Understanding Device Registration Join Types: When and Why to Use Each
In today’s digital landscape, securing devices and ensuring seamless access to corporate resources is paramount. As an Identity & Security expert, it’...
In today’s digital landscape, securing devices and ensuring seamless access to corporate resources is paramount. As an Identity & Security expert, it’...
We have observed recently many customers are asking why they do see the same device has two device objects on Azure AD, and connected twice to Azure AD as Az...
Responding to COVID-19 (aka. coronavirus) crisis, employees started working from home, and we start receiving many queries about Azure AD Devices. In this ar...
The number of users working from home (WFH) increases in the response of COVID-19 (aka. coronavirus) outbreak, and we need to make sure that identities and t...
The number of users working from home (WFH) increases in response of COVID-19 (aka. coronavirus) outbreak, and we need to make sure that identities and their...
Lots of customers are asking if it is important to connect their devices to Azure AD, and what are the benefits of doing this.
Do you have pending devices in your Azure AD tenant? If so, then this article is definitely for you 🙂
In this article, I am discussing device registration for hybrid Azure AD joined devices. First of all, let’s go through device registration steps: The dev...
When configuring Hybrid Azure AD joined devices with non-persistent Virtual Desktop Infrastructure (VDI) we face the following challenges: Non-persistent ...
In a previous article I described why Do I really need to connect my device to Azure AD. In this article I will describe the available types of having device...
When the user login successfully to Hybrid Azure AD device or Azure AD joined device, he acquires AzureAD PRT which is extremely important to enable Single S...
Microsoft single sign-on for Linux is generally available, bringing Entra registration, brokered SSO, and device-based controls to Linux desktops.
Passkeys on Windows Hello let users register device-bound FIDO2 credentials in the local Windows Hello container.
Microsoft Entra registration campaigns can now nudge eligible users to register passkeys during sign-in.
System-preferred authentication now applies to first-factor and second-factor sign-in when Microsoft managed settings are used.
Most organizations get phishing-resistant authentication working on the desktop and then stall at mobile. iPhones and iPads are where people actually do a ...
In PKI-heavy environments, broad certificate trust gets messy fast. If every trusted certificate authority is valid for every user, you lose the ability to...
Anyone who has rolled out certificate-based authentication has seen it: a user opens the certificate picker, finds a long list of options, and guesses. The...
Strong authentication only helps if the platform actually steers people toward it. Users tend to pick whatever is fastest at the prompt, and on iOS certifi...
Lifecycle Workflows can now test an Update user attributes task for joiner, mover, and leaver automation.
SAP SuccessFactors HR provisioning can now use short-lived federated OIDC tokens instead of stored basic-auth passwords. Here’s how the Public Preview works.
Access packages can now govern active and eligible Azure RBAC assignments at key Azure scopes in Public Preview.
Cross-tenant group synchronization is generally available for synchronizing security groups and memberships across Entra tenants.
Agent Identity Sponsorship Transitions help lifecycle workflows notify and transfer ownership when an agent sponsor changes.
Access delays are often communication problems, not policy problems. A request sits pending, nobody knows who’s responsible, and the requestor opens a tick...
Offboarding delays are more than an HR annoyance — they’re an identity risk. Every hour an account stays active past someone’s last day is an hour of unnec...
The hardest part of bringing an application into governance usually isn’t wiring up the connector — it’s answering a deceptively simple question: who alrea...
Mobile access is always where policy consistency gets tested. People live in Microsoft 365 on iPhones and iPads, and if your Zero Trust controls stop at th...
Partner access usually breaks down at the handoff between identity and connectivity. You can invite a guest, but getting them to the right private app — wi...
Even in a cloud-first architecture, branch traffic still needs old-school network control. The problem is that maintaining that control usually means rule ...
A lot of branch and remote-site traffic still comes from devices that will never run a client — printers, kiosks, IoT gear, shared workstations, and the li...
Plenty of internet traffic still originates from places where installing the Global Secure Access client just isn’t realistic — multi-session VDI, kiosks, ...
A lot of modern data loss looks completely ordinary. Someone uploads a spreadsheet to a generative AI tool, drags a PDF into personal mail, or pushes a con...
Stop wiring AI agents to shared secrets and borrowed service accounts. Treat every agent as a governed non-human identity with the controls you already run.
Microsoft Entra now lets you apply Purview sensitivity labels to cloud security groups in public preview — here’s why it matters and how to test it.
Device soft delete moves deleted Entra device objects into a recoverable state instead of removing them immediately.
App Deactivation lets admins stop new token issuance while preserving app registration metadata and configuration.
When an account is compromised, every minute spent escalating to an IAM admin is a minute the attacker keeps working. Privileged Identity Response for SOCs...
If you build on Microsoft Entra sign-in data, this is a quietly important update. Microsoft Graph now supports $count in sign-in API requests, so your quer...
Modernized My Account pages are generally available, giving users clearer self-service paths for account and device tasks.
Most teams know exactly what licenses they bought. Far fewer can show how much of that capability is actually being used. That gap costs money at renewal a...
For years, Microsoft Entra branding has been a tenant-wide decision. That’s fine when one identity maps to one audience — but most tenants don’t work that ...
For hybrid identity teams, stability work matters just as much as new features. Microsoft Identity Manager 2016 Service Pack 3 is now Generally Available, ...
Domainless SAML federation lets external users sign in with their own IdP even when email domains do not map cleanly.
High Scale Compatibility mode is generally available for phased Azure AD B2C migrations to Microsoft Entra External ID.
If you build customer-facing apps, you know the tension: users expect to sign in with the accounts they already have, but you don’t want to hand the whole ...
Connecting workforce identity to customer-facing applications has long meant duplicate accounts — and duplicate accounts mean extra lifecycle work, inconsi...
A notice displays information that explains nearby content. Often used to call attention to a particular detail.
Token lifetime settings look minor on paper, but they shape how long access persists after it’s granted — and not every application deserves the same behav...
Privileged access should never ride on stale trust. A user who signed in hours ago and now wants to step into an admin role is a different risk than they w...
Prompt injection is one of the first risks security teams run into once AI pilots turn into production workloads. Attackers craft inputs that trick a large...