microsoft entra
246 Topics

Made a self-hosted Entra ID governance portal for app/identity sprawl (open source)
Our tenant ended up with hundreds of app registrations and enterprise apps, and the native portal makes you dig through a separate blade for every basic question. Who owns this app? Which secrets die next month? What hasn't been signed into in a year? Which ones have scary Graph permissions? There's no single view for any of it, and half the ownership info was missing anyway.

Entra ID Governance, access reviews, PIM all exist, but they felt heavy (and licensed) for what I actually wanted, which was just a fast list I could scan for routine cleanup. So I built one.

Lightweight portal that runs entirely in your own subscription:

- One grid for App Registrations, Enterprise Apps, Managed Identities and Privileged Users
- Risk flags per identity: expiring/expired creds, high-risk permissions, no owner, stale sign-in, no CA coverage
- Ownership tracking, review and owner-change workflow, CSV export
- Tenant health score and a consent posture dashboard
- Optional expiry email notifications (needs a SendGrid key)
- Reads Graph through a managed identity, so no app secrets for data access and nothing leaves your tenant

Runs about $26-30/month (one B2 App Service plan). B1 is also supported, but it's noticeably slower. It's not a replacement for Entra ID Governance or PIM, more of a cheap everyday hygiene thing.

Full disclosure, I used AI building this and writing this up. I designed the architecture and functionality, tested it and ran it against my own tenant. It's open source and deployable with Azure DevOps or an Azure CLI script. Data never leaves your own tenant.

Repo (screenshots + setup): https://github.com/nicolaibaralmueller/entra-identity-governance-portal

Would love feedback, especially what you'd want it to flag that it doesn't, or where the risk scoring feels off. Been building it on and off for a few months with a lot of iteration.
Hopefully this could be useful for others as well.

Extend data security to the network with Microsoft Purview and Microsoft Entra
Protection that keeps up with how data moves in the AI era

Enterprise data used to be easier to contain. It lived in files, in apps you managed, within boundaries you controlled. Security teams could focus on endpoints and known systems, and that was often enough. That’s no longer the case.

Today, data travels constantly between trusted endpoints and unmanaged web apps, SaaS apps, and most critically, generative AI tools over the network. Employees type and paste sensitive information into prompts, upload work-related files to external services or personal cloud storage, and interact with systems that sit entirely outside the traditional enterprise perimeter. AI has expanded the risk surface for potential enterprise data loss.

That’s why Microsoft Purview and Microsoft Entra now integrate to extend data security to the network layer (available in public preview).

Traditional data loss prevention (DLP) approaches lack real-time visibility and enforcement, flagging incidents after data has already left the organization. In other cases, vendors rely heavily on physical network appliances that are complex and expensive to deploy, or compute resources that can add significant latency. In the era of AI, that model breaks down quickly.

Real-time data protection for how work happens today

To adapt to how enterprise data moves in the AI era, we’re announcing the extension of data security to the network layer, powered by Microsoft Purview and Microsoft Entra, now in public preview.
This integration brings together data context and identity-aware enforcement to help protect sensitive data in transit, in real time:

- Detect how sensitive data is shared to shadow AI tools, unmanaged SaaS apps, and personal cloud repositories
- Help block the sharing of sensitive data in real time based on identity, user activity, and data context, before data leakage occurs
- Unify investigation workflows by correlating identity, data, and insider risk signals across Purview, Entra, and Defender
- Prevent employees from sharing proprietary or sensitive organizational data to potentially risky locations such as consumer AI apps

By combining Purview data classification, DLP policies, and insider risk detection with identity-aware enforcement at the network layer through Entra, organizations can dynamically apply protections based on:

- The sensitivity of the data
- Who the user is
- How that user has interacted with sensitive data over time

Together, Purview and Entra enable a modern approach to data protection that follows the data to prevent leakage instead of relying on at-rest controls alone. Not only that, but the same Purview classification and policies that you already leverage for the rest of your enterprise data can now be applied consistently across data in motion, at rest, and in use.

Learn more in the detailed blog. See the capabilities in action here. Start your free trial of Purview Suite here.

Best approach to detect multiple user accounts signing in from the same physical device
Hi Everyone,

Working on environment: D365 Finance & Operations (cloud).

Goal: I need to detect when more than one Dynamics user account is being used from the same physical device, and ideally count how many distinct users are active on that device. The business reason is that it is not permissible to log in with more than one account on the same device.

For example: User X has device D1, User Y has device D2. User X logged in with his account using device D2 (which is user Y's device). I want to know if this happened, because it's not permissible behavior in the organization.

