The New Control Plane for Microsoft Entra Tenant Governance

The New Control Plane for Microsoft Entra Tenant Governance

Microsoft had 7 million internal tenants and almost lost control of their environment and your org might be facing the same problem at a smaller scale. In this episode, we sit down with Jeff Staiman [https://www.linkedin.com/in/jeffstaiman/], PM Area Lead for Tenant Governance at Microsoft, to break down the feature born from the Midnight Blizzard attack. We cover discovery, drift detection, governance relationships, secure tenant creation, licensing, and exactly where admins should start. What Can Your AI Applications Access? Organizations are investing heavily in AI-powered applications and agents, but many are discovering they lack the operational visibility and governance discipline needed to scale AI confidently and securely. With continuous visibility into Entra ID applications, permissions, OAuth access, secrets, certificates, and application ownership, ENow App Governance Accelerator can: * Reduce uncertainty around what SaaS apps can access * Accelerate application reviews and approval processes * Strengthen operational trust across security and leadership teams * Prevent unmanaged application growth from becoming operational risk * Enable lean IT teams to support AI expansion at scale * Demonstrate governance maturity required for enterprise AI adoption While most admins focus on securing their primary production environment, many organizations are sitting on hundreds of “test” or “shadow” tenants that were created by users with a simple Azure subscription. These unmanaged environments often lack proper security bars and can become entry points for sophisticated attackers. The Wake-Up Call: Midnight Blizzard The urgency for these new features was fueled by the 2024 Midnight Blizzard attack. In that instance, attackers compromised a legacy test tenant and used its old access rights to move laterally into Microsoft’s core environment. This highlighted a critical gap: securing one tenant isn’t enough if you don’t even know how many other tenants are connected to your organization. Three Things You’ll Learn in This Episode: * Automatic Discovery of the “Unknown”: Jeff explains how the Related Tenants feature uses signals like B2B sign-in logs, multi-tenant app consents, and billing relationships to automatically find every tenant connected to your corporate identity. * Configuration Drift Monitoring: You can now define a “Golden Configuration” for your tenants. The service monitors over 200 resource types across Entra, Intune, Teams, and Exchange every six hours, alerting you the moment a security setting is weakened. * The “Three-Step” Handshake: To prevent accidental or malicious takeovers, Microsoft has implemented a rigorous trust process. If two tenants don’t share a billing relationship, the governed tenant must explicitly invite the governing tenant before any control can be established. A New Approach to Licensing Something many admins will find surprising is the licensing model. Unlike many Entra features that require a license for every user, Tenant Governance is licensed based on the number of admins interacting with the features. This makes it far more accessible for organizations trying to secure a massive multi-tenant estate without a massive budget. Why you should listen: Jeff dives deep into how Microsoft managed its own 7 million internal tenants and shares the roadmap for future discovery signals, including using Global Secure Access network telemetry to find tenants being accessed from corporate devices. Whether you are managing a merger or just trying to clean up years of “test” environments, this episode provides the blueprint for moving from manual, one-tenant-at-a-time management to a deterministic, automated security posture. Subscribe with your favorite podcast player or watch on YouTube 👇 About Jeff Staiman Jeff Stammen is the PM Area Lead for Tenant Governance within the Identity and Access Management (IAM) team at Microsoft. A true company veteran of 31 years, Jeff originally joined Microsoft managing engineering compensation and famously architected Microsoft's core engineering leveling framework (Levels 59–61) directly from