Author
MU.A
Microsoft 365 / Entra Engineer
MU.A works hands-on with Microsoft 365, Microsoft Entra ID, Conditional Access, hybrid identity, and tenant operations. Articles on Sentinel Identity are written from the operator's seat — what the control actually does, how it fails in production, and how to remediate without guessing. Every published article is sourced against Microsoft Learn and reviewed before publication.
Articles by MU.A
51 published- What is Active Directory? A Complete Beginner's Guide (Coffee Included)
Ever wondered how a company with 5,000 employees magically makes everyone's login work on every computer? Or how your work laptop just knows what printer to use, what network drive to mount, and what apps you're allowed to open? That's Active Directory doing its thing behind the scenes. Grab a coffee. We're going to demystify the single most important piece of enterprise IT you've never seen — and by the end you'll actually get it.
- AADSTS53003: Access Has Been Blocked by Conditional Access Policies — How to Read It, Trace It, and Fix It
AADSTS53003 is the error users see when a Conditional Access policy stopped them from signing in. The error itself is deliberately vague — the actual reason is buried in the sign-in log entry for that attempt. Here's how to find the log entry, decode which policy blocked the sign-in and why, and work through the five most common causes.
- Six Books That Made Me a Better Identity Engineer
Blog posts and Microsoft Learn will teach you how to configure a feature. Books are what teach you how the feature actually works, which is what you need when the configuration doesn't behave the way the docs promised. Here are the six books that had the most impact on how I think about identity — from a canonical AD reference to a distributed-systems textbook — and why each of them earned a permanent shelf position.
- A Minimum-Viable Windows Server Home Lab for Practising Active Directory
You've read the Microsoft docs. You've watched the videos. It hasn't stuck. The reason it hasn't stuck is that Active Directory is a hands-on discipline and reading about it is not the same as breaking and fixing it yourself. Here's the smallest useful home lab that will let you actually practise — hardware, software, topology, and the first ten exercises to run through.
- Choosing a FIDO2 Security Key for a Microsoft Entra Passkey Rollout: A Practical Comparison for Admins
You've decided to roll out phishing-resistant authentication on Microsoft Entra. Now you need to pick a security key that will actually work end-to-end for your users, survive an enterprise deployment, and not bankrupt the security budget. Here's what to look for, what to avoid, and how five popular keys compare in practice.
- Access Reviews in Microsoft Entra: What They Are, How They Work, and How To Set One Up That Actually Closes the Loop
An access review is the feature that periodically asks someone (usually a manager) to confirm that the people who have access to a group, role, or application still need it. Sounds simple. The configuration choices that decide whether the loop actually closes — what to scope, who to ask, what happens when reviewers don't respond — are where the value lives. Here's the full picture, from what the feature is to how to operate it in production.
- Forwarders, Conditional Forwarders, and Stub Zones in Windows DNS: What Each One Is, How They Differ, and How To Pick the Right One
Three different mechanisms in Windows DNS that all route queries to another DNS server, all sound similar, and all solve different problems. Standard forwarders are the catch-all for everything the server doesn't own. Conditional forwarders route specific domains to specific upstreams. Stub zones cache the authoritative nameserver list for an external zone. Picking the wrong one produces silent resolution failures. Here's the decision tree for someone seeing these terms for the first time.
- Root Hints in Windows DNS: What They Are, How Recursion Uses Them, and When To Clear the File
Every Windows DNS server ships with a list of thirteen root nameservers baked in. The list is the bootstrap that lets the server resolve any name on the public internet without depending on an upstream resolver. Most admins never touch it. In two specific situations — split-brain environments and resolvers that shouldn't reach public DNS at all — leaving the default in place is actively wrong. Here's what root hints actually do, when they help, and when to empty the file.
- Windows DNS Server Configuration: What the Server-Level Settings Actually Do, and How To Harden a Fresh DNS Server in Ten Minutes
Most Windows DNS servers run on defaults that worked fine in 2008 and haven't really been revisited. A handful of those defaults — open recursion, no cache-pollution protection, no scavenging, listening on every interface — don't hold up in a modern enterprise threat environment. Here's what every server-level DNS setting actually does, and a baseline configuration sequence that takes a fresh DNS server from 'installed' to 'production-ready' in about ten minutes.
- Reverse Lookup Zones in Windows DNS: What PTR Records Are, When You Actually Need Them, and How To Set Them Up Without Surprises
A reverse lookup zone is the database on a DNS server that answers the opposite question from a forward zone — instead of 'what's the IP for this name,' it answers 'what name belongs to this IP.' Most clients don't query reverse DNS often, but the ones that do (mail systems, RDP, audit tools, monitoring) fall over noisily when reverse zones are missing or wrong. Here's the full picture, from what a reverse zone is to how to set one up across odd subnet boundaries.
