
Microsoft Entra ID Governance: Show suggested access packages in My Access

  • Entra
  • 2 min read

Today’s post is about a new feature in Entra ID’s Identity Governance: Show suggested access packages in My Access. This feature provides users with a tailored list of suggested access packages. Instead of browsing through all available options, users can quickly view the most relevant access packages based on their peers’ choices and their own past requests. To enable the preview, go to Identity Governance in the Microsoft Entra admin center, click Edit, and enable the preview: Show suggested access packages…

Use Requestor information in Entra ID Access Packages as input for Custom Extensions

In a previous blog post, I explained a proof of concept in which we use Entra ID Governance Access Packages to request a Temporary Access Pass on behalf of other users. While this is already a good starting point, I’d like to take it to the next level. In the previous example, we had some static values, like the duration of the Temporary Access Pass and the phone number to which it should be sent. These were hard-coded into the…

Request Temporary Access Pass on behalf of others via Entra ID Governance Access Package

While looking at this new feature (Request access packages on-behalf-of other users (Preview) – Microsoft Entra ID Governance | Microsoft Learn), an interesting use case came to mind. I thought of a scenario where a manager would request a Temporary Access Pass on behalf of a direct report so the IT service desk would not be needed. Apart from the details of how a manager would verify the identity of the team member, this seemed like a good proof of…

Evilginx Mastery Course | What I learned

  • Security
  • 4 min read

A couple of years back, I was really struggling to get Evilginx up and running. The main reason was that I had forgotten how to do it by the time I needed an instance for a demo, so it took me hours to spin it up. Then, I decided to take notes, and I made this post. To this day, this is my go-to manual for getting Evilginx up and running from scratch. It contains all the steps, such as… 

Self-service for hardware (OATH) tokens in Entra ID

One of the longest-running previews in Entra ID is the support for hardware (OATH) tokens. Hardware tokens generate OTP codes that can be used to satisfy MFA requirements in Entra ID. That said, I also must point out that this method is not phishing-resistant: (T)OTP codes can easily be relayed in real time by AiTM phishing attacks. But that’s for another time. This post will focus on the management of the hardware tokens themselves. According to the documentation, this feature has received several…

Register Yubikeys on behalf of your users with Microsoft Entra ID FIDO2 provisioning APIs

Microsoft recently announced their new FIDO2 provisioning APIs within Microsoft Entra ID. While users can register their FIDO2 keys fairly easily with a Temporary Access Pass, the new API allows admins to register keys on behalf of a user. This can be extremely handy in onboarding scenarios, or in case a new key needs to be shipped to a vendor or contract worker. The Microsoft APIs support FIDO2 (passkey) authenticators from any vendor, but Yubico has made some extra effort to…

All you need to know about the mandatory multifactor authentication for Azure and other administration portals

In case you didn’t get the latest memo, Microsoft is tightening the security around the Azure and Microsoft 365 admin portals by enforcing multifactor authentication for all interactive sign-ins. In this post, I will try to answer all the questions about this change, as there seem to be a lot of questions on social media lately. If you still have questions after reading this post (which I’m sure you have), please reach out so I can add your Q&A to… 

Temporary exclusions for Conditional Access using PIM for Groups

Conditional Access include and exclude groups must be protected from tampering. As we have seen in a previous blog post, any change to them will impact your security posture. But what if you need to create a legitimate escape for operational purposes? Take this use case, for example: You’ve enforced phishing-resistant MFA for your admin accounts on all apps (you are a rockstar!). Still, some applications do not support MSAL/WAM, or you have legacy scripts that use Internet Explorer 11 for authentication, so your…

Prevent Conditional Access bypass with Restricted Management Administrative Units in Entra ID

Bypassing Conditional Access is easy. That’s because most Conditional Access policies rely on Entra ID security groups. Since Entra ID is very “flat” by default, every admin with group management permissions can add or remove members of ANY group, including the include and exclude groups of your policies. That’s why we want to handle those groups carefully. This idea does not stand alone and is also mentioned in this marvelous article by Thomas Naunheim. If you’re new to Restricted Management Administrative Units, I suggest reading this…
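The check a practitioner wants before (and after) applying either of the two posts above, the temporary PIM-for-Groups exclusions and the Restricted Management Administrative Units, is a list of every group a Conditional Access policy includes or excludes, and whether that group actually sits in a restricted management AU. The following script is an added example, not code from the blog or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK is installed, that the account running it holds the read scopes requested in Connect-MgGraph, and that the SDK exposes the AU property as IsMemberManagementRestricted (the Graph attribute is isMemberManagementRestricted).

```powershell
# Added example (not from the blog): audit the groups referenced by
# Conditional Access include/exclude conditions and report whether each
# one is protected by a Restricted Management Administrative Unit (RMAU).
# Assumes the Microsoft.Graph SDK and the scopes below.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Group.Read.All', 'AdministrativeUnit.Read.All'

# Lookup: group objectId -> display name of the RMAU that contains it.
$protected = @{}
foreach ($au in Get-MgDirectoryAdministrativeUnit -All) {
    if (-not $au.IsMemberManagementRestricted) { continue }
    foreach ($m in Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All) {
        if ($m.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group') {
            $protected[$m.Id] = $au.DisplayName
        }
    }
}

# One row per (policy, role, group). Include groups matter as much as
# exclude groups: removing yourself from an include group is also a bypass.
$report = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $users = $p.Conditions.Users
    $refs = @(
        @{ Role = 'Include'; Ids = $users.IncludeGroups }
        @{ Role = 'Exclude'; Ids = $users.ExcludeGroups }
    )
    foreach ($r in $refs) {
        foreach ($gid in @($r.Ids)) {
            if ([string]::IsNullOrEmpty($gid)) { continue }
            # A referenced group that no longer exists is worth flagging too.
            $g = Get-MgGroup -GroupId $gid -Property Id, DisplayName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Policy    = $p.DisplayName
                State     = $p.State
                Role      = $r.Role
                Group     = if ($g) { $g.DisplayName } else { "<missing: $gid>" }
                GroupId   = $gid
                Protected = $protected.ContainsKey($gid)
                RMAU      = $protected[$gid]
            }
        }
    }
}

# Anything not protected can be edited by any admin holding group
# management rights, which is exactly the bypass described above.
$report | Where-Object { -not $_.Protected } | Sort-Object Role, Policy |
    Format-Table Policy, State, Role, Group, GroupId -AutoSize
```

Two caveats when acting on the output: restricted management can only be switched on when the administrative unit is created (the property cannot be flipped on an existing AU, so plan a new AU and move the groups into it), and a PIM-for-Groups exclusion group still needs to live in the RMAU, because PIM controls who becomes a member, not who may edit the group object itself.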

Entra ID Dynamic Groups – Direct reports of a manager

Here’s a quick tip that I discovered only recently. A nice, somewhat hidden feature of Entra ID dynamic groups is the possibility of creating a dynamic group for the direct reports of a specific manager. When the manager’s direct reports change in the future, the group’s membership is adjusted automatically. Assume you want to create a dynamic group that holds all the direct reports of Miriam Graham; here’s how to do it. From the Entra admin center, go to Identity >…
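The same group can be created from PowerShell, which is the form you want when the manager is chosen by a script rather than clicked in the portal. This is an added example, not code from the blog; it uses the documented membership rule `Direct Reports for "<manager objectId>"` and assumes the Microsoft.Graph PowerShell SDK, an Entra ID P1 license (required for dynamic membership), and the placeholder UPN miriam.graham@contoso.example for the manager.

```powershell
# Added example (not from the blog): create a dynamic security group that
# always contains the direct reports of one manager, then verify it.
# The manager UPN below is an assumed placeholder.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

$managerUpn = 'miriam.graham@contoso.example'   # assumption for illustration
$manager = Get-MgUser -UserId $managerUpn -Property Id, DisplayName

# The rule needs the manager's object ID (a GUID), not the UPN or display name.
$rule = "Direct Reports for ""$($manager.Id)"""

$group = New-MgGroup `
    -DisplayName "Direct reports of $($manager.DisplayName)" `
    -MailEnabled:$false `
    -MailNickname ('directreports-' + $manager.Id.Substring(0, 8)) `
    -SecurityEnabled:$true `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Membership is evaluated asynchronously by the dynamic group service, so
# give it a moment before comparing against the manager's actual reports.
Start-Sleep -Seconds 60
$expected = Get-MgUserDirectReport -UserId $manager.Id -All |
    Select-Object -ExpandProperty Id | Sort-Object
$actual = Get-MgGroupMember -GroupId $group.Id -All |
    Select-Object -ExpandProperty Id | Sort-Object

if (Compare-Object $expected $actual) {
    Write-Warning "Group $($group.Id) is not yet in sync with $managerUpn's direct reports"
} else {
    "Group $($group.Id) matches the $($expected.Count) direct reports of $managerUpn"
}
```

Because the rule is keyed on the manager's object ID, it survives a rename or UPN change of the manager but not the deletion and recreation of the account; in that case the rule must be updated with the new ID.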