requirements delivered by Steve Ballmer. Today, he leads engineering and product efforts to secure multi-tenant cloud ecosystems at massive scale. LinkedIn - https://www.linkedin.com/in/jeffstaiman/ [https://www.linkedin.com/in/jeffstaiman/] 🔗 Related Links * Microsoft Entra Tenant Governance - https://learn.microsoft.com/en-us/entra/id-governance/tenant-governance/overview [https://learn.microsoft.com/en-us/entra/id-governance/tenant-governance/overview] 📗 Chapters 00:00 Intro 00:18 Introducing Jeff Stammen 00:41 Jeff’s 31-Year Journey at Microsoft 01:25 The Midnight Blizzard Hack That Started It All 05:07 Tenant Governance: What It Is and Why It Exists 07:12 Where Should Admins Start? 09:57 Configuration Snapshots and Baselines 13:02 The M365 DSC Connection 15:18 What Resources Should You Monitor? 17:07 How Drift Detection Works 19:49 Multi-Tenant Monitoring Strategy 20:02 Related Tenants: Discovering Your Unknown Exposure 20:39 Licensing: Basic vs Premium Explained 22:48 Quotas and Resource Limits 24:27 Governance Relationships and Cross-Tenant Role Assignments 28:26 Two-Step vs Three-Step Governance Flow 31:15 Discovery Signals and Blind Spots 35:17 Tenant Restrictions: A Related Feature Worth Knowing 36:40 Secure Tenant Creation 38:10 Governance Policy Templates 40:01 Licensing Across Multiple Tenants 43:43 Final Recommendations: Where to Start Today 47:54 Wrap Up Podcast Apps 🎙️ Entra.Chat - https://entra.chat [https://entra.chat] 🎧 Apple Podcast → https://entra.chat/apple [https://entra.chat/apple] 📺 YouTube → https://entra.chat/youtube [https://entra.chat/youtube] 📺 Spotify → https://entra.chat/spotify [https://entra.chat/spotify] 🎧 Overcast → https://entra.chat/overcast [https://entra.chat/overcast] 🎧 Pocketcast → https://entra.chat/pocketcast [https://entra.chat/pocketcast] 🎧 Others → https://entra.chat/rss [https://entra.chat/rss] Merill’s socials 📺 YouTube → youtube.com/@merillx [https://youtube.com/@merillx] 👔 LinkedIn → linkedin.com/in/merill [https://linkedin.com/in/merill] 🐤 Twitter → twitter.com/merill [https://twitter.com/merill] 🕺 TikTok → tiktok.com/@merillf [https://www.tiktok.com/@merillf] 🦋 Bluesky → bsky.app/profile/merill.net [https://bsky.app/profile/merill.net] 🐘 Mastodon → infosec.exchange/@merill [https://infosec.exchange/@merill] 🧵 Threads → threads.net/@merillf [https://www.threads.net/@merillf] 🤖 GitHub → github.com/merill [https://github.com/merill] Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe [https://entra.news/subscribe?utm_medium=podcast&utm_campaign=CTA_4]

What’s New in Microsoft Entra - May 2026: Passkeys, Agents & Cloud Sync

Fabian and Thomas join the podcast to share their extensive experience and unpack the massive wave of updates coming to Microsoft Entra. We talk about the massive shift toward Passkeys and registration campaigns, the impending migration from Entra Connect Sync to Cloud Sync, and the rapidly evolving world of Agent IDs and AI workloads. We also cover how Entra admins can leverage new Defender XDR features and Security Copilot agents to secure their environments. Subscribe with your favorite podcast player or watch on YouTube 👇 About Fabian and Thomas Fabian Bader is a Microsoft MVP and Cybersecurity Architect at glueckkanja, based in Hamburg, Germany. He is a well-known researcher in the Microsoft identity space, creator of the Cloud Brothers blog, and creator of the Maester and Token Tactics V2 tools. His work focuses on Microsoft Entra and the Defender suite, helping customers secure their cloud environments. Thomas Naunheim is a Microsoft MVP and a Cybersecurity Architect at glueckkanja. He specializes in Microsoft Entra, identity and access management, and cloud security posture. * Thomas LinkedIn - https://www.linkedin.com/in/thomasnaunheim/ [https://www.linkedin.com/in/thomasnaunheim/] * Fabian LinkedIn- https://www.linkedin.com/in/fabianbader/ [https://www.linkedin.com/in/fabianbader/] 🔗 Related Links * What’s New in Microsoft Entra: May 2026 - https://techcommunity.microsoft.com/blog/microsoft-entra-blog/whats-new-in-microsoft-entra-may-2026/4517884 * Claude API Docs - https://platform.claude.com/docs/en/manage-claude/wif-providers/azure [https://platform.claude.com/docs/en/manage-claude/wif-providers/azure] * Microsoft