Posts

TL;DR A multi-agent system (.NET 9 + Anthropic Claude) that embeds Entra Verified ID directly into the conversation. A QR code appears in chat, the user scans it with their wallet (Microsoft Authenticator), and the agent receives cryptographic proof of identity before it acts. Five layers of security enforcement — from probabilistic prompts to deterministic hooks — ensure identity verification cannot be skipped. The Problem: AI Agents Acting Without Proof AI agents are increasingly asked to perform sensitive operations — unlocking accounts, resetting credentials, approving transactions. But how does an agent know who it’s talking to? A username typed into chat is not identity. A “yes, that’s me” confirmation is not proof. ...

TL;DR Need to expose a local HTTPS endpoint to the internet or your private network? Tailscale does it in minutes. One command, no complex configuration, free for up to 3 users and 100 devices. It is a game changer for my developer setup. tailscale serve --service=svc:my-service --https=3000 http://localhost:3000 That’s it. Your local service is now accessible over HTTPS in your private Tailscale network with a valid certificate. The Problem As developers, we constantly hit the same wall: “I need to expose my local service”. Here are real scenarios I deal with regularly: ...

Securing Smart Access: Integrating Microsoft Entra Verified ID with Azure IoT Hub and Home Assistant Building a Zero-Trust Door Access System with Verifiable Credentials In this post, we’ll explore how to create a secure, decentralized access control system that combines Microsoft Entra Verified ID with Azure IoT Hub to unlock smart doors via Home Assistant. This solution demonstrates how verifiable credentials can bridge identity verification with physical access control in a zero-trust architecture. ...

Introducing the Entra as Code Interactive Workshop Manual identity management works for small setups—but at scale, it’s hard to stay consistent, track changes, and ensure compliance. That’s where Infrastructure as Code shines. I’m excited to announce the Entra as Code Interactive Workshop; A hands-on experience to master Microsoft Entra ID with Terraform. Why Entra as Code? Apply proven IaC principles to identity management: Version control your configurations Review changes before deployment Replicate environments reliably Audit every modification Automate with CI/CD What Makes This Workshop Different? Interactive Progress Tracking: GitHub Actions creates issues for each stage with instructions and checklists. ...

Changelog 2025-11-17 initial version 2026-01-02 updated Zero Trust Assessment pipeline to publish only HTML files (all others are not needed to display the report) TL;DR Maester: Review your tenant configuration using Pester (PowerShell) tests written by the community or customised by you. EntraExporter: Export tenant state to JSON files. Review changes between exports and take action. ZeroTrustAssessment: Evaluates tenant posture against Zero Trust baseline. Provides the big picture and summary of findings. Together they enable repeatable change management, drift detection, and continuous improvement. Introduction Operating Entra ID at scale requires more than ad-hoc scripting. Configuration must be observable, assessable, repeatable, and improvable. Rather than building custom verification scripts, backup solutions, or assessment frameworks from scratch, leverage three proven tools from Microsoft and the community—collectively known as the Entra ID Three Musketeers: Maester, EntraExporter, and ZeroTrustAssessment. Each addresses a critical piece of the operational lifecycle—governance testing, configuration export, and security assessment—forming a complete loop for identity platform maturity. ...

𝐇𝐨𝐰 𝐝𝐨 𝐲𝐨𝐮 𝐞𝐧𝐬𝐮𝐫𝐞 𝐜𝐨𝐦𝐩𝐥𝐢𝐚𝐧𝐜𝐞 𝐚𝐧𝐝 𝐚𝐮𝐝𝐢𝐭𝐚𝐛𝐢𝐥𝐢𝐭𝐲 𝐰𝐡𝐞𝐧 𝐦𝐚𝐧𝐚𝐠𝐢𝐧𝐠 𝐒𝐞𝐫𝐯𝐢𝐜𝐞 𝐏𝐫𝐢𝐧𝐜𝐢𝐩𝐚𝐥𝐬 𝐚𝐧𝐝 𝐒𝐒𝐎 𝐚𝐩𝐩𝐥𝐢𝐜𝐚𝐭𝐢𝐨𝐧𝐬 𝐢𝐧 𝐌𝐢𝐜𝐫𝐨𝐬𝐨𝐟𝐭 𝐄𝐧𝐭𝐫𝐚 𝐈𝐃? Here’s a proven architecture that combines developer self-service with strong governance: The Flow: Developers request identities via Backstage Backstage generates Terraform configs as Pull Requests Identity Operations team reviews and approves GitHub Actions provisions resources in Entra ID via Terraform Maester continuously audits all non-human identities against Entra as Code (Terraform) Compliance issues are automatically detected and reported Key Benefits: ...

TL;DR Backstage is an open-source developer portal that helps us manage software projects, tools, and APIs. With Backstage, we can create a unified view of our software ecosystem, making it easier for developers to discover and use tools. With Backstage, we can create custom plugins to integrate with our existing tools and services. My post provides an example custom template for Entra ID, which allows us to build a process to enable SSO for the applications. Introduction Based on the Identity perspective for the organisation, we are facing the challenge of managing multiple software projects, tools, and APIs. Backstage is an open-source developer portal that helps us create a unified view of our software ecosystem, making it easier for developers to discover and use tools. In this post, I will guide us through setting up Backstage and creating a custom plugin for Entra ID. ...

TL;DR Use my demo OpenID Connect provider to test workload identity federation in Entra ID. Use my Terraform module and example to create an Azure AD application with federated identity credentials. Play with workload identity federation without the need for secrets. Integrate your workloads with external identity providers like GitHub or Kubernetes. Introduction No more secrets! It is 2025, and our identity operations should be more secure and easier to manage. Microsoft Entra ID Workload Identity Federation enables you to utilise external identity providers (such as GitHub, Workload on Kubernetes cluster, SPIFFE, or SPIRE) to authenticate workloads without requiring secrets. In this post, I’ll guide you through setting up federated identity credentials in Entra ID using a custom OIDC provider and Terraform. ...

No more Custom Policies & Identity Experience Framework With the new Entra External ID and Entra ID, we can use the built-in policies for authentication. Entra External ID technical details and requirements: authentication method must be supported by the tenant; no custom authentication methods via user flow, we can select a password or OTP (one-time password) method. no custom methods like magic link or passwordless (yet!) no ADMIN API to authenticate users; no API connector to use external API for authentication; Compare User with password and OTP ...

Changelog 2025-04-09 - initial version 2025-04-11 - updated with AADInternals OSINT tool Tenant public information Your tenant-id With the page https://www.whatismytenantid.com/, you can find your TenantID How does it work? We can check the Network tab of the browser and find a query to the OpenID Configuration endpoint based on the domain: https://login.microsoftonline.com/{{YOUR-DOMAIN-HERE}}/.well-known/openid-configuration ^ We can also find a tenant location with the tenant_region_scope field. ^ Whatismytenantid doesn’t work? You can get the same from the website https://gettenantpartitionweb.azurewebsites.net/! ...