- Forward Lookup Zones in Windows DNS: What They Are, How AD-Integrated Zones Work, and How To Set One Up Properly
A forward lookup zone is the database on a DNS server that answers 'what's the IP address for this hostname.' In a Windows Server environment running Active Directory, the choices you make when creating that zone — primary vs secondary vs AD-integrated, who replicates it, who can update records in it — determine whether your forest is robust or fragile for years afterward. Here's the full picture, written for someone who knows DNS exists but hasn't actually configured a Windows DNS server before.
- Microsoft Entra Permissions Management: CIEM Across Azure, AWS, and GCP
The gap between permissions granted and permissions used is the cloud security metric nobody can produce on demand. Identities have ten times the permissions they actually exercise, the over-grant accumulates silently, and the next breach lateral-moves on capabilities the compromised account never legitimately needed. Permissions Management is Microsoft's CIEM answer — and a measured rollout is what makes it useful instead of overwhelming.
- Entitlement Management and Access Packages: The Lifecycle Loop That Doesn't Drift
Access in any tenant past a few hundred users always drifts. Someone leaves a project, nobody removes them from the SharePoint group. Six months later you discover thirty old contractors still in a finance distribution list. Entitlement Management is the answer that's supposed to make that not happen, and it works when you set it up right.
- Privileged Identity Management for Entra Roles: The Setup That Doesn't Backfire
PIM is one of those features that looks simple in the demo and is humbling in production. The shape that works: eligible-only assignments, justified activations with MFA, narrow approver pools for the most sensitive roles, monitored activations, and a rule everyone forgets — break-glass accounts stay outside PIM, on purpose.
- Conditional Access Authentication Context: Step-Up Auth Without Policy Sprawl
You don't actually want to require phishing-resistant MFA for every sign-in. You want it when the user reaches for a sensitive SharePoint site, activates a PIM role, or runs an action your app considers high-value. Authentication context is the dial that lets you target the step-up at the action instead of the app — and it's underused.
- Sign-in Risk and User Risk in Microsoft Entra ID Protection: A Working Setup, Not a Slide Deck
The two-policy pattern everyone half-implements: require MFA on medium sign-in risk, require password change on high user risk. The interesting part is the rest — what the signals actually catch, how to tune so the help desk doesn't drown, and the remediation flow that closes the loop without an analyst staring at a queue.
- Microsoft Entra Internet Access: What It Actually Is, When To Use It, and How To Plan a Rollout
An operator's guide to Microsoft Entra Internet Access — the identity-aware SSE for outbound internet and SaaS traffic. What problem it solves, how it compares to Defender for Cloud Apps, the rollout sequence, and the policy patterns that actually work.
- Replacing a Legacy VPN with Microsoft Entra Private Access: A Practitioner's Rollout Guide
The VPN concentrator is end of life, the renewal quote is unreasonable, and somebody noticed that authenticating fifteen thousand users against a single appliance to reach forty private apps isn't a model anyone would design today. Here's the practitioner's view of replacing it with Entra Private Access, including the deployment order that doesn't strand users.
- Cross-Tenant Synchronization in Microsoft Entra: Multi-Tenant Identity Lifecycle Without the Manual Work
Cross-Tenant Synchronization (CTS) replaces the manual B2B invite-and-redeem dance with automatic identity provisioning between two Microsoft Entra tenants. This is the operator's view: source and target tenant configuration, sync scope, deprovisioning, and the gotchas that bite real deployments.
- Federated Identity Credentials: How To Stop Holding Client Secrets for Your CI/CD Pipelines
The pattern of generating a client secret, pasting it into GitHub Actions, and forgetting about it for two years is the credential pattern every security team wants gone. Federated Identity Credentials are how it actually goes away. Here's the trust model, the setup for GitHub, Azure DevOps, and Kubernetes, and the audit query that proves you got rid of the secrets.
- Shared Mailbox Not Showing Up in Outlook? Here's How To Walk the Five Things That Might Be Wrong
The shared mailbox isn't there. Or it's there but Send As fails. Or sent items keep landing in the user's own folder. Same complaints, different layers. Here's the diagnostic order, the PowerShell that fixes the permission side, and the Outlook cache habit that resolves most of the rest.
- The Shared Mailbox Just Isn't There: Why Outlook Refuses To Show It, and What Actually Fixes It
Full Access was granted three days ago, other people see the mailbox, this one user doesn't. Restart didn't help. Patience didn't help. The fix the help-desk article suggests is to rebuild the profile, which works often enough that everyone accepts it as the answer. That isn't the actual answer. Here's what is.