Graph - https://learn.microsoft.com/en-us/graph/api/resources/agentid-platform-overview?view=graph-rest-1.0 [https://learn.microsoft.com/en-us/graph/api/resources/agentid-platform-overview?view=graph-rest-1.0] 📗 Chapters 00:00 Intro 01:18 The Year of Passkeys & Registration Campaigns 08:49 Windows Hello & Passkey Syncing 16:37 Migrating to Entra Cloud Sync 22:27 The Rise of Agent IDs & AI Workloads 28:21 Defender XDR Updates for Entra Admins 38:32 Security Copilot & Conditional Access Agent 45:48 Access Packages & New AI Admin Roles Podcast Apps 🎙️ Entra.Chat - https://entra.chat [https://entra.chat] 🎧 Apple Podcast → https://entra.chat/apple [https://entra.chat/apple] 📺 YouTube → https://entra.chat/youtube [https://entra.chat/youtube] 📺 Spotify → https://entra.chat/spotify [https://entra.chat/spotify] 🎧 Overcast → https://entra.chat/overcast [https://entra.chat/overcast] 🎧 Pocketcast → https://entra.chat/pocketcast [https://entra.chat/pocketcast] 🎧 Others → https://entra.chat/rss [https://entra.chat/rss] Merill’s socials 📺 YouTube → youtube.com/@merillx [https://youtube.com/@merillx] 👔 LinkedIn → linkedin.com/in/merill [https://linkedin.com/in/merill] 🐤 Twitter → twitter.com/merill [https://twitter.com/merill] 🕺 TikTok → tiktok.com/@merillf [https://www.tiktok.com/@merillf] 🦋 Bluesky → bsky.app/profile/merill.net [https://bsky.app/profile/merill.net] 🐘 Mastodon → infosec.exchange/@merill [https://infosec.exchange/@merill] 🧵 Threads → threads.net/@merillf [https://www.threads.net/@merillf] 🤖 GitHub → github.com/merill [https://github.com/merill] Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe [https://entra.news/subscribe?utm_medium=podcast&utm_campaign=CTA_4]

If You Manage Entra Permissions, Watch This Before Deploying Agents

Microsoft Entra Agent ID Just Went GA Here’s What You Need to Know About Agent Permissions If you’ve been waiting for the dust to settle on Microsoft Entra Agent ID before diving in, the wait is over. Agent ID hit General Availability on May 1st, and in this episode of Entra Chat, Erin Greenlee, a PM in the the Entra AuthN team joins to break down one of the trickiest parts of the new model: how permissions actually work. The three-tier model you need to understand The biggest mental shift with Agent ID is moving from the familiar single app registration model to a three-tier hierarchy. Here’s the short version: * Agent Blueprint → the template for your agent. Think of it as a souped-up app registration that lives in one tenant and defines how the agent behaves. Every agent needs one, even if you’re only ever creating a single instance. * Blueprint Principle → the identity that represents the blueprint inside each tenant it’s deployed to. This is the middle tier, and it has a superpower: permissions granted here cascade down to all current and future agent identity instances automatically. * Agent Identity → the actual running instance of the agent. This is what authenticates, what shows up in your tenant logs, and what can hold its own individual permissions on top of whatever it inherits. Required Resource Access is a hint, not a grant One thing that trips people up early: adding permissions to the blueprint’s Required Resource Access (RRA) doesn’t actually grant anything. It’s a signal to admins adopting your agent. A polite list of “here’s what this agent will need to function.” The real grant happens later, either upfront during adoption or dynamically as the agent needs it. Expect agents to lean more on dynamic consent than traditional apps have, since agents evolve and request new permissions as tasks change. Inheritance only works if you set it up Permissions granted on the Blueprint Principle will only cascade down to agent identities if the resource app (e.g. Microsoft Graph) is explicitly marked as an inheritable resource on the blueprint. It’s an easy thing to miss, and if you skip it, your Blueprint Principle grants won’t flow through to your instances. A free tool to visualise all of this Erin built an interactive web app — using GitHub Copilot, no less — that makes all of the above click visually. It has a no-sign-in tutorial that walks you through the object relationships, a permission matrix view, and even generates the PowerShell