For further illustration, some users have blank device IDs when I look in Microsoft Entra. Or, if I could find out when a user logs in and integrate it with D365 F&O to store the device the user logged into in a custom log table, or anything that tells me that this user account is opened on more than one device or that this device has more than one logged-in user account.

Registering user becomes local admin on Joined Devices
This setting works exactly as named, but the confusion is understandable because the privilege is invisible in the places people normally look.

Per Microsoft's official docs (assign-local-admin): at the moment of Microsoft Entra join, two principals get added to the local administrators group — the Microsoft Entra Joined Device Local Administrator role and the user performing the join. This happens only during the join operation itself. It's not a directory role assignment, so it won't show up in role assignments, audit logs, or under "Device Administrators" — that's by design. Critically: users aren't directly listed in the local admin group; the privilege is delivered through the Primary Refresh Token (PRT) at sign-in.

So:

- To validate on the device itself, sign in as the user and run whoami /groups — you should see the device-local Administrators SID.
- If you just changed the setting and want to force re-evaluation, run dsregcmd /refreshprt, then sign out and back in (lock/unlock won't trigger it — you need a fresh PRT, which can take up to ~4 hours to propagate otherwise).
- This setting only applies to joined devices, not registered (workplace-joined) ones — so your distinction there is correct.
- The "Manage Additional local administrators on all Microsoft Entra joined devices" link is a separate, tenant-wide mechanism (the same Device Administrator role) — it can't be scoped to specific devices, which is also worth knowing if you're trying to limit blast radius.

If you want to stop this going forward for new joins without ripping out existing admins, set "Registering user is added as local administrator" to None, and consider a Windows Autopilot profile or Intune Local Users and Groups policy to manage membership going forward — existing devices won't be retroactively changed.

Securing data and access in the era of AI with Microsoft Entra and Microsoft Purview
As organizations move from experimenting with AI to deploying it at scale, securing sensitive data, access, and AI usage has become mission critical. In this series, Microsoft experts will show how Microsoft Entra and Microsoft Purview help you:

- Protect sensitive data across networks, apps, and AI interactions
- Govern access for users, applications, and AI agents
- Reduce risk while enabling innovation at scale

Whether you're shaping your security strategy or implementing controls, you’ll walk away with the guidance you need to secure data and access to AI as one unified strategy.

DATE     TIME (PDT)  TOPIC
July 21  9:00 AM     Secure the age of AI: Redefining trust, data and access
July 22  9:00 AM     Data and identity controls for the browser and network
July 23  9:00 AM     Unlock AI agents without sacrificing security

How do I participate? Select the sessions you are interested in, then select Add to Calendar to save the date and/or the Attend button to save your spot, receive event reminders, and participate in the Q&A. Not able to attend live? This session will be recorded and available on demand shortly after airing. Don't see Attend or Add to Calendar? Sign in to the Tech Community to join the conversation.

Unlock AI agents without sacrificing security
AI agents are reaching into mailboxes, files, line-of-business apps, and the open web on behalf of your users—and the business wants more of them, faster. To scale agents safely, your security teams need to be able to verify each agent, govern what it can access, and enforce clear boundaries across every interaction.

Learn how Microsoft Entra helps you discover shadow AI agents, govern agent permissions, keep BYOD and endpoint-based agents in scope, and apply Conditional Access to AI prompts and responses. Then see how Microsoft Purview provides visibility into agent activity, strengthens runtime data protection, helps detect agentic risk, and supports auditability across local agents developed on GitHub Copilot CLI, Claude Code, OpenAI Codex, and OpenClaw. Walk away with practical ways to unlock AI agents while keeping access and data protection aligned with your enterprise security needs.

This session is part of Securing data and access in the era of AI with Microsoft Entra and Microsoft Purview. View the full agenda for more insights to help you move from experimenting with AI to deploying it at scale, securing sensitive data, access, and AI usage.

Data and identity controls for the browser and network
Sensitive data doesn't stay still. It moves through browsers, SaaS apps, generative AI tools, and prompts, often beyond the visibility of traditional controls. In this session, see how Microsoft Entra and Purview bring real-time visibility and control to sensitive data in motion across the network. You’ll learn how integrated data security and secure access controls can help reduce leakage risk, support responsible AI adoption, and enable modern work without slowing the business down.

Secure the age of AI: Redefining trust, data and access
There is no question that AI is transforming the enterprise: changing how data moves, how decisions are made, and how risk takes shape. As agents access, interpret, and act on sensitive data, unmanaged AI use expands and traditional boundaries blur.

