2 Ways to Assign Microsoft Entra Admin Roles to a User Account
Two ways to assign Microsoft Entra admin roles to a user. Method 1 is role-first — pick a role, add users to it. Method 2 is user-first — pick a…
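Both methods end in the same directory role assignment; what differs is which object you resolve first. The script below is an added example, not code from the original article, showing the role-first and user-first paths with the Microsoft Graph PowerShell SDK (cmdlets from the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules). It assumes the SDK is installed and the signed-in admin can grant the RoleManagement.ReadWrite.Directory scope; the role names and UPNs (contoso.com) are placeholders.

```powershell
# Added example (not from the original article): role-first vs user-first assignment
# of Microsoft Entra admin roles via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph modules installed; the signed-in account can consent to the
# scopes below; 'Security Reader', 'Reports Reader' and the contoso.com UPNs are placeholders.
#Requires -Modules Microsoft.Graph.Identity.Governance, Microsoft.Graph.Users

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All' -NoWelcome

function Get-RoleByName {
    param([Parameter(Mandatory)][string]$DisplayName)
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$DisplayName'"
    if (-not $role) { throw "Role '$DisplayName' not found in this tenant" }
    return $role
}

# Method 1, role-first: resolve the role once, then add each user to it.
function Add-UsersToRole {
    param(
        [Parameter(Mandatory)][string]$RoleDisplayName,
        [Parameter(Mandatory)][string[]]$UserPrincipalNames
    )
    $role = Get-RoleByName -DisplayName $RoleDisplayName
    foreach ($upn in $UserPrincipalNames) {
        $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName
        # Check first: creating a duplicate assignment fails with a 400 from the API.
        $existing = Get-MgRoleManagementDirectoryRoleAssignment `
            -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'"
        if ($existing) { Write-Host "$upn already holds $RoleDisplayName"; continue }
        # DirectoryScopeId '/' = tenant-wide. This is a permanent, active assignment;
        # for just-in-time access use a PIM eligible assignment instead (part 9 of the series).
        New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id `
            -PrincipalId $user.Id -DirectoryScopeId '/' | Out-Null
        Write-Host "Assigned $RoleDisplayName to $upn (tenant-wide, permanent)"
    }
}

# Method 2, user-first: resolve the user once, show what they already hold, then add roles.
function Add-RolesToUser {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string[]]$RoleDisplayNames
    )
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName
    # $expand=roleDefinition gives the role names without a second lookup per assignment.
    $current = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$($user.Id)'" -ExpandProperty roleDefinition
    $held = @($current.RoleDefinition.DisplayName | Sort-Object)
    Write-Host "$UserPrincipalName currently holds: $(if ($held) { $held -join ', ' } else { '(no admin roles)' })"
    foreach ($name in $RoleDisplayNames) {
        if ($held -contains $name) { Write-Host "  already has $name"; continue }
        $role = Get-RoleByName -DisplayName $name
        New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id `
            -PrincipalId $user.Id -DirectoryScopeId '/' | Out-Null
        Write-Host "  added $name (tenant-wide, permanent)"
    }
}

# Verification: who holds a given role right now. The expanded principal is a generic
# directoryObject, so user properties arrive in AdditionalProperties.
function Get-RoleHolders {
    param([Parameter(Mandatory)][string]$RoleDisplayName)
    $role = Get-RoleByName -DisplayName $RoleDisplayName
    Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty principal |
        ForEach-Object {
            [pscustomobject]@{
                Role         = $RoleDisplayName
                PrincipalId  = $_.PrincipalId
                Principal    = $_.Principal.AdditionalProperties['userPrincipalName']
                Type         = $_.Principal.AdditionalProperties['@odata.type']
                Scope        = $_.DirectoryScopeId
                AssignmentId = $_.Id   # needed for Remove-MgRoleManagementDirectoryRoleAssignment
            }
        }
}

# Role-first: one role, several users.
Add-UsersToRole -RoleDisplayName 'Security Reader' -UserPrincipalNames 'alice@contoso.com', 'bob@contoso.com'
# User-first: one user, several roles.
Add-RolesToUser -UserPrincipalName 'carol@contoso.com' -RoleDisplayNames 'Security Reader', 'Reports Reader'
# Confirm the result from the role side.
Get-RoleHolders -RoleDisplayName 'Security Reader' | Format-Table -AutoSize
```

Two practical notes. First, the portal and this script both create active, permanent assignments; if the tenant has PIM (covered later in this series), the same cmdlet family has a separate eligibility schedule request for just-in-time activation, and that is the better default for anything above a read-only role. Second, `Get-RoleHolders` returns the assignment ID, which is what `Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId` needs when you later remove the role, so it doubles as the audit query for who currently holds each admin role.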
23-part deep dive into Microsoft Entra ID security: admin roles, MFA, TAP, passwordless, Conditional Access, PIM, device join (Entra/Hybrid), BitLocker self-service, B2B collaboration.
23 articles • follow them in order
Two ways to assign Microsoft Entra admin roles to a user. Method 1 is role-first — pick a role, add users to it. Method 2 is user-first — pick a…
Per-user MFA is the legacy way to enable MFA in Microsoft Entra ID — Microsoft now recommends Conditional Access for new tenants, but per-user MFA is still useful for existing…
A Temporary Access Pass (TAP) is a time-limited passcode an admin issues to a user that lets them sign in without their password or existing MFA. Two main use cases:…
SMS-based sign-in lets a user log in to Microsoft 365 by typing their phone number as their username and receiving a 6-digit code by text — no password, no UPN.…
Passwordless authentication via Microsoft Authenticator turns the user’s phone into a phishing-resistant credential. The login flow becomes: type email → phone gets a notification → user types a 2-digit number…
Entra ID monitoring splits into two distinct surfaces: Audit Logs (changes — who did what to your tenant) and Sign-in Logs (access — who got in, from where, with what…
Microsoft’s number-one recommended baseline Conditional Access policy is require MFA for any administrator. The premise is simple: admin accounts have the keys to the kingdom — if an attacker phishes…
Sometimes the right policy is just block — not “require MFA,” not “require compliant device,” but a hard no. Common scenarios: an IP range tied to a known-malicious VPN, a…
Privileged Identity Management (PIM) flips the assumption about admin access. Instead of “users with admin roles always have admin powers”, it’s “users are eligible for admin roles, and must activate…
Part 9 covered the basic PIM flow: configure role → assign Eligible → user activates → admin removes when done. This guide adds two layers: An approval workflow — the…
Entra ID Device Join Types define the relationship between a device and your organization. Different join types give different levels of trust, control, and access. There are three: Entra Joined,…
Part 11 covered the conceptual map of the three device join types. This guide is the procedure — the actual click-by-click of joining a Windows 11 PC to Microsoft Entra…
When you join a Windows device to Microsoft Entra ID, four entities are automatically added to the local Administrators group on that device: The built-in Administrator account (always exists) ALL…
By default, when a user joins or registers a device to Microsoft Entra ID, only their username and password are required. If those credentials are stolen (phishing, breach, brute force),…
Device Settings in the Microsoft Entra Admin Center is the single page where you configure how devices interact with your tenant: who can join them, how many they can have,…
The previous post in this Entra ID Security pathway covered two of the three ways a user can become a local administrator on an Entra-joined device: the Global Admin auto-elevation…
Standing local admin rights are one of the most reliably exploited footholds in real-world incidents. If a device with permanent admin access is compromised — via malware, phished session token,…
Microsoft Entra Registered — usually shortened to ‘device registration’ — is how you let a personal device (someone’s home laptop, phone, tablet, MacBook) talk to your tenant for work apps,…
Microsoft Entra Hybrid Join is the configuration that lets a Windows device live in two directories at once — your on-premises Active Directory (e.g. lab.local) and Microsoft Entra ID (e.g.…
You followed the Hybrid Join guide. Entra Connect is happily syncing. The SCP is in AD. The four URLs are reachable. The device is domain-joined. Yet dsregcmd /status on the…
Decommissioning a device in Microsoft Entra ID looks deceptively simple from either end — click Disconnect on the device, or click Delete in the cloud. Either one alone leaves you…
Microsoft Entra B2B Collaboration — part of the Entra External Identities feature set — lets you invite people from outside your tenant (partners, vendors, contractors) to access specific apps and…
The Users may view their BitLocker keys toggle in Entra Device Settings is one of those security knobs where you don’t actually know it works until you test it end-to-end…