☁Alex Mags☁
@alexmags.bsky.social
Techy. 🛡️blueteam🔐
twitter.com/alexmags
infosec.exchange/@Alexmags
How much experience have you had with Entra? Assuming the attributes are set in the directory, you can do ABAC and RBAC with dynamic groups. Access reviews for recertification. Add the identity governance feature for self-service access packages. PIM for admins. Group write-back for AD. Where are you stuck?
November 22, 2024 at 11:08 PM
Nice! How does this compare to Azure Firewall Analytics? Can you do the same there? How does Sentinel help? I'm also reviewing Azure Firewall rules.
November 21, 2024 at 8:34 PM
Update. Cloud app "windows cloud login" was the one I was missing. CA SIF policy with device filter did the trick.
November 18, 2024 at 7:36 PM
I was using an app bundle, I think called Windows 365, so I thought I was covered, but it didn't include everything. Just glad I didn't have to disable SSO.
November 18, 2024 at 7:33 PM
Update: it was the Windows Cloud Login app registration I needed in the every-time SIF policy. Device filter on device ownership so it only applies to BYOD.
November 18, 2024 at 4:44 PM
Thanks @jeftek.com. Your doc recommendation guided me to the Windows Cloud Login app. This was the one I was missing to make sure users MFA on reconnect if a Windows App session is left running. Don't need to disable SSO. 🙏
November 18, 2024 at 4:41 PM
Workload Identity feature licences are not expensive. Limits access in case a secret gets compromised. Alternative to service accounts that bypassed MFA but were compensated for with network location CA policies.
learn.microsoft.com/en-us/entra/...
Microsoft Entra Conditional Access for workload identities - Microsoft Entra ID: Protecting workload identities with Conditional Access policies
November 17, 2024 at 10:05 AM
Thanks for the link. I'll dig further into this.
learn.microsoft.com/en-us/azure/...
November 17, 2024 at 9:56 AM
If I disconnect, leave Windows App running, and come back hours later, I can still SSO into the remote desktop without a password or MFA. Not sure how the RDP connection is authenticated. Haven't spotted interaction with Entra in the sign-in logs when you connect. Is RDP Kerberos to the Windows desktop?
November 17, 2024 at 4:21 AM
Thanks. Signing up. I recently made a tool to set up the Tiered Admin Model if it helps you. Next is figuring out how to tier Admin Units in Entra.
github.com/alexmags/ADT...
GitHub - alexmags/ADTiersOfJoy: Active Directory Tiered Administration Model
November 17, 2024 at 4:11 AM
Hi Jef. Got idle session timeout. But missing re-auth if they or someone else tries to reconnect.
November 17, 2024 at 3:59 AM
Hi Nathan. Have the CA policy set to every time for the Win365 cloud app. If you restart Windows App or hit refresh in Windows App to get the latest list of desktops, you have to re-auth. But connect (RDP) gets you in without re-auth.
November 17, 2024 at 3:57 AM
Anything in the Entra sign-in logs user agent string?
November 17, 2024 at 3:50 AM
Hi Donna. Is there a way to time out Windows App's ability to SSO without a password or MFA? If you leave Windows App running somewhere, people can get into your stuff. Looking for options or the fun police will make me disable SSO 😭
November 17, 2024 at 3:48 AM
Service accounts were the safest way for automation scripts to authenticate because you could apply CA policies to limit use to specific IPs or devices. But now you can buy Workload Identity licences and protect app registrations with CA policies too. Time to switch.
November 17, 2024 at 3:22 AM