Entra @ McDonald's: Managing 2.2 million workforce identities in the cloud
George Roberts, Director of Identity Governance and Administration at McDonald's, shares his extensive experience in migrating the company's workforce identity platform from on-premises ADFS to Microsoft Entra. We also talk about challenges like handling unique frontline worker needs (including a creative paper-based MFA solution) and integrating with various applications.

About George
George Roberts is the Director of Identity Governance and Administration at McDonald's, where he leads a global team responsible for building and delivering the enterprise identity and access platform to support over 2 million employees, partners, franchisees, and restaurant staff users worldwide. George has over 25 years of experience delivering secure, scalable, and user-friendly solutions that help McDonald's to accelerate its business. All views expressed are his own.
* LinkedIn - https://linkedin.com/in/sirtwist
* Bluesky - https://bsky.app/profile/sirtwi.st

🔗 Related Links
* Custom claims provider - https://learn.microsoft.com/en-us/entra/identity-platform/custom-claims-provider-overview
* Manage an external authentication method in Microsoft Entra ID - https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-external-method-manage

📗 Chapters
00:00 Intro
00:30 Overcoming ADFS Custom Claims Roadblock
01:35 Global Footprint and MFA Challenges for Frontline Workers
03:20 Guest Introduction: George Roberts, McDonald's
04:07 George's Background and Role at McDonald's
06:42 McDonald's Identity Journey: Decentralization to Centralization
08:38 The Entra (Azure AD) Migration Begins
13:04 Operational Benefits and Challenges of Moving to Entra
16:55 Deep Dive: Custom Claims and the Virtual Directory Service
23:56 Shift to API-First Mindset and Standards (SCIM)
32:46 Major Challenge: MFA Solutions for Frontline Workers
37:27 The Paper-Based MFA Solution
40:03 Entra External Authentication Methods
46:02 Ideas for Device-less Frontline Authentication
50:12 Onboarding Speed Challenges in Restaurants
58:06 Advice for Other Organizations: Change Management and Planning
1:05:07 Anticipating Relief from Decommissioning ADFS

Podcast Apps
🎧 Apple Podcast → https://entra.chat/apple
📺 YouTube → https://entra.chat/youtube
📺 Spotify → https://entra.chat/spotify
🎧 Overcast → https://entra.chat/overcast
🎧 Pocketcast → https://entra.chat/pocketcast
🎧 Others → https://entra.chat/rss

Merill's socials
📺 YouTube → youtube.com/@merillx
👔 LinkedIn → linkedin.com/in/merill
🐤 Twitter → twitter.com/merill
🕺 TikTok → tiktok.com/@merillf
🦋 Bluesky → bsky.app/profile/merill.net
🐘 Mastodon → infosec.exchange/@merill
🧵 Threads → threads.net/@merillf
🤖 GitHub → github.com/merill

Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe
--------
1:07:52
Inside Entra Sync: Dhanyah, the Microsoft PM for Entra Connect & Cloud Sync Reveals All
Join us for a conversation with Dhanyah Krishnamoorthy, Product Manager at Microsoft, as she discusses Microsoft Entra Connect Sync and Cloud Sync solutions for synchronizing on-premises Active Directory identities to Entra ID. Learn about Microsoft's overall strategy for syncing and what you can do to prepare for the future, including security considerations and scaling guidance.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Dhanyah
Dhanyah Krishnamurthy is a Principal Product Manager in the Microsoft Entra product group. For the past four years, Dhanyah has focused on hybrid identity scenarios, leading the product management for critical services that help organizations manage identities between on-premises Active Directory and the cloud. She specifically owns Microsoft Entra Connect Sync and the newer Microsoft Entra Cloud Sync capabilities, designing solutions to streamline identity provisioning, enhance security, and support complex scenarios like mergers and acquisitions.
* LinkedIn - https://www.linkedin.com/in/dhanyah

🔗 Related Links
* Hybrid Identity - https://learn.microsoft.com/en-us/entra/identity/hybrid/
* Comparison between Microsoft Entra Connect and cloud sync - https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/what-is-cloud-sync
* Topologies for Microsoft Entra Connect - https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-topologies
* Factors influencing the performance of Microsoft Entra Connect - https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-performance-factors
* Group writeback with Microsoft Entra Cloud Sync - https://learn.microsoft.com/en-us/entra/identity/hybrid/group-writeback-cloud-sync

📗 Chapters
00:00 Intro
03:16 Why Two Sync Solutions? Connect Sync vs Cloud Sync History
05:17 Benefits of Cloud Sync vs Connect Sync
06:23 Cloud Sync Advantage: Mergers & Acquisitions
08:16 Cloud Sync Advantages: Lightweight, High Availability, Simplicity
10:17 Shared Provisioning Agent Benefits
10:59 Future Plans: Investing in Cloud Sync
12:11 Coexistence: Using Cloud Sync & Connect Sync Together
13:25 Getting Started with Cloud Sync: Group Writeback & Acquisitions
15:56 Choosing the Right Tool: When to Use Cloud Sync
16:34 Using the Sync Wizard for Recommendations
18:03 Operational Differences & Admin Roles
19:53 Group Writeback Scaling Considerations
22:31 Common Customer Issues: Topologies & Configuration
25:36 Scaling Guidance: When to Worry About Performance
29:12 Security Considerations: Connect Sync vs Cloud Sync
30:41 Connect Sync Security Hardening & Updates
33:40 Cloud Sync Security & GMSA Accounts
35:16 Final Thoughts & Call to Action
--------
38:33
Securing a Global Giant: Inside IKEA's Identity Strategy with Martin
In this insightful discussion, Martin Sandren from IKEA joins Entra Chat to discuss the evolving landscape of IAM. The episode covers critical considerations for modern identity strategies, including the trade-offs between syncable and device-bound passkeys, the necessity of robust regression testing for Conditional Access, and advancements in identity proofing methods.

