Zero Trust
22 Topics

Get started with a modern zero trust remote access solution: Microsoft Global Secure Access
Get started with a modern Zero Trust remote access solution! Say goodbye to outdated VPNs and embrace the future of secure connectivity with Microsoft Global Secure Access Private Access. Built on the principle of least privilege, this solution ensures users only access the resources they need. Combined with Conditional Access, it provides powerful, policy-driven protection for both specific and broad on-premises resources. Whether you're just starting your cloud journey or ready to break free from legacy VPNs, Global Secure Access Private Access is the game changer you've been waiting for.

In this session, we'll cover:
- How to get started with Global Secure Access Private Access
- Installing and managing the Global Secure Access client
- Monitoring traffic flow for visibility and control

Let's embark on this journey to enhanced security and seamless access together!

Date: 4 October 2025
Time: 18:00 (CEST)
Speaker: Kasper Sven Mozart Johansen
Topic: Get started with a modern zero trust remote access solution: Microsoft Global Secure Access

Entra Group Source of Authority CONVERSION: Enabling Cloud-First Identity Management
As organizations modernize their identity infrastructure, Microsoft Entra's Group Source of Authority (SOA) Conversion feature enables a granular migration of group management from on-premises AD to Microsoft Entra ID without disabling sync or rearchitecting the entire directory.

What Is Group Source of Authority?
Group SOA defines where a group object is mastered: either in on-premises AD or in Entra ID. With SOA conversion, administrators can selectively convert AD-synced groups into cloud-native groups, making them editable and governable directly in Entra ID.

Permissions Required
To perform SOA conversion, the following Microsoft Entra roles and Graph API permissions are required:
- Hybrid Administrator: required to call Microsoft Graph APIs to read and update the SOA of groups.
- Application Administrator or Cloud Application Administrator: required to grant consent to the app or to Graph Explorer.
- Graph API permission scope: Group-OnPremisesSyncBehavior.ReadWrite.All must be granted to the app calling the onPremisesSyncBehavior endpoint.

Prerequisites
Before initiating SOA conversion, ensure the following:
- Licensing: a Microsoft Entra Free or Basic license is sufficient.
- Sync clients: Microsoft Entra Connect Sync minimum version 2.5.76.0; Microsoft Entra Cloud Sync minimum version 1.1.1370.0.
- Group eligibility: groups must not be mail-enabled or tied to Exchange on-premises (DLs or MESGs). If provisioning back to AD is planned, change the group scope to Universal.

How to Convert Group SOA from AD to Entra
Here's a simplified step-by-step guide:
Identify target groups: use the Entra Admin Center or Graph Explorer to list synced groups, and confirm they are not Exchange-dependent.
Grant permissions: use Graph Explorer or your app registration to grant Group-OnPremisesSyncBehavior.ReadWrite.All.
Execute the SOA conversion: in this example, Group1, the group in scope for conversion, is currently synchronized from on-premises AD.
Execute the following from Graph Explorer to convert "Group1" to cloud-managed:

PATCH https://graph.microsoft.com/beta/groups/{group-id}/onPremisesSyncBehavior
{ "isCloudManaged": true }

We can verify the change by running a GET against the same endpoint in Graph Explorer. This marks the group as cloud-managed; AD sync will stop honoring changes to this group.
Validate conversion: confirm blockOnPremisesSync = true in the Entra Admin Center, and use the audit logs to verify the change.
Apply governance: apply lifecycle policies, access reviews, and provisioning rules using Entra ID Governance.

Use Cases: Migrating from On-Prem to Cloud

Use Case 1: Retiring Legacy AD Groups
Scenario: A customer has migrated all mailboxes to Exchange Online and no longer needs certain AD groups.
Solution: Convert those groups to cloud-native Entra ID groups and delete them from AD, reducing footprint and simplifying governance.

Use Case 2: Governing On-Prem Apps from the Cloud
Scenario: A customer uses AD security groups to secure on-prem apps (e.g., Kerberos-based apps).
Solution: Convert the group SOA to Entra ID, apply governance policies, and use Group Provision to AD to sync cloud-managed groups back to AD.

Use Case 3: Migrating DLs and MESGs to Cloud
Scenario: A customer wants to migrate all distribution lists and mail-enabled security groups to the cloud.
Solution: Convert SOA to Entra ID, recreate mail-enabled groups in Exchange Online, and decommission AD-based mail groups.

Use Case 4: Enabling Access Reviews
Scenario: A federal customer wants to run access reviews on group memberships, but the groups are AD-synced.
Solution: Convert SOA to Entra ID, enabling full access review capabilities and lifecycle workflows.

Use Case 5: Hybrid Identity Cleanup
Scenario: A customer is migrating from Entra Connect Sync to Cloud Sync and wants to clean up group sprawl.
Solution: Use SOA conversion to move group management to the cloud, then decommission legacy sync rules and OUs.
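The conversion steps above, scripted with the Microsoft Graph PowerShell SDK as an added example (not code from the original post): it checks the eligibility rules the post lists before issuing the PATCH, then reads the endpoint back to confirm. The group ID is a constructed placeholder; the Microsoft.Graph module is assumed to be installed.

```powershell
# Added example (not from the original post): convert one AD-synced group to cloud-managed
# with the Microsoft Graph PowerShell SDK, refusing groups the post says are ineligible.
# Assumes the Microsoft.Graph module is installed; $GroupId is a constructed placeholder.
$GroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: object ID of Group1

# Group.Read.All for the eligibility check; the SOA scope is the one named in the post
Connect-MgGraph -Scopes "Group.Read.All", "Group-OnPremisesSyncBehavior.ReadWrite.All" -NoWelcome

function Test-SoaEligibility {
    param([Parameter(Mandatory)][string]$Id)
    $g = Get-MgGroup -GroupId $Id -Property "id,displayName,mailEnabled,onPremisesSyncEnabled"
    $problems = @()
    if (-not $g.OnPremisesSyncEnabled) { $problems += "not synced from on-premises AD (nothing to convert)" }
    if ($g.MailEnabled) { $problems += "mail-enabled (DL/MESG tied to Exchange on-premises)" }
    [pscustomobject]@{
        DisplayName = $g.DisplayName
        Eligible    = ($problems.Count -eq 0)
        Problems    = $problems
    }
}

function Convert-GroupSoaToCloud {
    param([Parameter(Mandatory)][string]$Id)
    $check = Test-SoaEligibility -Id $Id
    if (-not $check.Eligible) {
        throw "Refusing to convert '$($check.DisplayName)': $($check.Problems -join '; ')"
    }
    $uri = "https://graph.microsoft.com/beta/groups/$Id/onPremisesSyncBehavior"
    # The PATCH from the post: marks the group cloud-managed so sync stops honouring AD changes
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ isCloudManaged = $true } | Out-Null
    # Read the same endpoint back rather than trusting the empty 204 response
    $state = Invoke-MgGraphRequest -Method GET -Uri $uri
    if (-not $state.isCloudManaged) { throw "isCloudManaged is still false for $Id; conversion did not apply" }
    [pscustomobject]@{ GroupId = $Id; DisplayName = $check.DisplayName; IsCloudManaged = $state.isCloudManaged }
}

Convert-GroupSoaToCloud -Id $GroupId | Format-List
```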
Strategic Impact
Group SOA Conversion is more than a technical enhancement; it's a strategic enabler for identity modernization. It supports:
- AD DS minimization: shrinking the on-premises footprint.
- Cloud-first governance: centralized access control and lifecycle management.
- Phased migration: avoiding disruption while modernizing.

Passwordless Authentication with FIDO2 Security Key for Remote Desktop Connection

Hello Everyone, in this blog, we will explore how to use a FIDO2 security key to access a device using Remote Desktop Connection (RDP), a Zero Trust approach where passwordless authentication is enforced. Recently, a customer asked me whether they could secure their device and enforce passwordless authentication for RDP access. While some FIDO2 security keys can also be used as smart cards with Certificate-Based Authentication (CBA), I will cover that topic in my next blog. In this post, let's focus on how we can use Windows 10/11, the RDPAAD (Remote Desktop Protocol Azure AD Protocol), and WebAuthn to connect to Entra ID-joined or Hybrid-joined devices using a FIDO2 security key.

If a user has never used or registered a FIDO2 security key, they should register it by visiting My Sign-Ins, clicking Security Info, and selecting Add sign-in method. Once the FIDO2 security key is registered, complete the sign-in process and ensure the user can successfully authenticate to web applications using the security key.

Configuring RDP for Entra ID-Joined Devices:
For Entra ID-joined devices, follow these steps to enable RDP access using a FIDO2 security key:
1. Ensure the user is a member of the local Remote Desktop Users group on the remote device.
   - Open PowerShell as Administrator and load the Microsoft Graph PowerShell module to connect to Entra ID (if needed).
   - Run the following command to add the user to the Remote Desktop Users group:
     net localgroup "Remote Desktop Users" /add "AzureAD\user200@farooquetech.in"
2. Validate the configuration by opening Computer Management and checking the Local Users and Groups settings:
   - Open Computer Management (compmgmt.msc).
   - Navigate to Local Users and Groups → Groups.
   - Locate and open the Remote Desktop Users group.
   - Check that the Entra ID user we added appears in the list.
This confirms that the user has been successfully added and can sign in to the remote machine using RDP. At this point, we can open Remote Desktop Connection (mstsc.exe) and attempt to connect to the remote device:
1. Open Remote Desktop Connection (mstsc.exe).
2. Click the Advanced tab.
3. Under User Authentication, select "Use a web account to sign in to the remote computer." This ensures that the RDP session uses passwordless authentication with FIDO2 and WebAuthn for secure access.
4. Enter the NetBIOS name of the remote computer and click Connect.
5. On the sign-in page, enter the Entra ID account for which FIDO2 security key authentication is enabled.
6. When prompted to choose a passwordless authentication method, select Security Key.
7. Insert your FIDO2 security key, follow the prompts, and complete the authentication process: enter the PIN and touch the security key.
8. A consent prompt appears asking whether to allow the RDP connection; select Yes.
After authentication, the desktop loads successfully. This gives us a secure, passwordless RDP connection to the remote device.

Remote Desktop Connection Access to Hybrid Entra ID-Joined Devices:
Now, let's discuss how to establish RDP access for Hybrid Entra ID-joined devices. The process differs slightly because these devices are joined to both Active Directory (AD) and Entra ID, so authentication must be validated in both directories. To achieve this, we need to register an Active Directory Read-Only Domain Controller (RODC) object in Entra ID. This RODC object is what allows a partial Kerberos Ticket Granting Ticket (TGT) to be issued to the user after authentication with Entra ID.
Note: This RODC object is not linked to any on-premises AD domain controller; it is simply an empty object in Entra ID used to enable Kerberos authentication.
Enabling Entra ID Kerberos Authentication:
To enable Entra ID Kerberos authentication, follow these steps:
1. Open PowerShell as Administrator.
2. Import the AzureADKerberos module (it ships in the Microsoft Entra Connect installation folder) and run the following PowerShell commands:

   # Load the AzureADKerberos module from the Entra Connect installation folder
   Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"
   $domain = $env:USERDNSDOMAIN
   # Entra ID administrator account used to register the object in Entra ID
   $userPrincipalName = "admin@mngenvmcapXXX.onmicrosoft.com"
   # Enter the Active Directory credentials when prompted
   $domainCred = Get-Credential
   # Create the AzureADKerberos RODC object in AD and register it in Entra ID
   Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred

Once the command executes successfully, we can verify that the AzureADKerberos account has been created in Active Directory: open Active Directory Users and Computers and, under Domain Controllers, check that the AzureADKerberos RODC object has been created. This completes the AzureADKerberos configuration, enabling the use of FIDO2 security keys for authentication. Now, to establish an RDP connection, follow the same steps outlined earlier for Entra ID-joined devices.

Enforcing Phishing-Resistant Passwordless Authentication for RDP:
To ensure that Remote Desktop Protocol (RDP) always uses phishing-resistant passwordless authentication, we can enforce this through Conditional Access policies in Entra ID:
1. Sign in to the Entra ID portal.
2. Go to Security → Conditional Access and create a new policy.
3. Under Assignments, select the users or groups that require secure RDP access.
4. In the Cloud apps or actions section, select "Microsoft Remote Desktop" (Application ID a4a365df-50f1-4397-bc59-1a1564b8bb9c).
5. Under Grant controls, choose Require authentication strength and select Phishing-resistant authentication, which includes FIDO2 security keys.
6. Save and enable the policy.
Note: For Hybrid Entra joined machines, do not sign in with a Domain Admin or any other highly privileged AD account; otherwise Entra ID will not issue the partial TGT.

I hope you found this blog helpful!
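The Conditional Access policy from the steps above, created with the Microsoft Graph PowerShell SDK as an added example (not code from the original post). It targets the Microsoft Remote Desktop application ID the post gives, resolves the built-in phishing-resistant authentication strength by name rather than hard-coding its ID, and starts in report-only mode so sign-in logs can be reviewed before enforcement. The group ID is a constructed placeholder; the Microsoft.Graph module is assumed to be installed.

```powershell
# Added example (not from the original post): Conditional Access policy requiring
# phishing-resistant MFA for Microsoft Remote Desktop, built with the Graph PowerShell SDK.
# $RdpUsersGroupId is a constructed placeholder; the app ID is the one quoted in the post.
$RdpUsersGroupId    = "00000000-0000-0000-0000-000000000000"   # placeholder: group needing secure RDP
$RemoteDesktopAppId = "a4a365df-50f1-4397-bc59-1a1564b8bb9c"   # Microsoft Remote Desktop

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

# Look up the built-in "Phishing-resistant MFA" strength by display name; FIDO2 security keys
# satisfy it, so this is the control the post's step 5 sets in the portal.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
if (-not $strength) { throw "Built-in 'Phishing-resistant MFA' authentication strength not found" }

$policy = @{
    displayName = "RDP - require phishing-resistant MFA (FIDO2)"
    # Report-only first: review the sign-in logs, then switch to "enabled" to enforce
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($RdpUsersGroupId) }
        applications   = @{ includeApplications = @($RemoteDesktopAppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Report-only mode logs what the policy would have done without blocking anyone, which is the safest way to confirm that only the intended RDP sign-ins are affected before enforcing it.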
In my next blog, I will cover how FIDO2 Security Keys can also be used for on-premises Active Directory domain-joined servers. Stay tuned!

Setting up Microsoft Entra Verified ID, step by step
Are you confident who the people in your organization are interacting with online? Identity verification is fundamental in protecting your organization from impersonation. Get the knowledge you need to bring strong identity verification to your organization and improve confidence that digital interactions are safe and secure. The Microsoft Entra Verified ID team will kick off with a comprehensive understanding of how to set up Verified ID. We'll walk through key concepts, including Verified ID's significance in enhancing digital identity, security, and trust. Then we'll show you how to configure your environment, set up and issue your first credential, and use the Microsoft Entra admin center to manage credentials across your organization. This session is part of the Microsoft Entra Verified ID webinar series.

[On demand] Never trust, always verify: Tips for Zero Trust with Intune
Get tips on how to leverage the latest automation and tooling in Microsoft Intune to enforce security policies that require healthy, compliant devices before access to apps and data is granted. Watch Never trust, always verify: Tips for Zero Trust with Intune (now on demand) and join the conversation at https://aka.ms/AlwaysVerify.

To help you learn more, here are the links referenced in the session:
- Zero Trust Workshop
- Microsoft Zero Trust
- Microsoft Cybersecurity Reference Architectures

For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.

Kick Start Your Security Learning with a 7-lesson, Open-Source Course
This course is designed to teach you fundamental cyber security concepts to kick start your security learning. It is vendor agnostic and is divided into small lessons that should take around 30-60 mins to complete. Each lesson has a small quiz and links to further reading if you want to dive into the topic a bit more.

Unlock Your Cybersecurity Potential: Explore the Security-101 Curriculum!
In our interconnected world, cybersecurity is no longer a luxury; it's a necessity. Whether you're a seasoned IT professional or a curious enthusiast, understanding the fundamentals of security is crucial. Today, I'm thrilled to introduce you to a treasure trove of knowledge: the Security-101 repository.

What Is Security-101?
The Security-101 repository, hosted on GitHub, is your gateway to mastering cybersecurity essentials. Developed by experts at Microsoft, this curriculum is designed to be accessible, practical, and engaging.

Why Should You Explore Security-101?
- Foundational Knowledge: Whether you're new to the field or need a refresher, Security-101 covers the basics. From the CIA Triad (Confidentiality, Integrity, and Availability) to risk management, you'll gain a solid understanding.
- Vendor-Agnostic Approach: No product pitches here! Security-101 focuses on principles rather than specific tools. It's like learning to drive before choosing a car.
- Learn at Your Own Pace: Each lesson takes just 30-60 minutes. Perfect for busy professionals or those eager to improve during lunch breaks.
- Interactive Quizzes: Test your knowledge after each lesson. Reinforce what you've learned and track your progress.

You can use the following study plan for mastering the cybersecurity concepts covered in the Security-101 repository, or come up with a self-paced study plan.

Week 1: Foundations and Basics
  Subtopics: CIA triad (Confidentiality, Integrity, Availability); Risks vs. Threats; Security control concepts
  Activities: Read lessons on foundational concepts. Take quizzes.
Week 2: Zero Trust Architecture
  Subtopics: Zero Trust model; IAM in Zero Trust; Networking in Zero Trust
  Activities: Explore Zero Trust principles. Review related materials.
Week 3: Security Operations (SecOps)
  Subtopics: Security incident response; Security monitoring; Security automation
  Activities: Study SecOps concepts. Complete quizzes.
Week 4: Application Security (AppSec)
  Subtopics: Secure coding practices; Web application security; Secure software development
  Activities: Dive into AppSec topics.
Week 5: Data Security
  Subtopics: Data encryption; Data classification; Data loss
  Activities: Understand data security. Take quizzes.

Call to Action: Explore Security-101 Today!
Here's how you can engage:
- Visit the repository: Head over to the Security-101 repository. Star and bookmark it; you'll want to return!
- Start with Lesson 1: Begin with the first lesson. Whether you're sipping coffee or waiting for a code build, invest that time in your growth.
- Share with Peers: Spread the word! Tell your colleagues, friends, and fellow tech enthusiasts. Let's build a community of security-conscious learners.

Conclusion
Security isn't an afterthought; it's woven into every digital interaction. By exploring Security-101, you're not just learning; you're empowering yourself to protect data, systems, and people. Learning about security is an essential step for anyone looking to protect their digital assets and navigate the complex landscape of cybersecurity. The course offered by Microsoft on GitHub is a comprehensive starting point that covers fundamental concepts such as the CIA triad, Zero Trust architecture, and various security practices. It's vendor-agnostic, making the knowledge applicable across different platforms and technologies. By understanding the basics of cybersecurity, you can better assess risks, implement effective controls, and contribute to a safer online environment. Whether you're a beginner or looking to refresh your knowledge, Security 101 equips you with the tools and understanding necessary to face modern security challenges. So, take the leap and start your cybersecurity learning journey today.