Entra ID - The Conditional Chaos Engine
Most organizations believe they have identity security under control — but in reality, they’re operating with ambiguity, over-permissioned access, and fragile policies that only work on paper. In this episode, we break down how to move from identity sprawl and “heroic” incident response to a boring, disciplined, and effective security loop. You’ll learn how to pay down identity debt, reduce blast radius, and turn conditional access from a blunt execution engine into clear, enforceable policy — without grinding the business to a halt. This is a practical, operator-focused conversation about what actually works at scale.

What You’ll Learn
- Why most identity programs fail despite heavy tooling
- The real cost of identity debt — and how it quietly compounds risk
- Why “hero weekends” are a red flag, not a success story
- How a 90-day remediation cadence creates momentum without chaos
- The three phases of moving from ambiguity to enforceable intent
- How to design conditional access policies that don’t break the business
- Practical guidance for break-glass access, privilege ownership, and exclusions
- How to shrink blast radius systematically — not reactively
- Why identity security often looks mature on the surface while remaining fundamentally fragile underneath
- How identity debt forms, compounds over time, and quietly increases organizational risk
- The dangers of “just in case” access and how over-permissioning becomes normalized
- Why reactive, high-effort security work is a warning sign — not a success metric
- How disciplined, repeatable remediation outperforms heroic incident response
- What a sustainable identity cleanup loop actually looks like in real environments
- The role of clarity and ownership in making security policies enforceable
- Why conditional access should be treated as an execution layer, not a decision engine
- Common failure modes in conditional access design and how to avoid them
- Practical approaches to privileged access, emergency accounts, and policy exclusions
- How to ship an initial identity security baseline without blocking the business
- Why incremental improvement beats waiting for a “perfect” security posture
- How reducing blast radius becomes a predictable outcome — not a lucky accident
- Security maturity isn’t about speed — it’s about repeatability
- Reducing ambiguity is what makes intent enforceable
- Strong identity programs favor boring, consistent execution over heroics
- Conditional access only works when ownership and outcomes are clear
- Progress comes from shipping baselines early and improving them on schedule
- Security and IAM leaders
- Cloud and platform engineers
- CISOs and security architects
- Anyone responsible for access, identity, or zero-trust initiatives
Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-show-modern-work-security-and-productivity-with-microsoft-365--6704921/support.
1
00:00:00,000 --> 00:00:01,960
Most organizations think their Azure problems
2
00:00:01,960 --> 00:00:04,320
are cost, network or VM configuration.
3
00:00:04,320 --> 00:00:05,160
They are not.
4
00:00:05,160 --> 00:00:06,600
Your failures start in identity
5
00:00:06,600 --> 00:00:09,240
because identity is Azure's control plane.
6
00:00:09,240 --> 00:00:12,160
And when conditional access fails during an MFA outage,
7
00:00:12,160 --> 00:00:15,080
responders discover the break glass path wasn't protected.
8
00:00:15,080 --> 00:00:16,480
It was hidden from observation.
9
00:00:16,480 --> 00:00:17,720
We didn't design this wrong.
10
00:00:17,720 --> 00:00:19,080
We stopped designing it.
11
00:00:19,080 --> 00:00:21,320
And the system kept accepting every exception we gave it.
12
00:00:21,320 --> 00:00:24,680
Today I'll show why identity debt accumulates by default,
13
00:00:24,680 --> 00:00:26,480
how it spreads through hybrid sync,
14
00:00:26,480 --> 00:00:28,560
conditional access sprawl, workload identities
15
00:00:28,560 --> 00:00:30,360
and B2B guests, and how to measure it.
16
00:00:30,360 --> 00:00:32,480
If you can't inventory it, you don't control it.
17
00:00:32,480 --> 00:00:34,600
If you can't measure it, you can't pay it down.
18
00:00:34,600 --> 00:00:37,360
Later I'll show you how to see this drift in your own logs
19
00:00:37,360 --> 00:00:38,360
without a lab.
20
00:00:38,360 --> 00:00:42,920
The foundational misunderstanding: identity as control plane.
21
00:00:42,920 --> 00:00:46,320
Most teams treat Microsoft Entra ID like a login service.
22
00:00:46,320 --> 00:00:47,280
They are wrong.
23
00:00:47,280 --> 00:00:48,840
Architecturally it is something else.
24
00:00:48,840 --> 00:00:51,880
A distributed decision engine that compiles identity signals
25
00:00:51,880 --> 00:00:54,760
into authorization across Azure, M365,
26
00:00:54,760 --> 00:00:57,200
and every federated app you've consented.
27
00:00:57,200 --> 00:00:58,880
That distinction matters.
28
00:00:58,880 --> 00:01:01,920
Every sign-in, every token refresh, every app consent
29
00:01:01,920 --> 00:01:03,280
routes through this engine.
30
00:01:03,280 --> 00:01:05,080
Your policy isn't a static document.
31
00:01:05,080 --> 00:01:07,840
It's an executable program that evaluates users, devices,
32
00:01:07,840 --> 00:01:09,800
risk, protocol and exclusions,
33
00:01:09,800 --> 00:01:11,480
then emits allow, deny or prompt.
34
00:01:11,480 --> 00:01:13,440
The more you patch exceptions onto intent,
35
00:01:13,440 --> 00:01:16,000
the more your outputs become probabilistic.
36
00:01:16,000 --> 00:01:18,680
Deterministic policy becomes conditional chaos.
37
00:01:18,680 --> 00:01:20,560
Define this one so it sticks.
38
00:01:20,560 --> 00:01:22,120
Entropy generator.
39
00:01:22,120 --> 00:01:25,160
An identity control that increases state complexity
40
00:01:25,160 --> 00:01:26,920
faster than it reduces risk
41
00:01:26,920 --> 00:01:28,480
when exceptions are added.
42
00:01:28,480 --> 00:01:30,600
Conditional access without lifecycle ownership
43
00:01:30,600 --> 00:01:32,120
is an entropy generator.
44
00:01:32,120 --> 00:01:35,280
Hybrid sync without translation rules is an entropy generator.
45
00:01:35,280 --> 00:01:38,440
Workload identities without ownership are entropy generators.
46
00:01:38,440 --> 00:01:40,840
Guests without lifecycle are entropy generators.
47
00:01:40,840 --> 00:01:42,360
These pathways accumulate.
48
00:01:42,360 --> 00:01:46,480
Here is the debt pattern we'll reference throughout.
49
00:01:46,480 --> 00:01:49,400
Intent, translation, exception,
50
00:01:49,400 --> 00:01:51,080
orphan, persistence.
51
00:01:51,080 --> 00:01:54,720
Intent: least privilege, MFA, no legacy protocols.
52
00:01:54,720 --> 00:01:58,320
Translation: we'll sync AD, add baseline CA, onboard apps.
53
00:01:58,320 --> 00:02:00,680
Exception: temporarily exclude this group,
54
00:02:00,680 --> 00:02:02,240
this app, this vendor.
55
00:02:02,240 --> 00:02:03,000
Orphan.
56
00:02:03,000 --> 00:02:06,720
Owner left, control still exists, no telemetry ties it to risk.
57
00:02:06,720 --> 00:02:08,800
Persistence: temporary became permanent,
58
00:02:08,800 --> 00:02:10,400
blast radius increased.
59
00:02:10,400 --> 00:02:13,000
The authorization graph mutates at every exception.
60
00:02:13,000 --> 00:02:16,880
Groups nest, roles accrue, service principals acquire directory
61
00:02:16,880 --> 00:02:17,800
read-write.
62
00:02:17,800 --> 00:02:21,360
All just for now. Guests are excluded
63
00:02:21,360 --> 00:02:23,080
until the migration ends.
64
00:02:23,080 --> 00:02:25,520
Your control plane remembers everything you told it
65
00:02:25,520 --> 00:02:27,520
long after you forgot why.
66
00:02:27,520 --> 00:02:29,840
Over time, policies drift away from intent.
67
00:02:29,840 --> 00:02:31,040
That's identity debt.
68
00:02:31,040 --> 00:02:34,720
Why networks and endpoints can't compensate.
69
00:02:34,720 --> 00:02:36,880
They don't see the authorization compiler.
70
00:02:36,880 --> 00:02:39,120
Firewalls don't evaluate Entra's device filters.
71
00:02:39,120 --> 00:02:42,720
EDR doesn't understand CA's 'exclude break glass' clause.
72
00:02:42,720 --> 00:02:44,880
You can harden hosts and segment subnets,
73
00:02:44,880 --> 00:02:46,760
but the decision to issue a token
74
00:02:46,760 --> 00:02:49,000
and what that token can do lives above them.
75
00:02:49,000 --> 00:02:50,760
When identity is the control plane,
76
00:02:50,760 --> 00:02:53,320
everything below it becomes best effort containment.
77
00:02:53,320 --> 00:02:55,120
Let me ground this in system behavior.
78
00:02:55,120 --> 00:02:57,600
Synchronization compiles on-prem group semantics
79
00:02:57,600 --> 00:03:00,960
into a flat tenant with roles, scopes and admin units.
80
00:03:00,960 --> 00:03:02,960
OU intent is lost in translation.
81
00:03:02,960 --> 00:03:05,000
If synced admins arrive with broad rights,
82
00:03:05,000 --> 00:03:07,120
Azure inherits over-permissioned identities
83
00:03:07,120 --> 00:03:08,200
deterministically.
84
00:03:08,200 --> 00:03:11,720
Conditional access compiles if-then logic at runtime.
85
00:03:11,720 --> 00:03:13,560
It's an execution engine, not governance.
86
00:03:13,560 --> 00:03:16,760
Every exclusion is a branch that bypasses your policy pipeline,
87
00:03:16,760 --> 00:03:19,240
Branches multiply, coverage fragments.
88
00:03:19,240 --> 00:03:21,240
Report-only purgatory feels safe
89
00:03:21,240 --> 00:03:23,200
until an outage proves otherwise.
90
00:03:23,200 --> 00:03:25,560
Tokens are short-lived, but refresh is long-lived.
91
00:03:25,560 --> 00:03:27,680
If an identity's standing privilege is wrong,
92
00:03:27,680 --> 00:03:30,560
short-lived tokens just refresh the wrong decision every hour.
93
00:03:30,560 --> 00:03:33,000
Least privilege must exist before the token is minted
94
00:03:33,000 --> 00:03:34,400
not after it's used.
95
00:03:34,400 --> 00:03:36,160
Workload identities never see MFA.
96
00:03:36,160 --> 00:03:37,000
That's by design.
97
00:03:37,000 --> 00:03:38,960
They either have secrets, certificates
98
00:03:38,960 --> 00:03:40,680
or federated credentials.
99
00:03:40,680 --> 00:03:43,320
If they're overscoped, you won't get a helpful prompt.
100
00:03:43,320 --> 00:03:44,920
You'll get silent drift in your tenant.
101
00:03:44,920 --> 00:03:46,680
Guests don't share your assumptions.
102
00:03:46,680 --> 00:03:48,600
Cross-tenant trust settings, access reviews
103
00:03:48,600 --> 00:03:50,800
and group nesting rules either encode
104
00:03:50,800 --> 00:03:52,680
the trust boundary or dissolve it.
105
00:03:52,680 --> 00:03:54,360
Temporary collaboration without lifecycle
106
00:03:54,360 --> 00:03:56,280
becomes privilege persistence.
107
00:03:56,280 --> 00:03:57,560
Now the uncomfortable truth.
108
00:03:57,560 --> 00:04:00,000
Your identity program likely lacks lifecycle.
109
00:04:00,000 --> 00:04:02,560
There is no practiced path to remove an exception,
110
00:04:02,560 --> 00:04:05,200
rotate a secret, decommission a vendor,
111
00:04:05,200 --> 00:04:06,280
or retire a policy.
112
00:04:06,280 --> 00:04:07,560
Therefore, the exceptions win.
113
00:04:07,560 --> 00:04:10,880
Governance requires ownership, review and expiry.
114
00:04:10,880 --> 00:04:13,360
The execution engine only enforces whatever remains.
115
00:04:13,360 --> 00:04:15,080
Measurement must arrive early.
116
00:04:15,080 --> 00:04:17,040
If you can't inventory exclusions,
117
00:04:17,040 --> 00:04:19,080
legacy auth attempts, non-expiring secrets,
118
00:04:19,080 --> 00:04:20,880
broad Graph grants, privileged guests
119
00:04:20,880 --> 00:04:22,600
and synced admins, you're guessing.
120
00:04:22,600 --> 00:04:25,520
Start thinking in queries, not dashboards.
121
00:04:25,520 --> 00:04:28,320
Sign-in logs filtered for 'excluded from policy'.
122
00:04:28,320 --> 00:04:30,840
KQL for legacy protocol usage over time,
123
00:04:30,840 --> 00:04:33,760
Graph queries for service principals with directory rights
124
00:04:33,760 --> 00:04:34,680
and no owner.
125
00:04:34,680 --> 00:04:36,800
Access review completion rates for privileged groups
126
00:04:36,800 --> 00:04:37,640
and guests.
127
00:04:37,640 --> 00:04:39,480
Identity debt is not theoretical.
128
00:04:39,480 --> 00:04:40,160
It's observable.
129
00:04:40,160 --> 00:04:42,560
The logs tell you where the control plane is already diverging
130
00:04:42,560 --> 00:04:43,560
from intent.
131
00:04:43,560 --> 00:04:46,240
Once you see that divergence, the case studies make sense.
132
00:04:46,240 --> 00:04:48,520
And once you accept identity as the control plane,
133
00:04:48,520 --> 00:04:52,360
you'll stop expecting networks to fix authorization.
134
00:04:52,360 --> 00:04:56,000
Case study context one: hybrid identity debt propagation.
135
00:04:56,000 --> 00:04:59,000
Hybrid is where Azure inherits debt deterministically.
136
00:04:59,000 --> 00:05:00,760
Active Directory synchronizes objects.
137
00:05:00,760 --> 00:05:02,280
It does not synchronize intent.
138
00:05:02,280 --> 00:05:04,280
That distinction matters because the minute you flip
139
00:05:04,280 --> 00:05:05,600
on synchronization,
140
00:05:05,600 --> 00:05:07,680
Entra compiles your on-prem assumptions
141
00:05:07,680 --> 00:05:10,960
into a flat tenant with roles, scopes and admin units.
142
00:05:10,960 --> 00:05:14,000
OU hierarchy, GPO scoping, and delegated OU rights
143
00:05:14,000 --> 00:05:15,280
don't exist in Entra.
144
00:05:15,280 --> 00:05:17,520
They collapse into groups, role assignments,
145
00:05:17,520 --> 00:05:19,760
and, if you build them, administrative units.
146
00:05:19,760 --> 00:05:21,480
The translation throws away structure
147
00:05:21,480 --> 00:05:23,240
you relied on for least privilege.
148
00:05:23,240 --> 00:05:24,640
Here's what the system actually does.
149
00:05:24,640 --> 00:05:27,640
It reads users and groups, applies attribute flows,
150
00:05:27,640 --> 00:05:29,640
projects identities into the tenant,
151
00:05:29,640 --> 00:05:31,880
and links them to your authorization graph.
152
00:05:31,880 --> 00:05:33,880
If a domain admin is also an Exchange admin
153
00:05:33,880 --> 00:05:36,880
and sits in three legacy 'IT all access' groups,
154
00:05:36,880 --> 00:05:38,920
synchronization doesn't challenge that design.
155
00:05:38,920 --> 00:05:39,840
It preserves it.
156
00:05:39,840 --> 00:05:40,880
Azure doesn't ask why.
157
00:05:40,880 --> 00:05:43,480
It accepts the input and emits tokens accordingly.
158
00:05:43,480 --> 00:05:46,120
Debt signals show up early if you know where to look.
159
00:05:46,120 --> 00:05:47,520
Start with the obvious one.
160
00:05:47,520 --> 00:05:49,000
Synced global administrators.
161
00:05:49,000 --> 00:05:52,280
If any global admin accounts are on-prem and synchronized,
162
00:05:52,280 --> 00:05:54,560
Azure now trusts your domain controller health
163
00:05:54,560 --> 00:05:56,440
to guard the tenant's most powerful role.
164
00:05:56,440 --> 00:05:58,480
That's not resilience, that is coupling.
165
00:05:58,480 --> 00:06:00,120
If those accounts share passwords,
166
00:06:00,120 --> 00:06:03,080
if those admins sign in from unmanaged devices,
167
00:06:03,080 --> 00:06:04,320
Entra will honor that path
168
00:06:04,320 --> 00:06:06,640
because synchronization blessed the identity.
169
00:06:06,640 --> 00:06:08,960
You just extended your blast radius across planes.
170
00:06:08,960 --> 00:06:11,440
Second signal: legacy protocol residues.
171
00:06:11,440 --> 00:06:13,200
You said 'block legacy authentication',
172
00:06:13,200 --> 00:06:15,760
but Exchange Online still honors IMAP or POP
173
00:06:15,760 --> 00:06:17,680
for certain mailboxes because a temporary exception
174
00:06:17,680 --> 00:06:18,760
sits in the tenant.
175
00:06:18,760 --> 00:06:20,680
Password spray hits legacy endpoints.
176
00:06:20,680 --> 00:06:23,400
The CA policy that would have blocked it never evaluates
177
00:06:23,400 --> 00:06:25,840
because legacy auth doesn't support modern claims.
178
00:06:25,840 --> 00:06:29,080
Hybrid made it easy to believe we blocked it on the firewall.
