Episode 5

How is Entra Conditional Access Central to Securing M365?

In this week’s episode of ThreatCast Threatscape’s Ru Campbell is joined by Merill Fernando, Principal Product Manager in the customer experience team at Microsoft. Merill discusses his extensive experience with helping enterprise organisations to effectively deploy and utilise Microsoft Entra ID, the importance of realistic, workable security controls, and the open-source culture at Microsoft that’s generating important tools for meeting customers’ evolving needs.


Merill Fernando on How is Entra Conditional Access Central to Securing M365?


Working closely with customers and delivering their feedback to the product team, Merill touches on how his experience as an administrator has shaped his approach to developing Microsoft’s tools with the user and their real-world challenges in mind. 

Conditional access is central to securing almost everything within Microsoft 365 Security. But while the tools to manage conditional access might be available within an organisation’s Microsoft licence, they may not be being used cohesively, or in a way that can be effectively managed long-term. Ru highlights how Maester can be a valuable tool for automating the potential configuration drift that can compromise otherwise strong conditional access policies.

Nowadays multi-factor authentication is almost everywhere, and while the consumerisation of MFA has helped to familiarise corporate users with the concept and assist security teams with achieving board-level buy in, many organisations are looking for the next, more secure, step. Ru and Merill discuss how passkeys can offer this next step while streamlining the authentication process for users, improving security, and offering organisations a low-cost quick win.

Security controls are often set for maximum protection, but if productivity and practical ease of access is impaired, there’s every chance that employees may try and find common-sense workarounds, reducing crucial visibility and creating gaps in security coverage. Ru and Merill discuss how, in practice, delivering a strong (and evolving) defence can be a compromise between the strictest controls and the controls which will be adhered to.

Each week Merill distributes a newsletter, Entra.news, compiling the latest updates from Microsoft Entra ID in one reliable location. Merill explains the work that goes on behind the scenes to create each week’s edition and talks about his motivation for creating the community resource. 

What is covered?