All Posts


Identity Governance Architecture: Building Lifecycle Workflows in Entra ID
When someone leaves, can you prove every one of their accounts is actually closed? Most teams can't, because offboarding runs on manual steps across Active Directory, Entra ID, and SaaS apps. This deep-dive shows security architects and the leaders who fund them how to build lifecycle workflows in Microsoft Entra ID Governance: the joiner-mover-leaver architecture, the deployment order that works, and the ROI case for automating it.

Derek Morgan
2 days ago · 8 min read


Microsoft Defender for Endpoint Onboarding: What They Don't Tell You in the Docs
Onboarding a device to Microsoft Defender for Endpoint turns on the sensor that sends telemetry. It does not turn on the controls that stop an attack. A device can report "healthy" while nothing blocks files on disk. For the engineers who run MDE rollouts and the leaders who fund them: the five gaps that leave a finished onboarding exposed, and the post-onboarding checklist that closes them.

Derek Morgan
Jun 2 · 5 min read


If Every Alert Is Important, None Are: Designing Security Reports That Drive Decisions
Most security teams ship two versions of every report: the 40-page export the platform makes easy, and the 1-page version someone sat down and designed for a specific reader and a specific decision. This piece walks through a 4-question rubric for separating reports that drive decisions from reports that exist because they always have. Includes an audience cadence matrix, outcome metrics by audience, and a kill list of the reports that almost always fail the test.

Derek Morgan
May 26 · 6 min read


Part 1 of 3: Your Copilot Studio Agent Has An Identity. Here Is How To Govern It
Publishing a Copilot Studio agent creates an Entra identity in the same minute. As of March 18, 2026, every Copilot Studio agent in a default-on tenant gets a Microsoft Entra Agent ID: a service principal with the 'Agent' subtype, governable through the same Entra admin center and Microsoft 365 admin center your IAM team already operates. A walkthrough of what the Agent ID is, how Agent 365 governs it, the connected dual-agent pattern from a defensive SecOps PoC, and a 7-step

Derek Morgan
May 26 · 8 min read


PIM vs Service Accounts: When Privileged Identity Management is the Right Answer
Three things get called "service account" in Microsoft Entra ID. Most incidents involve only one of them. This article gives security architects and CISOs a framework for picking the right control: PIM-eligible roles for human admins, managed identities and service principals for workloads. Two diagnostic questions, four patterns, and a 5-step checklist for converting a tenant from standing privilege to a controlled model.

Derek Morgan
May 19 · 7 min read


Defender for Office 365 vs EOP — Decision Framework for Architects
Email is still the top entry point for ransomware, BEC, and credential theft. Architects choosing between Exchange Online Protection, Defender for Office 365 Plan 1, and Plan 2 have to answer one question: which tier, at what licensing cost, gets the organization to a defensible posture. This article covers what each tier does, the cost-of-breach math, and the 5 questions that decide Plan 1 versus Plan 2.

Derek Morgan
May 6 · 8 min read


The Business Case for Account Discovery in Entra ID Governance
App owners can't always answer who has access to their app right now. Mid-market enterprises run about 200 SaaS apps; large enterprises closer to 350. Account Discovery (preview) in Microsoft Entra ID Governance reads each connected app and classifies every account as Local, Unassigned, or Assigned. This post covers the business case, the three categories, and a three-phase rollout worked through SAP.

Derek Morgan
May 6 · 6 min read


Zero Trust Is Not a Product — It’s a Decision Framework (Microsoft 365 as the Reference Implementation)
Zero Trust isn’t a product—it’s a decision framework. This post explains how Microsoft 365 enforces consistent access decisions across identity, endpoints, apps, data, and unified security operations to reduce cost, risk, and improve compliance defensibility.

Derek Morgan
Apr 30 · 10 min read


The Business Case for Microsoft Defender for Identity
Identity attacks don't start with malware — they start with a perfectly valid sign-in. Microsoft Defender for Identity is the monitoring and early-warning system for your organization's "control room." This article breaks down the business case: what you're buying, how it reduces identity exposure, why earlier detection compresses cost, and how identity signals correlate into unified incidents for faster response. Includes an ROI model, executive and engineer checklists, and

Derek Morgan
Apr 16 · 8 min read


Why Entra ID Conditional Access Fails in Practice (And How to Fix It)
I've never investigated a breach where Conditional Access failed — only where expectations did. Most CA breakdowns aren't technical. They're architectural: wrong exclusions, forgotten accounts, policies that evaluate risk but never enforce it. This article covers the four most common failure patterns — and the three-phase approach to fix them.

Derek Morgan
Apr 7 · 6 min read