2 Ways to Assign Microsoft Entra Admin Roles to a User Account
23-part deep dive into Microsoft Entra ID security: admin roles, MFA, TAP, passwordless, Conditional Access, PIM, device join (Entra/Hybrid), BitLocker self-service, B2B collaboration.
13 articles • follow them in order
1. Two ways to assign Microsoft Entra admin roles to a user. Method 1 is role-first — pick a role, add users to it. Method 2 is user-first — pick a…
2. Per-user MFA is the legacy way to enable MFA in Microsoft Entra ID — Microsoft now recommends Conditional Access for new tenants, but per-user MFA is still useful for existing…
3. A Temporary Access Pass (TAP) is a time-limited passcode an admin issues to a user that lets them sign in without their password or existing MFA. Two main use cases:…
4. SMS-based sign-in lets a user log in to Microsoft 365 by typing their phone number as their username and receiving a 6-digit code by text — no password, no UPN.…
5. Passwordless authentication via Microsoft Authenticator turns the user’s phone into a phishing-resistant credential. The login flow becomes: type email → phone gets a notification → user types a 2-digit number…
6. Entra ID monitoring splits into two distinct surfaces: Audit Logs (changes — who did what to your tenant) and Sign-in Logs (access — who got in, from where, with what…
7. Microsoft’s number-one recommended baseline Conditional Access policy is require MFA for any administrator. The premise is simple: admin accounts have the keys to the kingdom — if an attacker phishes…
8. Sometimes the right policy is just block — not “require MFA,” not “require compliant device,” but a hard no. Common scenarios: an IP range tied to a known-malicious VPN, a…
9. Privileged Identity Management (PIM) flips the assumption about admin access. Instead of “users with admin roles always have admin powers”, it’s “users are eligible for admin roles, and must activate…
10. Part 9 covered the basic PIM flow: configure role → assign Eligible → user activates → admin removes when done. This guide adds two layers: An approval workflow — the…
11. Entra ID Device Join Types define the relationship between a device and your organization. Different join types give different levels of trust, control, and access. There are three: Entra Joined,…
12. Part 11 covered the conceptual map of the three device join types. This guide is the procedure — the actual click-by-click of joining a Windows 11 PC to Microsoft Entra…
13. When you join a Windows device to Microsoft Entra ID, four entities are automatically added to the local Administrators group on that device: The built-in Administrator account (always exists) ALL…