or Graph API scripts to apply your configuration in real life. No changes are made to your tenant unless you explicitly ask it to. The source code is being open-sourced too, so you can fork and customise it if you want. Watch the full episode to see Erin walk through the tool live, including how permission inheritance works in practice and a real-world debugging scenario that inspired the whole thing. Subscribe with your favorite podcast player or watch on YouTube 👇 About Erin Greenlee Erin is a member of the Entra AuthN team working on AI and Agent ID at Microsoft. She previously joined Entra Chat to discuss app permissions and consent, and she loves building tools that make complex identity concepts easier to understand. LinkedIn - https://www.linkedin.com/in/eringreenlee/ [https://www.linkedin.com/in/eringreenlee/] Sponsored by: Find App Access Gaps Before They Break Workflows In Microsoft Entra ID, small visibility gaps lead to outages and delays. Expired secrets break integrations, while unclear ownership and excessive permissions slow access decisions. Teams still struggle to answer: * Which apps access Microsoft 365 data? * Is that access still justified? * Who owns it? AppGov Score [https://www.appgovscore.com/appgov-score?utm_campaign=AppGov%20Score&utm_source=EntraNews&utm_medium=Email&utm_content=5.10.26] helps you quickly identify these gaps. ENow App Governance Accelerator then exposes app-specific credential risks, permission issues, and ownership gaps before they disrupt operations. Start with your AppGov Score, then upgrade to a 7-day free trial to take action. 🔗 Related Links * https://aka.ms/erins-agent-helper [https://aka.ms/erins-agent-helper] 📗 Chapters 01:11 Agent ID General Availability 04:14 The Agent ID Visualizer Tool 05:35 Defining the Agent Blueprint 08:06 Understanding the Blueprint Principle 10:57 Agent Identity Instances Explained 13:37 Required Resource Access (RRA) 24:07 Inheritable Permissions and Cascading 30:18 Applying Changes with Scripts Podcast Apps 🎙️ Entra.Chat - https://entra.chat 🎧 Apple Podcast → https://entra.chat/apple 📺 YouTube → https://entra.chat/youtube 📺 Spotify → https://entra.chat/spotify 🎧 Overcast → https://entra.chat/overcast 🎧 Pocketcast → https://entra.chat/pocketcast 🎧 Others → https://entra.chat/rss Merill’s socials 📺 YouTube → youtube.com/@merillx [https://youtube.com/@merillx] 👔 LinkedIn → linkedin.com/in/merill [https://linkedin.com/in/merill] 🐤 Twitter → twitter.com/merill [https://twitter.com/merill] 🕺 TikTok → tiktok.com/@merillf [https://www.tiktok.com/@merillf] 🦋 Bluesky → bsky.app/profile/merill.net [https://bsky.app/profile/merill.net] 🐘 Mastodon → infosec.exchange/@merill [https://infosec.exchange/@merill] 🧵 Threads → threads.net/@merillf [https://www.threads.net/@merillf] 🤖 GitHub → github.com/merill [https://github.com/merill] Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe [https://entra.news/subscribe?utm_medium=podcast&utm_campaign=CTA_4]

How to Secure Copilot Agents, Azure DevOps & Defender (+ more) with Maester 2.1 (Full Breakdown)

Maester is back with one of its biggest release since launch. In this episode, we are joined by Sam Erde, Architect at Patriot Consulting and one of Maester’s core maintainers, to walk through everything that’s landed in Maester 2.1. Since the December release, the community has shipped 540 new commits, grown the test suite from 128 to 168 tests, and added coverage across entirely new product areas. Here’s a taste of what’s covered: 🤖 Securing Your AI Agents (Copilot Studio) With Microsoft’s Agent 365 going GA and organisations rapidly deploying Copilot Studio agents, Maester now includes tests based directly on Microsoft’s own recommendations for securing agents. Think orphaned agents with no owner, missing authentication on MCP connections, dormant agents, risky HTTP configurations, and agents shared too broadly. If you’re deploying agents in your tenant, these tests should be running. 