- Shared Mailbox 'You Don't Have Permission' Error in Microsoft 365: Diagnostic Path and Fixes
The user clicks the shared mailbox and Outlook says 'You don't have permission.' Walk the access-flag hierarchy, deny-permission precedence, ACL inheritance, and the licensing trap that produces the same error message.
- Send As Looks Granted But the Send Still Fails: Why, And How To Fix It
The permission shows up in the admin centre. Propagation has long since finished. The user still gets 'The message could not be sent.' Almost always one of three things — confused with Send on Behalf, lost in Outlook's auto-complete cache, or pointing at a stale identity after a primary SMTP change. Here's the diagnostic and the PowerShell that closes most of these tickets.
- Microsoft 365 Distribution List or Dynamic Group Membership Not Updating: Diagnosing the Cache, Filter, and Sync Layers
Members were added but mail isn't reaching them. Dynamic group filter was changed but the group looks the same. Walk the three sync clocks (Entra Connect, EXO directory, EXO recipient cache) and the filter scope gotchas that produce these failures.
- Out of Office Not Sending in Microsoft 365: Why Automatic Replies Stop Working and How to Fix Them
OOF is turned on but external senders aren't getting replies. Walk the external-replies toggle, the once-per-sender rule, the spam-filter override, transport rules that suppress OOFs, and the remote domain configuration that controls everything.
- "Works in Edge but Not in Chrome": Conditional Access Browser Support, Explained
The same user signs in fine from one browser and gets blocked from another on the same laptop. The policy didn't change, the user didn't change, the device didn't change. So what changed? Almost always, the device evidence the browser session carried. Here's the actual model, the five failure modes that account for most of it, and the KQL to spot the pattern at scale.
- SPF, DKIM, and DMARC for Microsoft 365: A Working Guide to Getting Email Authentication Right
The wizard makes adding a domain to Microsoft 365 look like a checklist. Then six months later marketing wonders why their broadcasts are landing in spam. Here's the order to configure SPF, DKIM, and DMARC for an EXO tenant, the seven mistakes I see most often, and the staged DMARC enforcement that doesn't break payroll.
- Why Outlook Keeps Asking for Your Password (And How To Make It Stop)
The password is right. OWA works first try. Outlook prompts again anyway. The loop that defeats password managers and makes people use the web app all day. It's almost always one of five things, none of which a user can diagnose, all of which take a minute to fix once you know which one it is.
- OneDrive and SharePoint Access Denied in Microsoft 365: The Sharing Model Diagnostic
Access denied after a sharing change, broken inheritance, external sharing disabled at the tenant level, and the Conditional Access policy that produces the same error. Walk the four layers of SharePoint permission and the OneDrive sync states that surface as access errors.
- Reading the Conditional Access Sign-in Log: A Working Field Guide
Someone can't get into Outlook. Conditional Access blocked them. Most of us reach for the policy editor first, and that's the wrong tab. Here's how to read the sign-in log the way the engine actually wrote it, with KQL, AADSTS codes, and the short decision tree that closes most CA tickets in five minutes.
- Passkey Registration on Windows, iOS, and Android: What Actually Happens, and Why It Sometimes Doesn't
Passkey registration in Microsoft Entra looks like four taps in the demo. The production reality is a credential-issuance workflow with four checks running underneath. Here's the decision tree, the platform-specific failures I see most often, and a Graph-driven inventory of what your users have actually registered.
- When the Passkey Option Won't Appear in Microsoft Entra Security Info: A Walkthrough That Closes Most Tickets in Two Minutes
The passkey option isn't in Security info. Or it's there but the registration fails silently. Or it works for one colleague and not the next on the same device. Seven different failures wearing the same coat. Here's how to identify which one, with a Graph-based diagnostic script and the policy design that prevents most of them from happening at all.
- How To Roll Out MFA in Microsoft 365 Without Locking Out the CEO on a Monday Morning
MFA in a small tenant is a Saturday evening. In a real one with hybrid identity, legacy clients, service accounts, and a help desk that's already backed up, it's a months-long programme. Here's the ring-based rollout that gets you to phishing-resistant MFA without an inbox full of lockout tickets.
- Microsoft Entra Backup and Recovery: Operating Model, Incident Playbook, and the Limits Microsoft Doesn't Lead With
An operator's view of Microsoft Entra Backup and Recovery — what it can and cannot do, where it differs from on-prem AD backup, an incident response playbook for accidental bulk changes, and a separation-of-duties workflow for multi-team recovery approval.