Kicking off our series on Securing Data and Access in the Era of AI, Microsoft Entra VP of Product Sinead O’Donovan and Microsoft Purview GM of Product Maithili Dandige explain why legacy security models fall short in the age of AI—and why you need a strategy that brings together identity, access, and data protection. Want to adopt and enable AI innovation with greater control and confidence? Join us to learn how leading organizations are securing access, protecting data, and establishing trust for the next generation of AI-powered work.

Agent 365 | Identity & Access Controls in Entra
Surface agents across AWS Bedrock, Google Vertex, Databricks, and Salesforce in one registry, assign Entra Agent IDs via CLI or SDK, and enforce least-privilege access through Conditional Access policies and Agent Blueprints, all without rebuilding your existing identity infrastructure. Lock down agent activity with sign-in logs that capture every authentication attempt, policy hit, and failure. Govern agents as first-class identities alongside your users, apps, and devices, and draw a hard line between managed and unmanaged AI in your organization.

Vince Smith, Microsoft Entra Principal Product Manager, shares how to establish full visibility, access control, and lifecycle governance for AI agents using Microsoft Entra and Agent 365.

Transform unmanaged agents into a managed agent identity. CA policy enforcement, lifecycle controls, & full audit trail—start with Agent ID in Microsoft Entra.

One Agent blueprint. Multiple agent identities. Use Agent blueprints in Microsoft Entra to enforce least-privilege access for agent identities at scale. Start here.

Lock down agent activity in Microsoft Entra. Get full audit visibility into every sign-in, Conditional Access decision, and failure reason. See how it works.

QUICK LINKS:
00:00 — Visibility and control with Agent 365
01:39 — Multi-platform registry sync
02:29 — Assign Agent ID
04:14 — Agent Blueprints
05:24 — Conditional Access for agents
06:24 — Sign-in logs audit trail
07:03 — Unblock the agent
07:54 — Wrap up

Link References
Check out https://aka.ms/EntraforAgents
Video Transcript:

-Ensuring agents don’t operate unchecked in your environment means making sure their access to data and apps, along with other agents and resources, is appropriately scoped, and no more than necessary, so they’re never overprivileged. Agent 365 gives IT and security teams a unified control plane for agent activity. They can work together using the tools they already work in every day to see which agents are in use, understand the risk, and act before issues escalate. Today, in part 3 of this Agent 365 series, we look at how, as an identity admin using Microsoft Entra, you can establish the critical foundation to prevent agents from being both overprivileged or running without the right level of visibility.

-This all starts with Agent 365, which gives you visibility into your agents, control over what they can access, and governance across the entire lifecycle. As a developer, you can use the Agent 365 CLI and SDK to create and integrate an Agent ID into your agent. This ensures your agents can be managed across their lifecycle, with continuous risk evaluation and least privileged conditional access controls in Microsoft Entra, ensuring that agents can only connect to and act on the resources they truly need, for as long as they need, no more, no less.
-Just like with your users and apps today, with Agent ID, agents become explicitly manageable and governable, including conditional access policies and access packages. And by assigning an Entra identity to your agents, you establish a clear boundary between managed and unmanaged AI, which makes it much easier to detect which agents need to be brought under control. Let’s start in the Microsoft 365 Admin Center to see this in action. As an IT admin, you can access Agent 365 controls to view your agents, find unmanaged AI in use, and configure tools and settings. I’m in the Agent 365 overview page, where I can find top-level insights and metrics, as well as common actions. In fact, the Registry sync controls let me configure these options, so let’s take a look. And you can see that we’ve already configured sync for AWS Bedrock and Google Vertex, which gives us visibility into agents running on those platforms.

-Just to show you what’s behind this and your options, I’ll click Connect a platform. And under External platforms, we can see Bedrock and Vertex here, along with Databricks Genie and Salesforce AgentForce. The respective agents will appear in the agent registry once I sync from these platforms. That said, while we were able to see the agents from those platforms running in our environment, without respective Agent IDs, we won’t have visibility into exactly what those agents are accessing. In fact, here we can see that all of our Amazon Bedrock agents are currently unmanaged. And when I click in, we can see a few details about the agent creation date and publisher, but not much else. So we know these agents exist, but again, without an Agent ID, we don’t know exactly what these agents are accessing to be able to apply the right controls for their needs.

