Stian A. Strysse 🛡️
@learningbydoing.cloud
Sr. Identity Architect - #learningbydoing 🛡️ Focused on #cloud, #identity, #cybersecurity, #devops, #automation, #Entra 🆔.
Fixing it with code, sharing it in blogs 🚀

Blog: https://learningbydoing.cloud 💥
LinkedIn: https://linkedin.com/in/stianstrysse 🗞️
Yeah, I’m definitely doing $batch after looking into it, isn’t that bad actually. Just need this script to be super effective when adding/removing a bunch of group members. Thanks! 🙏🏻
May 10, 2025 at 5:25 PM
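An added example, not code from the thread or from the author, of the $batch approach discussed above: it splits member IDs into Graph JSON batch bodies of at most 20 DELETE requests against /groups/{group-id}/members/{member-id}/$ref, and maps the per-request status codes in a batch response back to the member each one targeted. The group id, member ids and response payload are constructed sample values.

```python
import json

GRAPH_BATCH_URL = "https://graph.microsoft.com/v1.0/$batch"
BATCH_LIMIT = 20  # Graph JSON batching accepts at most 20 requests per call


def build_remove_batches(group_id, member_ids):
    """Chunk member_ids into $batch bodies, each holding up to 20 DELETE
    requests that remove one member reference from the group."""
    batches = []
    for start in range(0, len(member_ids), BATCH_LIMIT):
        chunk = member_ids[start:start + BATCH_LIMIT]
        requests = [
            {
                "id": str(i + 1),  # ids only need to be unique within one batch
                "method": "DELETE",
                "url": f"/groups/{group_id}/members/{mid}/$ref",
            }
            for i, mid in enumerate(chunk)
        ]
        batches.append({"requests": requests})
    return batches


def failed_removals(batch_body, batch_response):
    """Return {member_id: status} for every sub-request that did not succeed.
    Sub-responses may come back in any order, so they are matched on 'id',
    and a member missing from the group shows up here as a 404 rather than
    being silently skipped."""
    url_by_id = {r["id"]: r["url"] for r in batch_body["requests"]}
    failures = {}
    for resp in batch_response.get("responses", []):
        status = resp.get("status", 0)
        if not 200 <= status < 300:
            url = url_by_id.get(resp["id"], "")
            member_id = url.rsplit("/members/", 1)[-1].removesuffix("/$ref")
            failures[member_id] = status
    return failures


if __name__ == "__main__":
    # Constructed sample: a group id, 45 member ids, and a fake batch reply.
    bodies = build_remove_batches("11111111-aaaa-bbbb-cccc-222222222222",
                                  [f"member-{n}" for n in range(45)])
    print(f"{len(bodies)} batch calls to POST {GRAPH_BATCH_URL}")
    print(json.dumps(bodies[0]["requests"][0], indent=2))
    sample_reply = {"responses": [{"id": "1", "status": 204},
                                  {"id": "2", "status": 404}]}
    print("failed:", failed_removals(bodies[0], sample_reply))
```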
@nathanmcnulty.com - did you ever find a way to remove group members in batches of 20, like we can for adding group members? Looking for the most efficient way to remove members. 😅
May 10, 2025 at 9:46 AM
Helpful to protect against malicious or inadvertent admin actions.

Now please bring recycle bin support for security groups too, Microsoft. Come on, it’s years overdue!
February 3, 2025 at 10:45 PM
Indeed. I’d love for Microsoft to implement Restricted Admin Units for appregs/SPs, so we could prevent app takeover from a lower privileged admin.

Good discussion! 👍🏻
January 24, 2025 at 8:05 PM
That we agree on, 💯

CA is a killswitch that can cripple a business in seconds. I’ve heard of several organizations that locked themselves out, one was down for 3 days. A mitigation can be a service principal with CA.ReadWrite.All scope, but then you need to secure and monitor that too…
January 24, 2025 at 7:42 PM
That’s the thing - a breakglass account isn’t going to save the day if someone messes up a CA policy. One single policy created by mistake with scoping in all users, excluding no one, with an impossible grant, and everyone is locked out of the tenant.
January 24, 2025 at 7:21 PM
There is always a way of messing up CA policies, so I don’t feel that is an excuse :) I would not feel comfortable with a standing GA only a password away from total compromise.

Some good pointers here: https://www.cswrld.com/2023/12/how-to-manage-break-glass-accounts-in-microsoft-entra-id/
January 24, 2025 at 7:06 PM
Microsoft is enforcing MFA on all accounts accessing admin portals and APIs, so I think that way of managing breakglass accounts is over.

Register 2-3 FIDO2 security keys locked up in a safe with only access for trusted individuals, test them yearly, and monitor the accounts for sign-ins. Right?
January 24, 2025 at 6:37 PM
Not my field of expertise, but four day work week sounds awesome 🥺
December 21, 2024 at 12:16 AM
@merill.net is a machine, I wish I had just half of that energy 😅 Excellent work mate! 👏🏻
December 3, 2024 at 10:53 PM
Salesforce used with for their Outlook plugin, action required for any customers using it: help.salesforce.com/s/articleVie...
December 3, 2024 at 6:03 PM
That would totally rock!
November 29, 2024 at 6:44 PM
All days I’m working from my beloved home office, except for special circumstances or team events. I love it.
November 19, 2024 at 8:29 AM