About Martin Sandren
Martin Sandren is the IAM Lead at Inter IKEA, overseeing the systems that support IKEA's worldwide presence. His extensive background includes over twenty years of experience as an IAM product lead, architect, engineering manager, and developer. Beyond his role at IKEA, he is actively involved in the identity community as a frequent speaker at international conferences and a founder of the Digital Identity Amsterdam meetup and the Amsterdam chapter of IdentiBeer, and is active within the idNext foundation and IDPro.
* LinkedIn - https://linkedin.com/in/martinsandren/

🔗 Related Links
* IAM Conferences in Europe

📗 Chapters
00:00 Intro
02:51 Martin's Journey into Entra & Early IAM Experiences
05:35 Early Entra Wins: Simplified Sign-in Logging
07:02 Value of Microsoft's Preview Feature Model (Private/Public/GA)
09:39 Evolution of Federation: SAML/OIDC Then vs Now
13:22 The Rise of SCIM for User Provisioning
14:47 Cloud Standardization vs On-Prem Customization Trade-offs
16:48 Identity Governance & Multi-Tenant Organizations (MTO)
19:01 The Power & Complexity of Conditional Access
20:23 Resilience & Offline Scenarios in IAM
23:12 Challenges with Guest User Management & Governance
26:16 Cross-Tenant Sync vs Connected Organizations
27:49 The "Schrodinger's Cat" Problem with Guest Accounts
30:58 Mastering Conditional Access Policies: Best Practices & Pitfalls
32:41 Shifting Security Focus: From Network to Identity Defense-in-Depth
34:04 Adapting Security for Different User Populations (Frontline Workers)
35:21 Leveraging ITDR, Risky User Signals & Red Teaming
38:00 Importance of Regression Testing CA Policies (Maester Tool)
39:08 Edge Cases: SSPR & Certificate-Based Authentication Conflicts
40:37 Securing Conditional Access Group Memberships
42:40 Identity Proofing, Onboarding & Phishing Risks
46:01 Wishlist: Granular Read Permissions in Entra
48:36 Passkeys & Phishing-Resistant MFA: Progress & Challenges (Android Usability)
50:01 Strategy: Syncable vs Device-Bound Passkeys
51:58 Embracing Standards: SSF & CAEP Protocols
53:04 Advice for Newcomers to the Identity & Access Management Field
54:55 Closing Remarks
--------
55:07
What nobody tells you about managing Microsoft 365 guest access with Samantha
In this episode we discuss the evolution of guest access from SharePoint to Entra ID, the challenges of managing guest identities, and the importance of security and governance. Our conversation covers key topics including cross-tenant access settings, identity governance, B2B direct connect, and licensing considerations. Samantha also shares practical advice and best practices for organizations to secure their tenants and streamline external collaboration.
* LinkedIn - https://www.linkedin.com/in/samkloos/

🔗 Related Links
* Overview: Cross-tenant access with Microsoft Entra External ID
* Cross-tenant access activity workbook
* B2B direct connect overview
* Entra Security Recommendations

📗 Chapters
00:00 The Evolution of Guest Access
04:49 Guest Access Settings and Best Practices
23:00 Cross Tenant Access Settings Demystified
36:06 B2B Direct Connect
48:09 Guest Licensing: Key Considerations
56:10 Entitlement Management and Guest Users
--------
1:05:31
Operational Groups in Entra with Nathan McNulty
Entra.Chat Podcast - https://entra.chat

In this insightful episode, Nathan McNulty, Senior Security Solutions Architect at Patriot Consulting, shares his extensive experience deploying and securing Microsoft Entra environments. With a background spanning civil engineering, education, and critical infrastructure, Nathan brings practical wisdom from managing environments with 50,000+ users and 90,000+ devices.

The conversation explores realistic approaches to securing BYOD, building effective conditional access policies using a "castle" framework, and leveraging administrative units to partition permissions efficiently. Nathan reveals his innovative "operational groups" automation technique that helps classify users by authentication methods, enabling granular security controls without manual effort. The episode also covers authentication methods migration strategies, extension attributes, and modern cloud automation approaches that replace traditional server-based scripts.

Whether you're looking to improve your conditional access strategy, smoothly migrate authentication methods, or automate Entra management tasks, Nathan's field-tested insights will help you secure your environment more effectively while reducing administrative overhead.

Nathan McNulty
* Web - https://nathanmcnulty.com/
* LinkedIn - https://www.linkedin.com/in/nathanmcnulty/
* Bluesky - https://bsky.app/profile/nathanmcnulty.com
* X - https://x.com/nathanmcnulty

🔗 Related Links
* Operational Groups scripts - https://github.com/nathanmcnulty/nathanmcnulty/tree/master/Entra/operational-groups
* Maester DevOps - https://maester.dev/docs/monitoring/github
* Authentication Methods Migration - https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage
* Administrative units - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units
* Restricted management administrative units - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management
Entra Chat is a weekly podcast hosted by Merill Fernando and delivers practical insights for Microsoft administrators and security professionals through conversations with identity experts who've been in the trenches.
Episodes feature seasoned Entra practitioners sharing real-world deployment experiences and Microsoft Entra team members who build the features you use daily.
Get the inside track on best practices, implementation strategies, and upcoming capabilities directly from those who design and deploy Microsoft identity solutions.
Join us for actionable takeaways you can apply immediately in your Microsoft 365, Azure, and Entra environments.
---
Entra.Chat, its content and opinions are my (Merill Fernando) own and do not reflect the views of my employer (Microsoft). All postings are provided “AS IS” with no warranties and are not supported by the author. All trademarks and copyrights belong to their owners and are used for identification only. entra.news