Hybrid identity is no longer a “maybe later” project. It is now the default state for most enterprises: on-premises active directory still runs many core workloads, while microsoft entra id is the control plane for modern access, conditional access, and saas. The connector you choose between those worlds determines whether sign-ins are boring (good) or chaotic (bad).
When people say “set up…
Using custom roles and pim in entra id
March 1, 2026
Least privilege that actually survives real life
Imagine you’re the person who gets paged when “someone needs admin access right now.” The request is always urgent. The blast radius is always unclear. And the only role that “just works” is usually global administrator.
That is the default failure mode of identity governance: not because people love risk, but because granularity is hard…
Deploying identity governance policies in Entra
March 1, 2026
How to build something that survives audits, outages, and “we’ll just script it”
Identity governance is the part of identity management that answers a blunt question: who has access to what, why do they still have it, and what’s the process for removing it without breaking the business? In Microsoft Entra, “deploying identity governance policies” is not a single switch you flip. It’s…
Detecting stale accounts in azure ad
March 1, 2026
A stale account is not “a user who hasn’t logged in for 90 days.” That definition is convenient, but it’s incomplete—and in Entra ID it can be dangerously misleading.
A stale account is an identity object whose continued existence creates risk or cost without delivering current business value. Login inactivity is just one signal. The real question is: does this identity still have an…
Cross-tenant collaboration with b2b guest access
March 1, 2026
How it actually works, what breaks in the real world, and how to design it like an engineer
Cross-tenant collaboration with Microsoft Entra b2b guest access is the modern answer to an old problem: “How do we let partner users access our apps and data without creating accounts for them?”
In plain terms: you grant access to resources in your tenant to external users who authenticate using their…
Auditing azure ad app permissions
March 1, 2026
How to see what apps can really do in your tenant
If you’ve ever opened microsoft entra id (azure ad) and clicked through enterprise applications → permissions, you’ve seen the comforting illusion of control: a list of “api permissions” that looks finite, reviewable, and mostly harmless.
In real incidents, that list is rarely the whole story.
The permissions you see (requested…
Using access reviews to reduce privilege creep
March 1, 2026
Privilege creep is what happens when access accumulates faster than it is removed. A contractor is added to a “temporary” admin group. A developer gets an exception role “just for this sprint.” A helpdesk tech inherits access from a past incident. Months later, nobody remembers why those permissions still exist.
In security terms, this is not a “bad admin” problem. It is a systems…
How Entra handles token lifetimes
March 1, 2026
and why “expiry time” is the wrong mental model…
If you’ve ever tried to “set Entra token lifetime to 8 hours” and walked away confused, you’re not alone. Microsoft Entra ID (formerly Azure AD) absolutely issues tokens with expiry timestamps. But in real-world Entra, “how long a user stays signed in” is governed by a stack of mechanisms: OAuth token lifetimes, refresh token…
Integrating Entra with third-party apps
February 20, 2026
At 9:07 AM, your helpdesk phone lights up.
“Users can’t log into the CRM anymore. It says something about SAML.”
The CRM vendor insists nothing changed. Your network team swears the firewall is fine. Meanwhile, executives can’t access customer data.
In most modern Windows environments, this failure sits at the intersection of Microsoft Entra ID (formerly Azure AD), third-party SaaS apps…
Picture a familiar Windows/AD problem, just wearing 2026 clothes.
You hire a contractor in a different country. They need access to a handful of internal apps, maybe a helpdesk portal, maybe a privileged request workflow. You don’t want to create a full AD account yet. You don’t want a permanent Entra B2B guest either. HR wants “proof of employment” and “proof of training completion.”…
