Chris Whitfield @merddyn
529 posts

I like pizza...I LIKE IT!! See ya Steve.

Dallas, TX · Joined Mar 2009
427 Following · 98 Followers

Chris Whitfield @merddyn
@techspence See this so often, and the service accounts that have DA rarely actually need it. People just use it as the easiest way to grant access to all systems. Security accounts are often the biggest offenders with tools that won’t allow separate accounts for scans.
spencer @techspence
Privilege and service account sprawl is very real in many Active Directory environments. Account audits seem silly and boring but what’s the alternative? You have 12 year old domain admin accounts with weak passwords that get cracked instantly after Kerberoasting…
Chris Whitfield @merddyn
@PrzemyslawKlys The chat bits in the IDE are fine, so long as I don’t have to keep clicking retry all the time, like I do with copilot. I’ve been making progress with Claude, but only because I keep buying extra for when I hit the time limit. Will check out codex, thanks!
Przemysław Kłys @PrzemyslawKlys
@merddyn Go with Codex, it's better. If you don't need a UI on a daily basis, it's the best driver.
Przemysław Kłys @PrzemyslawKlys
Claude just admitted to limiting plans during peak hours after a week of drama where even 3 prompts within 30 minutes can use up the 5h window on the Max plan. Here we have Codex: 2x usage for a month plus already, super stable, and when there's an issue they admit it and reset usage. Codex is my main gun! It just needs a bit more design/UI power to be 100%.

Quoting Vaibhav (VB) Srivastav @reach_vb:
meanwhile, you can enjoy Codex with 2x rate limits for the next week 24x7 across all ChatGPT subscriptions! npm i -g @openai/codex time to build is NOW!!
Przemysław Kłys @PrzemyslawKlys
Still more work to do, but the components look really nice. I like the blue thingy; I guess I want blur everywhere now.
Chris Whitfield @merddyn
@merill And sooooo many one-offs and what I like to call “rainy day” access because someone might theoretically need it…at some point…maybe
Merill Fernando @merill
Most people think identity = login. It’s not.
The hardest part of identity is what happens after login 👇
In enterprise environments, a single user might exist across:
• Active Directory
• HR systems
• SaaS apps
• Legacy databases
• Custom apps built 15+ years ago
👉 And somehow… all of these need to stay in sync. This is where most teams struggle. Provisioning. Governance. Connectors.
This week I sat down with @darrenjrobinson (20+ years in identity) and we broke this down. Here’s the simplest way to understand it:
🧠 Think of identity as a “central brain”
Every system has its own version of a user. Identity platforms (like Entra) try to create a single source of truth. But… they don’t “replace” other systems. They coordinate them.
🔗 So how does Entra actually connect to everything? Through connectors. These are translators that:
• Read users from systems
• Write updates back
• Map attributes (job title, department, etc.)
⚙️ What if there’s no connector? That’s where ECMA connectors come in. They let you:
• Connect to any system
• Use PowerShell / custom logic
• Handle legacy or “weird” apps
👉 This is how real enterprises actually function.
🔄 What happens when something changes? When a user is updated:
Entra evaluates rules (who should get access)
Sends instructions (via SCIM)
Connector translates it
Target system updates the user
Not instant. But fast enough + reliable.
🎭 The REAL complexity? Business logic. Examples:
• “Sydney users get different access”
• “Contractors expire after 30 days”
• “Finance needs 3 roles across 5 systems”
👉 This is where identity projects succeed or fail.
🛡️ Then comes Identity Governance. It answers: “Should this person STILL have access?” This includes:
• Access reviews
• Entitlement management
• Audit trails
💡 Biggest takeaway: Identity isn’t just auth. It’s:
→ Data movement
→ Business rules
→ Security enforcement
If you’re building or architecting with Entra… understanding this layer is what separates:
👉 “it works” from
👉 “it scales securely”
🎥 Watch the full podcast entra.news/p/from-fimmim-…
Chris Whitfield @merddyn
@mjovanovictech EF offers so many good things…too bad it doesn’t support graph DB on SQL (or anything else I suppose). In the age of AI and knowledge graphs, that’s still baffling to me.
Milan Jovanović @mjovanovictech
Here's a nice use case for EF interceptors: tracking when your entities were created or modified. You can use the ChangeTracker to check the entity state and set the appropriate fields. If you're always using this DbContext in an HTTP request, you can even pass in a UserId.
Chris Whitfield @merddyn
@guyrleech Yeah, I had to deal with a similar issue recently for Azure Files. Kerberos cloud trust, plus WHfB registry keys allowing Kerberos retrieval and, in some cases, host-to-realm mapping of the storage account to KERBEROS.MICROSOFTONLINE.COM.
Guy Leech @guyrleech
Got it working without further issues. FSLogix config on the client side is no different from when using (legacy?) AD.
Guy Leech @guyrleech
Just jumping through the multitude of hoops to try and get #FSLogix profiles working with pure Entra ID - anyone else managed this yet? Anyone written a guide?
Chris Whitfield @merddyn
So very frustrated right now. Within Entra, I can assign a custom role scope to a single device, but I can’t find a way to do the same via the Graph API. Am I just missing it? @NathanMcNulty or @merill? Tried xray, but saw nada.
Chris Whitfield @merddyn
@NathanMcNulty @merill I made a role for accessing the LAPS password of devices. In the portal, I can scope a role assignment to a single device, but trying to do the same via API just results in an error indicating the resource can’t be found.
Nathan McNulty @NathanMcNulty
@merddyn @merill I don't have any custom roles for devices right now, but you mean right here? I can create a custom role and take a look later today; just want to make sure I understand. Scoping permission grants, I think, did something with the directory objects endpoint instead of the device object.
Chris Whitfield @merddyn
@techspence @UK_Daniel_Card A boulder in motion tends to stay in motion until acted on by an outside force…and THEN you have to figure out how it works so you can fix it.
spencer @techspence
@UK_Daniel_Card More to my core point here: if you know you don't want to touch it, you likely know there are problems that could bite you at any given moment.
spencer @techspence
If it works, but no one wants to touch it, it probably won't be working for long.
Chris Whitfield @merddyn
@RudyHuyn Kind of sad to see Microsoft coming out with so many independent CLI implementations instead of PowerShell. Starting to feel like the Resource Kit days.
Rudy Huyn @RudyHuyn
All Microsoft Store capabilities are now available directly from the command line! Originally built as an internal tool for large-scale testing and data validation, it proved too powerful and practical to remain internal, so we are now making it available to everyone! From your terminal, simply type 'store' to: 🔍 Search for apps or games 🧭 Browse categories 🏆 Explore top charts 🧵 View apps by publisher 🛠️ Install, update, and manage apps and all other features provided by the Microsoft Store app.
Quoting Giorgio Sardo @gisardo:
Announcing new developer tools on the Microsoft Store. Check out what's new across developer analytics, web installer and Store CLI. blogs.windows.com/windowsdevelop… #Windows #MicrosoftStore
EZ @IAMERICAbooted
I've been testing a feature the past couple of weeks in a pilot. Tomorrow, I'm going to recommend we scratch it. During testing, additional risks were identified which outweigh the benefits, imo. This is why I don't skip on testing.
spencer @techspence
@merddyn That is certainly also a “cost”, but the orgs I see are putting all their eggs in a few baskets and completely missing a large chunk of threats because of it. E.g. they have firewall, EDR and email security, and that’s pretty much it.
spencer @techspence
If I were an IT admin, would I move away from Active Directory? Obviously it depends on a ton of factors. I may be alone in this, but I do believe Active Directory can be defensible. Now, that does come at a rather extreme cost. I’ve never sat down and run the numbers, but the capabilities you need to secure and defend AD “properly” are likely out of reach for most orgs who still have on-prem.
EZ @IAMERICAbooted
Why are people implementing CAPs in prod without change control, outside of report-only mode? Idk what it's like where you are, but when I was a Global Admin, we didn't do that without talking to the other Global Admins first and lots of testing. I've broken people's access before. Shot happens. Thankfully with CAPs, rollbacks are pretty fast.
EZ @IAMERICAbooted
Here's a real-life example of why you need what Microsoft calls expert-level skill in administration of ALL of M365 to do M365 security:
We are testing a new config in SharePoint. To do this, I need to know what roles I need to do the work:
SharePoint Admin - required for changes and test site creation
Groups Admin - need to create security groups
Global Reader - need to look at other configs and various logs when something goes wrong
Compliance Admin - I need to look at the Activity Explorer to see how changes affect labeled document tracking, create DLP policies, run specific UAL queries.
The change is implemented in dev but it fails for a couple of specific use cases. I need to figure out why. I look at what the users are saying, read error traces, etc.
1st user: was a problem due to limitations of technology with a specific Intune MAM policy.
2nd user: was a problem with a B2B config that was blocking certain users from a specific tenant.
Preventative security configuration management requires this level of troubleshooting. It ALWAYS has user experience issues which come from various other admin center configs. Also, you will never uncover all the problems that will occur prior to implementing a change like this.
To work in the heartbeat of the org, you need to have expert-level admin skills, or problems like these will trip you up and slow down the org's initiatives. You have to know how to troubleshoot.
Chris Whitfield @merddyn
@IAMERICAbooted Unfortunately, they elected not to consult anyone else because they thought they knew it all. I do not expect them to know everything…I expect them to collaborate, but that “takes too much time”.
EZ @IAMERICAbooted
@merddyn Did you explain to them how enabling the CAP would break things? Do you know everything? If not, why would you expect them to?
Przemysław Kłys @PrzemyslawKlys
I'm continuing improvements to TestimoX Monitoring. Not only from the functional side, but also making sure to support light and dark modes, and targeting accessibility for those who need it.
Chris Whitfield @merddyn
I don’t know who needs to hear this, but service accounts should NEVER be in Domain Admins or pretty much any other built in groups. If you have a tool that needs access to DCs, use agents running as system. For everything else, delegation is key.
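The Kerberoasting post by @techspence and the "service accounts should never be in Domain Admins" rule above describe a condition that can be checked directly in your own domain. The PowerShell below is an added audit example, not code from either author: it walks the built-in privileged groups (an assumed list) and reports members that carry an SPN or have a password older than an assumed 365-day threshold, assuming the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example (not from any post on this page): audit built-in privileged AD groups
# for service-style accounts that a Kerberoasting attack would target.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Assumed list of built-in groups that should not hold service accounts.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                      'Schema Admins', 'Account Operators', 'Server Operators',
                      'Backup Operators', 'Print Operators')
$StaleDays = 365   # assumed threshold; align with your password policy

$Findings = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirect membership is caught too.
    $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
               Where-Object { $_.objectClass -eq 'user' }
    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.distinguishedName `
                    -Properties servicePrincipalName, PasswordLastSet, LastLogonDate
        $HasSpn = ($User.servicePrincipalName | Measure-Object).Count -gt 0
        $PwdAge = if ($User.PasswordLastSet) {
            (New-TimeSpan -Start $User.PasswordLastSet -End (Get-Date)).Days
        } else { $null }   # null means the password has never been set or is unreadable

        # Report only what matters: an SPN on a privileged account exposes a
        # ticket any domain user can request and crack offline; an old password
        # raises the odds that crack succeeds. Either one is a remediation item.
        if ($HasSpn -or $null -eq $PwdAge -or $PwdAge -ge $StaleDays) {
            [pscustomobject]@{
                Group           = $Group
                SamAccountName  = $User.SamAccountName
                Enabled         = $User.Enabled
                HasSPN          = $HasSpn
                PasswordAgeDays = $PwdAge
                LastLogonDate   = $User.LastLogonDate
            }
        }
    }
}

# SPN-bearing accounts first, then the oldest passwords.
$Findings | Sort-Object HasSPN, PasswordAgeDays -Descending | Format-Table -AutoSize
```

An account that appears in several groups is listed once per group; the fix for each row is the one the post describes, moving the tool to an agent running as SYSTEM or to a delegated, narrowly scoped account rather than a built-in group.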