179
00:06:29,080 --> 00:06:31,800
The authorization compiler never checked your firewall.
180
00:06:31,800 --> 00:06:33,440
Third signal: flat group structures.
181
00:06:33,440 --> 00:06:36,320
On-prem you used OUs to reflect departments, regions,
182
00:06:36,320 --> 00:06:37,560
and admin boundaries.
183
00:06:37,560 --> 00:06:39,440
In Entra there is no OU tree.
184
00:06:39,440 --> 00:06:41,480
If you synchronize raw groups with vague names
185
00:06:41,480 --> 00:06:44,040
and broad membership, you manufacture universal keys.
186
00:06:44,040 --> 00:06:45,720
Those groups become assignment scaffolding
187
00:06:45,720 --> 00:06:47,520
for app roles and Azure RBAC.
188
00:06:47,520 --> 00:06:50,720
They drift from 'HR London' to 'HR' to 'everyone who asked'.
189
00:06:50,720 --> 00:06:53,960
And nobody notices because membership still syncs cleanly.
190
00:06:53,960 --> 00:06:56,840
Clean replication of bad semantics is still bad.
191
00:06:56,840 --> 00:06:57,960
Now the failure modes.
192
00:06:57,960 --> 00:07:00,720
Failure mode one: shared admins.
193
00:07:00,720 --> 00:07:04,080
A help desk service account with domain admin privileges
194
00:07:04,080 --> 00:07:06,160
created to work around a legacy tool
195
00:07:06,160 --> 00:07:07,960
is synchronized into Entra.
196
00:07:07,960 --> 00:07:10,800
Added to a group that has global reader for convenience,
197
00:07:10,800 --> 00:07:13,280
then later elevated to Privileged Role Administrator
198
00:07:13,280 --> 00:07:14,800
during a migration.
199
00:07:14,800 --> 00:07:16,040
Nobody rotated the password.
200
00:07:16,040 --> 00:07:17,360
Nobody added PIM.
201
00:07:17,360 --> 00:07:20,080
That identity now escalates in the cloud
202
00:07:20,080 --> 00:07:22,680
with the same shared secret that half the team knows.
203
00:07:22,680 --> 00:07:25,320
Failure mode two: NTLM and IMAP ghosts.
204
00:07:25,320 --> 00:07:27,240
Your password hash sync works.
205
00:07:27,240 --> 00:07:30,320
Your pass-through agent is healthy and federation is gone.
206
00:07:30,320 --> 00:07:33,280
But POP and IMAP are still enabled for a handful of mailboxes
207
00:07:33,280 --> 00:07:36,560
because a third-party archiver needed it for a week.
208
00:07:36,560 --> 00:07:39,160
Six months later, the same mailbox becomes the foothold
209
00:07:39,160 --> 00:07:40,360
for a password spray.
210
00:07:40,360 --> 00:07:42,120
Conditional access never saw the traffic.
211
00:07:42,120 --> 00:07:46,000
Your logs show legacy auth succeeded from an unexpected ASN.
212
00:07:46,000 --> 00:07:48,800
But your policy engine wasn't called. Failure mode three:
213
00:07:48,800 --> 00:07:50,120
OU semantics lost.
214
00:07:50,120 --> 00:07:52,040
You delegated OU-scoped admin rights
215
00:07:52,040 --> 00:07:53,680
to a regional IT team on-prem.
216
00:07:53,680 --> 00:07:56,040
In Entra, you never created admin units.
217
00:07:56,040 --> 00:07:58,920
The same team asks for app admin to manage a local SaaS.
218
00:07:58,920 --> 00:08:01,600
You grant Application Administrator tenant-wide.
219
00:08:01,600 --> 00:08:04,520
Intent was regional scope; translation yielded tenant scope.
220
00:08:04,520 --> 00:08:06,640
That is not drift, that is design omission.
221
00:08:06,640 --> 00:08:09,760
Hybrid also breaks privilege boundaries during incidents.
222
00:08:09,760 --> 00:08:12,600
During a domain controller outage, password hash sync stays
223
00:08:12,600 --> 00:08:15,160
good long enough to keep authenticating cloud users.
224
00:08:15,160 --> 00:08:16,680
That feels like resilience.
225
00:08:16,680 --> 00:08:19,200
Then your responders realize their on-prem admin identities
226
00:08:19,200 --> 00:08:21,240
were also their cloud admin identities.
227
00:08:21,240 --> 00:08:24,280
They can't isolate one plane without sacrificing the other.
228
00:08:24,280 --> 00:08:26,000
Privilege accretion survived sync
229
00:08:26,000 --> 00:08:28,920
and now outage handling must account for two control planes
230
00:08:28,920 --> 00:08:30,280
with one set of credentials.
231
00:08:30,280 --> 00:08:32,680
Here's the uncomfortable truth surfacing again.
232
00:08:32,680 --> 00:08:35,800
Lift-and-sync erodes least privilege before day one.
233
00:08:35,800 --> 00:08:37,640
Not because synchronization is flawed,
234
00:08:37,640 --> 00:08:39,760
but because translation from OU based governance
235
00:08:39,760 --> 00:08:42,400
to role-based cloud scope was never designed.
236
00:08:42,400 --> 00:08:43,920
You synchronized identities.
237
00:08:43,920 --> 00:08:45,760
You did not synchronize boundaries.
238
00:08:45,760 --> 00:08:48,160
If you're an identity architect, this is where your design
239
00:08:48,160 --> 00:08:48,880
leaked.
240
00:08:48,880 --> 00:08:51,320
You assumed OU semantics would survive a platform
241
00:08:51,320 --> 00:08:52,840
that doesn't have OUs.
242
00:08:52,840 --> 00:08:54,120
So what should you observe today?
243
00:08:54,120 --> 00:08:56,080
Entra users flagged as on-premises synced
244
00:08:56,080 --> 00:08:59,000
who hold global administrator, privileged role administrator
245
00:08:59,000 --> 00:09:00,760
or application administrator.
246
00:09:00,760 --> 00:09:04,120
Sign-in logs showing client app legacy authentication events
247
00:09:04,120 --> 00:09:06,080
tied to synchronized users.
248
00:09:06,080 --> 00:09:09,040
Groups with generic names used in Azure RBAC assignments
249
00:09:09,040 --> 00:09:11,040
at subscription or management group scope,
250
00:09:11,040 --> 00:09:13,200
whose owners are synchronized and unaccountable.
251
00:09:13,200 --> 00:09:16,240
No admin units or admin units without role assignments,
252
00:09:16,240 --> 00:09:18,680
meaning your regional delegations are fiction.
253
00:09:18,680 --> 00:09:21,080
Once you see those, the fix pattern becomes obvious
254
00:09:21,080 --> 00:09:24,480
in the next section, break the inheritance, localize power,
255
00:09:24,480 --> 00:09:27,320
and separate cloud admin lifecycle from on-prem.
256
00:09:27,320 --> 00:09:29,360
Because until you sever those couplings,
257
00:09:29,360 --> 00:09:31,360
Azure will continue to faithfully compile
258
00:09:31,360 --> 00:09:33,560
your oldest assumptions into today's authorization
259
00:09:33,560 --> 00:09:34,720
decisions.
260
00:09:34,720 --> 00:09:35,880
Hybrid identity.
261
00:09:35,880 --> 00:09:38,080
Break the inheritance, localize power.
262
00:09:38,080 --> 00:09:39,720
The thing most people miss is simple.
263
00:09:39,720 --> 00:09:41,240
The cloud will faithfully preserve
264
00:09:41,240 --> 00:09:43,000
whatever privilege accretion you hand it.
265
00:09:43,000 --> 00:09:44,240
It does not negotiate.
266
00:09:44,240 --> 00:09:46,480
If you want least privilege, you have to assert it here
267
00:09:46,480 --> 00:09:48,760
at the control plane with constructs
268
00:09:48,760 --> 00:09:52,080
the engine actually understands. Why this matters.
269
00:09:52,080 --> 00:09:55,080
When admin identities and permissions flow from AD to Entra
270
00:09:55,080 --> 00:09:57,120
without redesign, you are not integrating.
271
00:09:57,120 --> 00:09:58,680
You are extending blast radius,
272
00:09:58,680 --> 00:09:59,880
every incident, every exception,
273
00:09:59,880 --> 00:10:02,240
every shared account now spans two planes.
274
00:10:02,240 --> 00:10:04,040
The reason this works is deterministic.
275
00:10:04,040 --> 00:10:07,080
Synchronization copies objects, authorization compiles them.
276
00:10:07,080 --> 00:10:09,560
If you remember nothing else, remember this.
277
00:10:09,560 --> 00:10:12,000
Break the inheritance before you attempt control.
278
00:10:12,000 --> 00:10:13,000
What to change?
279
00:10:13,000 --> 00:10:16,600
You need three moves that reassert intent in cloud-native terms.
280
00:10:16,600 --> 00:10:19,040
Cloud-only admin identities that never synchronize.
281
00:10:19,040 --> 00:10:22,160
Role scope that matches reality, enforced via admin units.
282
00:10:22,160 --> 00:10:25,200
Just-in-time access, so privilege exists only when needed.
283
00:10:25,200 --> 00:10:28,240
Let me show you exactly how to anchor each one.
284
00:10:28,240 --> 00:10:30,280
First, cloud-only admin roles.
285
00:10:30,280 --> 00:10:32,960
Create administrator accounts that live only in Entra.
286
00:10:32,960 --> 00:10:35,400
No on-prem UPN, no synchronization object,
287
00:10:35,400 --> 00:10:37,360
and no password sync dependency.
288
00:10:37,360 --> 00:10:40,040
Assign them administrative roles through Privileged Identity
289
00:10:40,040 --> 00:10:42,160
Management so they are eligible, not standing.
290
00:10:42,160 --> 00:10:44,240
The reason this works is you've removed the coupling
291
00:10:44,240 --> 00:10:47,080
to domain controller health and local machine posture.
292
00:10:47,080 --> 00:10:49,480
Your cloud admin credential can be fenced
293
00:10:49,480 --> 00:10:52,120
with phishing-resistant strengths and device requirements
294
00:10:52,120 --> 00:10:53,960
the on-prem account can't satisfy.
295
00:10:53,960 --> 00:10:55,760
Once you nail that everything else clicks,
296
00:10:55,760 --> 00:10:58,600
passwords for operational identities stop being your incident
297
00:10:58,600 --> 00:11:01,160
workaround and break glass becomes a tested path,
298
00:11:01,160 --> 00:11:02,240
not an assumption.
299
00:11:02,240 --> 00:11:04,960
Second, localize power with administrative units.
300
00:11:04,960 --> 00:11:07,040
OU semantics don't translate, therefore you must
301
00:11:07,040 --> 00:11:08,920
reintroduce scope deliberately.
302
00:11:08,920 --> 00:11:12,280
Build admin units aligned to the natural seams of your organization,
303
00:11:12,280 --> 00:11:15,800
region, subsidiary, or function, and place the users and groups
304
00:11:15,800 --> 00:11:18,200
that truly belong to that scope inside.
305
00:11:18,200 --> 00:11:20,920
Then delegate only the roles that team needs
306
00:11:20,920 --> 00:11:23,120
against that admin unit, not the tenant.
307
00:11:23,120 --> 00:11:25,600
Helpdesk user administrator, groups administrator,
308
00:11:25,600 --> 00:11:27,080
limited to that boundary.
309
00:11:27,080 --> 00:11:29,880
The game changer nobody talks about is what you don't add.
310
00:11:29,880 --> 00:11:33,600
Never add the group itself if your intent is to manage the people.
311
00:11:33,600 --> 00:11:34,760
Add the users.
312
00:11:34,760 --> 00:11:36,920
Otherwise you've created an elevation path
313
00:11:36,920 --> 00:11:38,360
by membership manipulation.
314
00:11:38,360 --> 00:11:40,000
That distinction matters.
315
00:11:40,000 --> 00:11:42,160
Third, enforce just-in-time with PIM.
316
00:11:42,160 --> 00:11:43,800
Standing privilege is not resilience,
317
00:11:43,800 --> 00:11:44,800
it's security debt.
318
00:11:44,800 --> 00:11:46,560
Make every privileged role eligible,
319
00:11:46,560 --> 00:11:48,920
require strong authentication at activation.
320
00:11:48,920 --> 00:11:51,520
Add an authentication context if you want a compliant device
321
00:11:51,520 --> 00:11:53,440
or a known location for elevation.
322
00:11:53,440 --> 00:11:55,760
Set maximum durations that reflect real work,
323
00:11:55,760 --> 00:11:57,240
not eight hour defaults.
324
00:11:57,240 --> 00:12:00,400
The reason this works is you're forcing the authorization compiler
325
00:12:00,400 --> 00:12:02,680
to re-evaluate risk and controls at the moment
326
00:12:02,680 --> 00:12:05,160
privilege materializes, not after the fact.
327
00:12:05,160 --> 00:12:06,960
And yes, document approvals.
328
00:12:06,960 --> 00:12:09,920
If nobody approves anything, then time is your only guardrail.
329
00:12:09,920 --> 00:12:11,840
Treat durations as blast radius windows.
330
00:12:11,840 --> 00:12:13,360
Now here's where most people mess up.
331
00:12:13,360 --> 00:12:15,520
They block synchronized global admins,
332
00:12:15,520 --> 00:12:17,640
but leave synchronized application administrators,
333
00:12:17,640 --> 00:12:19,120
cloud-app security administrators,
334
00:12:19,120 --> 00:12:21,520
or Exchange administrators intact, rationalizing:
335
00:12:21,520 --> 00:12:22,880
'It's not global.'
336
00:12:22,880 --> 00:12:25,200
It is not, but those roles compose attack paths
337
00:12:25,200 --> 00:12:27,760
when combined with app ownership and consent flows.
338
00:12:27,760 --> 00:12:29,760
Remove synchronization for any identity
339
00:12:29,760 --> 00:12:31,560
that holds tenant-level roles.
340
00:12:31,560 --> 00:12:33,400
If you must delegate to synchronized users
341
00:12:33,400 --> 00:12:35,200
for business operations, keep those roles
342
00:12:35,200 --> 00:12:38,000
scoped to admin units or application objects
343
00:12:38,000 --> 00:12:41,240
and keep the path to tenant-wide rights cloud-only.
344
00:12:41,240 --> 00:12:43,880
Evidence you can pull today to verify progress.
345
00:12:43,880 --> 00:12:46,440
Entra users list filtered to on-prem sync enabled
346
00:12:46,440 --> 00:12:48,840
equals true, intersected with directory role assignments.
347
00:12:48,840 --> 00:12:51,920
That surface should be empty for tenant-wide privilege roles.
348
00:12:51,920 --> 00:12:55,640
Role assignment inventory where scope equals tenant root.
349
00:12:55,640 --> 00:12:58,080
Every principal here should be cloud-only,
350
00:12:58,080 --> 00:13:01,040
PIM-eligible, and bound to phishing-resistant strengths.
351
00:13:01,040 --> 00:13:03,000
Admin units with role assignments.
352
00:13:03,000 --> 00:13:05,280
If you have admin units, but zero assignments,
353
00:13:05,280 --> 00:13:07,000
you've built boxes with no locks.
354
00:13:07,000 --> 00:13:08,520
You haven't localized power.
355
00:13:08,520 --> 00:13:10,480
You've only drawn a map.
356
00:13:10,480 --> 00:13:12,080
Common mistakes to avoid.
357
00:13:12,080 --> 00:13:14,480
Treating AD groups as truth for cloud roles.
358
00:13:14,480 --> 00:13:15,920
Group membership in a synced group
359
00:13:15,920 --> 00:13:17,920
is not a control boundary in Entra.
360
00:13:17,920 --> 00:13:19,360
It's an entropy generator.
361
00:13:19,360 --> 00:13:21,800
If you need a group to receive a privilege role,
362
00:13:21,800 --> 00:13:25,000
make it a cloud-only group flagged to accept directory roles
363
00:13:25,000 --> 00:13:27,600
and keep membership assigned, not dynamic.
364
00:13:27,600 --> 00:13:30,560
Ignoring privileged access workstations for cloud auth.
365
00:13:30,560 --> 00:13:33,080
If your admins can elevate from unmanaged devices,
366
00:13:33,080 --> 00:13:35,680
your compliant device story is a slogan.
367
00:13:35,680 --> 00:13:38,600
Tie PIM activation to an authentication context
368
00:13:38,600 --> 00:13:41,120
that enforces a compliant, registered device
369
00:13:41,120 --> 00:13:43,840
or a hardware-backed passkey. Relying on pass-through
370
00:13:43,840 --> 00:13:45,680
or federation to keep auth on-prem:
371
00:13:45,680 --> 00:13:48,440
Federation does not change where authorization happens.
372
00:13:48,440 --> 00:13:50,520
Conditional access still compiles in Entra.
373
00:13:50,520 --> 00:13:53,080
You've added fragility without gaining control.
374
00:13:53,080 --> 00:13:54,680
Quick win you can achieve today.
375
00:13:54,680 --> 00:13:57,120
Isolate break glass from synchronization.
376
00:13:57,120 --> 00:13:59,360
Create two cloud-only emergency access accounts
377
00:13:59,360 --> 00:14:00,960
with long, vaulted passwords
378
00:14:00,960 --> 00:14:02,680
and no conditional access enforcement
379
00:14:02,680 --> 00:14:04,400
other than location-allow listing,
380
00:14:04,400 --> 00:14:05,880
then verify two things.
381
00:14:05,880 --> 00:14:09,200
They sign in and their sign-ins show up in your logs.
