Entra ID

After diving into SharePoint, Active Directory & Microsoft Entra ID, formerly Azure Active Directory (AAD), became my entry to the Microsoft Security ecosystem.

Automate Accounts for Azure AD
Tags: Azure Active Directory (AAD), Security and Identity, SharePoint, SharePoint Online (SPO), Flow

David McWee ·

Azure AD's B2B capability is a really powerful way to leverage identities from outside of an organization, but is it the right solution for seasonal, temporary, or whitelisted employees? Maybe, maybe not, and if not then the creation of cloud-only accounts may require a time-consuming (possibly manual) request > approval > provision process.

The Identity stupid!
Tags: Azure, Azure Active Directory (AAD), Security & Identity

David McWee ·

James Carville's strategy for Bill Clinton's 1992 campaign was "The economy, stupid!" These three words left no doubt as to what was important, what to focus on, and the fact that getting the economy right would make everything else possible.

Azure AD MFA managed by User Account Administrator Role
Tags: Azure, Azure Active Directory (AAD), Security & Identity, conditional access, Microsoft

David McWee ·

Many organizations want to delegate enabling and disabling MFA for a user to their helpdesk, but the only RBAC role that allows MFA management is Global Administrator, and no one wants to grant helpdesk technicians Global Admin access to their tenant. However, there is a way around this RBAC limitation if your organization has Azure AD Premium.

O365 MFA vs Azure AD MFA
Tags: Azure Authenticator App, Multi Factor Authentication, Office 365, Azure, Azure Active Directory (AAD)

David McWee ·

As a Technical Solutions Professional at Microsoft who covers Identity and Security, I get a lot of questions about Office 365 MFA vs. Azure Active Directory MFA: the differences, the benefits, and what I suggest. Customers always assume that because I concentrate on the EMS stack Microsoft offers (Intune, Azure AD, Azure Information Protection) I recommend Azure AD MFA over Office 365 MFA, but the reality is that when customers really compare the experiences they will almost always go with Azure AD MFA.

SAML Security Vulnerability
Tags: Active Directory, Azure, Security & Identity, AAD B2C, AD FS

David McWee ·

Duo Labs announced on Feb 27th that it had discovered a [security vulnerability](https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations) in some SAML SSO providers. The outline of their public post showed how an attacker could authenticate to a SAML SSO provider and then manipulate the SAML response to impersonate a different user, thanks to differences in canonicalization algorithms.

ADFS: Certificate Authentication and a Dirty Certificate Store
Tags: AD FS, ADFS, CBA, Certificate Based Authentication, Client Certificate

David McWee ·

I often support ADFS configurations that are used to enable Client Certificate Authentication. Typically, these deployments are straightforward: we have certificates that cover the URLs ([sts url] and certauth.[sts url]; see [this article](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-requirements) for more details), we enable client certificate authentication, and it works.