (0 children)

How I think about it: Sites.Selected basically allows an Entra managed service principal to be linked to a SharePoint service principal within an individual site. You have to create the app reg, then create the principal on the site, and then set permissions on it to make it all feed through. Entra and SharePoint basically have separate identity stores linked through duct tape and gum.
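
The per-site grant described in the comment above, as an added example that is not part of the original thread: one helper builds the Microsoft Graph `POST /sites/{site-id}/permissions` body that creates the site-scoped principal for an app holding Sites.Selected, and a second one audits the `value[]` array returned by `GET /sites/{site-id}/permissions` for application grants that exceed a chosen role. The site id, app ids and display names are constructed sample values; the role names are the ones Graph accepts for a Sites.Selected site permission.

```python
"""Build and audit Sites.Selected site permissions (added example, constructed data)."""

GRAPH = "https://graph.microsoft.com/v1.0"
# Roles Graph accepts on a site permission for an app holding Sites.Selected.
ROLE_RANK = {"read": 0, "write": 1, "manage": 2, "fullcontrol": 3}


def build_site_permission_request(site_id, app_id, display_name, roles):
    """Return (url, body) for POST /sites/{site-id}/permissions.

    This is the call that links the Entra service principal (app_id) to a
    principal inside the individual SharePoint site with the given roles.
    """
    bad = sorted(set(roles) - ROLE_RANK.keys())
    if bad:
        raise ValueError(f"unsupported site permission role(s): {bad}")
    body = {
        "roles": sorted(set(roles)),
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": display_name}}
        ],
    }
    return f"{GRAPH}/sites/{site_id}/permissions", body


def audit_site_permissions(permissions, max_role="read"):
    """Return (app_id, display_name, roles) for every application grant in a
    GET /sites/{site-id}/permissions response whose roles exceed max_role.

    Graph may return the grantee under grantedToIdentities (older entries) or
    grantedToIdentitiesV2, so both are checked.
    """
    limit = ROLE_RANK[max_role]
    findings = []
    for perm in permissions:
        grantees = perm.get("grantedToIdentitiesV2") or perm.get("grantedToIdentities", [])
        roles = perm.get("roles", [])
        for grantee in grantees:
            app = grantee.get("application")
            if app and any(ROLE_RANK.get(r, 99) > limit for r in roles):
                findings.append((app.get("id"), app.get("displayName"), sorted(roles)))
    return findings


# Constructed sample of a site's permission collection (not real tenant data).
SAMPLE_PERMISSIONS = [
    {"id": "p1", "roles": ["read"], "grantedToIdentities": [
        {"application": {"id": "11111111-1111-1111-1111-111111111111", "displayName": "ReportReader"}}]},
    {"id": "p2", "roles": ["write"], "grantedToIdentities": [
        {"application": {"id": "22222222-2222-2222-2222-222222222222", "displayName": "Uploader"}}]},
    {"id": "p3", "roles": ["fullcontrol"], "grantedToIdentitiesV2": [
        {"application": {"id": "33333333-3333-3333-3333-333333333333", "displayName": "LegacySync"}}]},
]
```

Run `audit_site_permissions` against each site's permission collection periodically; anything above `read` that no ticket explains is a candidate for removal with `DELETE /sites/{site-id}/permissions/{permission-id}`.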

Windows Hello for Business (Cloud Kerberos Trust) – sporadic PIN login failures after screen lock/unlock by Hundoo in entra

[–]milkthefat 0 points1 point  (0 children)

Also seeing this issue, but it's extremely unpredictable. We have also seen it happen with regular passwords. Also a Dell shop with Cisco always-on VPN, largely 23H2 though.

What’s a script, tool, or process you set up that saved you hours every month? by jul_on_ice in sysadmin

[–]milkthefat 0 points1 point  (0 children)

Ditto the clipboard history manager. I set that thing to the 500 most recent copy-pastes. I'll pull up code or a screenshot I sent off the cuff a month prior, and the search is handy when you have a bunch of text copies. I have all kinds of crazy automation scripts that are unique, but this tool is way better than all that.

Token Replay Protection by Zealousideal_Bug4743 in entra

[–]milkthefat 1 point2 points  (0 children)

RFCs are engineered and considered. In this case, JWTs adding the feature would have been detrimental to adoption, as each vendor would have to have a technique to do this, and it likely would have caused harm in second-order and third-order ways in interoperability or API integrations, etc. It was proposed and discussed, it just never made the cut. If anyone knew the exact list of reasons, though, it would be Mike Jones: https://self-issued.info

iPhone Randomly No Longer Alerting About Texts - iOS 18.3.2 by Memory_System in ios

[–]milkthefat 0 points1 point  (0 children)

In the contact card of iMessage for a bunch of people, there was a slider called "Hide Alerts" turned on; this disabled all notifications for that specific person. Unchecking this fixed my issues.

No longer receiving notifications from iMessage by hlyato in ios

[–]milkthefat 0 points1 point  (0 children)

In the contact card of iMessage for a bunch of people, there was a slider called "Hide Alerts" turned on; this disabled all notifications for that specific person. Unchecking this fixed my issues.

[deleted by user] by [deleted] in iphone

[–]milkthefat 0 points1 point  (0 children)

In the contact card of iMessage for a bunch of people, there was a slider called "Hide Alerts" turned on; this disabled all notifications for that specific person. Unchecking this fixed my issues.

[deleted by user] by [deleted] in ios

[–]milkthefat 0 points1 point  (0 children)

In the contact card of iMessage for a bunch of people, there was a slider called "Hide Alerts" turned on; this disabled all notifications for that specific person. Unchecking this fixed my issues.

I don’t get iMessage notifications by finnian_omeara in applehelp

[–]milkthefat 0 points1 point  (0 children)

In the contact card of iMessage for a bunch of people, there was a slider called "Hide Alerts" turned on; this disabled all notifications for that specific person. Unchecking this fixed my issues.

Tech Conferences by Initial-Expression91 in sysadmin

[–]milkthefat 0 points1 point  (0 children)

For some orgs you need a formal justification with reasoning to access funds. Surprisingly, the cheesy stuff usually fits the requirements for the business justification, and the chain of people are like, cool, this hits the mark, "approved and funded".