382
00:14:09,200 --> 00:14:11,320
If you can't see them, you can't trust them.
383
00:14:11,320 --> 00:14:12,880
Then enumerate synchronized admins,
384
00:14:12,880 --> 00:14:15,240
remove tenant-wide roles from any synced principal
385
00:14:15,240 --> 00:14:17,120
and replace those paths with PIM-eligible
386
00:14:17,120 --> 00:14:19,840
cloud-only accounts scoped through admin units.
387
00:14:19,840 --> 00:14:22,120
That severing of inheritance is the pivot.
388
00:14:22,120 --> 00:14:25,120
Once you do it, your hybrid story stops being a liability
389
00:14:25,120 --> 00:14:26,680
and starts being a choice.
390
00:14:26,680 --> 00:14:29,960
Case study context two, conditional access policy sprawl.
391
00:14:29,960 --> 00:14:31,800
Once you sever hybrid inheritance,
392
00:14:31,800 --> 00:14:33,720
the next entropy generator is waiting.
393
00:14:33,720 --> 00:14:36,760
Conditional access, it starts elegant, a few clear policies.
394
00:14:36,760 --> 00:14:39,040
Then the complaints arrive, the outages happen
395
00:14:39,040 --> 00:14:41,880
and the execution engine gets paved over with exceptions.
396
00:14:41,880 --> 00:14:44,600
Two years in, CA becomes identity-debt central.
397
00:14:44,600 --> 00:14:47,120
The symptom pattern is consistent, policy per problem,
398
00:14:47,120 --> 00:14:48,640
exclusions per complaint,
399
00:14:48,640 --> 00:14:50,360
someone can't access a legacy app
400
00:14:50,360 --> 00:14:53,000
so you create an app-specific policy with a bypass.
401
00:14:53,000 --> 00:14:54,680
An executive gets prompted too often,
402
00:14:54,680 --> 00:14:56,000
so you exclude a group.
403
00:14:56,000 --> 00:14:57,320
A vendor needs temporary access
404
00:14:57,320 --> 00:14:59,480
so you carve out a location allow-list.
405
00:14:59,480 --> 00:15:00,720
None of these are governance,
406
00:15:00,720 --> 00:15:03,000
they are branches in code you no longer review.
407
00:15:03,000 --> 00:15:06,120
Branches multiply, debt signals are loud if you listen.
408
00:15:06,120 --> 00:15:09,160
Pause here, this is the mistake most teams don't see.
409
00:15:09,160 --> 00:15:12,120
The first is the comfort phrase, exclude break glass.
410
00:15:12,120 --> 00:15:13,880
You meant to protect emergency access.
411
00:15:13,880 --> 00:15:16,880
Instead, you hid it from evaluation and from observation.
412
00:15:16,880 --> 00:15:18,560
If a sign in never meets a policy,
413
00:15:18,560 --> 00:15:21,320
it never emits the telemetry tied to that policy.
414
00:15:21,320 --> 00:15:23,240
Break glass wasn't protected, it was invisible.
415
00:15:23,240 --> 00:15:25,080
That distinction matters.
416
00:15:25,080 --> 00:15:28,240
Second signal, app-specific bypasses with no owner.
417
00:15:28,240 --> 00:15:30,360
Look for policies that target one application
418
00:15:30,360 --> 00:15:32,720
and exclude one or two groups temporarily.
419
00:15:32,720 --> 00:15:34,720
If the policy object has no business owner,
420
00:15:34,720 --> 00:15:36,960
no expiry and no last-reviewed note,
421
00:15:36,960 --> 00:15:39,080
you're running unaudited code in production.
422
00:15:39,080 --> 00:15:40,600
Ownership is governance.
423
00:15:40,600 --> 00:15:42,760
Everything else is drift.
424
00:15:42,760 --> 00:15:45,400
Third signal, overlapping controls.
425
00:15:45,400 --> 00:15:48,600
You require MFA in one policy for all cloud apps.
426
00:15:48,600 --> 00:15:51,920
You require phishing-resistant strengths for privileged roles.
427
00:15:51,920 --> 00:15:54,000
You block legacy protocols in a third,
428
00:15:54,000 --> 00:15:55,760
but then you exclude trusted locations
429
00:15:55,760 --> 00:15:57,480
on the first, exclude service accounts
430
00:15:57,480 --> 00:15:59,760
on the second, and carve out IMAP on the third.
431
00:15:59,760 --> 00:16:02,560
The evaluation pipeline can produce contradictory results
432
00:16:02,560 --> 00:16:03,840
across paths.
433
00:16:03,840 --> 00:16:05,400
The outcome is probabilistic.
434
00:16:05,400 --> 00:16:08,440
Access depends on which branch short circuits first.
435
00:16:08,440 --> 00:16:11,200
If you remember nothing else from this section, remember this.
436
00:16:11,200 --> 00:16:13,160
Conditional access debt hides in the paths
437
00:16:13,160 --> 00:16:14,560
where policy never runs.
438
00:16:14,560 --> 00:16:15,720
If you don't fix those branches,
439
00:16:15,720 --> 00:16:18,560
your next outage will be negotiated with exceptions you can't see.
440
00:16:18,560 --> 00:16:20,760
Here's the near miss most teams don't forget.
441
00:16:20,760 --> 00:16:23,120
An MFA provider outage overlaps with your MFA
442
00:16:23,120 --> 00:16:24,480
for all users policy.
443
00:16:24,480 --> 00:16:26,320
Your responders try to use break glass.
444
00:16:26,320 --> 00:16:27,640
It works, technically.
445
00:16:27,640 --> 00:16:30,520
But because the account and path were excluded from policy,
446
00:16:30,520 --> 00:16:32,680
the sign-in doesn't appear where the team expects.
447
00:16:32,680 --> 00:16:34,120
No alert, no visibility.
448
00:16:34,120 --> 00:16:36,040
The responders assume they're still blocked.
449
00:16:36,040 --> 00:16:37,240
Minutes turn to hours.
450
00:16:37,240 --> 00:16:39,000
The incident drags because the escape hatch
451
00:16:39,000 --> 00:16:40,840
was never validated under failure
452
00:16:40,840 --> 00:16:43,360
and the telemetry was never wired to observation.
453
00:16:43,360 --> 00:16:44,840
If you're a security leader,
454
00:16:44,840 --> 00:16:46,840
this is the metric you should demand.
455
00:16:46,840 --> 00:16:49,400
How many privileged sign-ins show conditional access,
456
00:16:49,400 --> 00:16:50,760
not applied, and why?
457
00:16:50,760 --> 00:16:53,200
Root cause every time: treating conditional access
458
00:16:53,200 --> 00:16:54,440
like governance. It is not.
459
00:16:54,440 --> 00:16:57,880
It's an execution engine that compiles if-then rules at sign-in.
460
00:16:57,880 --> 00:17:00,840
It will enforce perfectly even when what remains is wrong.
461
00:17:00,840 --> 00:17:02,720
Governance implies life cycle, ownership,
462
00:17:02,720 --> 00:17:05,680
review, expiry, measurement. CA does none of that for you.
463
00:17:05,680 --> 00:17:08,680
Report only mode feels like safety, but it's often purgatory.
464
00:17:08,680 --> 00:17:11,840
Policies sit there indefinitely because turning them on is scary.
465
00:17:11,840 --> 00:17:15,440
Meanwhile, temporary exceptions remain the only enforced code.
466
00:17:15,440 --> 00:17:17,320
Before we continue, you need to understand
467
00:17:17,320 --> 00:17:19,240
the evaluation flow at a glance.
468
00:17:19,240 --> 00:17:21,560
The engine loads applicable policies based
469
00:17:21,560 --> 00:17:25,000
on user, group, role, app and conditions.
470
00:17:25,000 --> 00:17:26,520
It processes blocks first.
471
00:17:26,520 --> 00:17:29,000
If any policy says block, access ends,
472
00:17:29,000 --> 00:17:32,040
then it applies grant controls, combining requirements
473
00:17:32,040 --> 00:17:35,320
with AND logic unless you explicitly configure OR.
474
00:17:35,320 --> 00:17:38,040
Exclusions remove objects from the policy scope
475
00:17:38,040 --> 00:17:39,320
before evaluation.
476
00:17:39,320 --> 00:17:41,040
That's the pathway where debt hides.
477
00:17:41,040 --> 00:17:43,480
You bypass the compiler altogether.
478
00:17:43,480 --> 00:17:45,280
Let's ground this before moving on.
479
00:17:45,280 --> 00:17:47,720
If a sign-in is excluded, no amount of monitoring
480
00:17:47,720 --> 00:17:49,920
will ever show you the control that didn't run.
481
00:17:49,920 --> 00:17:52,840
Evidence you can pull without clicking through every policy.
482
00:17:52,840 --> 00:17:55,520
Sign-in logs filtered for conditional access,
483
00:17:55,520 --> 00:17:58,000
not applied with a reason of user excluded
484
00:17:58,000 --> 00:17:59,640
or application excluded.
485
00:17:59,640 --> 00:18:00,760
Those are the blind paths.
486
00:18:00,760 --> 00:18:03,120
If they appear for privileged roles or sensitive apps,
487
00:18:03,120 --> 00:18:05,040
you have unaudited code running.
488
00:18:05,040 --> 00:18:07,160
A KQL trend of legacy protocol attempts
489
00:18:07,160 --> 00:18:08,800
alongside CA results.
490
00:18:08,800 --> 00:18:11,440
If legacy traffic shows up and CA is not applied,
491
00:18:11,440 --> 00:18:13,920
you're relying on a block that never evaluates.
492
00:18:13,920 --> 00:18:16,120
That's not control, that's hope.
493
00:18:16,120 --> 00:18:19,120
A policy inventory showing count, targets and exclusions.
494
00:18:19,120 --> 00:18:20,960
If your policy count grows linearly
495
00:18:20,960 --> 00:18:23,840
while your coverage of all cloud apps shrinks,
496
00:18:23,840 --> 00:18:26,160
you're trading simplicity for fragmentation.
497
00:18:26,160 --> 00:18:28,920
Now the behavioral mistake, trusted locations are treated
498
00:18:28,920 --> 00:18:30,760
as a get-out-of-prompts zone.
499
00:18:30,760 --> 00:18:33,520
The network feels safe, but conditional access has no context
500
00:18:33,520 --> 00:18:36,880
of whether that IP range actually binds to managed devices
501
00:18:36,880 --> 00:18:38,200
or whether the traffic is proxied.
502
00:18:38,200 --> 00:18:40,200
You just taught the compiler to trust a CIDR
503
00:18:40,200 --> 00:18:41,600
more than a device posture.
504
00:18:41,600 --> 00:18:43,920
That choice outlives the justification.
505
00:18:43,920 --> 00:18:47,440
Another recurring trap, service accounts excluded from policies.
506
00:18:47,440 --> 00:18:49,880
There is no such identity class in Entra for CA.
507
00:18:49,880 --> 00:18:52,720
You created a group, you labeled it, you excluded it,
508
00:18:52,720 --> 00:18:54,720
you now have human principals hiding in a category
509
00:18:54,720 --> 00:18:57,000
the engine cannot distinguish from automation.
510
00:18:57,000 --> 00:18:59,400
Workload identities don't even evaluate CA.
511
00:18:59,400 --> 00:19:00,600
Humans do.
512
00:19:00,600 --> 00:19:03,240
Your exclusion is an entropy generator misapplied to people.
513
00:19:03,240 --> 00:19:06,320
And then there's report only limbo, teams stage 10 policies,
514
00:19:06,320 --> 00:19:08,200
wait for the perfect moment to turn them on
515
00:19:08,200 --> 00:19:09,560
and leave them inert for quarters.
516
00:19:09,560 --> 00:19:12,680
Meanwhile, incident reviews keep pointing at the same gaps.
517
00:19:12,680 --> 00:19:15,360
If a policy sits in report only for more than a sprint,
518
00:19:15,360 --> 00:19:16,400
it isn't staging.
519
00:19:16,400 --> 00:19:18,040
It is indecision encoded.
520
00:19:18,040 --> 00:19:19,760
What should you recognize in your tenant today?
521
00:19:19,760 --> 00:19:21,520
Policies that target all cloud apps
522
00:19:21,520 --> 00:19:24,720
but exclude one or more executive groups, emergency access
523
00:19:24,720 --> 00:19:26,040
or entire locations.
524
00:19:26,040 --> 00:19:28,400
App targeted policies with no metadata on owner,
525
00:19:28,400 --> 00:19:31,560
reason or expiry. Conflicting grant controls across paths:
526
00:19:31,560 --> 00:19:34,360
MFA required here, phishing-resistant only there,
527
00:19:34,360 --> 00:19:36,440
device compliance waived somewhere else.
528
00:19:36,440 --> 00:19:38,440
Not applied sign-ins for privileged roles.
529
00:19:38,440 --> 00:19:40,320
If you see those, you've confirmed sprawl.
530
00:19:40,320 --> 00:19:42,760
The fix is not more policies, it's fewer branches,
531
00:19:42,760 --> 00:19:44,760
stronger strengths for high value roles
532
00:19:44,760 --> 00:19:48,000
and a hard stop on exclusions without an owner and a clock.
533
00:19:48,000 --> 00:19:50,560
The execution engine will enforce whatever remains,
534
00:19:50,560 --> 00:19:52,520
make sure what remains reflects intent.
535
00:19:52,520 --> 00:19:55,440
Conditional access as authorization compiler,
536
00:19:55,440 --> 00:19:57,320
baseline, strengths and blocks.
537
00:19:57,320 --> 00:19:58,840
This is the uncomfortable truth.
538
00:19:58,840 --> 00:20:01,120
Conditional access is an authorization compiler.
539
00:20:01,120 --> 00:20:02,800
It takes context at runtime,
540
00:20:02,800 --> 00:20:04,280
who you are, what you're touching,
541
00:20:04,280 --> 00:20:06,200
where you're coming from, the device posture,
542
00:20:06,200 --> 00:20:07,760
and compiles it into a decision.
543
00:20:07,760 --> 00:20:09,720
Baseline first, then strengths, then blocks.
544
00:20:09,720 --> 00:20:12,080
Keep the surface small, keep the branches obvious.
545
00:20:12,080 --> 00:20:13,680
Everything else is entropy.
546
00:20:13,680 --> 00:20:14,960
Why start with a baseline?
547
00:20:14,960 --> 00:20:17,240
Because the compiler needs a predictable core.
548
00:20:17,240 --> 00:20:20,440
If you try to reason about 10 overlapping policies, you won't.
549
00:20:20,440 --> 00:20:22,040
So set three and mean them.
550
00:20:22,040 --> 00:20:24,360
Baseline one, block legacy authentication.
551
00:20:24,360 --> 00:20:27,480
Not reduced, not softened, not "except for", block it.
552
00:20:27,480 --> 00:20:30,120
Legacy protocols don't emit the signals the compiler needs.
553
00:20:30,120 --> 00:20:32,640
They bypass the policy pipeline by definition.
554
00:20:32,640 --> 00:20:35,800
If you leave any door open, your logs become a weather report.
555
00:20:35,800 --> 00:20:37,280
Interesting, not controlling.
556
00:20:37,280 --> 00:20:39,880
Baseline two, MFA for all users, yes all.
557
00:20:39,880 --> 00:20:41,960
The compiler should always have a second factor
558
00:20:41,960 --> 00:20:44,360
to resolve risk when signals are ambiguous.
559
00:20:44,360 --> 00:20:46,000
Use it as a floor, not a ceiling.
560
00:20:46,000 --> 00:20:47,560
You are not promising perfect assurance.
561
00:20:47,560 --> 00:20:49,360
You are avoiding single factor chaos.
562
00:20:49,360 --> 00:20:51,320
Baseline three, phishing-resistant strengths
563
00:20:51,320 --> 00:20:52,640
for admins and critical apps.
564
00:20:52,640 --> 00:20:54,800
This is where the baseline becomes opinionated.
565
00:20:54,800 --> 00:20:56,400
A privileged token minted on the back
566
00:20:56,400 --> 00:20:58,480
of a push notification is a time bomb.
567
00:20:58,480 --> 00:21:00,640
Strengths, FIDO2, certificate-based,
568
00:21:00,640 --> 00:21:04,720
passkeys, bind the assertion to a device or a key.
569
00:21:04,720 --> 00:21:06,480
That distinction matters.
570
00:21:06,480 --> 00:21:08,200
The thing most people miss is that strengths
571
00:21:08,200 --> 00:21:10,160
are not just harder MFA.
572
00:21:10,160 --> 00:21:12,160
They collapse entire classes of failure.
573
00:21:12,160 --> 00:21:15,720
No prompt bombing, no shared OTPs, no SIM swap recovery.
574
00:21:15,720 --> 00:21:17,800
When you require a phishing-resistant strength,
575
00:21:17,800 --> 00:21:19,600
the compiler can stop asking the network
576
00:21:19,600 --> 00:21:21,120
to be your identity perimeter.
577
00:21:21,120 --> 00:21:21,920
That is the shift.
578
00:21:21,920 --> 00:21:24,680
Now how to express that cleanly without building a labyrinth?
579
00:21:24,680 --> 00:21:26,600
Think in three policies, not 13.
580
00:21:26,600 --> 00:21:29,320
Policy A, block legacy authentication.
581
00:21:29,320 --> 00:21:31,600
Target all users, all cloud apps, client apps,
582
00:21:31,600 --> 00:21:33,200
conditions set to legacy protocols.