-Practically speaking, our first step here is to work with the unmanaged agent creators to get their agents an Entra ID.
This is where, as a developer creating and updating agents, we can use the Agent 365 CLI and SDK to create and assign an Agent ID, which also includes an Agent Blueprint. I’ve used a simple prompt here to generate the code and Entra configuration needed. The cool thing about Agent Blueprints is that permissions granted on the blueprint can be inherited by all agent IDs using that blueprint, and I’ll explain more about this in a moment. And because this is standard OAuth, it is interoperable across agent platforms. In fact, the agent we’re updating is the one I showed earlier that’s running on AWS Bedrock. And once the agent is republished to Agent 365, it’s ready for management.

-In fact, going back to the agent registry in Agent 365, viewing the details of the agent, we can move over to the right and expand this field for identity information. We can see it has an Agent ID along with a Blueprint ID, which wasn’t there when we looked at the unmanaged agent card before. And scrolling back up and opening the Security tab, I can see that the agent already has default protections applied from Microsoft Purview and Entra, including sensitive data protections and compliance evaluation as part of the Agent 365 platform. Because the agent is an object in our directory, provided we are entitled with the right management permissions, we can grant the appropriate level of access and get visibility into its details and activities.

-I’ll start by first looking at what resources the developer has configured for the agent to access. In the agent identities page, we can see our agent. Importantly, this agent now has an agent sponsor assigned. This is the person responsible for the agent, and can be the agent builder themselves or someone they designate. And viewing its access and granted permissions, we can see a list of the requested permissions the agent has configured. Notice that the grant source is inherited from the parent, which is our Agent Blueprint.
A blueprint is the template for a class of agents. It holds the credentials that associated agents use for authentication. The credentials can be managed in Entra, or federated outside of Entra, or even system managed, such as with an Azure Managed Identity. It also provides a way to define identity and permissions for agents at scale.

-Here we see in this case, the agent’s permissions aren’t set directly on the agent itself. They come from its parent blueprint. The first permission for Agent365.Observability is a default to capture agent telemetry. And under that, you’ll see Microsoft Graph permissions to read groups, users, and mail. Under Developer settings in the Manifest, we can view and optionally edit the details as JSON that we saw earlier in the code.

-As an Entra admin, I can control who is able to consent to the agent’s permissions, which gives me both security and scale, but I also want defense in depth. In our organization, as a blanket control, we have conditional access policies to block access to all unverified agents. Under conditional access, when I click into the AWS Bedrock policy, you’ll notice that this policy targets all agent identities and blocks their access to Entra-managed resources by default. To give our now verified agent access, we’ll need to exclude it from this conditional access block policy.

-Before we do that, I’ll show you this policy in action from the agent testing experience in Amazon Bedrock. I’ll have the agent perform a simple lookup for a user account in our tenant. And you’ll see that it’s blocked from retrieving the user information. In fact, if I move over to this agent’s logs, I can see all the invalid grant errors. And expanding on the first one and then scrolling down to the error description, it gives more specific detail about the conditional access block and what happened.

-Now, if I move back to Microsoft Entra and look at the sign-in logs, we can see all of the sign-in activities for this agent.
I’ll expand the same request we just saw in the Bedrock portal and move into this specific instance. And you’ll see the failure reason is exactly what the agent developers saw in Bedrock. In fact, digging into this Conditional Access tab, we can see the corresponding policies listed that apply to this agent, along with the AWS Bedrock policy on top and the corresponding failure result. Now let’s look at how we can unblock this agent. As a Microsoft Entra administrator, once we verify that this agent’s identity is established and its permissions are appropriate, we can exclude it from our conditional access block policy to allow it access.

-Back in our conditional access policy settings, under Assignments, I can set up an exclude condition. Then I search for my agent by its name. Here I’m typing, “widget.” There it is. Now I’ll select it and confirm, then I just need to save my policy. That’s it. With our exclusion set up, the agent will be able to perform its operation with least privileged access in Entra. So let’s test it out. Back in the Amazon Bedrock portal, I’ll run the same prompt that failed last time, our account lookup. And as you can see, this time it works, and it was able to access and display the account information for this user from our tenant.

-There we have it. That’s how easy it is to integrate Entra Agent ID into your agents and bring them under management. Agent 365 with identity and access controls in Microsoft Entra provides IT and security teams the management and visibility to assess and respond to agent risks. This lets you efficiently integrate agents into your existing systems and infrastructure as first-class identities, alongside existing users, applications, and devices. To learn more, check out aka.ms/EntraforAgents. Keep checking back to Microsoft Mechanics for the latest tech updates, and thanks for watching.