🔧 AI That Writes Its Own Security Tests One of the most exciting developments in this release isn’t a test, it’s a custom AI skill that writes Maester tests for you. Sam built a GitHub Copilot agent skill that understands Maester’s structure, coding conventions, and contributor guide. You describe a security check in plain English, and within minutes you get a properly structured test, helpers, and documentation. No VS Code required! You can do it straight from GitHub’s Agents tab or even the mobile app. The barrier to contributing to Maester just got a lot lower. 🛡️ Defender for Endpoint Coverage Maester now includes 24 community-contributed MDE tests covering antivirus configuration, endpoint policy posture, cloud protection, behaviour monitoring, and PUA protection. Getting these tests into shape required the new AI skill to refactor months of pending work and it delivered. 🔑 Azure DevOps Security (37+ New Tests) With AI-generated code accelerating supply chain risks, securing your DevOps pipeline has never been more critical. Maester 2.1 ships with 37+ new Azure DevOps tests, checking OAuth config, PAT token policies, external guest access, collection admin hygiene, and more. 🔗 Linked Identity Checks for Privileged Accounts A new test surfaces a common blind spot: privileged admin accounts that remain active after their linked standard user account is disabled. If someone leaves your organisation and their cloud admin account stays enabled, Maester will now catch it. 📋 CIS Benchmark Refresh & Conditional Access Improvements Community contributor Morten has refreshed the CIS benchmark tests to reflect the latest changes, plus improved the logic behind several conditional access policy checks — including automated tracking of Entra ID roles used in XSPM and commercial access quality checks. There’s a lot more covered in the full episode, including multi-tenant reporting updates, the new dev container for contributors, a surprisingly entertaining story about two AI models dissing each other’s code reviews, and a teaser for what’s coming in the next release. 👉 Listen to the full episode for the deep dives, the war stories behind getting community PRs across the line, and Merill and Sam’s take on where AI fits into the future of security testing. Subscribe with your favorite podcast player or watch on YouTube 👇 About Sam Erde Sam is an Architect at Patriot Consulting who focuses on performing security assessments, securing and deploying Microsoft 365, and writing PowerShell. He has been a critical pillar for the Maester community over the last year, helping heavily refactor the codebase and streamlining community contributions. LinkedIn - https://www.linkedin.com/in/samerde/ [https://www.linkedin.com/in/samerde/] Sponsored by: Would you bet your reputation on your current Microsoft 365 security posture? Sure, you’ve checked Purview. Maybe tightened Conditional Access. We all do that. But it’s usually the quiet stuff that bites... permissions that expanded, policies that drifted, exceptions nobody revisited. You could assume it’s fine. Or you could run the Microsoft 365 Security Posture Check. It’s free. It runs locally. And no, it doesn’t send your tenant data back to us. We’ll even help you set it up. 🔗 Related Links * What’s new in Maester 2.1.0 - https://maester.dev/blog/whats-new-since-maester-2-0 [https://maester.dev/blog/whats-new-since-maester-2-0] 📗 Chapters 00:00 Intro 05:49 Securing Copilot Studio & AI Agents 08:53 The Challenge with Defender for Endpoint Tests 013:39 Using AI to Automate Writing Security Tests 22:30 Dev Containers for Easy Contributions 24:58 New Azure DevOps Security Checks 31:02 Multi-Tenant Reporting & Xbox’s Secret 37:00 Active Directory Tests & The Future of Hybrid 43:00 The Long-Term Vision for Maester 54:48 CIS Benchmarks & Linked Identity Tests Podcast Apps 🎙️ Entra.Chat - https://entra.chat 🎧 Apple Podcast → https://entra.chat/apple 📺 YouTube → https://entra.chat/youtube 📺 Spotify → https://entra.chat/spotify 🎧 Overcast → https://entra.chat/overcast 🎧 Pocketcast → https://entra.chat/pocketcast 🎧 Others → https://entra.chat/rss Merill’s socials 📺 YouTube → youtube.com/@merillx [https://youtube.com/@merillx] 👔 LinkedIn → linkedin.com/in/merill [https://linkedin.com/in/merill] 🐤 Twitter → twitter.com/merill [https://twitter.com/merill] 🕺 TikTok → tiktok.com/@merillf [https://www.tiktok.com/@merillf] 🦋 Bluesky → bsky.app/profile/merill.net [https://bsky.app/profile/merill.net] 🐘 Mastodon → infosec.exchange/@merill [https://infosec.exchange/@merill] 🧵 Threads → threads.net/@merillf [https://www.threads.net/@merillf] 🤖 GitHub → github.com/merill [https://github.com/merill] Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe [https://entra.news/subscribe?utm_medium=podcast&utm_campaign=CTA_4]

