Hey folks, I have to start with a massive shout-out to Morten Knudsen and his entire team at Experts Live Denmark, from which I'm just returning. Organizing an event for over 1,200 attendees is no small feat, and they pulled it off with incredible energy and precision. It was easily one of the most impressive community gatherings I've been a part of.

Amidst that massive crowd, I had the privilege of co-leading a deep-dive Identity Masterclass alongside four exceptional Microsoft MVPs: Jan Vidar Elven, Pim Jacobs, Thomas Naunheim, and Klaus Bierschenk. We weren't sure what to expect, but the response was overwhelming. Over 120 dedicated attendees stayed with us for the full 7-hour session, diving deep into the weeds of Entra ID, governance, privileged access, Agent ID and more.

Instead of theory-heavy slides, we built a practical, end-to-end governance story. Because we believe this knowledge should be accessible, we are now giving away the labs for free so everyone can skill up, learn, and implement these patterns in their own environments.

Here's the core of what we covered, what you will learn in this podcast walkthrough of the labs, and what you can try out yourself today! Links to the GitHub repo and YouTube video are below.

Sponsored by: Action1

If you're a systems administrator, you already know: patching is painful. It's time-consuming, risky, and one small mistake can mean downtime. So it gets postponed. Again. And again. What if patching was just… easy? Introducing Action1, a cloud-native patch management platform for Windows, macOS, Linux, and third-party apps. You'll be up and running in five minutes. No infrastructure to maintain. No complexity. And here's the best part: you can use Action1 on your first 200 endpoints for free. Forever. No feature limits. No credit card. No hidden tricks. Seriously, it's NOT a disguised free trial. Too good to be true? Too good and actually true!
Check for yourself, go to: on.action1.com/entrachat. So, if you're looking for an easy-to-use patching tool that would help you save weeks, if not months, of your time, go to on.action1.com/entrachat and sign up for "Patching That Just Works".

1️⃣ Inbound Provisioning: Start with a Source of Truth

Most identity problems start with one issue: there is no clean, authoritative identity source.

We demonstrated how to use Inbound Provisioning in Entra to:
* Accept identity payloads via Microsoft Graph
* Create users in a disabled state
* Capture attributes like hire date, leave date, department
* Treat HR (or another system) as the lifecycle authority

Why this matters

If identities are manually created:
* Joiners are inconsistent
* Leavers are missed
* Privileged accounts become orphaned

Inbound provisioning allows you to:
* Standardize creation
* Attach lifecycle automation immediately
* Reduce manual admin overhead

Key concept: Provision first. Enable later. Automate everything in between.

2️⃣ Lifecycle Workflows: Automate Joiner / Mover / Leaver

Once a user is provisioned, lifecycle workflows take over.

We implemented:
* Pre-hire workflow
* Day-one onboarding workflow
* Post-onboarding actions

Triggers included:
* Employee hire date
* Creation time
* Group membership
* Attribute changes

Real-world onboarding pattern
* Account is created disabled
* Workflow enables the account at the correct time
* Temporary Access Pass (TAP) is generated
* TAP is sent securely
* Access is assigned automatically

This reduces:
* Manual enablement
* Helpdesk load
* Security gaps

Design principle: Automation should enforce timing — not people.

3️⃣ Privileged Account Design: Separate the Identities

We had a strong opinion in the session: admin accounts should be separate and cloud-only.

Why?
* Syncing privileged accounts from on-prem introduces risk
* HR systems should not directly control privileged identities
* Governance features work best with cloud-native identities

We explored three creation patterns:
* Inbound provisioning for privileged accounts
* Access Packages (with auto-assignment or request model)
* Lifecycle workflows + custom Logic Apps

Each has trade-offs. What matters most: privileged identities must be:
* Separately authenticated
* Phishing-resistant (FIDO2 or passkeys)
* Independently governed
* Linked for offboarding

4️⃣ Linking Identities for Investigation

One challenge in Entra: there's no native "this person owns these 3 accounts" view.

We explored identity linking in Microsoft Defender XDR, where:
* Multiple accounts can be associated with one identity
* Incident investigations become clearer
* Privileged activity can be correlated with user context

This becomes critical during:
* Compromise investigations
* Insider threat analysis
* Lateral movement tracking

Security takeaway: If you can't correlate identities, you can't fully investigate them.

5️⃣ Backup & Restore: The Truth About Entra

There is no traditional backup system in Entra. Instead, you have:
* Soft-delete (with recycle bin)
* Hard-delete (irreversible)
* API-based recovery
* Configuration export strategies

We discussed:
* Protecting deleted items with Protected Actions
* Using Conditional Access to restrict destructive operations
* Exporting configuration JSON regularly
* Monitoring configuration drift

Reality: If you aren't exporting your tenant configuration, recovery becomes manual and painful. Governance is not just about creation — it's about resilience.

6️⃣ Protected Actions + Conditional Access

A powerful but underused feature: Protected Actions.

You can require Conditional Access enforcement before allowing:
* Hard deletes
* Sensitive configuration changes

Example:
* Only allow permanent deletion from a compliant device
* Only allow from a trusted location
* Require phishing-resistant authentication

Even Global Admins must pass policy.

Security mindset shift: Admin role ≠ unlimited ability.

7️⃣ Agent ID & Blueprints: The Future of Identity for AI

We also explored Agent ID, one of the newer capabilities in Entra.

Why not just use a service principal? Because agents:
* Need stronger guardrails
* Must support per-user instances
* Require conditional access enforcement
* Must be auditable at scale

Blueprints allow:
* A parent definition of permissions
* Individual agent instances per user
* Centralized governance over many agents

As AI agents scale, identity must scale securely with them.

Forward-looking insight: Agent governance will soon be as important as user governance.

8️⃣ Design Philosophy Behind the Lab

The entire masterclass was built around one principle: identity is a lifecycle, not a login.

We covered: Provision → Enable → Assign → Elevate → Monitor → Protect → Offboard → Recover

If any step is manual, inconsistent, or undocumented — risk increases.

The labs give you a complete pattern you can implement in your own tenant.

🎯 What You Should Do Next
* Watch/listen to the full podcast where we walk you through the labs.
* Go try out the labs at github.com/IdentityMan/MasterclassELDK26 in your own tenant.
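As an added example for the inbound-provisioning pattern in 1️⃣ (this is not code from the masterclass labs or the GitHub repo): build the SCIM BulkRequest that Entra API-driven inbound provisioning accepts through Microsoft Graph, with every user created disabled so that a Lifecycle Workflow (2️⃣) can enable it on the hire date, and pre-flight the payload before it is sent. The `contoso:1.0:User` extension namespace, its HireDate/LeaveDate attribute names, the service principal and job ids passed to `upload`, and the two HR records are assumptions, not values from the page.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
BULK_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Hypothetical tenant-defined extension; map HireDate/LeaveDate to employeeHireDate etc.
LIFECYCLE_EXT = "urn:ietf:params:scim:schemas:extension:contoso:1.0:User"

def scim_user(hr_id, given, family, upn, department, hire_date, leave_date=None):
    """One POST /Users operation. active is always False: the account is created
    disabled and a Lifecycle Workflow enables it on the hire date."""
    data = {
        "schemas": [CORE_USER, ENTERPRISE_USER, LIFECYCLE_EXT],
        "externalId": hr_id,  # HR key, the source-of-truth anchor
        "userName": upn,
        "active": False,
        "name": {"givenName": given, "familyName": family},
        ENTERPRISE_USER: {"employeeNumber": hr_id, "department": department},
        LIFECYCLE_EXT: {"HireDate": hire_date},
    }
    if leave_date:
        data[LIFECYCLE_EXT]["LeaveDate"] = leave_date
    return {"method": "POST", "bulkId": hr_id, "path": "/Users", "data": data}

def validate(bulk):
    """Pre-flight check: no operation may create an enabled account or omit the HR key."""
    problems = []
    for op in bulk["Operations"]:
        d = op["data"]
        if d.get("active") is not False:
            problems.append(f"{op['bulkId']}: must be provisioned disabled")
        if not d.get("externalId"):
            problems.append(f"{op['bulkId']}: missing externalId (HR source key)")
    return problems

def upload(sp_id, job_id, token, bulk):
    """POST to the job's bulkUpload endpoint (token needs SynchronizationData-User.Upload)."""
    url = f"{GRAPH}/servicePrincipals/{sp_id}/synchronization/jobs/{job_id}/bulkUpload"
    req = urllib.request.Request(url, data=json.dumps(bulk).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/scim+json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 202 Accepted means the job queued the payload

def sample_payload():
    """Constructed HR feed: a joiner and a contractor with a known leave date (not real data)."""
    ops = [scim_user("HR1001", "Ada", "Lovelace", "ada@contoso.example", "Engineering", "2026-03-02"),
           scim_user("HR1002", "Alan", "Turing", "alan@contoso.example", "Research", "2026-03-09", "2026-09-30")]
    return {"schemas": [BULK_SCHEMA], "Operations": ops, "failOnErrors": None}
```

Run `validate(sample_payload())` before calling `upload`; an empty list means every record arrives disabled with its HR key intact, so the workflows in 2️⃣ stay the only path to an enabled account.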
About us
* Jan Vidar Elven, Security MVP - https://www.linkedin.com/in/janvidarelven
* Pim Jacobs, Security MVP - https://www.linkedin.com/in/pimjacobs89
* Thomas Naunheim, Security MVP - https://www.linkedin.com/in/thomasnaunheim
* Klaus Bierschenk, Security MVP - https://www.linkedin.com/in/klabier

🔗 Related Links
* https://github.com/IdentityMan/MasterclassELDK26
* https://discord.entra.news
* https://on.action1.com/entrachat

📗 Chapters
00:00 Intro
00:50 Open Sourcing the Entra Lab
03:42 Entra ID Inbound Provisioning
08:05 Lifecycle Workflows and Governance
10:57 Securing Privileged Admin Accounts
16:21 Offboarding and Linked Identities
19:51 Sponsor: Action1
21:02 Entra ID Backup, Restore & Protected Actions
26:08 Exploring Agent ID and Blueprints
30:28 How to Access the Open Source Lab

🎙️ Entra.Chat - https://entra.chat