583
00:21:33,200 --> 00:21:34,960
No exclusions, you do not need to be clever.
584
00:21:34,960 --> 00:21:36,200
You need to be complete.
585
00:21:36,200 --> 00:21:38,760
Policy B, require MFA for all cloud apps.
586
00:21:38,760 --> 00:21:40,440
Target all users, all cloud apps.
587
00:21:40,440 --> 00:21:42,920
Grant controls, require multi-factor authentication.
588
00:21:42,920 --> 00:21:45,040
Minimal exclusions for break glass only
589
00:21:45,040 --> 00:21:47,240
and time boxed, owned and logged.
590
00:21:47,240 --> 00:21:50,080
If an exception does not have an owner and an expiry,
591
00:21:50,080 --> 00:21:51,440
it is not an exception.
592
00:21:51,440 --> 00:21:52,120
It's an orphan.
593
00:21:52,120 --> 00:21:56,480
Policy C, require phishing resistant authentication
594
00:21:56,480 --> 00:21:59,120
strengths for privileged roles and high value apps.
595
00:21:59,120 --> 00:22:01,360
Target directory roles and the specific enterprise apps
596
00:22:01,360 --> 00:22:04,760
that move money, modify policy or administer identity.
597
00:22:04,760 --> 00:22:06,800
Grant controls, require authentication strength,
598
00:22:06,800 --> 00:22:09,320
phishing-resistant, or consider also an authentication
599
00:22:09,320 --> 00:22:10,680
context for PIM activation.
600
00:22:10,680 --> 00:22:12,600
So elevation inherits the same bar.
601
00:22:12,600 --> 00:22:14,880
This next part separates beginners from pros:
602
00:22:14,880 --> 00:22:16,680
do not stack overlapping policy scopes
603
00:22:16,680 --> 00:22:19,320
that silently weaken the strongest requirement.
604
00:22:19,320 --> 00:22:21,720
The compiler evaluates blocks first,
605
00:22:21,720 --> 00:22:23,320
then it combines grant requirements
606
00:22:23,320 --> 00:22:26,840
with AND logic inside a policy, but across policies,
607
00:22:26,840 --> 00:22:29,080
the effective result is the union of requirements
608
00:22:29,080 --> 00:22:31,080
applied to the request's path.
609
00:22:31,080 --> 00:22:33,520
If a weaker policy excludes the object, it vanishes.
610
00:22:33,520 --> 00:22:35,280
That's why branches matter more than counts.
611
00:22:35,280 --> 00:22:37,560
Once you nail the baseline, everything else clicks,
612
00:22:37,560 --> 00:22:39,960
you isolate high value paths with strengths.
613
00:22:39,960 --> 00:22:42,280
You block the unobservable legacy flows.
614
00:22:42,280 --> 00:22:44,360
You stop treating MFA as a universal solvent
615
00:22:44,360 --> 00:22:45,960
and start using it as table stakes.
616
00:22:45,960 --> 00:22:47,520
Now, the blocks.
617
00:22:47,520 --> 00:22:49,360
There are only two that deserve to exist.
618
00:22:49,360 --> 00:22:52,120
Block one, legacy authentication, we already covered it.
619
00:22:52,120 --> 00:22:53,240
It's non-negotiable.
620
00:22:53,240 --> 00:22:54,880
Block two, known bad risk.
621
00:22:54,880 --> 00:22:58,000
If you have Entra ID Protection (P2), high user risk
622
00:22:58,000 --> 00:23:00,720
and high sign-in risk are blocks, not prompts.
623
00:23:00,720 --> 00:23:03,120
If the engine believes the credential is owned by someone else,
624
00:23:03,120 --> 00:23:05,080
you don't negotiate, you cut power.
625
00:23:05,080 --> 00:23:07,200
Everything else, use grant controls, not blocks.
626
00:23:07,200 --> 00:23:09,320
You want the compiler to shape the assurance
627
00:23:09,320 --> 00:23:11,840
to the action, not strand users on the wrong side of a line
628
00:23:11,840 --> 00:23:14,160
because they moved from Wi-Fi to LTE.
629
00:23:14,160 --> 00:23:16,200
Evidence that you can pull to prove this is working
630
00:23:16,200 --> 00:23:17,280
is straightforward.
631
00:23:17,280 --> 00:23:20,880
Policy evaluation flow, where legacy protocol requests show
632
00:23:20,880 --> 00:23:23,520
blocked by policy, legacy authentication
633
00:23:23,520 --> 00:23:26,360
with zero not applied for legacy client apps.
634
00:23:26,360 --> 00:23:29,040
If you see not applied, you don't have control.
635
00:23:29,040 --> 00:23:30,000
You have a story.
636
00:23:30,000 --> 00:23:32,680
Authentication methods, registration, showing coverage
637
00:23:32,680 --> 00:23:35,200
of phishing-resistant credentials for every principal
638
00:23:35,200 --> 00:23:36,440
in a privileged role.
639
00:23:36,440 --> 00:23:39,320
If a role has members with only passwords and OTPs,
640
00:23:39,320 --> 00:23:42,000
you've labeled risk "admin". Sign-in logs filtered
641
00:23:42,000 --> 00:23:44,200
to privileged roles with authentication requirement,
642
00:23:44,200 --> 00:23:45,480
phishing-resistant.
643
00:23:45,480 --> 00:23:47,720
If that field isn't present, you required nothing.
644
00:23:47,720 --> 00:23:48,800
You hoped.
645
00:23:48,800 --> 00:23:50,640
Here's the shortcut nobody teaches.
646
00:23:50,640 --> 00:23:52,920
Reduce your policy count before you raise
647
00:23:52,920 --> 00:23:54,000
your policy bar.
648
00:23:54,000 --> 00:23:56,440
Every policy you don't need is a branch you won't debug
649
00:23:56,440 --> 00:23:58,520
at 2 a.m. Inventory exclusions with owners,
650
00:23:58,520 --> 00:24:00,480
delete or time box anything without one.
651
00:24:00,480 --> 00:24:02,920
Move trusted location logic to authentication context
652
00:24:02,920 --> 00:24:05,400
tied to device compliance instead of CIDRs.
653
00:24:05,400 --> 00:24:08,360
Treat service accounts as what they are, humans or workloads.
654
00:24:08,360 --> 00:24:09,440
Humans evaluate CA.
655
00:24:09,440 --> 00:24:11,720
Workloads do not. Exclude neither by label.
656
00:24:11,720 --> 00:24:13,520
Common mistakes to avoid.
657
00:24:13,520 --> 00:24:16,360
Requiring MFA for admins but not requiring strengths.
658
00:24:16,360 --> 00:24:18,680
You just made prompt spam your last line of defense.
659
00:24:18,680 --> 00:24:20,360
Using report only as a parking lot.
660
00:24:20,360 --> 00:24:22,600
If a policy can't go to "on" within a sprint,
661
00:24:22,600 --> 00:24:25,320
it belongs in backlog refinement, not production.
662
00:24:25,320 --> 00:24:27,760
Carving permanent location-based bypasses.
663
00:24:27,760 --> 00:24:29,920
The compiler can't see the difference between your office
664
00:24:29,920 --> 00:24:31,360
and an IP-spoofed range.
665
00:24:31,360 --> 00:24:32,520
Device posture is real.
666
00:24:32,520 --> 00:24:34,600
IP space is theater. Quick win.
667
00:24:34,600 --> 00:24:36,000
Cut to three policies.
668
00:24:36,000 --> 00:24:38,640
Require strengths for anyone who can change authorization
669
00:24:38,640 --> 00:24:41,120
or compute, and run a not-applied sign-in report
670
00:24:41,120 --> 00:24:42,360
for privileged roles.
671
00:24:42,360 --> 00:24:45,080
If the list is non-empty, you have blind paths.
672
00:24:45,080 --> 00:24:46,720
Reduce them before you add anything else.
673
00:24:46,720 --> 00:24:48,760
The authorization compiler will enforce what remains.
674
00:24:48,760 --> 00:24:50,640
Make sure it's worth enforcing.
675
00:24:50,640 --> 00:24:52,160
Case study context three.
676
00:24:52,160 --> 00:24:54,680
Service principals and workload identities.
677
00:24:54,680 --> 00:24:56,760
This is where the control plane goes quiet.
678
00:24:56,760 --> 00:24:58,920
No prompts, no pop-ups, no human in the loop.
679
00:24:58,920 --> 00:25:00,760
Service principals and managed identities
680
00:25:00,760 --> 00:25:03,200
are production identities that never see MFA
681
00:25:03,200 --> 00:25:06,840
and rarely see owners. When they drift, they drift silently.
682
00:25:06,840 --> 00:25:07,800
Why this matters.
683
00:25:07,800 --> 00:25:09,320
The system treats a workload the same way
684
00:25:09,320 --> 00:25:11,160
it treats a person in one critical regard.
685
00:25:11,160 --> 00:25:13,560
It mints tokens that can administer your tenant.
686
00:25:13,560 --> 00:25:16,080
But unlike people, workloads don't get challenged.
687
00:25:16,080 --> 00:25:19,320
If the scope is wrong, the compiler says yes at machine speed.
688
00:25:19,320 --> 00:25:20,880
The debt signals are consistent.
689
00:25:20,880 --> 00:25:22,400
Long-lived client secrets.
690
00:25:22,400 --> 00:25:24,640
Broad Graph scopes like Directory.ReadWrite.All
691
00:25:24,640 --> 00:25:26,320
for the pipeline.
692
00:25:26,320 --> 00:25:28,120
Enterprise applications with no owner.
693
00:25:28,120 --> 00:25:30,240
Certificates that expire in 2034.
694
00:25:30,240 --> 00:25:31,640
Sign-in logs that never show up
695
00:25:31,640 --> 00:25:33,200
because nothing interactive happens.
696
00:25:33,200 --> 00:25:35,600
That is not resilience, that is unobserved authority.
697
00:25:35,600 --> 00:25:37,480
Here's the pattern you've already seen.
698
00:25:37,480 --> 00:25:38,880
Applied to automation.
699
00:25:38,880 --> 00:25:41,120
Intent, translation, exception.
700
00:25:41,120 --> 00:25:42,280
Orphan, persistence.
701
00:25:42,280 --> 00:25:43,440
If you remember nothing else
702
00:25:43,440 --> 00:25:46,080
from the workload identity section, remember this.
703
00:25:46,080 --> 00:25:48,600
Every temporary elevation for a pipeline
704
00:25:48,600 --> 00:25:50,400
becomes a permanent attack path
705
00:25:50,400 --> 00:25:52,560
unless someone owns its life cycle.
706
00:25:52,560 --> 00:25:55,720
Intent, let the pipeline create app registrations
707
00:25:55,720 --> 00:25:57,000
and assign roles.
708
00:25:57,000 --> 00:26:00,680
Translation, grant Directory.ReadWrite.All
709
00:26:00,680 --> 00:26:02,920
to the service principal, it's easier.
710
00:26:02,920 --> 00:26:05,840
Exception, skip rotation until after the release,
711
00:26:05,840 --> 00:26:07,240
extend the secret.
712
00:26:07,240 --> 00:26:10,680
Orphan, the dev who created it left,
713
00:26:10,680 --> 00:26:13,120
the app still works, nobody owns it.
714
00:26:13,120 --> 00:26:16,000
Persistence, it ships features, nobody questions the scope.
715
00:26:16,000 --> 00:26:17,800
Now the incident pattern most teams deny
716
00:26:17,800 --> 00:26:19,360
until the post-mortem.
717
00:26:19,360 --> 00:26:21,880
A CI/CD variable leaks in a console log,
718
00:26:21,880 --> 00:26:23,640
a wiki page or an artifact.
719
00:26:23,640 --> 00:26:25,240
That variable is a client secret
720
00:26:25,240 --> 00:26:27,640
for a service principal with Graph write permission.
721
00:26:27,640 --> 00:26:28,920
There is no owner to call.
722
00:26:28,920 --> 00:26:30,760
There is no rotation policy to enforce.
723
00:26:30,760 --> 00:26:32,440
The attacker doesn't need to guess a password.
724
00:26:32,440 --> 00:26:35,240
They call Graph and modify app permissions,
725
00:26:35,240 --> 00:26:37,480
add credentials to an existing enterprise app
726
00:26:37,480 --> 00:26:40,280
or consent a high-risk API on behalf of your tenant.
727
00:26:40,280 --> 00:26:42,240
Nothing prompts, nothing alerts,
728
00:26:42,240 --> 00:26:44,200
unless you instrumented the right logs.
729
00:26:44,200 --> 00:26:45,120
Root cause.
730
00:26:45,120 --> 00:26:46,480
Treating a workload identity
731
00:26:46,480 --> 00:26:48,680
like a convenience instead of a principal.
732
00:26:48,680 --> 00:26:50,440
If a principal can write your directory,
733
00:26:50,440 --> 00:26:51,960
it is a shadow admin.
734
00:26:51,960 --> 00:26:53,200
Before we continue,
735
00:26:53,200 --> 00:26:55,640
you need to draw the boundary in your head.
736
00:26:55,640 --> 00:26:59,240
Service principal, managed identity, and federated workload.
737
00:26:59,240 --> 00:27:01,440
The service principal is an app identity you create
738
00:27:01,440 --> 00:27:03,960
and credential with a secret or certificate.
739
00:27:03,960 --> 00:27:06,080
A managed identity is a special service principal
740
00:27:06,080 --> 00:27:08,520
Azure creates and rotates for a resource.
741
00:27:08,520 --> 00:27:10,680
A federated credential lets an external system
742
00:27:10,680 --> 00:27:11,920
like GitHub Actions,
743
00:27:11,920 --> 00:27:14,840
exchange its token for yours without storing secrets.
744
00:27:14,840 --> 00:27:16,600
Each solves a different coupling problem.
745
00:27:16,600 --> 00:27:18,600
None solves over permission on its own.
746
00:27:18,600 --> 00:27:20,760
That shows up first where you gave yourself speed.
747
00:27:20,760 --> 00:27:22,200
Secrets over certificates.
748
00:27:22,200 --> 00:27:23,680
Certificates over federation.
749
00:27:23,680 --> 00:27:25,560
Owners set to the developer who created it.
750
00:27:25,560 --> 00:27:28,520
Expires set to never because rotation would break the weekend release.
751
00:27:28,520 --> 00:27:29,600
That's not an accident.
752
00:27:29,600 --> 00:27:32,440
That is design omission disguised as velocity.
753
00:27:32,440 --> 00:27:34,480
Evidence you can pull without a clicking class.
754
00:27:34,480 --> 00:27:36,160
A Graph query for enterprise applications
755
00:27:36,160 --> 00:27:38,640
with app role assignments matching directory
756
00:27:38,640 --> 00:27:40,400
and no owners. That is your high-risk list.
757
00:27:40,400 --> 00:27:43,120
If an app can write directory objects and nobody owns it,
758
00:27:43,120 --> 00:27:44,920
you have an attack path with no steward.
759
00:27:44,920 --> 00:27:46,960
Credential inventory for application registrations
760
00:27:46,960 --> 00:27:49,200
showing key credentials and password credentials
761
00:27:49,200 --> 00:27:51,000
with expiry dates beyond one year.
762
00:27:51,000 --> 00:27:53,920
Long duration correlates with forgotten rotation paths.
763
00:27:53,920 --> 00:27:56,400
Sign-in logs filtered by service principal sign-ins
764
00:27:56,400 --> 00:27:59,240
with unusual consent or app role assignment activity.
765
00:27:59,240 --> 00:28:00,320
Yes, these exist.
766
00:28:00,320 --> 00:28:02,200
If you're not looking, you won't see drift.
767
00:28:02,200 --> 00:28:03,680
Now the common failure modes.
768
00:28:03,680 --> 00:28:06,360
Failure one, one key to rule them all.
769
00:28:06,360 --> 00:28:08,520
A single service principal in a build system
770
00:28:08,520 --> 00:28:10,560
holds Subscription Contributor,
771
00:28:10,560 --> 00:28:12,920
Key Vault Secrets Officer, and Graph write.
772
00:28:12,920 --> 00:28:14,600
The pipeline needs one of those at a time.
773
00:28:14,600 --> 00:28:16,400
The principal has all of them all the time.
774
00:28:16,400 --> 00:28:18,200
Compromise equals tenant modification
775
00:28:18,200 --> 00:28:20,600
plus secrets exfiltration plus infrastructure control.
776
00:28:20,600 --> 00:28:21,960
That is not least privilege.
777
00:28:21,960 --> 00:28:23,920
That is consolidation of blast radius.
778
00:28:23,920 --> 00:28:26,240
Failure two, forever secret.
779
00:28:26,240 --> 00:28:28,080
A client secret created during an outage
780
00:28:28,080 --> 00:28:30,040
to get prod back never rotates.
781
00:28:30,040 --> 00:28:32,080
Ten months later, someone screenshots
782
00:28:32,080 --> 00:28:33,720
an environment variables page.
783
00:28:33,720 --> 00:28:35,360
The screenshot lands in a ticket.
784
00:28:35,360 --> 00:28:36,640
The secret remains valid.
785
00:28:36,640 --> 00:28:38,120
The attacker doesn't need to phish.
786
00:28:38,120 --> 00:28:40,240
They authenticate as you.
787
00:28:40,240 --> 00:28:42,720
Failure three, no owner, no review.
788
00:28:42,720 --> 00:28:45,240
An external SaaS integration created via admin consent
789
00:28:45,240 --> 00:28:46,280
has owner: none.
