Leverage The Latest Entra ID Innovations To Master Single-Sign-On

Simplify

Security needs to be simplified. That is my mission. I’m an identity, authentication, and authorization expert using OIDC / OAuth 2.0. I am intimately familiar with the authentication peculiarities of the Entra ID, Auth0, Okta, and Google platforms.

Most exploits over the past ten years could have been prevented by (1) using MFA and certificate-based authentication (Okta, SolarWinds, Microsoft), (2) patching servers (Equifax), and (3) blocking social engineering in the account recovery flow (MGM). Of course, other measures exist, such as token binding to prevent exfiltration (Evilginx2), token audience verification by your apps (Grammarly), etc. For a complete list, please refer to 25 Simple Ways to Secure Your Apps.

I’m particularly focused on OIDC / OAuth 2.0 authentication in single-page applications. I want you to build your software securely. Once something is built insecurely, it can be impossible to “patch” it to be secure. If you take nothing else from this, please understand that JavaScript-based authentication flows are insecure. The IETF recently released a draft of best-practice guidance for browser apps. They warn against browser-based OAuth 2.0 clients (like msal-react and msal-angular).

Advisory Experience

My most profound expertise is with React and .NET, as they form the foundation of the Identity Bridge. However, I’ve helped people on other platforms. One client had trouble integrating Entra ID as the IdP for his Java Spring Boot application running in AWS. Another client needed to enhance their single sign-on implementation in Laravel/PHP.

I spent 14+ years in Microsoft’s Identity engineering division, advising the world’s largest companies on their IT strategies. I spent the last seven years advising the largest companies in the world on how to prevent and – inevitably – how to recover from security breaches. I’ve led efforts to root-cause, mitigate, and plan prevention measures for several security breaches. I’ve conducted half a dozen Azure AD Assessments. Before that, I designed the Audit and B2B features for Azure AD. I was also responsible for the Identity division’s demo environment, configuring it using security best practices, from Azure Bastion to shield our environment from the Internet to Privileged Identity Management for just-in-time permissions. My team developed the guidance presented to industry analysts like Gartner on best practices for securing cloud infrastructure.

Development Experience

I’ve recently completed the development of the Identity Bridge, a high-performance Azure AD sync engine. I developed the front end (TypeScript/React/Azure AD/Telerik KendoReact) and hired a team of backend developers (ASP.NET Core, Azure Service Bus, CosmosDB). We perform parallel reads and writes decoupled through Azure Service Bus message queuing. We store configuration in CosmosDB and manage it through a REST API. We have encountered and fixed many “broken in Azure but works on my machine” issues.

  • Security best practices: Phishing Resistant MFA, Privileged Identity Management, Azure Bastion
  • Cloud Architecture and Development in Azure: Azure Functions/Web App Service/Service Bus/CosmosDB/SignalR
  • DevOps best practices: CI/CD Pipelines, Git, Azure DevOps, Bicep Infrastructure as Code

Here are security courses I recommend to bolster your security knowledge:

  • SANS SEC540: Cloud Security and DevSecOps Automation 5-day course
  • Pragmatic Web Security: Cutting-edge React security 1-day workshop
  • Pragmatic Web Security: API Security Best Practices 2-day workshop