In Microsoft 365 there is an option that allows Microsoft-certified solution providers (partners) to purchase and manage products and services for your organization or school. To enable these partners to manage your products and services you establish a partner relationship (invitation and redemption process). These permissions can be extremely far-reaching…

If you want to connect to Microsoft Graph using application permissions and a client certificate in Azure Automation PowerShell runbooks I found the approach below to be the best. Note: Two weeks after writing this blog, Managed Identities are now in public preview for cloud and hybrid Azure Automation jobs…

Introducing Conditional Access as Code. A fully automated solution to kick-start and maintain your Conditional Access deployment. The solution is published on GitHub and consists of three main components. Policy repository A collection of conditional access policies in JSON format. Policy sets Policy sets are based on the policies in the repository and form…

The blog series Part 1 — The basics Part 2 — Govern identity lifecycle Part 3 — Govern resource lifecycle Part 4 — Govern Azure AD B2B Part 5 — Govern access lifecycle Part 6 — Reach back to on-premises Let’s find out how to use Access Reviews and Entitlement Management for on-premises groups. Current situation In part five of my blog series I gave an overview of the…

The blog series Part 1 — The basics Part 2 — Govern identity lifecycle Part 3 — Govern resource lifecycle Part 4 — Govern Azure AD B2B Part 5 — Govern access lifecycle Part 6 — Reach back to on-premises If you are thinking about authorization management with Azure AD it is important…

This is a simple implementation proposal for Azure AD B2B life-cycle management with a sponsor per partner organization and fallback based on Azure AD Entitlement Management. For more information about the numerous possibilities for a B2B lifecycle in Azure AD please read my blog: Azure AD identity governance — Part…

Please make sure your conditional access policy for blocking legacy authentication includes Exchange ActiveSync clients. The previous guidance on https://docs.microsoft.com/ did not include Exchange ActiveSync, it is now updated: Block legacy authentication - Azure Active Directory To give your users easy access to your cloud apps, Azure Active Directory (Azure AD) supports a broad variety of…docs.microsoft.com

The blog series Part 1 — The basics Part 2 — Govern identity lifecycle Part 3 — Govern resource lifecycle Part 4 — Govern Azure AD B2B Part 5 — Govern access lifecycle Part 6 — Reach back to on-premises Azure Active Directory (Azure AD) business-to-business (B2B) is a powerful tool of the…

The blog series Part 1 — The basics Part 2 — Govern identity lifecycle Part 3 — Govern resource lifecycle Part 4 — Govern Azure AD B2B Part 5 — Govern access lifecycle Part 6 — Reach back to on-premises Govern resource lifecycle As already in the last part of this blog series, we are currently…