Entra.Chat

In this episode, I’m joined by Christopher Brumm from glueckkanja to discuss real-world experiences deploying Microsoft Entra Global Secure Access (GSA).We go beyond the docs to talk about actual customer rollouts, scaling challenges, retiring VPNs, and what teams often underestimate when moving to Zero Trust Network Access.Subscribe with your favorite podcast player or watch on YouTube 👇About Christopher BrummChristopher Brumm is a Cyber Security Architect at glueckkanja AG in Germany. With more than 15 years of experience in IT security, Chris brings deep expertise and hands-on knowledge across the Microsoft Security portfolio and beyond. His career journey spans from network and data center technologies to Active Directory and Entra ID, with a strong focus on identity security.As a Microsoft MVP and CISSP, Chris is an active voice in the security community, regularly speaking at events and sharing insights through blog posts on identity and security topics. His latest passion is Global Secure Access, where identity, security, and networking converge to deliver a holistic Zero Trust approach.* LinkedIn - https://www.linkedin.com/in/christopherbrumm🔗 Related Links* Blog - https://chris-brumm.com📗 Chapters04:46 Proof of Concept vs Pilot 12:19 Deployment Strategy: The Blue Pill Approach 16:03 Solving Performance with Intelligent Local Access 17:49 Navigating Networking Challenges 25:14 The Hardest Part: Shutting Down Legacy VPNs 27:38 Handling External Access and BYOD 32:15 B2B Features and Tenant Switching 46:05 Why You Need the Microsoft 365 Profile 50:49 The Ultimate Admin Workstation SecurityPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Nicolas Blank, Founder of NBConsult and a 20-year Microsoft MVP, joins the show to dismantle the complexity around Zero Trust.Most Zero Trust conversations fail because they start with technology. Nicolas flips the script by using powerful everyday analogies (locking your car, protecting your newborn) to land the three core principles with executives.Essential watching for anyone implementing Zero Trust, securing Microsoft 365/Entra ID, or needing leadership support in 2026.Subscribe with your favorite podcast player or watch on YouTube 👇About Nicholas BlankNicolas is the founder, as well an architect, author and speaker focused on Office 365 and Azure at NBConsult in South Africa, England and Hong Kong. Nicolas is a Microsoft Certified Master, Dual Microsoft MVP - Microsoft Office Apps and Services, Microsoft Azure since March 2007.​Nicolas has co-authored the Microsoft Zero Trust Adoption Framework https://aka.ms/zero-trust-adopt, published by Microsoft; “Microsoft Exchange Server 2013: Design, Deploy and Deliver an Enterprise Messaging Solution”, published by Sybex and available on Amazon; as well as authoring “Azure Site Recovery: IaaS Migration and Disaster Recovery”, published by Pluralsight.Nicolas can be found on LinkedIn: https://www.linkedin.com/in/nicolasblank/Or via his Company Website:​ https://www.nbconsult.co🔗 Related Links* Microsoft Zero Trust Workshop - https://aka.ms/ztworkshop* Zero Trust Adoption Framework - https://aka.ms/zero-trust-adopt* Microsoft Digital Defense Report - http://aka.ms/mddr📗 Chapters01:52 The Why Behind Zero Trust 04:17 The Baby Analogy: Explaining Least Privilege 07:41 Debunking Security Myths 11:43 Assume Breach vs Being Secure 15:28 Getting Stakeholder Buy-in 20:24 The Immune System Approach 21:45 Ruining Attacker ROI 25:50 The 96% Statistic You Can’t Ignore 33:24 Where to Start: Practical Tools 37:54 The Zero Trust Adoption FrameworkPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Is the traditional VPN dead? In the latest episode of Entra Chat, we dive deep Microsoft Entra Global Secure Access (GSA).Joined by Karen Simmel from the GSA product team and Thomas from the Entra CXE Architecture team, we explore how Microsoft is bridging the gap between identity and network security.The Shift from VPN to SASEThe "good old days" of spinning up firewalls and DMZs are fading. Traditional controls are often too coarse-grained and lack identity awareness. As Thomas explains, the COVID-19 pandemic accelerated the need for change when traditional VPN gateways physically couldn't handle the load of remote workforces.This has paved the way for SASE (Secure Access Service Edge) and SSE (Security Service Edge), which move security controls to the cloud at hyperscale.What is Global Secure Access?The team breaks down the confusing terminology to help you understand the core products:* Microsoft Entra Private Access: This is the ZTNA (Zero Trust Network Access) solution, replacing the classic VPN for accessing on-prem and private resources.