Entra.Chat

Merill Fernando
Entra.Chat
Latest episode

59 episodes

  • Entra.Chat

    How to Secure Copilot Agents, Azure DevOps & Defender (+ more) with Maester 2.1 (Full Breakdown)

    02/05/2026 | 1 h 1 min
    Maester is back with one of its biggest releases since launch. In this episode, we are joined by Sam Erde, Architect at Patriot Consulting and one of Maester’s core maintainers, to walk through everything that’s landed in Maester 2.1.
    Since the December release, the community has shipped 540 new commits, grown the test suite from 128 to 168 tests, and added coverage across entirely new product areas.
    Here’s a taste of what’s covered:
    🤖 Securing Your AI Agents (Copilot Studio)
    With Microsoft’s Agent 365 going GA and organisations rapidly deploying Copilot Studio agents, Maester now includes tests based directly on Microsoft’s own recommendations for securing agents. Think orphaned agents with no owner, missing authentication on MCP connections, dormant agents, risky HTTP configurations, and agents shared too broadly. If you’re deploying agents in your tenant, these tests should be running.
    🔧 AI That Writes Its Own Security Tests
    One of the most exciting developments in this release isn’t a test, it’s a custom AI skill that writes Maester tests for you. Sam built a GitHub Copilot agent skill that understands Maester’s structure, coding conventions, and contributor guide. You describe a security check in plain English, and within minutes you get a properly structured test, helpers, and documentation. No VS Code required! You can do it straight from GitHub’s Agents tab or even the mobile app. The barrier to contributing to Maester just got a lot lower.
    🛡️ Defender for Endpoint Coverage
    Maester now includes 24 community-contributed MDE tests covering antivirus configuration, endpoint policy posture, cloud protection, behaviour monitoring, and PUA protection. Getting these tests into shape required the new AI skill to refactor months of pending work and it delivered.
    🔑 Azure DevOps Security (37+ New Tests)
    With AI-generated code accelerating supply chain risks, securing your DevOps pipeline has never been more critical. Maester 2.1 ships with 37+ new Azure DevOps tests, checking OAuth config, PAT token policies, external guest access, collection admin hygiene, and more.
    🔗 Linked Identity Checks for Privileged Accounts
    A new test surfaces a common blind spot: privileged admin accounts that remain active after their linked standard user account is disabled. If someone leaves your organisation and their cloud admin account stays enabled, Maester will now catch it.
    📋 CIS Benchmark Refresh & Conditional Access Improvements
    Community contributor Morten has refreshed the CIS benchmark tests to reflect the latest changes, plus improved the logic behind several conditional access policy checks, including automated tracking of Entra ID roles used in XSPM and commercial access quality checks.
    There’s a lot more covered in the full episode, including multi-tenant reporting updates, the new dev container for contributors, a surprisingly entertaining story about two AI models dissing each other’s code reviews, and a teaser for what’s coming in the next release.
    👉 Listen to the full episode for the deep dives, the war stories behind getting community PRs across the line, and Merill and Sam’s take on where AI fits into the future of security testing.
    Subscribe with your favorite podcast player or watch on YouTube 👇

    About Sam Erde
    Sam is an Architect at Patriot Consulting who focuses on performing security assessments, securing and deploying Microsoft 365, and writing PowerShell. He has been a critical pillar for the Maester community over the last year, helping heavily refactor the codebase and streamlining community contributions.
    LinkedIn - https://www.linkedin.com/in/samerde/
    Sponsored by:
    Would you bet your reputation on your current Microsoft 365 security posture?
    Sure, you’ve checked Purview. Maybe tightened Conditional Access. We all do that.
    But it’s usually the quiet stuff that bites... permissions that expanded, policies that drifted, exceptions nobody revisited.
    You could assume it’s fine.
    Or you could run the Microsoft 365 Security Posture Check.
    It’s free.
    It runs locally.
    And no, it doesn’t send your tenant data back to us.
    We’ll even help you set it up.
    🔗 Related Links
    * What’s new in Maester 2.1.0 - https://maester.dev/blog/whats-new-since-maester-2-0
    📗 Chapters
    00:00 Intro
    05:49 Securing Copilot Studio & AI Agents
    08:53 The Challenge with Defender for Endpoint Tests
    13:39 Using AI to Automate Writing Security Tests
    22:30 Dev Containers for Easy Contributions
    24:58 New Azure DevOps Security Checks
    31:02 Multi-Tenant Reporting & Xbox’s Secret
    37:00 Active Directory Tests & The Future of Hybrid
    43:00 The Long-Term Vision for Maester
    54:48 CIS Benchmarks & Linked Identity Tests
    Podcast Apps
    🎙️ Entra.Chat - https://entra.chat
    🎧 Apple Podcast → https://entra.chat/apple
    📺 YouTube → https://entra.chat/youtube
    📺 Spotify → https://entra.chat/spotify
    🎧 Overcast → https://entra.chat/overcast
    🎧 Pocketcast → https://entra.chat/pocketcast
    🎧 Others → https://entra.chat/rss
    Merill’s socials
    📺 YouTube → youtube.com/@merillx
    👔 LinkedIn → linkedin.com/in/merill
    🐤 Twitter → twitter.com/merill
    🕺 TikTok → tiktok.com/@merillf
    🦋 Bluesky → bsky.app/profile/merill.net
    🐘 Mastodon → infosec.exchange/@merill
    🧵 Threads → threads.net/@merillf
    🤖 GitHub → github.com/merill


    Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe
  • Entra.Chat

    What an ID Governance Consultant Wishes You Knew About Entra

    25/04/2026 | 46 min
    Identity Governance is often treated as a “nice-to-have” compliance checkbox, but as ID Governance expert Sandra Saluti reveals, it is actually the foundation of a secure, scalable environment. In this technical deep dive, we move past the marketing slides to discuss some of the common real-world “gotchas” that break Entra ID deployments.
    In this episode, you will learn:
    * The Golden Rule of Automation: Why you must stop using “presentation data” (like UPNs or Email addresses) as your anchor. We explain why the Object ID is the only immutable truth for your automation.
    * The “Marriage Bug”: A cautionary tale of how a simple name change can break hybrid joins and lead to accidental laptop wipes and how to prevent it.
    * The “Unsexy” Side of Governance: Why the most important part of your job isn’t writing PowerShell, but interviewing HR and stakeholders to map out process flow diagrams before you ever touch the portal.
    * Closing the “Rehire Gap”: How to solve the common crisis where contractors lose access for 48 hours during a renewal because of lifecycle synchronization delays.
    * Directory Extensions vs. Exchange Attributes: Technical advice on where to store your identity metadata for the most reliable governance.

    Sponsored by:
    Entra ID Gaps That Cause Outages
    In Microsoft Entra ID, outages often start small: an expired client secret, a lapsed certificate, or a suddenly failing integration. Traditional controls don’t track credential expiry or enforce application ownership, so issues appear only after something breaks.
    Teams are left asking:
    * Which applications can access Microsoft 365 data?
    * Is that access still appropriate?
    * Who owns the app?
    Unclear answers stall reviews, weaken accountability, and slow delivery.
    ENow App Governance Accelerator closes these gaps by highlighting expiring credentials, surfacing permission risks, and identifying ownership gaps before they disrupt operations. New Standard Tier pricing makes it accessible for organizations under 10,000 users, typically $3,500–$9,500 annually.

    About Sandra Saluti
    Sandra Saluti is a consultant at Epical working with Microsoft Entra ID and identity governance. She helps organisations design secure and practical identity solutions with a focus on governance, access management, and Zero Trust.
    LinkedIn - https://www.linkedin.com/in/sandra-saluti-6866a686/
    🔗 Related Links
    * Sandra’s Blog - https://agderinthe.cloud/author/sandra/
    📗 Chapters
    00:00 Welcome to Entra Chat
    03:18 Explaining Identity Governance
    08:51 Handling Late Hires and Rehires
    11:25 Using Directory Extensions Effectively
    18:50 Stop Targeting UPNs for Automation
    25:18 Managing Chaos with Guest Access Reviews
    30:56 Deciding Who Approves App Access
    33:51 Replacing Nested Groups with Access Packages
    39:29 Closing Thoughts and Community
  • Entra.Chat

