Entra.Chat · Jun 20, 2026 · 1h 8m

Shadow Admins: The Non-Human Identities Hiding in Your Entra Tenant

Show notes

Not every admin in your tenant is a person. Service principals, app registrations, and the new wave of agent identities can quietly hold permissions powerful enough to own your entire environment, and most orgs can’t even see them. In this episode of Entra Chat, we sit down again with Erika Zelic to expose the “shadow admins” hiding in your Entra tenant, and what to do about them.

What we get into:

* Application vs. delegated API permissions and why both can be shadow admins

* The most dangerous permissions to hunt for: Files.ReadWrite.All, Sites.FullControl.All and more.

* How Midnight Blizzard turned secrets buried in email into full tenant compromise

* Credential and secret sprawl: why you should vault everything and move to managed identities

* Agent identities explained, and why a “sponsor” is safer than an “owner”

* App ownership as an attack path: lateral movement and privilege escalation

* Locking down workload identities with conditional access

* Deadlines that bite: EWS retirement and the ID CRL protocol retirement

* Managed devices, and going from Zero Trust to “hero trust” without burying your help desk
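The permission hunt described in the list above, as an added example written by the editor (it is not code from the episode or from the guest): a Microsoft Graph PowerShell script that lists service principals holding high-risk application permissions (app role assignments) and tenant-wide admin-consented delegated grants. The watch-list is an assumption seeded with the two permissions named in the notes; the other entries are the editor's additions and should be tuned to your tenant.

```powershell
# Added example (editor's, not from the episode): hunt for "shadow admin" service principals.
# Requires the Microsoft.Graph PowerShell SDK and a reader with Application.Read.All or
# Directory.Read.All. Both application (app role) and delegated (OAuth2) grants are checked,
# because either kind can be a shadow admin.
#Requires -Modules Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns

# Assumption: editor's watch-list. The first two come from the show notes; the rest are
# common tenant-takeover permissions and are the editor's additions.
$WatchList = @(
    'Files.ReadWrite.All', 'Sites.FullControl.All',
    'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
    'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All',
    'Mail.ReadWrite', 'full_access_as_app'
)

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# App role assignments only carry the role's GUID; translate it to the permission value
# (e.g. Sites.FullControl.All) by reading the resource service principal's AppRoles once.
$script:roleCache = @{}
function Get-AppRoleValue {
    param([string]$ResourceId, [string]$AppRoleId)
    if (-not $script:roleCache.ContainsKey($ResourceId)) {
        $resourceSp = Get-MgServicePrincipal -ServicePrincipalId $ResourceId -Property AppRoles
        $map = @{}
        foreach ($role in $resourceSp.AppRoles) { $map["$($role.Id)"] = $role.Value }
        $script:roleCache[$ResourceId] = $map
    }
    return $script:roleCache[$ResourceId][$AppRoleId]
}

# 1. Application permissions: roles granted to each service principal (no user involved).
$appFindings = foreach ($sp in Get-MgServicePrincipal -All -Property Id,DisplayName,AppId) {
    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    foreach ($a in $assignments) {
        $perm = Get-AppRoleValue -ResourceId $a.ResourceId -AppRoleId "$($a.AppRoleId)"
        if ($perm -and ($perm -in $WatchList)) {
            [pscustomobject]@{
                Principal  = $sp.DisplayName
                AppId      = $sp.AppId
                GrantType  = 'Application'
                Resource   = $a.ResourceDisplayName
                Permission = $perm
            }
        }
    }
}

# 2. Delegated permissions consented tenant-wide (ConsentType AllPrincipals): the app can act
#    with these scopes on behalf of any user who signs in, including admins.
$delegatedFindings = foreach ($g in Get-MgOauth2PermissionGrant -All |
                              Where-Object { $_.ConsentType -eq 'AllPrincipals' }) {
    $hits = ($g.Scope -split ' ') | Where-Object { $_ -and ($_ -in $WatchList) }
    if ($hits) {
        $client = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId -Property DisplayName,AppId
        foreach ($h in $hits) {
            [pscustomobject]@{
                Principal  = $client.DisplayName
                AppId      = $client.AppId
                GrantType  = 'Delegated (admin consent, all users)'
                Resource   = $g.ResourceId
                Permission = $h
            }
        }
    }
}

@($appFindings) + @($delegatedFindings) |
    Sort-Object Permission, Principal |
    Format-Table Principal, AppId, GrantType, Resource, Permission -AutoSize
```

Two caveats a practitioner should keep in mind: the script makes one call per service principal, so it runs slowly in large tenants, and it deliberately skips per-user delegated consent (ConsentType Principal), which is lower blast radius but still worth reviewing for admin accounts. Each hit should be traced back to the app's owners as well, since an owner can add a credential to the app and inherit every permission it holds.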

Subscribe with your favorite podcast player or watch on YouTube 👇

Sponsored by:

Avoiding Entra Credential Outages & Security Risks June 24 | Live Webinar | Register

An expired client secret or certificate can break SSO, automation, integrations, and business-critical applications without warning.

Do you know:

✔️ Which credentials have already expired?

✔️ Which applications depend on them?

✔️ Which credentials will expire next?

✔️ Who owns those applications, and are they still used?

✔️ Which applications should use Managed Identities instead of secrets?

As organizations deploy more apps, automations, and AI-powered services, credential sprawl continues to grow across Entra. Join MVPs Alistair Pugin and Nicolas Blank as they walk through real-world credential failures, hidden risks, and practical strategies for identifying and remediating Entra credential issues before they lead to outages, security exposures, or audit findings.

About Erika Zelic

Erika Zelic is a well-known voice in the Microsoft security and identity community, bringing years of offensive security experience to help admins secure their cloud infrastructure.

With roots in offensive security and consulting, she now works on remediating configuration-based vulnerabilities and is known for sharing practical, no-nonsense security insights with the Entra community.

LinkedIn - https://www.linkedin.com/in/erica-z-b4169598/

🔗 Related Links

• MS Identity Tools - https://aka.ms/msid

📗 Chapters

* 02:05 The High Cost of DIY AI & Small Language Models

* 06:17 Why AI is Forcing Everyone to Harden Their Infrastructure

* 14:12 The Hidden Dangers of API Permissions

* 20:59 How Midnight Blizzard Exploited App Secrets

* 27:21 The Magic of Managed Identities & Azure Arc

* 33:38 The Nightmare of Multiple App Owners

* 43:32 Sneaky API Permissions You Need to Monitor

* 51:48 Crucial Protocol Retirements: EWS & ID CRL

* 55:24 Zero Trust: Why You MUST Enforce Managed Devices

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill



Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe