Jef Kazimer

583 posts


@JefTek

Principal Product Manager @Microsoft #MicrosoftEmployee #Microsoft #Entra #Identity #EntraID - Tweets are my own

Chicago, IL. Joined February 2007
2.9K Following, 5K Followers
EZ@IAMERICAbooted·
. @merill we need to talk. I will be filing a ticket today. This is a perfect example of people reading documentation and not understanding what impacts the recommendation may have. Adding high severity attack surface is not the way. A better way to govern is having updated and accurate CMDB for lifecycle management and owners of business decisions. Every time an employee leaves, there should be an automated process to replace them in the CMDB with their manager until a new owner is assigned. As for adding the owners to app registrations - do not do this. A better solution is to use service principals that govern. Only cloud app admins, app admins, privileged role admins, and global admins should be allowed to alter manifests, secrets, federations, certs+keys, redirect URIs, and delegated permissions. Not app owners at the Entra level.
Juan Garrido@tr1ana

@IAMERICAbooted @CynicLib @CyberDivergent I didn’t mean to offend you. Congratulations on being an expert in Entra. The official recommendation is that there should be at least 2 owners learn.microsoft.com/en-us/entra/id…

Jef Kazimer@JefTek·
@IAMERICAbooted @merill Yes, this is part of where custom security attributes (CSA) are used in applications. In the docs we call them out for use as governance attributes, but I think we can elevate this. I’d like to have a common sponsor attribute we can use in our built-in governance flows.
EZ@IAMERICAbooted·
@JefTek @merill This can be fixed by adding the owners in the properties pane instead of adding them in the owners pane. When owners leave, it can be automatically updated with their manager and signaled to evaluate new owners for lifecycle governance
Jef Kazimer@JefTek·
@IAMERICAbooted @merill Understood. I look to improve the capabilities so customers get value from it, so more see the value in using those capabilities. I’ve wanted to look at a universal sponsor for apps and groups for a while, so thanks for the reminder.
EZ@IAMERICAbooted·
@JefTek @merill Unfortunately, most orgs are not using Entra Governance in my experience.
Jef Kazimer@JefTek·
@IAMERICAbooted @merill Anything more specific you can share? I assume exploiting the designated owner account to be able to configure the application?
EZ@IAMERICAbooted·
@JefTek @merill Correct, Jef. People exploiting this are not just Russia and China anymore.
Jef Kazimer@JefTek·
@IAMERICAbooted @merill To have designated people as custodians or decision makers but without ability to make configuration changes? If you look at how we have sponsors on other entities which are responsible for limited lifecycle tasks and approvals but can’t manage configuration?
Jef Kazimer@JefTek·
@IAMERICAbooted @merill I think there is a bit of conflated terminology here. Owner in Entra entities typically is a designated user who has ability to manage and responsibility. So 2 owners who are responsible to and have ability to manage config of that application. I think you want …
Jef Kazimer retweeted
Marc-André Moreau@awakecoding·
A colleague encouraged me to share some of my AI prompting tips. I often see people struggle with tasks that somehow just work well for me, yet it's hard to figure out what differs in the approach. Beyond the tools and models, here are my tricks for achieving better results 🧵👇
Jef Kazimer retweeted
$anjay@sanjaygpts·
@claudeai pov: you're celebrating claude's new features while knowing it's the same tool that's going to replace you by end of 2026
Jef Kazimer@JefTek·
@callmidavid @claudeai Save your receipts for your toolbox so you can return it. Just wait till robots get cheap enough to use AI to do manual tasks.
David Uchenna@callmidavid·
@claudeai Time to become a plumber. Thanks for taking my job, Anthropic.
Claude@claudeai·
Introducing Claude Design by Anthropic Labs: make prototypes, slides, and one-pagers by talking to Claude. Powered by Claude Opus 4.7, our most capable vision model. Available in research preview on the Pro, Max, Team, and Enterprise plans, rolling out throughout the day.
EZ@IAMERICAbooted·
Who can tell me how many agents are connected to your Microsoft tenant and what they are doing? This is a problem I'm going to solve.
Jef Kazimer retweeted
Fabian Bader@fabian_bader·
If you have a Conditional Access policy scoped to the user action "Register security information", starting May 2026 the registration of Windows Hello for Business and macOS Platform SSO credentials will be in scope. #EntraID
Jef Kazimer retweeted
spencer@techspence·
On-prem is going to make a comeback, yes or no?
EZ@IAMERICAbooted·
@JefTek It's beyond that, Jef :) It has to do with SaaS apps being enumerable from the internet due to SP-initiated authn implementations. If it's on the internet, attackers will do what attackers do :)
EZ@IAMERICAbooted·
Who can tell me what benefit Named Locations/IP allowlists have when you already have FIDO2 for authn to SaaS? Think like an attacker. I'll wait, hopefully not too long.
Jef Kazimer@JefTek·
@IAMERICAbooted I can still walk up to an airport kiosk and use a FIDO2 key to get a token that could be stolen, for example. Or maybe not wanting you to use your grandmother's PC to access work services even if using PR auth. Right control for the right threat.
Jef Kazimer@JefTek·
@IAMERICAbooted We have to think of authentication strengths of PR methods as an AND control and not the only control. Think layered controls. Require Phishing Resistant auth AND compliant device. Or PR auth AND allowed network.
EZ@IAMERICAbooted·
For everyone allowing unmanaged device connections to their network/m365, regular people now have full permissioned agents doing things on their behalf. 😆 🤣 😆 🤣 If you still allow access to your network from unmanaged devices, last year was the time to close that gap. Better late than never!
Jef Kazimer@JefTek·
RIP Adam the Woo. 51 is so young to pass. We really enjoyed his travel and sharing his adventures.