    Stop Leaving the Door Open: The Entra ID Hardening Checklist Security Experts Actually Use

    18/04/2026 | 59 min
    Microsoft Entra security is evolving and the way organizations think about identity protection needs to evolve with it. In this episode, I’m joined by Sean Metcalf, one of the foremost identity security experts in the industry, whose work has helped shape how many organizations approach securing both Active Directory and Microsoft Entra.
    Sean shares the hardening steps many teams still overlook, and why advances in AI are making it easier for both defenders and attackers to work faster than ever before. From MFA and application controls to protecting privileged accounts and reducing unnecessary exposure, this conversation offers a practical look at where strong identity security starts and why getting the fundamentals right matters more than ever.

    About Sean Metcalf
    Sean Metcalf is the Identity Security Architect at TrustedSec and a renowned expert in Microsoft identity security. He holds the rare Certified Master in Active Directory certification and has spoken at major security conferences including Black Hat, DEF CON, and BlueHat on how to defend cloud and hybrid environments.
    LinkedIn - https://www.linkedin.com/in/seanmmetcalf/
    🔗 Related Links
    * Securing Entra ID Administration: Tier 0 - https://trustedsec.com/blog/securing-entra-id-administration-tier-0
    * Managing Privileged Roles in Microsoft Entra ID: A Pragmatic Approach - https://trustedsec.com/blog/managing-privileged-roles-in-microsoft-entra-id-a-pragmatic-approach
    * Improve Entra ID Security More Quickly - https://adsecurity.org/?p=4825
    * Microsoft Graph Skill - https://graph.pm
    📗 Chapters
    00:04:05 AI and the Evolution of Attacks
    00:06:42 The Importance of Hardening Fundamentals
    00:12:03 Securing Entra ID Quickly
    00:16:24 Protecting Tokens with VBS and TPM
    00:19:58 Restricting Consent and Guest Users
    00:23:40 Managing Rogue Tenants
    00:27:36 Cloud Admin Workstation Strategies
    00:34:14 Delegated Admin Privileges
    00:44:32 The Danger of Application Permissions
    00:57:06 Artemis Mission Trivia
  • Entra.Chat

    How to Design Bullet-Proof Conditional Access Policies in Microsoft Entra ID

    11/04/2026 | 56 min
    If you can’t immediately name your break glass accounts and the last time you tested them → you’re already at risk.
    In this episode of Entra Chat, Microsoft MVP Per Torben walks through the conditional access mistakes he sees even large enterprises making, and the practical framework he actually uses with customers.
    You’ll learn how to set up emergency access accounts the right way, why your CA policies should be built more like a firewall than a checklist, and the one naming convention that makes managing dozens of policies actually manageable.
    🎧 Hit play, your tenant will thank you.

    About Per Torben
    Per Torben is a Senior Architect at Crayon and a Microsoft MVP for Identity and Access. Based in Norway, he frequently writes highly-read posts featured on Entra.News and runs the collaborative tech blog “Agder in the Cloud”.
    LinkedIn - https://www.linkedin.com/in/pertorbensorensen/
    🔗 Related Links
    * Agder in the Cloud - https://agderinthe.cloud
    * I.D.E.A. for creating/configuring break-glass accounts
    * GitHub - https://github.com/Per-Torben/I.D.E.A.
    * Blog - https://agderinthe.cloud/2026/01/06/introducing-i-d-e-a-and-i-d-e-a-001/
    * Protected actions: https://agderinthe.cloud/2025/02/12/protected-actions-adding-extra-guards-to-your-entra-id-gate/
    * Conditional Access hardening (series): https://agderinthe.cloud/2024/12/05/how-to-fix-the-fundamental-flaw-in-conditional-access-part-1-introduction-and-coverage-gaps
    * CA geo filter (series): https://agderinthe.cloud/2025/11/06/diving-into-geo-filter-with-entra-conditional-access-part-1
    * Entra Backup - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/backup-restore
    📗 Chapters
    06:22 The importance of Break Glass accounts
    09:02 Securing emergency access with FIDO2 and RMAUs
    18:10 Configuring Conditional Access: The “Block by Default” strategy
    27:26 Managing scope and preventing accidental lockouts
    29:31 Persona-based naming conventions for CA policies
    35:38 Grouping settings and avoiding bloated policies
    41:54 Handling exceptions and travel access with Access Packages
    44:55 The flaw in Protected Actions for Conditional Access
    53:38 Using the new Entra Backup feature for quick restores
  • Entra.Chat

    5 Entra ID Updates You Can’t Afford to Ignore in 2026 (Backup, Governance, CA Agent & Risk Score Exposed)

    04/04/2026 | 1 h
    Microsoft just dropped a massive wave of features for Entra, and the rules of Tenant Governance have officially changed.
    Join us as we talk to three world-class MVPs about their hands-on experience with the new Entra Backup and Recovery and Tenant Governance features.
    Our Microsoft MVP guests Nathan McNulty, Ru Campbell, and Thomas Naunheim break down the most exciting new features in Microsoft Entra.
    In this episode, we explore:
    * The “Shadow Tenant” Problem: One org found 700+ Entra tenants they didn’t know they had.
    * Version Control for Admins: Why “Difference Reports” are a total game-changer for troubleshooting.
    * Recovery Safeguards: How to protect your tenant from accidental deletions and “sneaky” background changes.
    * Backup & Recovery: The truth about Entra Backup vs. Third-Party ISV tools.


    About The Guests
    Nathan, Ru, and Thomas are highly experienced MVPs specializing in identity security, governance, and Microsoft Entra.
    Nathan McNulty - LinkedIn - https://www.linkedin.com/in/nathanmcnulty/
    Ru Campbell - LinkedIn - https://www.linkedin.com/in/rlcam/
    Thomas Naunheim - LinkedIn - https://www.linkedin.com/in/thomasnaunheim/
    🔗 Related Links
    * Microsoft Entra Backup and Recovery Documentation - https://learn.microsoft.com/en-us/entra/backup/overview
    * Microsoft Entra Tenant Governance - https://learn.microsoft.com/en-us/entra/id-governance/tenant-governance/overview
    * Synced Passkeys - https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-passkeys-fido2
    * Microsoft Work IQ CLI (Public Preview) - https://learn.microsoft.com/en-us/microsoft-365/copilot/extensibility/workiq-overview
    * Playwright - https://playwright.dev/
    * Entra Auth Tracer (Chrome Extension) - https://github.com/darrenjrobinson/EntraAuthTracer
    * Unified Risk Score - https://learn.microsoft.com/en-us/defender-xdr/investigate-users#risk-score-tab-preview
    📗 Chapters
    00:00 Intro to New Entra Features
    02:04 Entra Backup and Recovery Deep Dive
    10:41 Difference Reports Explained
    15:54 Intro to Tenant Governance
    23:34 Managing Multi-Tenant Organizations
    33:31 Conditional Access Optimization Agent
    36:55 The Great Passkey Debate
    47:22 Retirements: SP-less Auth & ACS for SharePoint
    48:46 Unified Risk Score in Defender
    52:38 MVP Tips of the Week
About Entra.Chat

Entra Chat is a weekly podcast hosted by Merill Fernando that delivers practical insights for Microsoft administrators and security professionals through conversations with identity experts who've been in the trenches. Episodes feature seasoned Entra practitioners sharing real-world deployment experiences and Microsoft Entra team members who build the features you use daily. Get the inside track on best practices, implementation strategies, and upcoming capabilities directly from those who design and deploy Microsoft identity solutions. Join us for actionable takeaways you can apply immediately in your Microsoft 365, Azure, and Entra environments.

Entra.Chat, its content and opinions are my (Merill Fernando) own and do not reflect the views of my employer (Microsoft). All postings are provided “AS IS” with no warranties and are not supported by the author. All trademarks and copyrights belong to their owners and are used for identification only.

entra.news
Generated: 5/4/2026 - 12:46:38 PM