- What Actually Happens When You Disable an Entra User: Tokens, Revocation, and Continuous Access Evaluation
Someone gets disabled in Entra and stays in Teams for forty-five minutes. Someone else's session vanishes in under sixty seconds. The difference is whether both ends speak CAE, plus a few things the documentation describes in isolation. Here's the operational model that explains both.
- Hybrid Microsoft Sign-In Architectures Compared: PHS, PTA, Federation, and AD FS
A technical guide to Password Hash Synchronization, Pass-Through Authentication, and federation with AD FS or PingFederate, centered on where validation really happens.
- Federation and Token Protocols Explained: SAML, WS-Fed, OAuth 2.0, and OpenID Connect for Microsoft Entra
A technical guide to SAML, WS-Federation, OAuth 2.0, and OpenID Connect, focused on trust transfer, actor roles, and what the backend is validating.
- Core Authentication Methods in Microsoft Identity: Kerberos, NTLM, LDAP, Passkeys, Certificates, and Windows Hello
A technical guide to Kerberos, NTLM, LDAP bind, passkeys, certificate-based authentication, and Windows Hello for Business, focused on what each method proves and how the backend validates it.
- Microsoft Authentication Protocols and Sign-In Models: From Kerberos to OpenID Connect on Microsoft Entra
A technical guide to the major authentication protocols and sign-in models used in Microsoft environments, including Kerberos, NTLM, LDAP bind, SAML, WS-Federation, OAuth 2.0, OpenID Connect, passkeys, certificate-based authentication, AD FS, and Microsoft Entra sign-in models.
- Microsoft Entra Agent ID: Security Architecture, Conditional Access, and Governance for AI Agents
A technical guide to Microsoft Entra Agent ID, including the agent identity model, Conditional Access enforcement, identity governance, risk detection, and network-level controls for AI agents.
- Microsoft Entra Passkey Sign-In Compatibility: Browser, OS, and Cross-Device Matrix for Rollout Planning
A technical guide to Microsoft Entra passkey sign-in, including same-device and cross-device flows, compatibility dependencies, and rollout design.
- Microsoft Entra Passkey Policy in Practice: Profiles, AAGUID Allowlists, and Attestation Trade-offs
A technical guide to Microsoft Entra passkey profiles, AAGUID restrictions, attestation behavior, and the control-plane logic behind passkey governance.
- AADSTS50020: Why External User Sign-Ins Fail in Microsoft Entra and How to Fix Them
A detailed technical guide to AADSTS50020 in Microsoft Entra ID, including resource-tenant identity resolution, invitation redemption, cross-tenant access, and external identity design.
- Windows Device Join and Registration Failures in Microsoft Entra: A Diagnostic Walkthrough
A detailed technical guide to Microsoft Entra join and registration failures on Windows, including device registration service flow, pending objects, dsregcmd analysis, and downstream impact on compliance and PRT.
- Microsoft Entra Primary Refresh Token (PRT) Failures on Windows: Reading dsregcmd Output and Fixing the Common Causes
A detailed technical guide to Microsoft Entra Primary Refresh Token failures on Windows, including dsregcmd analysis, device trust, broker behavior, network dependencies, and remediation design.
- Why a Compliant Device Still Gets Blocked by Microsoft Entra Conditional Access — and How to Diagnose It
A detailed technical guide to why Microsoft Entra can block a sign-in from an Intune-compliant device, including device identity proof, browser support, client certificate behavior, and Conditional Access evaluation.
- How Microsoft Entra Passkeys Work: Architecture, Registration, and Policy Controls
A technical guide to Microsoft Entra passkeys for administrators, including passkey types, registration flows, Authentication Methods policy, Conditional Access, and deployment design.
- Microsoft Entra Passkey Troubleshooting: Common Sign-In Failures and Their Root Causes
A technical troubleshooting guide for Microsoft Entra passkeys covering registration failures, Conditional Access loops, Bluetooth issues, orphaned passkeys, compatibility gaps, and Authenticator-specific problems.
- Access Tokens vs Refresh Tokens in Microsoft Entra: Lifetime, Storage, and Trust Boundaries
An engineering-level explanation of access tokens and refresh tokens in Microsoft Entra ID, including token ownership, lifetime, renewal, revocation, and common troubleshooting patterns.
- Inside the Microsoft Entra Conditional Access Evaluation Pipeline: How Policies Decide Token Issuance
A top-to-bottom engineering explanation of how Microsoft Entra Conditional Access evaluates scope, combines controls, and influences token issuance.