790
00:28:46,280 --> 00:28:47,600
It keeps working for years.
791
00:28:47,600 --> 00:28:48,800
The vendor changes scopes.
792
00:28:48,800 --> 00:28:50,080
Nobody gets notified.
793
00:28:50,080 --> 00:28:52,800
Your tenant silently accepts newly requested permissions
794
00:28:52,800 --> 00:28:54,840
because the app already existed.
795
00:28:54,840 --> 00:28:57,320
Governance failed at the first step, ownership.
796
00:28:57,320 --> 00:28:58,600
The uncomfortable truth.
797
00:28:58,600 --> 00:29:00,720
Conditional access won't save you here.
798
00:29:00,720 --> 00:29:02,360
Workloads do not evaluate CA.
799
00:29:02,360 --> 00:29:04,000
You cannot fix scope at sign-in.
800
00:29:04,000 --> 00:29:05,960
You can only fix scope at definition.
801
00:29:05,960 --> 00:29:07,520
What should you recognize today?
802
00:29:07,520 --> 00:29:10,440
Enterprise apps with broad graph permissions and no owners.
803
00:29:10,440 --> 00:29:12,480
Application credentials with long expirations
804
00:29:12,480 --> 00:29:14,640
or endDateTime missing.
805
00:29:14,640 --> 00:29:16,440
Build systems using service principals
806
00:29:16,440 --> 00:29:19,040
with tenant-level scopes when a managed identity
807
00:29:19,040 --> 00:29:21,120
scoped to a resource would suffice.
808
00:29:21,120 --> 00:29:23,320
Human accounts labeled "service", excluded from CA
809
00:29:23,320 --> 00:29:25,360
because a pipeline needed a token.
810
00:29:25,360 --> 00:29:27,440
Humans evaluate CA; workloads don't.
811
00:29:27,440 --> 00:29:30,240
This is a category error turned into an exception.
812
00:29:30,240 --> 00:29:32,360
Once you see those, the next move becomes obvious.
813
00:29:32,360 --> 00:29:34,320
Prefer managed identities in Azure
814
00:29:34,320 --> 00:29:36,760
to eliminate secret handling where possible.
815
00:29:36,760 --> 00:29:39,000
Use certificates over client secrets
816
00:29:39,000 --> 00:29:41,000
when you must create app registrations,
817
00:29:41,000 --> 00:29:45,360
federate external CI/CD to avoid storing credentials,
818
00:29:45,360 --> 00:29:49,240
and most importantly, cut scopes to the minimum operation needed.
819
00:29:49,240 --> 00:29:51,280
Treat workload identities as production identities
820
00:29:51,280 --> 00:29:53,320
with life cycle, ownership and rotation
821
00:29:53,320 --> 00:29:55,160
because the compiler will keep saying yes
822
00:29:55,160 --> 00:29:57,840
until you change what it's allowed to say yes to.
823
00:29:57,840 --> 00:30:01,280
Workload identities: from shadow admin to governed principal.
824
00:30:01,280 --> 00:30:03,840
The foundational mistake is thinking of a service principal
825
00:30:03,840 --> 00:30:04,680
as a convenience.
826
00:30:04,680 --> 00:30:06,160
It isn't. It is a principal.
827
00:30:06,160 --> 00:30:09,040
If it can write directory objects, assign app roles
828
00:30:09,040 --> 00:30:12,120
or mint tokens that manipulate subscriptions, it is a shadow admin.
829
00:30:12,120 --> 00:30:14,840
The system doesn't care that it runs at 2 a.m. and never prompts.
830
00:30:14,840 --> 00:30:17,360
Authority without observation is still authority.
831
00:30:17,360 --> 00:30:18,360
Why this matters.
832
00:30:18,360 --> 00:30:20,040
Workload identities outnumber humans
833
00:30:20,040 --> 00:30:22,600
and the compiler never asks them for MFA.
834
00:30:22,600 --> 00:30:25,280
The consequences of doing this wrong are predictable.
835
00:30:25,280 --> 00:30:28,400
Silent privilege, durable access and escalation paths
836
00:30:28,400 --> 00:30:29,920
with no human in the loop.
837
00:30:29,920 --> 00:30:32,360
The benefit of getting it right is equally predictable.
838
00:30:32,360 --> 00:30:35,960
Scoped authority, visible ownership and bounded blast radius.
839
00:30:35,960 --> 00:30:36,960
That distinction matters
840
00:30:36,960 --> 00:30:39,200
because conditional access can't save you here.
841
00:30:39,200 --> 00:30:41,600
Your only control is definition and life cycle.
842
00:30:41,600 --> 00:30:44,920
What to do instead is not complex, but it is non-negotiable.
843
00:30:44,920 --> 00:30:47,840
First, prefer managed identities in Azure wherever possible.
844
00:30:47,840 --> 00:30:50,240
A managed identity is still a service principal,
845
00:30:50,240 --> 00:30:52,840
but the platform owns the credential and rotates it.
846
00:30:52,840 --> 00:30:56,120
You remove the class of failure called forever secret.
847
00:30:56,120 --> 00:30:57,640
More importantly, you reduce coupling.
848
00:30:57,640 --> 00:30:59,800
The identity exists in the boundary of the resource
849
00:30:59,800 --> 00:31:01,840
so its scope tends to match reality.
850
00:31:01,840 --> 00:31:04,480
A function gets function level permission to a storage account,
851
00:31:04,480 --> 00:31:06,960
not tenant level graph write for convenience.
852
00:31:06,960 --> 00:31:09,720
Second, when you must create app registrations,
853
00:31:09,720 --> 00:31:12,160
choose certificates over client secrets.
854
00:31:12,160 --> 00:31:16,080
A certificate with a sane expiry and storage in Key Vault is not perfect,
855
00:31:16,080 --> 00:31:18,440
but it collapses the easiest leak path,
856
00:31:18,440 --> 00:31:22,320
screenshots of environment variables and plain text config files.
857
00:31:22,320 --> 00:31:24,360
Pair that with short validity windows
858
00:31:24,360 --> 00:31:26,760
and a rotation schedule you actually practice.
859
00:31:26,760 --> 00:31:30,120
If you cannot rotate on demand, you do not control the principal.
860
00:31:30,120 --> 00:31:32,920
You are borrowing time from your future incident.
861
00:31:32,920 --> 00:31:34,720
Third, right-size scopes.
862
00:31:34,720 --> 00:31:36,640
The reason this clicks is straightforward.
863
00:31:36,640 --> 00:31:39,080
Workload identities never get challenged at runtime.
864
00:31:39,080 --> 00:31:43,160
If you grant Directory.ReadWrite.All, the compiler will say yes every time.
865
00:31:43,160 --> 00:31:46,240
Move to the minimum graph permission that encodes the operation.
866
00:31:46,240 --> 00:31:50,120
Use app roles on your APIs instead of broad graph grants where possible.
867
00:31:50,120 --> 00:31:53,800
At the Azure control plane, stop handing contributor at subscription
868
00:31:53,800 --> 00:31:57,320
when a resource group role or a single resource data action would suffice.
869
00:31:57,320 --> 00:31:59,000
Scope is your only guardrail.
870
00:31:59,000 --> 00:32:01,560
Fourth, assign owners and enforce life cycle.
871
00:32:01,560 --> 00:32:03,720
"Owner: none" is ungoverned.
872
00:32:03,720 --> 00:32:08,040
Every enterprise app and app registration must have at least one accountable owner
873
00:32:08,040 --> 00:32:12,240
who is not a departed developer or a group with unknown membership.
874
00:32:12,240 --> 00:32:17,200
Owners approve permission changes, own rotation and get paged when the principal trips an alert.
875
00:32:17,200 --> 00:32:20,720
Without an owner, you will always choose product velocity over control,
876
00:32:20,720 --> 00:32:23,560
not because you're reckless, but because nobody is responsible.
877
00:32:23,560 --> 00:32:27,960
Let me show you exactly how to make this practical without turning this into a clicking class.
878
00:32:27,960 --> 00:32:31,040
Inventory the threat surface with three queries in one report,
879
00:32:31,040 --> 00:32:34,920
Graph enterprise apps with app role assignments matching Directory
880
00:32:34,920 --> 00:32:36,680
and owners count equals zero.
881
00:32:36,680 --> 00:32:38,880
That is your shadow admin without a steward list.
882
00:32:38,880 --> 00:32:43,360
Work that queue first. Graph application registrations where passwordCredentials endDateTime
883
00:32:43,360 --> 00:32:45,480
is null or greater than 365 days.
884
00:32:45,480 --> 00:32:47,280
Those are your forever secrets.
885
00:32:47,280 --> 00:32:51,440
Set rotation deadlines and replace secrets with certificates or federated credentials.
886
00:32:51,440 --> 00:32:55,320
Graph service principals granted roles at subscription or management group scope.
887
00:32:55,320 --> 00:32:56,680
Map each to a workload.
888
00:32:56,680 --> 00:32:59,440
If the assignment doesn't line up with a resource that needs it,
889
00:32:59,440 --> 00:33:01,720
you found consolidated blast radius.
890
00:33:01,720 --> 00:33:06,720
Sign-in logs: service principal sign-ins with consent or app role assignment activity.
891
00:33:06,720 --> 00:33:10,520
Nothing interactive should be consenting to anything; if you see it, that's drift.
892
00:33:10,520 --> 00:33:13,640
Then constrain creation. This is the game changer nobody talks about.
893
00:33:13,640 --> 00:33:15,320
Most drift starts at birth.
894
00:33:15,320 --> 00:33:18,400
Guardrails at creation are cheaper than cleanups later.
895
00:33:18,400 --> 00:33:24,000
Disallow user consent for apps, require admin consent workflow with ownership as a prerequisite,
896
00:33:24,000 --> 00:33:28,440
require a tag or application ID in the display name that maps to a system of record.
897
00:33:28,440 --> 00:33:31,360
If you can't trace a principal to a service, you won't decommission it.
898
00:33:31,360 --> 00:33:35,400
Enforce conditional access for admin consent portals with phishing-resistant strengths
899
00:33:35,400 --> 00:33:36,920
for the humans who approve.
900
00:33:36,920 --> 00:33:40,040
The workload doesn't evaluate CA, but your approver does.
901
00:33:40,040 --> 00:33:41,600
Now the migration choices.
902
00:33:41,600 --> 00:33:46,120
If a pipeline runs in Azure, switch to a user assigned managed identity and scope it to the
903
00:33:46,120 --> 00:33:47,120
resource it touches.
904
00:33:47,120 --> 00:33:50,600
If it runs outside Azure, federate its identity instead of storing secrets.
905
00:33:50,600 --> 00:33:54,160
GitHub Actions, for example, can exchange its token for yours on every run.
906
00:33:54,160 --> 00:33:58,000
Reserve app registrations with certificates for systems that neither run in Azure nor
907
00:33:58,000 --> 00:33:59,480
support federation.
908
00:33:59,480 --> 00:34:04,560
This sequence eliminates entire classes of credential handling. Common mistakes to avoid:
909
00:34:04,560 --> 00:34:07,240
Consolidating roles for convenience on one principal.
910
00:34:07,240 --> 00:34:11,160
That is an entropy generator with root on three planes. Split duties: one identity
911
00:34:11,160 --> 00:34:12,160
per function.
912
00:34:12,160 --> 00:34:15,000
Relying on "service" human accounts to acquire tokens.
913
00:34:15,000 --> 00:34:17,160
Humans evaluate CA, workloads don't.
914
00:34:17,160 --> 00:34:22,040
Your exclusion to make the pipeline work just created a persistent blind path for people.
915
00:34:22,040 --> 00:34:26,120
Treating Key Vault as governance. Storing a secret safely is not the same as scoping the
916
00:34:26,120 --> 00:34:27,760
principal correctly.
917
00:34:27,760 --> 00:34:30,360
Stored over-permission is still over-permission.
918
00:34:30,360 --> 00:34:32,120
Evidence of improvement looks like this.
919
00:34:32,120 --> 00:34:36,120
The high-risk Graph list shrinks to zero or to a small justified set with owners.
920
00:34:36,120 --> 00:34:40,560
Credential lifetimes collapse to 90 days or certificates with automated rotation.
921
00:34:40,560 --> 00:34:45,280
Service principal sign-in logs stabilize to predictable patterns, tied to change windows,
922
00:34:45,280 --> 00:34:47,000
not ad hoc admin activity.
923
00:34:47,000 --> 00:34:50,720
Role assignments move down from subscription to resource group or resource level and
924
00:34:50,720 --> 00:34:54,400
from built-in contributor to narrowly defined data actions.
925
00:34:54,400 --> 00:34:56,320
Quick win you can achieve today.
926
00:34:56,320 --> 00:34:59,120
Take your top 10 enterprise apps with Directory
927
00:34:59,120 --> 00:35:03,840
and no owner: assign owners, remove unnecessary scopes and replace secrets with certificates.
928
00:35:03,840 --> 00:35:08,720
Then switch one high value pipeline to a user assigned managed identity with resource level
929
00:35:08,720 --> 00:35:09,720
scope.
930
00:35:09,720 --> 00:35:13,200
You will have removed a shadow admin, cut a blast radius in half and proven to your developers
931
00:35:13,200 --> 00:35:15,160
that governance can be faster than drift.
932
00:35:15,160 --> 00:35:17,160
Workload identity is production identity.
933
00:35:17,160 --> 00:35:19,760
Govern it like it can change your tenant because it already can.
934
00:35:19,760 --> 00:35:21,200
Case study context 4.
935
00:35:21,200 --> 00:35:23,920
B2B guest access undermining governance.
936
00:35:23,920 --> 00:35:26,720
External users are where your assumptions fail fastest.
937
00:35:26,720 --> 00:35:31,000
Guests don't inherit your norms, your device posture or your escalation culture.
938
00:35:31,000 --> 00:35:34,840
Architecturally, they are identities from another tenant that your control plane chooses
939
00:35:34,840 --> 00:35:36,080
to trust.
940
00:35:36,080 --> 00:35:40,400
That distinction matters because once you invite them, Entra compiles their assertions into
941
00:35:40,400 --> 00:35:44,560
your authorization graph exactly like a member unless you encode the boundary.
942
00:35:44,560 --> 00:35:46,360
The pattern is predictable.
943
00:35:46,360 --> 00:35:48,440
A vendor is added temporarily for a migration.
944
00:35:48,440 --> 00:35:52,880
They can't pass your prompts, so someone excludes the guest group from MFA just for a
945
00:35:52,880 --> 00:35:53,880
week.
946
00:35:53,880 --> 00:35:59,040
The guest is also placed in a nested group tied to a privileged app role to speed up testing.
947
00:35:59,040 --> 00:36:01,080
Months pass, the project ends.
948
00:36:01,080 --> 00:36:02,760
Nobody runs an access review.
949
00:36:02,760 --> 00:36:07,160
The vendor consultant changes jobs, their guest object persists with the same assignments.
950
00:36:07,160 --> 00:36:11,640
Your tenant now hosts a privileged identity controlled by another company's life cycle.
951
00:36:11,640 --> 00:36:13,440
Debt signals show up in three places.
952
00:36:13,440 --> 00:36:15,080
First, hard exclusions.
953
00:36:15,080 --> 00:36:19,760
If you see conditional access policies that explicitly exclude guests and external users,
954
00:36:19,760 --> 00:36:21,840
you've dissolved your perimeter.
955
00:36:21,840 --> 00:36:25,240
Guests become the path of least resistance into sensitive apps because they never meet
956
00:36:25,240 --> 00:36:26,960
the compiler's requirements.
957
00:36:26,960 --> 00:36:29,320
Second, missing reviews.
958
00:36:29,320 --> 00:36:33,760
Access review configurations that target guests but list no reviewers assigned or never
959
00:36:33,760 --> 00:36:39,320
complete are governance in name only. Without a human accountability loop, time always wins.
960
00:36:39,320 --> 00:36:41,720
Third, nested groups.
961
00:36:41,720 --> 00:36:43,920
Guests rarely get direct role assignments.
962
00:36:43,920 --> 00:36:48,600
They arrive via a group mapped into an app role or an Azure RBAC assignment.
963
00:36:48,600 --> 00:36:51,200
Nesting hides privileged escalation under collaboration.
964
00:36:51,200 --> 00:36:53,200
Now the near miss that turns into a headline.
965
00:36:53,200 --> 00:36:57,200
A partner system integrator is added as a guest admin during a rollout.
966
00:36:57,200 --> 00:37:01,280
To keep velocity, the project team excludes the guest group from phishing-resistant requirements
967
00:37:01,280 --> 00:37:04,200
and carves a trusted location for their office IPs.
968
00:37:04,200 --> 00:37:05,760
The partner later merges.
969
00:37:05,760 --> 00:37:08,920
The engineer's home tenant changes IdP behaviors.
970
00:37:08,920 --> 00:37:10,920
Their device compliance posture drifts.
971
00:37:10,920 --> 00:37:15,160
Meanwhile the exclusion persists, and an attacker compromises the partner account through a commodity
972
00:37:15,160 --> 00:37:16,160
phish.
973
00:37:16,160 --> 00:37:19,960
Your logs show a legitimate guest accessing an enterprise app with admin privileges from
974
00:37:19,960 --> 00:37:21,000
an allowed IP.
975
00:37:21,000 --> 00:37:23,560
There is no MFA challenge because you excluded it.
976
00:37:23,560 --> 00:37:26,560
There is no device check because you trusted a CIDR.
977
00:37:26,560 --> 00:37:28,360
There is no review because the project closed.