* Microsoft Entra Internet Access: This acts as a Secure Web Gateway (SWG), protecting outbound access to SaaS apps and the internet with URL filtering and DLP controls.* Microsoft Entra Suite: A bundle that combines these network capabilities with Verified ID, Identity Governance, and Identity Protection for a comprehensive solution.The "Secret Sauce"Why choose Microsoft's solution? The differentiator is that GSA isn't just integrated with the Identity Provider (IdP)—it *is* part of the IdP.This deep integration allows for near real-time security. For example, if a user's device is compromised, the SOC team can revoke the token, and Entra can immediately terminate the network tunnel or prompt for step-up authentication. It brings the power of Conditional Access directly to network traffic.Better Performance, Better PrivacyContrary to the belief that security slows things down, GSA often improves performance. By leveraging Microsoft's massive global private fiber network, traffic is intelligently routed to the closest point of presence rather than being backhauled to a headquarters.From a privacy standpoint, admins have granular control. You decide what traffic is tunneled and inspected, ensuring you can meet compliance requirements (like those in the EU) without over-monitoring employee activity.Ready to Deploy?Deployment doesn't have to take months. Some customers are getting up and running with a Proof of Concept (PoC) in a single day. Whether you use the client-based agent or need client-less access for contractors, Microsoft provides detailed deployment plans to guide you.Subscribe with your favorite podcast player or watch on YouTube 👇About the GuestsKeren SemelKeren leads visibility and data insights for the Global Secure Access product group. Based in Tel Aviv, she brings deep experience from the SASE/SSE market to Microsoft.LinkedIn: https://www.linkedin.com/in/keren-semel-4876383/Thomas Detzner Thomas is a lead architect in the Entra CxE team, specializing in Global Secure Access and Zero Trust. A former network engineer based near Munich, he helps organizations bridge the gap between traditional networking and modern identity security.LinkedIn: https://www.linkedin.com/in/thomasdetzner/🔗 Related Links* Microsoft Global Secure Access Documentation - https://learn.microsoft.com/en-us/entra/global-secure-access/ * Zero Trust Workshop - https://aka.ms/ztworkshop📗 Chapters00:00 Intro 05:17 The Limitations of Legacy VPNs 12:49 SASE vs SSE vs ZTNA Explained 21:26 The Identity-Network Secret Sauce 29:42 Unpacking Entra Suite 33:20 Microsoft’s Global Network Architecture 38:19 Client and Clientless Connectivity 41:26 Deployment and POC Process 45:31 Migrating from Zscaler to GSA 47:15 Privacy and Compliance ControlsPodcast Apps🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

Louis Mastelinck, a Microsoft MVP and Security Consultant at Proximus NXT, joins me to discuss the critical journey of moving organizations away from SMS-based MFA.We deep dive into a practical strategy for migrating users to the Authenticator app, starting with “stopping the bleed” and managing user groups. We also explore a significant security blind spot regarding Email OTP for SharePoint guest access and how to resolve it. Finally, we debate the future of authentication with device-bound versus synced Passkeys and how to defend against downgrade attacks.Subscribe with your favorite podcast player or watch on YouTube 👇About Louis MastelinckLouis Mastelinck is a Security Consultant at Proximus NXT and a recognized Microsoft MVP based in Belgium. Specializing in Incident Response and the full Microsoft Security stack (including MDE, MDO, Sentinel, and Identity Management), he is dedicated to neutralizing threats and securing digital environments. A GCFA-certified professional, Louis is known for his deep technical expertise in areas like Conditional Access and authentication methods.LinkedIn - https://www.linkedin.com/in/louismastelinck/ 🔗 Related Links* Microsoft: Hang up on SMS - http://aka.ms/hangup📗 Chapters00:00 Intro 00:52 Props and PIM 01:41 The Dangers of SMS MFA 04:51 Strategy: Stopping the Bleed 10:06 Migrating Existing Users off SMS 19:20 Impact on Self-Service Password Reset 22:39 The SharePoint Email OTP Security Gap 25:13 Enabling Entra B2B Integration 34:28 Passkeys: Device-Bound vs Synced 44:40 Defending Against MFA Downgrade AttacksPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe

In this week’s episode Jan Bakker, Microsoft MVP and solution architect from the Netherlands, joins us for a masterclass in extending Microsoft Entra ID beyond out-of-the-box capabilities. This episode is your complete guide to building custom identity governance and lifecycle management using Power Apps, Logic Apps, and Azure automation.You’ll learn the fundamental building blocks of automation in the Microsoft ecosystem and how to combine them creatively.Jan’s approach: treat Entra as a platform, not just a product.The automation stack he teaches: → Power Automate (everyday workflows)→ Logic Apps (enterprise automation)→ Dynamic Groups (intelligent triggers)→ Graph API (the foundation of everything)→ Event Hub (cost-effective event streaming)Key topics covered:* Understanding Power Automate vs Azure Logic Apps (and when to use each)* Managed identities and least privilege automation* Dynamic groups as automation triggers* Event Hub for cost-effective event-driven workflows* Custom authentication extensions and token augmentation* Real implementation costs ($50/month for enterprise solutions!)From the conversation:* Step-by-step temporary access pass automation* Automatic refresh token revocation on account disable* MFA method change notifications (like Gmail/Twitter)* Guest lifecycle management and approval flows* Conditional access policy monitoringWhether you’re new to automation or an experienced architect, you’ll walk away with actionable ideas and a new way of thinking about identity solutions.Subscribe with your favorite podcast player or watch on YouTube 👇About Jan BakkerJan is a Microsoft MVP and Solution Architect based in the Netherlands. He is known for his ability to make complex DevOps and Entra concepts accessible and publishes extensive guides on his blog about extending Entra capabilities.LinkedIn: https://www.linkedin.com/in/jan-bakker/🔗 Related Links* Send an email on a new MFA method registration - https://janbakker.tech/send-an-email-on-a-new-azure-mfa-method-registration/* How to build a PowerApp – Temporary Access Pass Manager - https://janbakker.tech/category/power-platform/* Trigger Logic App on group membership changes in Entra ID - https://janbakker.tech/trigger-logic-app-on-group-membership-changes-in-entra-id/* Poor man’s IGA: Monitor and clean up stale guest accounts - https://janbakker.tech/poor-mans-iga-monitor-and-clean-up-stale-guest-accounts/* Poor man’s IGA: Generate Temporary Access Pass for joiners - https://janbakker.tech/poor-mans-iga-generate-temporary-access-pass-for-joiners/* Unlocking the Power of employeeHireDate in Entra ID Dynamic Groups - https://janbakker.tech/unlocking-the-power-of-employeehiredate-in-entra-id-dynamic-groups/* Temporary exclusions for Conditional Access using PIM for Groups - https://janbakker.tech/temporary-exclusions-for-conditional-access-using-pim-for-groups/Sponsored by:Shadow IT and SaaS sprawl are outpacing IT teamsIt can feel impossible to tackle these app governance challenges:📦 Entra ID isn’t secure by default💥 SaaS adoption & sprawl isn’t slowing down⌨️ Citizen Development keeps rising (hello, Copilot Studio!)🗑️ Vendors often don’t remove apps after uninstall🔃 Offboarding is inconsistent or doesn’t happen at all🥔 App governance is passed around like a hot potatoENow AppGov Score shines a light on lurking risks, providing a free App Governance Benchmark Report for your Entra tenant. Reclaim control and protect against breach & disruptions. Free upgrade to Standard Tier for 7 days once you get your score.Secure & Govern Entra Apps Now📗 Chapters00:03 The Poor Man’s IGA Concept 00:07 Revoking Refresh Tokens Automatically 00:13 Power Apps for Approval Workflows 00:16 Custom Logic for Managing Guest Access 00:19 Building a Temporary Access Pass Tool 00:25 Power Automate vs. Azure Logic Apps 00:28 Triggering Automation with Event Hubs 00:31 Alerting on Security Changes via Audit Logs 00:41 Self-Service Group Management 00:44 Why You Must Learn Graph APIPodcast Apps🎙️ Entra.Chat - https://entra.chat🎧 Apple Podcast → https://entra.chat/apple📺 YouTube → https://entra.chat/youtube📺 Spotify → https://entra.chat/spotify🎧 Overcast → https://entra.chat/overcast🎧 Pocketcast → https://entra.chat/pocketcast🎧 Others → https://entra.chat/rssMerill’s socials📺 YouTube → youtube.com/@merillx👔 LinkedIn → linkedin.com/in/merill🐤 Twitter → twitter.com/merill🕺 TikTok → tiktok.com/@merillf🦋 Bluesky → bsky.app/profile/merill.net🐘 Mastodon → infosec.exchange/@merill🧵 Threads → threads.net/@merillf🤖 GitHub → github.com/merill Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe