<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Microsoft Entra ID on dp666</title><link>https://dp666.net/tags/microsoft-entra-id/</link><description>Recent content in Microsoft Entra ID on dp666</description><generator>Hugo -- gohugo.io</generator><language>en-US</language><copyright>© 2026 Daniel Petri</copyright><lastBuildDate>Fri, 24 Apr 2026 10:00:00 +0200</lastBuildDate><atom:link href="https://dp666.net/tags/microsoft-entra-id/index.xml" rel="self" type="application/rss+xml"/><item><title>Copilot readiness starts with permissions, not licenses</title><link>https://dp666.net/blog/copilot-readiness-permissions-not-licenses/</link><pubDate>Fri, 24 Apr 2026 10:00:00 +0200</pubDate><guid>https://dp666.net/blog/copilot-readiness-permissions-not-licenses/</guid><description>Copilot readiness is not a license assignment problem. It is an access boundary problem. If the tenant already overshares, Copilot only makes the blast radius easier to query.
That is the part that gets lost in adoption decks.
A Copilot license enables the experience. It does not make SharePoint clean. It does not remove broad sharing links. It does not review stale guests. It does not make an app registration less terrifying.</description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://dp666.net/blog/copilot-readiness-permissions-not-licenses/cover.png"/></item><item><title>PIM Role and Group Assignment Auditing with PowerShell</title><link>https://dp666.net/blog/pim-role-group-assignment-auditing/</link><pubDate>Mon, 09 Feb 2026 10:00:00 +0100</pubDate><guid>https://dp666.net/blog/pim-role-group-assignment-auditing/</guid><description>The Problem: If you ask “who has Global Administrator access in this tenant?” the answer is never simple. A user might have it directly. A group might be assigned the role, with PIM eligibility, and that group contains nested groups from two different business units. A service principal might hold it permanently. And all of this might be scoped to an Administrative Unit rather than the full directory.</description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://dp666.net/blog/pim-role-group-assignment-auditing/cover.png"/></item><item><title>Conditional Access Policy Report: Export Everything to Get an Overview</title><link>https://dp666.net/blog/conditional-access-policy-report/</link><pubDate>Mon, 15 Dec 2025 10:00:00 +0100</pubDate><guid>https://dp666.net/blog/conditional-access-policy-report/</guid><description>The Problem: You have 40 Conditional Access policies. Some target users, some target groups, some target roles. Some include locations, some exclude them. Some enforce MFA, some enforce compliant devices, some do both with different operators. And you need to answer the question: “What is our current CA posture?”
The Entra ID portal shows one policy at a time. There is no native export. There is no overview that lets you see all policies side by side with all their conditions and controls. So you end up with a shared spreadsheet that someone manually maintains and that is always out of date.</description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://dp666.net/blog/conditional-access-policy-report/cover.png"/></item><item><title>Automated Guest Account Lifecycle Management in Entra ID</title><link>https://dp666.net/blog/guest-account-lifecycle-management/</link><pubDate>Sun, 12 Oct 2025 10:00:00 +0100</pubDate><guid>https://dp666.net/blog/guest-account-lifecycle-management/</guid><description>The Problem: Every B2B collaboration, vendor engagement, and external consultant invitation creates a guest account in your Entra ID tenant. Over time, these accumulate. People leave partner organizations, projects end, contracts expire – but the guest accounts persist. They retain whatever access they were granted, their tokens remain valid, and nobody reviews them.
Access reviews help if someone’s running them. Usually, nobody is.</description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://dp666.net/blog/guest-account-lifecycle-management/cover.png"/></item><item><title>Setting Managed Identity Permissions via PowerShell (No Portal Needed)</title><link>https://dp666.net/blog/managed-identity-permissions-powershell/</link><pubDate>Fri, 26 Sep 2025 10:00:00 +0100</pubDate><guid>https://dp666.net/blog/managed-identity-permissions-powershell/</guid><description>The Problem: Managed Identities are the recommended way to authenticate Azure resources – Azure Functions, Logic Apps, Automation Accounts – to Microsoft Graph. No secrets. No certificates. No credential rotation. The identity is managed by the platform.
The problem comes when you need to assign Graph API permissions to that identity. Microsoft added basic portal support for this in late 2023 via Enterprise Applications, but it is click-heavy, not scriptable, and gives you no audit trail. If you’re deploying infrastructure as code, managing multiple identities, or need to know what every managed identity in your tenant can do – you need PowerShell.</description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://dp666.net/blog/managed-identity-permissions-powershell/cover.png"/></item><item><title>Audit MFA Methods Across Your Tenant via Graph API</title><link>https://dp666.net/blog/audit-mfa-methods-via-graph-api/</link><pubDate>Sat, 12 Jul 2025 10:00:00 +0100</pubDate><guid>https://dp666.net/blog/audit-mfa-methods-via-graph-api/</guid><description>The Problem: You can see which MFA methods users have registered. Entra ID tells you that. What it doesn’t tell you at a glance is which methods they’re actually using day-to-day. A user might have registered a FIDO2 key, a phone, and Microsoft Authenticator – but if they’re approving every sign-in with SMS, their registered FIDO2 key is security theater.</description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://dp666.net/blog/audit-mfa-methods-via-graph-api/cover.png"/></item><item><title>Reprocessing License Assignments in Entra ID with PowerShell</title><link>https://dp666.net/blog/reprocess-license-assignments-with-powershell/</link><pubDate>Sat, 10 May 2025 10:00:00 +0100</pubDate><guid>https://dp666.net/blog/reprocess-license-assignments-with-powershell/</guid><description>The Problem: Group-based licensing in Entra ID is great until it is not. License assignments get stuck in error states. A user’s license shows “Error” in the admin center. Maybe the license pool ran out temporarily and now there are available licenses, but Entra never retried.
Maybe a service plan conflict caused a failure that has since been resolved. Maybe you just migrated a batch of users and the license processing stalled.</description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://dp666.net/blog/reprocess-license-assignments-with-powershell/cover.png"/></item><item><title>License Drift Detection: Find Users with Direct License Assignments</title><link>https://dp666.net/blog/license-drift-detection/</link><pubDate>Wed, 26 Feb 2025 10:00:00 +0100</pubDate><guid>https://dp666.net/blog/license-drift-detection/</guid><description>The Problem: You’ve moved to group-based licensing. All your Microsoft 365 licenses are assigned through Entra ID groups. Clean, governed, auditable.
Except someone gave a contractor a direct license assignment six months ago. And someone else added a license manually during a troubleshooting session and forgot to remove it. And three former employees still have licenses because they were removed from the group but had a direct assignment that nobody noticed.</description><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://dp666.net/blog/license-drift-detection/cover.png"/></item></channel></rss>