978
00:37:28,360 --> 00:37:29,360
That is not a bypass.
979
00:37:29,360 --> 00:37:30,760
That is your policy.
980
00:37:30,760 --> 00:37:34,440
Root cause: treating external collaboration as a people problem instead of a control plane
981
00:37:34,440 --> 00:37:35,440
problem.
982
00:37:35,440 --> 00:37:39,920
You invited identities you don't govern, then applied weaker policies to avoid friction.
983
00:37:39,920 --> 00:37:43,400
You delegated privilege by group nesting, a mechanism that composes invisibly.
984
00:37:43,400 --> 00:37:44,840
You never enforced life cycle.
985
00:37:44,840 --> 00:37:48,480
The execution engine enforced what remained. Before we continue, you need to understand
986
00:37:48,480 --> 00:37:53,600
cross-tenant trust. Inbound trust controls which signals you accept from an external tenant:
987
00:37:53,600 --> 00:37:58,400
has the user done MFA there, are they on a compliant device there, are they hybrid joined?
988
00:37:58,400 --> 00:38:02,720
If you don't configure inbound trust, your compiler cannot reuse those assurances. It will
989
00:38:02,720 --> 00:38:07,440
either prompt again or, if you excluded guests, prompt never. Outbound trust defines what
990
00:38:07,440 --> 00:38:12,640
your users carry into others. Both require intent; neither exists by default in a way that matches
991
00:38:12,640 --> 00:38:17,040
your risk. Evidence you can pull without a clicking class: sign-in logs filtered to user
992
00:38:17,040 --> 00:38:22,920
type guest with conditional access not applied due to user excluded or application excluded;
993
00:38:22,920 --> 00:38:27,520
if this intersects with high-value apps, you've encoded exception as design. Access review
994
00:38:27,520 --> 00:38:32,160
summaries showing privileged groups with guests and completion rates below 100%, or reviewers
995
00:38:32,160 --> 00:38:37,400
set to auto-apply disabled; that's persistence by paperwork. Enterprise app role assignments
996
00:38:37,400 --> 00:38:42,240
where principals are groups containing guests: expand the groups; if guests resolve to privileged
997
00:38:42,240 --> 00:38:46,880
paths, you've hidden escalation in membership. Cross-tenant access settings: inbound trust
998
00:38:46,880 --> 00:38:51,760
not configured to accept strong signals, or configured broadly without tenant allow lists.
999
00:38:51,760 --> 00:38:57,920
"Everyone can bring their MFA" is not a policy; it's a wish. Common mistakes to avoid: blanket guest
1000
00:38:57,920 --> 00:39:02,640
exclusions from MFA to avoid friction (friction moves to incident response); using group nesting to
1001
00:39:02,640 --> 00:39:07,520
convey app admin instead of granting time-bound access via entitlement management with expiration
1002
00:39:07,520 --> 00:39:12,480
(nesting is durable, packages can expire); confusing redemption with governance: a guest clicking
1003
00:39:12,480 --> 00:39:17,440
an invite proves email control once; it does not prove ongoing legitimacy or need; assuming
1004
00:39:17,440 --> 00:39:22,720
"they're in our Teams" equals "they are safe" (Teams is an app; authorization spans far beyond chat).
1005
00:39:22,720 --> 00:39:27,840
The uncomfortable truth: guests bypass your internal assumptions unless you force convergence.
1006
00:39:27,840 --> 00:39:32,800
You must either accept external strong signals explicitly via cross-tenant trust or require
1007
00:39:32,800 --> 00:39:37,600
your own strengths. Anything in between is ambiguity the compiler will resolve in favor of whatever
1008
00:39:37,600 --> 00:39:41,920
branch excludes the object. What should you recognize today? Policies excluding guests and
1009
00:39:41,920 --> 00:39:47,840
external users, or trusted locations that exist solely for vendor IPs. Guest objects with last sign-in
1010
00:39:47,840 --> 00:39:52,240
older than your review cadence still holding app roles or group memberships. No entitlement
1011
00:39:52,240 --> 00:39:58,080
management catalogs for external access; all guest provisioning done ad hoc. No quarterly access
1012
00:39:58,080 --> 00:40:02,880
reviews scoped to privileged groups that include guests, or reviews that complete with "don't know"
1013
00:40:02,880 --> 00:40:08,640
decisions auto-applied to approve. The fix pattern is simple, not optional. Constrain inbound trust:
1014
00:40:08,640 --> 00:40:13,280
require phishing-resistant strengths for guests accessing high-value apps, or accept external
1015
00:40:13,280 --> 00:40:18,240
strengths only from allow-listed tenants. Replace ad hoc nesting with entitlement packages that
1016
00:40:18,240 --> 00:40:23,760
expire by default, attach access reviews and deny role elevation by group membership, and turn on
1017
00:40:23,760 --> 00:40:28,480
reviews with accountable reviewers, not self-review for vendors. External identities are not special
1018
00:40:28,480 --> 00:40:33,680
users; they are another control plane input. Treat them as such or they will become your most durable
1019
00:40:33,680 --> 00:40:39,840
exceptions. External identities: constrain trust, enforce life cycle. Guests don't break your tenant; your
1020
00:40:39,840 --> 00:40:44,800
tenant breaks itself by trusting guests without constraints. Architecturally, a guest is just an external
1021
00:40:44,800 --> 00:40:49,920
principal whose assertions you decide to accept. That means two questions matter more than everything
1022
00:40:49,920 --> 00:40:54,400
else: what signals will you trust from their home tenant, and how long will that trust persist without
1023
00:40:54,400 --> 00:41:00,240
human review? If you're a security leader, this is your job: decide what you will trust, from whom,
1024
00:41:00,240 --> 00:41:05,120
and for how long, explicitly, not by accident. Why this matters: external identities bypass your
1025
00:41:05,120 --> 00:41:10,560
internal assumptions by default. They don't share your device posture, your escalation paths or your
1026
00:41:10,560 --> 00:41:15,280
training. If you don't encode boundaries, the authorization compiler will treat them like members
1027
00:41:15,280 --> 00:41:20,720
on every path you forgot to protect. That distinction matters, so draw the boundary in the only place
1028
00:41:20,720 --> 00:41:27,680
that works: the control plane. First principle: require strengths or explicitly accept external strengths.
1029
00:41:27,680 --> 00:41:32,720
If a guest touches anything high-value (identity admin, finance apps, policy surfaces), your options
1030
00:41:32,720 --> 00:41:37,440
are binary: either require phishing-resistant authentication in your tenant, or configure inbound
1031
00:41:37,440 --> 00:41:42,080
cross-tenant trust to accept phishing-resistant signals from allow-listed tenants only. "Guests do
1032
00:41:42,080 --> 00:41:47,440
MFA somewhere" is not a control; it's ambiguity. Second principle: deny elevation by nesting. Group
1033
00:41:47,440 --> 00:41:53,280
nesting is durable, opaque and composes privilege silently. If a guest needs elevated access, package it:
1034
00:41:53,280 --> 00:41:57,280
use entitlement management with an access package that includes the app role or group,
1035
00:41:57,280 --> 00:42:02,480
an expiry and an access review. Time boxes are blast radius windows; nesting is persistence disguised
1036
00:42:02,480 --> 00:42:08,320
as convenience. Third principle: enforce life cycle. Governance is not an invite email; it's an ownership
1037
00:42:08,320 --> 00:42:13,120
loop. Assign a business owner for every external access package, require justification and an
1038
00:42:13,120 --> 00:42:18,160
expiry at issuance, attach a quarterly access review with accountable reviewers and auto-apply
1039
00:42:18,160 --> 00:42:23,280
results. "Don't know" should never become an approval. If a reviewer can't vouch, access ends. These are not
1040
00:42:23,280 --> 00:42:28,320
bureaucratic steps; they're entropy brakes. Before we continue, you need to calibrate trust. Inbound
1041
00:42:28,320 --> 00:42:33,760
cross-tenant settings let you accept three external assurances: has the user completed MFA, is the
1042
00:42:33,760 --> 00:42:38,320
device compliant, is it hybrid joined? None of these are universal. If you accept them broadly, you're
1043
00:42:38,320 --> 00:42:43,040
outsourcing your perimeter to unknown policies. Accept them from named tenants with which you have
1044
00:42:43,040 --> 00:42:48,080
contractual assurance, or don't accept them at all and then require your own strengths. Evidence you
1045
00:42:48,080 --> 00:42:53,680
can surface quickly without turning this into a clicking class: sign-in logs for user type equals
1046
00:42:53,680 --> 00:42:59,440
guest where conditional access equals not applied due to exclusion; access review statistics for
1047
00:42:59,440 --> 00:43:04,880
privileged groups that include guests with completion rates below 100%; enterprise app role assignments
1048
00:43:04,880 --> 00:43:10,320
where the principal is a group containing guests; inbound trust configured to trust all external MFA.
1049
00:43:10,320 --> 00:43:15,120
Each of those is a path of least resistance; each is a policy choice. Now make the compiler do the
1050
00:43:15,120 --> 00:43:20,320
hard work. Define an authentication context called "external privilege", bind it to a conditional access
1051
00:43:20,320 --> 00:43:25,280
policy that requires phishing-resistant strengths, require that context for admin portals, finance
1052
00:43:25,280 --> 00:43:30,400
systems and any app that modifies authorization. Link PIM activation for directory roles to the same
1053
00:43:30,400 --> 00:43:35,520
context; if a guest ever elevates, they meet the same bar as members. Create entitlement catalogs
1054
00:43:35,520 --> 00:43:41,520
per vendor or program, package the minimum roles with a default 30-day expiry, require sponsor approval
1055
00:43:41,520 --> 00:43:47,520
and business justification, attach an access review that triggers at 25 days, auto-apply removal if the
1056
00:43:47,520 --> 00:43:52,880
review doesn't complete. You are encoding decay into the privilege life cycle. Deny role elevation by
1057
00:43:52,880 --> 00:43:57,840
group membership in your process: if a team asks to nest a guest-containing group into an app role,
1058
00:43:57,840 --> 00:44:03,040
the answer is no; offer an expiring package instead. Nesting produces invisible escalation; packages
1059
00:44:03,040 --> 00:44:08,240
produce predictable expiry. Constrain inbound trust: maintain an allow list of partner tenants you
1060
00:44:08,240 --> 00:44:12,720
will accept strong signals from; for everyone else, require your own strength. If a vendor says their
1061
00:44:12,720 --> 00:44:18,320
devices are compliant, trust but verify, by not trusting externally unless you've onboarded that tenant
1062
00:44:18,320 --> 00:44:23,520
explicitly. Common mistakes to avoid: creating guest exclusion conditional access groups (you've
1063
00:44:23,520 --> 00:44:27,680
taught the compiler to bypass policy for the identities least likely to meet your assumptions);
1064
00:44:27,680 --> 00:44:33,440
assigning guests to tenant-wide roles "temporarily" (tenant-wide is never temporary; any privileged guest
1065
00:44:33,440 --> 00:44:38,880
path must be time-bound and tied to an access review); treating Teams membership as governance (Teams
1066
00:44:38,880 --> 00:44:44,720
is collaboration; authorization spans Exchange, SharePoint, apps and Azure; if a guest exists only
1067
00:44:44,720 --> 00:44:49,520
because they're in a team, they should not inherit anything outside that team's scope); setting reviews
1068
00:44:49,520 --> 00:44:54,400
to self-review for vendors (self-approval is not oversight; make the sponsor accountable). Proof you can
1069
00:44:54,400 --> 00:44:59,840
show yourself in a week: guest sign-ins to high-value apps now show authentication requirement
1070
00:44:59,840 --> 00:45:07,520
phishing-resistant or external MFA accepted (trusted tenant), no "not applied"; access reviews for
1071
00:45:07,520 --> 00:45:12,880
privileged groups that include guests complete at 100% with auto-apply enabled; stale guests are
1072
00:45:12,880 --> 00:45:18,080
removed automatically; entitlement packages exist for the top three vendors, each with default expiry
1073
00:45:18,080 --> 00:45:23,600
and a named sponsor; cross-tenant inbound trust is set to none by default with a short allow list
1074
00:45:23,600 --> 00:45:28,880
populated intentionally. The uncomfortable truth remains: external identities are not special users;
1075
00:45:28,880 --> 00:45:33,520
they are inputs to your authorization compiler. Constrain what you trust, enforce when it ends.
1076
00:45:33,520 --> 00:45:38,000
Without that, the most durable exceptions in your tenant will belong to people you don't employ.
1077
00:45:38,000 --> 00:45:44,000
Define the model: identity debt and measurement signals. Identity debt is not a vibe; it's an
1078
00:45:44,000 --> 00:45:48,960
operational state: standing privilege plus ungoverned exceptions plus unowned identities. When those
1079
00:45:48,960 --> 00:45:54,320
three coexist, the authorization compiler emits decisions that diverge from intent and entropy
1080
00:45:54,320 --> 00:45:58,480
grows. You don't need a philosophy to see it, just a model and the right signals. Start with the model.
1081
00:45:58,800 --> 00:46:03,920
Standing privilege is any permission that exists outside the window of work: tenant-wide roles
1082
00:46:03,920 --> 00:46:08,720
assigned permanently, service principals with broad scopes that never expire, group memberships
1083
00:46:08,720 --> 00:46:13,440
that convey app admin until further notice. Ungoverned exceptions are branches in the execution
1084
00:46:13,440 --> 00:46:19,600
path with no owner and no end: conditional access exclusions, trusted locations, report-only policies
1085
00:46:19,600 --> 00:46:24,240
that make you feel good but do nothing, legacy protocol carve-outs that were "temporary".
1086
00:46:24,240 --> 00:46:30,080
Unowned identities are principals, human or workload, without accountable stewards: owner none on enterprise
1087
00:46:30,080 --> 00:46:34,720
apps, service principals tied to departed developers, guests without sponsors. Combine any two, you get
1088
00:46:34,720 --> 00:46:39,600
risk; combine all three, you get debt. Now measure it. If you can't inventory it, you don't control it; if
1089
00:46:39,600 --> 00:46:44,160
you can't measure it, you can't pay it down. So define a minimal signal set that maps directly
1090
00:46:44,160 --> 00:46:49,200
to the model and is cheap to collect. If you're a security leader, this is the part you should be
1091
00:46:49,200 --> 00:46:53,840
asking for in every review: show me the signals that prove our intent still matches what the compiler
1092
00:46:53,840 --> 00:46:59,920
actually enforces. Signal one, exclusions: inventory conditional access policies for user, group and
1093
00:46:59,920 --> 00:47:05,440
application exclusions. The question is simple: which paths bypass the compiler? Count them, tag owner,
1094
00:47:05,440 --> 00:47:10,560
stamp expiry. Any exclusion without an owner and a clock is an orphan branch. Signal two, legacy
1095
00:47:10,560 --> 00:47:15,600
authentication: plot legacy protocol activity over time. You're not proving an attack; you're proving
1096
00:47:15,600 --> 00:47:20,560
unobservable access. A flatline at zero means your block-legacy policy is complete; anything
1097
00:47:20,560 --> 00:47:26,640
above zero is either drift or an exception. Both are debt. Signal three, non-expiring secrets and
1098
00:47:26,640 --> 00:47:31,520
long-lived credentials: pull application registrations and enterprise apps with password credentials or key
1099
00:47:31,520 --> 00:47:37,360
credentials that are null or beyond 365 days, filter for high-risk scopes (Directory) and flag those
1100
00:47:37,360 --> 00:47:43,680
with no owners. That is shadow admin without lifecycle. Signal four, broad scopes: enumerate service
1101
00:47:43,680 --> 00:47:48,720
principals with Graph permissions beyond what their workload needs, and Azure role assignments at
1102
00:47:48,720 --> 00:47:54,080
subscription or management group scope. The metric isn't only how many; it's how many with scopes
1103
00:47:54,080 --> 00:48:00,240
that don't map to a resource you can name. Signal five, guest privilege: list guest users in privileged
1104
00:48:00,240 --> 00:48:05,040
groups or app roles, especially those introduced by nested groups. Cross-reference with access
1105
00:48:05,040 --> 00:48:09,440
review completion: if guests hold durable privilege and reviews don't complete with auto-apply, you've
1106
00:48:09,440 --> 00:48:15,200
encoded persistence. Signal six, synchronized admins: join directory role assignments against on-prem
1107
00:48:15,200 --> 00:48:21,120
sync enabled. Any tenant-wide role bound to a synced identity is coupling across planes. That's not a
1108
00:48:21,120 --> 00:48:26,240
red dot that's a design decision to unwind translate those signals into a measurement set you can run
1109
00:48:26,240 --> 00:48:30,880
every week without a ceremony exception inventory count of CA exclusions with owner and expiry
1110
00:48:30,880 --> 00:48:36,080
coverage secure score identity deltas not as a single number but as change over time for identity
1111
00:48:36,080 --> 00:48:42,720
controls you care about legacy auth disabled MFA coverage privileged identity protections policy
1112
00:48:42,720 --> 00:48:48,720
count versus coverage number of CA policies and percentage of sign-ins evaluating at least one
1113
00:48:48,720 --> 00:48:53,840
baseline policy access review completion rates for privileged groups and guest catalogs these are
1114
00:48:53,840 --> 00:48:58,640
not vanity metrics they tell you where governance exists in practice minimal telemetry required to
1115
00:48:58,640 --> 00:49:03,760
support this three places sign-in logs filtered to conditional access not applied with reasons user
1116
00:49:03,760 --> 00:49:09,280
excluded or application excluded and client app legacy authentication enterprise app owner coverage
1117
00:49:09,280 --> 00:49:14,320
from Graph giving you a consistent owner count per high risk principal access review outcomes with
1118
00:49:14,320 --> 00:49:19,600
completion status and auto-apply flags that's it you can add more later the goal is directional truth
1119
00:49:19,600 --> 00:49:25,200
with low overhead you'll notice what's missing screenshots of portals checklists of toggles
1120
00:49:25,200 --> 00:49:30,080
and weekly hand counting those are how you drift the compiler does not care how you feel about
1121
00:49:30,080 --> 00:49:34,720
complexity it cares what you told it yesterday your measurement must reflect that machine readable
1122
00:49:34,720 --> 00:49:39,360
inputs and machine observable outcomes now anchor this to the identity debt accumulation loop so your
1123
00:49:39,360 --> 00:49:44,080
team speaks the same language intent leads to translation translations spawn exceptions exceptions
1124
00:49:44,080 --> 00:49:50,000
orphan when owners leave orphans persist and mutate the authorization graph your signals map to each
1125
00:49:50,000 --> 00:49:56,000
step secure score and policy coverage show intent drifting at translation CA exclusions and not
1126
00:49:56,000 --> 00:50:02,160
applied sign-ins expose exceptions owner none and long-lived credentials identify orphans guest
1127
00:50:02,160 --> 00:50:07,200
reviews and rotation metrics reveal persistence you're not auditing feelings you're tracing state
1128
00:50:07,200 --> 00:50:12,640
propagation two cautions first don't normalize debt into averages a single service principal with
1129
00:50:12,640 --> 00:50:20,000
Directory.ReadWrite.All and no owner is not balanced by 10 low risk apps with owners this is blast
1130
00:50:20,000 --> 00:50:25,680
radius math not sentiment analysis second resist score chasing if a metric can go up while risk
1131
00:50:25,680 --> 00:50:31,040
stays flat drop it prefer signals that correspond to real blocking behavior or real lifecycle action
1132
00:50:31,040 --> 00:50:36,240
the payoff is simple with six signals and three reports you can say something useful at any scale
1133
00:50:36,240 --> 00:50:41,200
where the compiler is bypassed where privilege is permanent where nobody is accountable that's
1134
00:50:41,200 --> 00:50:45,760
the definition of identity debt operationalized and once it's visible repayment stops being theater
1135
00:50:45,760 --> 00:50:50,880
it becomes work ship this week minimal enforceable baseline this is the part everyone postpones
1136
00:50:50,880 --> 00:50:55,280
don't you can ship a minimal enforceable baseline this week that reduces blast radius before it
1137
00:50:55,280 --> 00:51:00,000
reduces flexibility it won't fix history it will stop adding interest start with three baseline
1138
00:51:00,000 --> 00:51:05,040
policies the authorization compiler can execute without ambiguity policy one block legacy
1139
00:51:05,040 --> 00:51:10,640
authentication target all users all cloud apps client apps legacy protocols only no exclusions
1140
00:51:10,640 --> 00:51:15,360
this removes the unobservable path your logs go from we think to we blocked if someone claims
1141
00:51:15,360 --> 00:51:21,040
a business dependency they owe you a protocol upgrade plan not an exception policy two require
1142
00:51:21,040 --> 00:51:27,440
MFA for all users target all users all cloud apps grant multi factor authentication exclusions only
1143
00:51:27,440 --> 00:51:32,560
the two emergency accounts with an expiry and an owner attach an alert to any sign in where conditional
1144
00:51:32,560 --> 00:51:38,000
access equals not applied due to exclusion if you can't see the break glass path it doesn't exist
1145
00:51:38,000 --> 00:51:43,120
policy three require phishing-resistant strengths for privileged roles and critical apps
1146
00:51:43,120 --> 00:51:48,560
target directory roles and named enterprise apps that modify identity money or policy
1147
00:51:48,560 --> 00:51:52,640
grant authentication strength phishing-resistant
1148
00:51:52,640 --> 00:51:57,840
gassard kei dahin and disinati yad sad saddan optionally require an authentication context that
1149
00:51:57,840 --> 00:52:03,600
enforces compliant device for PIM activation this collapses prompt bombing and OTP social engineering
1150
00:52:03,600 --> 00:52:08,240
on the paths that matter governance moves next these are not toggles they are intent encoded
1151
00:52:08,240 --> 00:52:12,960
to test it break glass accounts cloud only long vaulted passwords excluded only from MFA
1152
00:52:12,960 --> 00:52:17,920
and allow listed by location to a narrow egress you control document where they live who can open
1153
00:52:17,920 --> 00:52:22,880
the vault and how long it takes validate sign-ins showing in logs and that only the baseline block legacy
1154
00:52:22,880 --> 00:52:27,840
policy evaluates put a calendar reminder to test monthly break glass isn't a username it's a
1155
00:52:27,840 --> 00:52:33,280
practice PIM privileged identity management for every tenant wide role set assignments to eligible
1156
00:52:33,280 --> 00:52:38,480
require strong authentication at activation set durations measured in work not days and require
1157
00:52:38,480 --> 00:52:43,840
justification if you have P2 link an authentication context so elevation inherits phishing-resistant
1158
00:52:43,840 --> 00:52:49,360
requirements and device posture make the compiler reevaluate risk at the moment privilege appears
1159
00:52:49,360 --> 00:52:54,080
exclusions with clocks and owners inventory current conditional access exclusions for each add an
1160
00:52:54,080 --> 00:52:59,680
owner a business reason and an expiry within 30 days anything without those three gets removed
1161
00:52:59,680 --> 00:53:04,880
this single step converts orphans into time-boxed debt you can actually pay down now lifecycle for
1162
00:53:04,880 --> 00:53:10,720
non-humans owner required on enterprise apps and app registrations hard rule no owner no production
1163
00:53:11,440 --> 00:53:18,000
surface a weekly report of owner none on principals with directory scopes and routed to the identity queue
1164
00:53:18,000 --> 00:53:23,120
replace secrets with certificates where secrets still exist target 90 day lifetimes or automated
1165
00:53:23,120 --> 00:53:28,560
rotation for pipelines outside Azure move to federated credentials for those inside switch to user
1166
00:53:28,560 --> 00:53:33,040
assigned managed identities scoped to resources they touch you're not chasing perfection you're
1167
00:53:33,040 --> 00:53:37,920
removing forever secrets and shrinking scope guest lifecycle in one move entitlement management
1168
00:53:37,920 --> 00:53:43,280
for external access create a catalog per top vendor package only the roles they need attach a 30 day
1169
00:53:43,280 --> 00:53:49,520
expiry require a sponsor and attach an access review at day 25 with auto apply block group nesting as
1170
00:53:49,520 --> 00:53:54,080
an elevation mechanism in your process if someone asks to nest the answer is use the package
1171
00:53:54,080 --> 00:54:00,480
time boxes are entropy breaks nesting is persistence scope guardrails for hybrid zero synchronized
1172
00:54:00,480 --> 00:54:05,520
global administrators cloud only admin accounts for tenant wide roles admin units that reflect real
1173
00:54:05,520 --> 00:54:10,560
seams region subsidiary function with role assignments inside them that lets you retain regional
1174
00:54:10,560 --> 00:54:15,760
delegation without spraying tenant scope it also decouples on-prem health from cloud admin paths
1175
00:54:15,760 --> 00:54:20,080
evidence beats belief prove the baseline with four checks you can run in an hour sign in logs where
1176
00:54:20,080 --> 00:54:25,200
client app equals legacy authentication and conditional access equals blocked trend should converge
1177
00:54:25,200 --> 00:54:30,080
to zero attempts or 100 percent blocked any not applied means drift conditional access not
1178
00:54:30,080 --> 00:54:35,040
applied to privileged roles the target is empty if you see exclusions firing for admins you have
1179
00:54:35,040 --> 00:54:40,320
blind paths authentication methods for members of privileged roles the column you care about reads
1180
00:54:40,320 --> 00:54:44,960
phishing resistant registered if it's empty your admin label equals risk enterprise apps with
1181
00:54:44,960 --> 00:54:50,560
directory and owners count equals zero that queue is your shadow admin list work it at the sprint you'll get
1182
00:54:50,560 --> 00:54:56,720
pushback will break operations standing privilege is the break PIM is the safety too many prompts
1183
00:54:56,720 --> 00:55:01,280
strengths for admins risk based prompts for users block legacy and prompt noise drops
1184
00:55:01,280 --> 00:55:07,280
that we trust our network the compiler doesn't it trusts signals guests slow us down packages with
1185
00:55:07,280 --> 00:55:12,400
expiry are faster than incidents the order matters less than momentum ship the three policies
1186
00:55:12,400 --> 00:55:18,400
validate break glass turn on PIM time box exclusions assign owners replace one secret with a certificate
1187
00:55:18,400 --> 00:55:22,880
and one pipeline with a managed or federated identity create one external access package with
1188
00:55:22,880 --> 00:55:27,680
an auto applied review then schedule the rest this baseline isn't a destination it's a floor it
1189
00:55:27,680 --> 00:55:33,680
reduces blast radius before it reduces flexibility it trades invisible ambiguity for visible control
1190
00:55:33,680 --> 00:55:39,280
and it gives you a control plane that enforces intent not memory evidence without demos queries logs
1191
00:55:39,280 --> 00:55:43,680
diagrams we're not doing a clicking class we're going to show you how the control plane behaves with
1192
00:55:43,680 --> 00:55:48,480
three artifacts you can screenshot annotate and repeat diagrams logs and short queries
1193
00:55:48,480 --> 00:55:52,560
no theatrics just state and flow start with the diagrams you'll reference all year
1194
00:55:52,560 --> 00:56:01,440
diagram one conditional access evaluation flow at the top request context user role app device location
1195
00:56:01,440 --> 00:56:07,920
risk branch one exclusions strip objects from scope before evaluation branch two blocks short
1196
00:56:07,920 --> 00:56:13,040
circuit branch three grant controls combined with and inside a policy effective requirements are
1197
00:56:13,040 --> 00:56:18,000
the union across applicable policies outcome decision plus the telemetry you expect if the policy
1198
00:56:18,000 --> 00:56:23,280
actually applied label the left edge entropy generators and pin exclusions there it teaches why
1199
00:56:23,280 --> 00:56:30,960
not applied equals blind path diagram two identity debt accumulation loop intent translation exception
1200
00:56:30,960 --> 00:56:36,560
orphan persistence wrap a circle arrow around it and note the compiler sits across every hop you will
1201
00:56:36,560 --> 00:56:42,000
point to this when someone argues their one temporary bypass can't hurt now the logs because screenshots
1202
00:56:42,000 --> 00:56:48,720
of state beat opinions log one sign in filtered to privileged roles where conditional access result equals
1203
00:56:48,720 --> 00:56:54,720
not applied add columns for result detail and authentication requirement if the detail says user
1204
00:56:54,720 --> 00:57:00,400
excluded or application excluded that's unordered code running if authentication requirement is blank
1205
00:57:00,400 --> 00:57:06,080
the compiler required nothing one screenshot one truth log two legacy authentication filter sign in
1206
00:57:06,080 --> 00:57:11,760
where client app equals legacy authentication trend the count by day overlay conditional access result
1207
00:57:11,760 --> 00:57:17,280
equals blocked the target is a hundred percent blocked or zero volume anything else is drift hiding in a protocol
1208
00:57:17,280 --> 00:57:23,920
not a network rule log three guest access to high value apps filter on user type equals guest and app
1209
00:57:23,920 --> 00:57:28,640
equals the admin portals or finance systems add authentication requirement and conditional access
1210
00:57:28,640 --> 00:57:34,080
result if you see not applied or MFA accepted external without inbound trust allow listing
1211
00:57:34,080 --> 00:57:39,760
you've encoded ambiguity snap the trend before and after you constrain trust queries next keep them
1212
00:57:39,760 --> 00:57:45,280
short readable and survivable in a change window graph query for shadow admins without a steward
1213
00:57:45,280 --> 00:57:50,800
enterprise apps where app role assignments match directory and owners count equals zero that list
1214
00:57:50,800 --> 00:57:55,680
is your emergency queue work it first graph query for forever secrets application registrations where
1215
00:57:55,680 --> 00:58:02,080
password credentials end date time is null or greater than 365 days sort by high risk scopes present
1216
00:58:02,080 --> 00:58:07,440
on related service principals tag an owner set a rotation date replace secrets with certificates
1217
00:58:07,440 --> 00:58:12,480
or federation graph query for scope bloat service principals with role assignments at the tenant
1218
00:58:12,480 --> 00:58:17,520
or subscription scope join to their display names and tags if you can't map to a living workload
1219
00:58:17,520 --> 00:58:24,240
you found consolidated blast radius KQL excerpts you can paste into a workbook KQL privileged
1220
00:58:24,240 --> 00:58:31,200
sign in with blind paths SigninLogs where isnotempty(TenantId) where tostring(IdentityInfo.
