Entra ID Four Musketeers

TL;DR

Maester: Review your tenant configuration using Pester (PowerShell) tests written by the community or customised by you.
EntraExporter: Export tenant state to JSON files. Review changes between exports and take action.
ZeroTrustAssessment: Evaluates tenant posture against a Zero Trust baseline. Provides the big picture and a summary of findings.

Together they enable repeatable change management, drift detection, and continuous improvement.

Introduction

Operating Entra ID at scale requires more than ad-hoc scripting. Configuration must be observable, assessable, repeatable, and improvable. Rather than building custom verification scripts, backup solutions, or assessment frameworks from scratch, leverage three proven tools from Microsoft and the community—collectively known as the Entra ID Three Musketeers: Maester, EntraExporter, and ZeroTrustAssessment. Each addresses a critical piece of the operational lifecycle—governance testing, configuration export, and security assessment—forming a complete loop for identity platform maturity. ...

November 17, 2025 · Mateusz Jendza

Governance Entra ID with Backstage and Maester

How do you ensure compliance and auditability when managing Service Principals and SSO applications in Microsoft Entra ID? Here’s a proven architecture that combines developer self-service with strong governance:

The Flow:
1. Developers request identities via Backstage
2. Backstage generates Terraform configs as Pull Requests
3. Identity Operations team reviews and approves
4. GitHub Actions provisions resources in Entra ID via Terraform
5. Maester continuously audits all non-human identities against Entra as Code (Terraform)
6. Compliance issues are automatically detected and reported

Key Benefits: ...

October 17, 2025 · Mateusz Jendza

Backstage for Entra ID Team

TL;DR

Backstage is an open-source developer portal that helps us manage software projects, tools, and APIs. With Backstage, we can create a unified view of our software ecosystem, making it easier for developers to discover and use tools. With Backstage, we can create custom plugins to integrate with our existing tools and services. My post provides an example custom template for Entra ID, which allows us to build a process to enable SSO for the applications.

Introduction

Based on the Identity perspective for the organisation, we are facing the challenge of managing multiple software projects, tools, and APIs. Backstage is an open-source developer portal that helps us create a unified view of our software ecosystem, making it easier for developers to discover and use tools. In this post, I will guide us through setting up Backstage and creating a custom plugin for Entra ID. ...

July 23, 2025 · Mateusz Jendza

Entra ID Workload Identity Federation: Secure Workloads Without Secrets (with Terraform Demo)

TL;DR

Use my demo OpenID Connect provider to test workload identity federation in Entra ID. Use my Terraform module and example to create an Azure AD application with federated identity credentials. Play with workload identity federation without the need for secrets. Integrate your workloads with external identity providers like GitHub or Kubernetes.

Introduction

No more secrets! It is 2025, and our identity operations should be more secure and easier to manage. Microsoft Entra ID Workload Identity Federation enables you to utilise external identity providers (such as GitHub, a workload on a Kubernetes cluster, SPIFFE, or SPIRE) to authenticate workloads without requiring secrets. In this post, I’ll guide you through setting up federated identity credentials in Entra ID using a custom OIDC provider and Terraform. ...

June 11, 2025 · Mateusz Jendza

Exploring Publicly Accessible Entra ID Tenant and User data

Changelog
2025-04-09 - initial version
2025-04-11 - updated with AADInternals OSINT tool

Tenant public information

Your tenant-id

With the page https://www.whatismytenantid.com/, you can find your TenantID.

How does it work? We can check the Network tab of the browser and find a query to the OpenID Configuration endpoint based on the domain: https://login.microsoftonline.com/{{YOUR-DOMAIN-HERE}}/.well-known/openid-configuration

We can also find the tenant location in the tenant_region_scope field.

Whatismytenantid doesn’t work? You can get the same from the website https://gettenantpartitionweb.azurewebsites.net/! ...

April 9, 2025 · Mateusz Jendza

Entra ID as a Code

Make life easier with Entra ID as Code

TL;DR

It is the end of 2024; daily, we use the following:
- CI/CD pipelines for infrastructure as code (IaC) deployment to create Services, Applications, Storages, etc.,
- permissions (RBAC) from resources to resources (App Service WebApp1 should read Blob Storage WebApp1Storage),
- secrets; we hate them, but we found a solution to avoid secrets with Managed Identity and Workload Identity solutions.

What is the plan for us? We will use the Azure Portal and the Entra ID blade to manage our applications, permissions, and secrets. We can create and update our app registrations via the browser. Can we improve our Entra ID and Entra External ID with IaC, as shown in the screenshot (Picture 1) below? ...

November 28, 2024 · Mateusz Jendza

MFA passwordless authentication methods for Entra ID

TL;DR

It is not easy for Entra ID Tenant administrators to choose the best authentication method for their employees, vendors, and partners. You must consider the scenario, the environment, and the passwordless technology. I’m focusing only on the passwordless MFA authentication methods and the corresponding changes in Entra ID - MFA will be required.

Side note: Microsoft announced that MFA will be required for a couple of services, like the Azure Portal or CLI. The document mentions that Security defaults will force MFA, or it should be enabled by Conditional Access Policies for users accessing the defined services. We will see how the final implementation will look (I promise to update the post with the final state). ...

August 19, 2024 · Mateusz Jendza

Entra External ID for Customers - first impression

Entra External ID for Customers is a new Azure Tenant type that allows you to create digital identities for your customers.

Use cases
- B2B partners. You can create a dedicated customer tenant for your partners, give them access to your applications, and manage users and groups in the tenant without partners’ access to your organisation (workforce tenant). Your data is fully secured and isolated.
- Online services and web shops for your retail. Full self-service is available to sign up/sign in and manage their accounts. You can also use social logins like Google or Facebook.
- Product pages, helpdesk and support. Keep customer engagement and provide them with the best experience.
- Cross-device authentication. User-friendly experience to log in on the TV screen, medical devices, or any other IoT device where you can display a QR code or PIN to log in.

What is Entra External ID for Customers? In simple words, it is a new tenant type. From now on you can decide between the Workforce and Customer type. It is a new tenant type to create - so for customers, it is separate - and not connected with your organisation’s tenant. Please remember that the service is still in preview mode - but only till the 15th of May, so only limited features may be available. Service will be GA soon!! ...

May 2, 2024 · Mateusz Jendza

Entra Verified ID deep dive

History
2024-06-17: Added Wallet SDK Link & Sample Android Implementation.
2024-06-30: Small changes.
2025-07-23: Fixed verified employee demo link and removed face check demo.
2025-07-27: Improved B2C and wallet example, improved structure.

Entra Verified ID: Complete Guide with Hands-On Workshop

Introduction

In our digital world, identity verification remains fragmented across countless systems, creating security risks, privacy concerns, and user friction. Microsoft Entra Verified ID solves these challenges using W3C-standard Verifiable Credentials, enabling secure, decentralized, and user-controlled digital identity. ...

March 12, 2024 · Mateusz Jendza

Understanding the Differences Between Microsoft Entra ID and Azure AD B2C: How to Select the Right Identity Solution for Your Business

Microsoft Entra ID External Identities vs Azure AD B2C.

TL;DR

A summary of differences between Entra ID and Azure AD B2C. Entra ID in this article is used to build a product.

Differences between Entra ID and Azure AD B2C

To share resources from your organization (Entra ID) like PowerBI, OneDrive, and SharePoint - use B2B collaboration. Please remember: in many cases, you must assign the expected licenses - PowerBI*, for example - and then you will be able to use the PowerBI Portal. ...

January 23, 2024 · Mateusz Jendza