What an ID Governance Consultant Wishes You Knew About Entra

Identity Governance is often treated as a “nice-to-have” compliance checkbox, but as ID Governance expert Sandra Saluti reveals, it is actually the foundation of a secure, scalable environment. In this technical deep dive, we move past the marketing slides to discuss some of the common real-world “gotchas” that break Entra ID deployments. In this episode, you will learn: * The Golden Rule of Automation: Why you must stop using “presentation data” (like UPNs or Email addresses) as your anchor. We explain why the Object ID is the only immutable truth for your automation. * The “Marriage Bug”: A cautionary tale of how a simple name change can break hybrid joins and lead to accidental laptop wipes and how to prevent it. * The “Unsexy” Side of Governance: Why the most important part of your job isn’t writing PowerShell, but interviewing HR and stakeholders to map out process flow diagrams before you ever touch the portal. * Closing the “Rehire Gap”: How to solve the common crisis where contractors lose access for 48 hours during a renewal because of lifecycle synchronization delays. * Directory Extensions vs. Exchange Attributes: Technical advice on where to store your identity metadata for the most reliable governance. Sponsored by: Entra ID Gaps That Cause Outages In Microsoft Entra ID, outages often start small: an expired client secret, a lapsed certificate, or a suddenly failing integration. Traditional controls don’t track credential expiry or enforce application ownership, so issues appear only after something breaks. Teams are left asking: * Which applications can access Microsoft 365 data? * Is that access still appropriate? * Who owns the app? Unclear answers stall reviews, weaken accountability, and slow delivery. ENow App Governance Accelerator closes these gaps by highlighting expiring credentials, surfacing permission risks, and identifying ownership gaps before they disrupt operations. New Standard Tier pricing makes it accessible for organizations under 10,000 users, typically $3,500–$9,500 annually. Subscribe with your favorite podcast player or watch on YouTube 👇 About Sandra Saluti Sandra Saluti is a consultant at Epical working with Microsoft Entra ID and identity governance. She helps organisations design secure and practical identity solutions with a focus on governance, access management, and Zero Trust. LinkedIn - https://www.linkedin.com/in/sandra-saluti-6866a686/ [https://www.linkedin.com/in/sandra-saluti-6866a686/] 🔗 Related Links * Sandra’s Blog - https://agderinthe.cloud/author/sandra/ [https://agderinthe.cloud/author/sandra/] 📗 Chapters 00:00 Welcome to Entra Chat 03:18 Explaining Identity Governance 08:51 Handling Late Hires and Rehires 11:25 Using Directory Extensions Effectively 18:50 Stop Targeting UPNs for Automation 25:18 Managing Chaos with Guest Access Reviews 30:56 Deciding Who Approves App Access 33:51 Replacing Nested Groups with Access Packages 39:29 Closing Thoughts and Community Podcast Apps 🎙️ Entra.Chat - https://entra.chat 🎧 Apple Podcast → https://entra.chat/apple 📺 YouTube → https://entra.chat/youtube 📺 Spotify → https://entra.chat/spotify 🎧 Overcast → https://entra.chat/overcast 🎧 Pocketcast → https://entra.chat/pocketcast 🎧 Others → https://entra.chat/rss Merill’s socials 📺 YouTube → youtube.com/@merillx [https://youtube.com/@merillx] 👔 LinkedIn → linkedin.com/in/merill [https://linkedin.com/in/merill] 🐤 Twitter → twitter.com/merill [https://twitter.com/merill] 🕺 TikTok → tiktok.com/@merillf [https://www.tiktok.com/@merillf] 🦋 Bluesky → bsky.app/profile/merill.net [https://bsky.app/profile/merill.net] 🐘 Mastodon → infosec.exchange/@merill [https://infosec.exchange/@merill] 🧵 Threads → threads.net/@merillf [https://www.threads.net/@merillf] 🤖 GitHub → github.com/merill [https://github.com/merill] Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe [https://entra.news/subscribe?utm_medium=podcast&utm_campaign=CTA_4]