1221
00:58:31,200 --> 00:58:36,160
roles) has_any global administrator privileged role administrator application administrator
1222
00:58:36,160 --> 00:58:41,840
summarize attempts equals count blind paths equals countif result type equals and conditional
1223
00:58:41,840 --> 00:58:50,320
access status equals notApplied by bin(TimeGenerated, 1d) KQL legacy auth blocked versus not
1224
00:58:50,320 --> 00:58:58,400
applied SigninLogs where ClientAppUsed equals legacy authentication summarize blocked equals countif
1225
00:58:58,400 --> 00:59:05,840
conditional access status equals failure not applied equals countif conditional access status equals
1226
00:59:05,840 --> 00:59:12,880
notApplied by bin(TimeGenerated, 1d) KQL guests hitting sensitive apps SigninLogs
1227
00:59:12,880 --> 00:59:21,680
where UserType equals guest and AppDisplayName in Microsoft Entra admin center Azure portal SAP S/4HANA
1228
00:59:21,680 --> 00:59:30,160
summarize mfa required equals countif authentication requirement has phishing resistant not applied
1229
00:59:30,160 --> 00:59:37,680
equals countif conditional access status equals notApplied by bin(TimeGenerated, 1d) add one workbook chart
1230
00:59:37,680 --> 00:59:44,080
per query left axis is count color the not applied series in red architects learn fast when red
1231
00:59:44,080 --> 00:59:50,480
fades over time for workload identities you won't see prompts you'll see changes KQL service principal
1232
00:59:50,480 --> 00:59:56,800
consent and app role activity AuditLogs where AADOperationType in consent to application
1233
00:59:56,800 --> 01:00:04,240
add app role assignment to service principal extend actor equals tostring(InitiatedBy.app.service
1234
01:00:04,240 --> 01:00:11,360
PrincipalDisplayName) summarize events equals count by bin(TimeGenerated, 1d) actor if that chart spikes
1235
01:00:11,360 --> 01:00:16,240
outside change windows you're watching drift finally create a one page evidence board top row the
1236
01:00:16,240 --> 01:00:21,920
two diagrams middle row four tiles privilege not applied legacy blocked guests strengths shadow
1237
01:00:21,920 --> 01:00:28,640
admins without owners bottom row owner none count exclusions with owner and expiry coverage secrets over 365 days
1238
01:00:28,640 --> 01:00:34,960
count update weekly no meetings no narration the board tells you if entropy is growing or shrinking
1239
01:00:34,960 --> 01:00:40,160
this is the point you don't need a lab you need artifacted truth diagrams to align mental models
1240
01:00:40,160 --> 01:00:44,880
logs to show flow under the compiler queries to find the places policy never ran that's evidence
1241
01:00:44,880 --> 01:00:51,120
without demos that's how you govern at scale paying down identity debt a 90 day remediation cadence
1242
01:00:51,120 --> 01:00:56,480
this is not a heroic weekend it's a boring disciplined loop that shrinks blast radius on a schedule
1243
01:00:56,480 --> 01:01:01,520
90 days is enough to move the compiler from ambiguity to intent without paralyzing operations
1244
01:01:01,520 --> 01:01:10,000
three phases clear artifacts no ceremonies days 1 to 30 inventory isolate and stop the bleeding
1245
01:01:10,000 --> 01:01:15,040
you're not fixing history you're halting interest start with exclusions pull every conditional access
1246
01:01:15,040 --> 01:01:21,280
policy and export the exclusions for each stamp an owner a reason and an expiry anything without
1247
01:01:21,280 --> 01:01:26,800
all three gets removed or sunset in seven days create a weekly alert on sign-ins where conditional
1248
01:01:26,800 --> 01:01:32,480
access not applied due to exclusion scope to privileged roles if a break glass path is excluded
1249
01:01:32,480 --> 01:01:37,840
add visibility now allow list the egress exclude only from MFA and validate sign-ins show in logs if
1250
01:01:37,840 --> 01:01:43,040
you can't see it it's not a control disable legacy protocols everywhere don't negotiate with IMAP
1251
01:01:43,040 --> 01:01:47,920
POP or basic auth expect noise the noise is deferred work returning to sender log trend should
1252
01:01:47,920 --> 01:01:52,320
converge to zero attempts or one hundred percent blocked stage PIM for tenant wide roles make
1253
01:01:52,320 --> 01:01:57,520
assignments eligible require strong auth at activation set durations you can defend and require
1254
01:01:57,520 --> 01:02:03,120
justification if you have authentication contexts tie elevation to a phishing-resistant strength
1255
01:02:03,120 --> 01:02:08,880
the goal is the first elevation that reevaluates risk inventory non-human authority query enterprise
1256
01:02:08,880 --> 01:02:15,600
apps with directory and no owners application registrations with secrets older than 365 days or null
1257
01:02:15,600 --> 01:02:20,560
end dates and service principals holding subscription or tenant scope roles that list is your shadow
1258
01:02:20,560 --> 01:02:27,040
admin queue don't debate names tag owners and publish the queue finally test break glass two cloud
1259
01:02:27,040 --> 01:02:33,760
only accounts long vaulted passwords mfa excluded location allow listed execute a sign in and
1260
01:02:33,760 --> 01:02:38,640
capture the evidence visible in logs blocked by legacy policy not blocked by strengths put the
1261
01:02:38,640 --> 01:02:44,800
test on a calendar days 31 60 replace the worst paths and collapse scope this is where velocity
1262
01:02:44,800 --> 01:02:50,240
returns replace secrets with rotation for the top 10 application registrations with forever secrets
1263
01:02:50,240 --> 01:02:54,960
switch to certificates with 90 day validity or federated credentials store private keys in
1264
01:02:54,960 --> 01:02:59,840
Key Vault and rehearse rotation if you can't rotate on demand you don't own the principal move
1265
01:02:59,840 --> 01:03:05,200
pipelines if the automation runs in azure convert to user assigned managed identities scope to the
1266
01:03:05,200 --> 01:03:11,440
smallest resource they touch if it runs outside Azure federate identity GitHub OIDC to remove
1267
01:03:11,440 --> 01:03:16,480
stored credentials this removes entire classes of failure screenshots of environment variables
1268
01:03:16,480 --> 01:03:22,160
exported configs copied secrets trim conditional access to a baseline reduced to three policies block
1269
01:03:22,160 --> 01:03:28,080
legacy MFA for all phishing-resistant strengths for admins and critical apps delete policies that
1270
01:03:28,080 --> 01:03:34,400
overlap or weaken the bar any remaining exclusion needs an owner and a clock move trusted locations logic
1271
01:03:34,400 --> 01:03:40,320
into authentication contexts bound to device compliance stop trusting CIDRs as identity turn on
1272
01:03:40,320 --> 01:03:45,200
access reviews target privileged groups and guest catalogs assign accountable reviewers not
1273
01:03:45,200 --> 01:03:50,480
self review enable auto apply and set a cadence that aligns with risk reviews that don't complete
1274
01:03:50,480 --> 01:03:55,200
are not neutral they're persistence localized power create administrative units that reflect real
1275
01:03:55,200 --> 01:04:01,040
seams and delegate roles inside them remove synchronized tenant wide roles ensure every principal
1276
01:04:01,040 --> 01:04:07,280
with our scope is cloud only and PIM eligible you're converting on-prem nostalgia into scoped control
1277
01:04:07,280 --> 01:04:12,880
days 61 to 90 right-size enforce strengths and institutionalize decay this locks in the gains
1278
01:04:12,880 --> 01:04:18,640
right-size Graph permissions replace Directory.ReadWrite.All with the minimum app roles required
1279
01:04:18,640 --> 01:04:25,120
by each workload or move to your own APIs with app roles for Azure RBAC drop scope from subscription
1280
01:04:25,120 --> 01:04:30,960
to resource group or resource and from contributor to precise data actions this is not paperwork it's
1281
01:04:30,960 --> 01:04:36,080
the only guardrail machines will see enforce phishing-resistant for the paths that matter validate that
1282
01:04:36,080 --> 01:04:40,720
every member of a privileged role has a registered phishing-resistant method where they don't pause
1283
01:04:40,720 --> 01:04:46,000
elevation eligibility until they do for PIM require the same strength via authentication context
1284
01:04:46,000 --> 01:04:51,520
elevation should not lower the bar institutionalize expiry entitlement packages for external access
1285
01:04:51,520 --> 01:04:58,000
get 30 day defaults a sponsor and a review at day 25 with auto apply conditional access exclusions
1286
01:04:58,000 --> 01:05:04,560
expire by default application credentials expire by policy owner none triggers a ticket not a shrug
1287
01:05:04,560 --> 01:05:10,880
measure weekly three charts privilege sign-ins with not applied legacy auth blocked versus not applied
1288
01:05:10,880 --> 01:05:16,560
and guests hitting sensitive apps with authentication requirement add two counts owner none for high-risk
1289
01:05:16,560 --> 01:05:22,560
enterprise apps and secrets over 365 days if red doesn't fade you didn't change state you changed
1290
01:05:22,560 --> 01:05:27,840
slogans close with the after action loop for every incident or near miss map it onto the identity
1291
01:05:27,840 --> 01:05:33,680
debt accumulation loop where did intent fail translation exception orphan persistence add a guardrail
1292
01:05:33,680 --> 01:05:39,280
at birth consent workflow requires an owner app creation requires tags break glass tests are
1293
01:05:39,280 --> 01:05:45,200
monthly exclusions auto expire you are encoding decay breaks what about objections will break operations
1294
01:05:45,200 --> 01:05:51,920
standing privilege is the break PIM is the safety too many prompts strengths for admins risk-based
1295
01:05:51,920 --> 01:05:56,960
prompts for users vendors can't meet your bar allow-list trusted tenants and accept their strengths
1296
01:05:56,960 --> 01:06:02,080
or require yours anything in between is ambiguity 90 days won't make you perfect it will make
1297
01:06:02,080 --> 01:06:06,720
ambiguity expensive that's the point the compiler will enforce what remains make sure what remains
1298
01:06:06,720 --> 01:06:11,840
reflects intent then repeat the loop entropy never stops neither should you objections rebuttals
1299
01:06:11,840 --> 01:06:16,720
and system behavior will break operations the system already did standing privilege is the
1300
01:06:16,720 --> 01:06:22,160
operational break you just don't notice until an incident forces a rollback privileged identity
1301
01:06:22,160 --> 01:06:28,240
management is the safety harness that converts always on risk into on when needed control architects
1302
01:06:28,240 --> 01:06:32,960
don't argue with gravity they install guardrails eligibility with justifications and short
1303
01:06:32,960 --> 01:06:38,320
activation windows is that guard rail the compiler re-evaluates risk at elevation that's not friction
1304
01:06:38,320 --> 01:06:43,200
that's intent enforced at the moment damage becomes possible too many prompts prompts are a symptom
1305
01:06:43,200 --> 01:06:47,440
of weaker assurance not a design goal when you require phishing-resistant strengths for admins
1306
01:06:47,440 --> 01:06:53,760
and high value apps the prompts collapse no OTPs to retype no push fatigue no SMS fallbacks a device
1307
01:06:53,760 --> 01:06:59,520
bound assertion turns naggy MFA into a zero interaction key assertion for everyone else risk-based
1308
01:06:59,520 --> 01:07:04,320
prompts plus blocked legacy auth reduce noise at the source you don't win by tuning prompts you win
1309
01:07:04,320 --> 01:07:09,760
by removing the failure class that created them we trust our network the compiler doesn't it sees
1310
01:07:09,760 --> 01:07:16,560
signals device posture role app sensitivity risk a CIDR is not a signal it's a story trusted
1311
01:07:16,560 --> 01:07:21,360
locations teach the authorization compiler to treat an IP range as identity that's how you
1312
01:07:21,360 --> 01:07:26,800
smuggle unmanaged browsers and proxy sessions into privileged paths replace location bypasses
1313
01:07:26,800 --> 01:07:32,240
with authentication contexts bound to compliant devices you are moving trust from a route to
1314
01:07:32,240 --> 01:07:38,000
an attested state that distinction matters guests slow us down incidents slow you down more entitlement
1315
01:07:38,000 --> 01:07:42,960
packages with default expiry and auto applied access reviews ship faster than ad hoc nesting
1316
01:07:42,960 --> 01:07:49,120
because they encode the exit on issue no retro hunts no who approved this archaeology a 30 day
1317
01:07:49,120 --> 01:07:53,760
window with a sponsor you can name beats a nested group that outlives the project and the vendor
1318
01:07:53,760 --> 01:07:58,880
external collaboration is a control plane choice encode it once reuse it forever vendors can't
1319
01:07:58,880 --> 01:08:03,840
meet phishing-resistant some can some can't the system already supports inbound trust allow-list
1320
01:08:03,840 --> 01:08:08,800
tenants whose posture you contractually trust and accept their strong signals for everyone else
1321
01:08:08,800 --> 01:08:13,600
require your strength at your boundary you're not outlawing collaboration you're removing ambiguity
1322
01:08:13,600 --> 01:08:18,560
the compiler can't resolve safely absent explicit trust prompts are not friction they're your last
1323
01:08:18,560 --> 01:08:24,240
defense our admins need constant access they need constant ability to obtain access not standing
1324
01:08:24,240 --> 01:08:29,120
privilege the difference is blast radius with PIM an alertable auditable elevation stands in for
1325
01:08:29,120 --> 01:08:34,880
24 by 7 keys pair it with short activation and authentication context you didn't slow an admin
1326
01:08:34,880 --> 01:08:40,320
you published a state change operations learns to plan work in windows incidents inherit accountability
1327
01:08:40,320 --> 01:08:45,680
by design this breaks automation workloads do not evaluate conditional access you break automation
1328
01:08:45,680 --> 01:08:51,120
when you mislabel human accounts as service managed identities certificates and federated
1329
01:08:51,120 --> 01:08:55,600
credentials give machines the tokens they need without prompting scope is where you control them
1330
01:08:55,600 --> 01:09:00,560
if a pipeline fails after you remove Directory.ReadWrite.All you didn't break automation
1331
01:09:00,560 --> 01:09:06,160
you revealed a design omission an overbroad grant that never matched the operation fix scope automation
1332
01:09:06,160 --> 01:09:11,360
returns our executives will hate this executives hate headlines more give them two things
1333
01:09:11,360 --> 01:09:16,160
strengths where privilege exists and fewer prompts where it doesn't for day-to-day usage prompt
1334
01:09:16,160 --> 01:09:21,360
frequency drops when legacy auth is blocked and risk-based CA is clean for privileged access the
1335
01:09:21,360 --> 01:09:26,720
requirement is non-negotiable a compromised executive token is a governance event the compiler
1336
01:09:26,720 --> 01:09:35,120
can't distinguish CEO from attacker using CEO strengths do this seems complex the current state is
1337
01:09:35,120 --> 01:09:41,520
complex overlapping policies phantom exclusions orphan secrets guests nested into admin roles the
1338
01:09:41,520 --> 01:09:47,520
baseline is simpler by construction three policies PIM for privilege expiry by default owners on
1339
01:09:47,520 --> 01:09:54,080
principals fewer branches to debug at 2 a.m. less surface to explain in an audit complexity's already
1340
01:09:54,080 --> 01:09:59,040
here you're deciding who owns it the system deterministically or humans improvisationally
1341
01:09:59,040 --> 01:10:04,000
will handle this with monitoring monitoring sees what the compiler executed it does not see what it
1342
01:10:04,000 --> 01:10:09,120
excluded conditional access not applied is a blind path no detection logic can infer a control
1343
01:10:09,120 --> 01:10:15,280
that never ran prevention isn't fashionable it's physics reduce unobservable flows then monitor
1344
01:10:15,280 --> 01:10:21,280
the rest alerts mean something when the policy graph is small and intentional this will take too long
1345
01:10:21,280 --> 01:10:26,720
nonsense the system rewards order three policies ship this week PIM can turn on in an afternoon
1346
01:10:26,720 --> 01:10:32,000
owners can be stamped by report secrets can be swapped for certificates one pipeline at a time
1347
01:10:32,000 --> 01:10:36,320
entitlement packages can start with one vendor you're not migrating platforms you're replacing
1348
01:10:36,320 --> 01:10:41,360
entropy generators with guardrails in place with evidence if you remember nothing else the authorization
1349
01:10:41,360 --> 01:10:46,560
compiler enforces what remains objections ask you to preserve ambiguity system behavior does
1350
01:10:46,560 --> 01:10:52,480
not negotiate it compiles inputs into decisions every time at scale change the inputs the outcomes follow
1351
01:10:52,480 --> 01:10:58,320
Checklist: what you can validate this week. Three policies exist, applied and visible. Legacy
1352
01:10:58,320 --> 01:11:04,080
authentication is blocked tenant-wide with zero exclusions. Confirmation: sign-in logs show client app
1353
01:11:04,080 --> 01:11:08,880
equals legacy authentication and conditional access equals blocked, with no "not applied". MFA for all
1354
01:11:08,880 --> 01:11:14,480
users is enabled; exclusions exist only for two break-glass accounts, each with owner and expiry.
1355
01:11:14,480 --> 01:11:20,160
Confirmation: conditional access policy B lists exactly two exclusions; alert wired for any "not
1356
01:11:20,160 --> 01:11:24,320
applied" due to exclusion. Phishing-resistant strengths are required for privileged roles and
1357
01:11:24,320 --> 01:11:30,640
named critical apps. Confirmation: privileged sign-ins show authentication requirement equals phishing
1358
01:11:30,640 --> 01:11:36,320
resistant. Break glass is real, tested, and observable: two cloud-only accounts, long vaulted passwords,
1359
01:11:36,320 --> 01:11:41,920
excluded from MFA only, allow-listed to a narrow egress. Confirmation: a scheduled monthly sign-in
1360
01:11:41,920 --> 01:11:46,560
appears in logs, blocked by legacy policy, not blocked by strengths, evidence archived. Privileged
1361
01:11:46,560 --> 01:11:51,520
identity management is on, not promised: all tenant-wide roles set to eligible, short activation
1362
01:11:51,520 --> 01:11:56,720
windows, justification required, and activation bound to an authentication context that enforces
1363
01:11:56,720 --> 01:12:01,360
phishing-resistant strength. Confirmation: one successful activation event captured, with risk
1364
01:12:01,360 --> 01:12:07,040
re-evaluation in audit logs. Conditional access exclusions are governed: every exclusion in every policy
1365
01:12:07,040 --> 01:12:12,720
has an owner, a business reason, and an expiry, else 30 days. Confirmation: exported policy inventory
1366
01:12:12,720 --> 01:12:18,080
shows 100% coverage; a weekly task checks expirations and removes or renews with justification.
1367
01:12:18,080 --> 01:12:23,600
Workload identities have stewards and lifetimes: enterprise apps with directory permissions have
1368
01:12:23,600 --> 01:12:30,400
named owners; owner-none count is zero or a known, tracked queue. Confirmation: Graph report lists owners
1369
01:12:30,400 --> 01:12:36,720
for high-risk apps; exceptions carry tickets. Application credentials have sane lifetimes: secrets
1370
01:12:36,720 --> 01:12:42,800
at most 90 days or certificates with automated rotation; end date time null or 365 days count is shrinking.
1371
01:12:42,800 --> 01:12:48,320
Confirmation: weekly delta report. Scope is right-sized: service principals with subscription or tenant
1372
01:12:48,320 --> 01:12:53,360
scope map to living workloads; unnecessary Contributor grants are replaced with resource-level
1373
01:12:53,360 --> 01:13:00,000
least-privilege roles or data actions. Confirmation: role assignment export shows scope moved down
1374
01:13:00,000 --> 01:13:05,760
and role names tightened. External identities are constrained by design: inbound cross-tenant trust
1375
01:13:05,760 --> 01:13:11,120
is none by default, with a short allow list for high-value apps; guests meet phishing-resistant
1376
01:13:11,120 --> 01:13:16,480
strength or supply trusted external MFA only from named tenants. Confirmation: guest sign-ins to
1377
01:13:16,480 --> 01:13:23,040
sensitive apps show authentication requirement present, no "not applied". Entitlement packages exist
1378
01:13:23,040 --> 01:13:29,840
for top vendors with 30-day expiry, sponsor, and access reviews at day 25 with auto-apply. Confirmation:
1379
01:13:29,840 --> 01:13:36,480
access review completion at 100%, stale guests removed. Measurements exist and update weekly:
1380
01:13:36,480 --> 01:13:41,840
three charts (privileged "not applied" counts, legacy auth blocked versus not applied, guests hitting
1381
01:13:41,840 --> 01:13:48,640
sensitive apps with authentication requirement present), two counters (owner-none high-risk and secrets
1382
01:13:48,640 --> 01:13:54,400
365 days). Confirmation: a single evidence board shows red fading week over week. One migration
1383
01:13:54,400 --> 01:14:00,240
proof: a pipeline switched to a user-assigned managed identity scoped to a single resource, and one forever
1384
01:14:00,240 --> 01:14:05,840
secret replaced with a certificate. Confirmation: successful run logs plus retired credential ID.
1385
01:14:05,840 --> 01:14:10,960
If any item fails, you don't debate intent; you adjust inputs to the authorization compiler. Key
1386
01:14:10,960 --> 01:14:16,640
takeaway and next move: identity debt is standing privilege plus ungoverned exceptions plus unowned
1387
01:14:16,640 --> 01:14:22,080
identities, inputs that the authorization compiler will faithfully turn into probabilistic outcomes.
1388
01:14:22,080 --> 01:14:27,280
Reduce ambiguity; intent becomes enforceable. Ship the baseline this week: three conditional access
1389
01:14:27,280 --> 01:14:33,360
policies, tested break glass, PIM for privilege, owners and expiry on exclusions, one pipeline to managed
1390
01:14:33,360 --> 01:14:38,400
or federated identity. Subscribe for the deep dive on turning conditional access from execution
1391
01:14:38,400 --> 01:14:42,080
engine into enforceable policy.