Certificate-Based Authentication (CBA) in Microsoft Entra ID isn’t new. It has been quietly available for years, and it remains one of the least adopted features in the identity stack. That used to be understandable: certificates felt like legacy, passkeys were the shiny new thing, and most organizations had bigger fires to put out. That calculation…
For years, the “One Person, One License” rule for Microsoft Entra was something you heard, never something you could point at. Microsoft employees said it on stage, in blog posts, and in the occasional forum reply. But it was never written down anywhere that mattered. No Product Terms, no contract clause, nothing you could hand…
Anyone building a Privileged Access Workstation eventually hits the point where “basically clean” no longer cuts it. That is exactly where this comes in. I am currently building my Ephemeral PAW on top of Windows 365 Flex in Shared mode, and one piece turned out to be more important than expected: the guarantee that every…
A Temporary Access Pass (TAP) is one of those small things that comes up constantly. A user lost their phone and can no longer reach their MFA method. A new starter should onboard passwordless on day one and register their first passkey or FIDO2 key. Someone is migrating from the Authenticator app to a hardware…
If you manage Windows endpoints at scale, you’ve probably heard this request more than once:“Can we give users a simple way to see their device info and reach IT support – without them having to dig through Settings?” On macOS, tools like this have existed for years – a clean menu bar widget that shows…
Microsoft is pulling the plug on SSTP at the Azure VPN Gateway. As of March 31, 2026, SSTP can no longer be newly enabled. As of March 31, 2027, existing SSTP connections will stop working entirely. The official guidance points to IKEv2 or OpenVPN — but in the real world, neither is a clean replacement…
If you’ve ever configured Single Sign-On for Azure Virtual Desktop or Windows 365, you know the drill:Open PowerShell, connect to Microsoft Graph, find the service principal, set isRemoteDesktopProtocolEnabled to true, create target device groups via API calls, and hope you didn’t miss a step. It worked. But it wasn’t exactly intuitive. That has now changed.…
🧩 Why privileged App Registrations deserve the same Zero Trust treatment as admins Conditional Access is one of the strongest security controls in Microsoft Entra. We use it to protect users, enforce MFA, restrict locations, and reduce risk. But for a long time, one category of identities was largely outside that model: Workload identities. App…
On March 11, 2026, a major U.S. medtech corporation was hit by a cyberattack that wiped nearly 80,000 devices. No malware. No ransomware. The attackers compromised a single administrator account, created a new Global Administrator, and used Intune’s built-in remote wipe command to erase devices across the entire organization — in the middle of the…
Local Administrator Password Solution (LAPS) has become a cornerstone of secure endpoint management. Rotating, per‑device local admin passwords managed via Microsoft Entra ID or on‑prem AD? Perfect.But what happens when someone urgently needs that password — and the helpdesk is asleep, overloaded, or twelve time zones away? If you work in global operations, industrial environments,…