The 5 Species You’ll Meet in Entra — and How to Optimize Them

 [Insert National Geographic Narrator Here…]

Welcome… to the vast and vibrant land of Entra — a sprawling digital ecosystem teeming with life. Here, hundreds of species coexist in a delicate balance, each playing a unique role in the survival of the tenantlands. Some are harmless grazers. Some are apex predators. Some are invasive species that should have been removed seasons ago.

Today, we embark on an expedition deep into this identity wilderness to study several of the most fascinating creatures you’ll encounter. Observe closely. Take notes. And do not forget to feed the Admin on your way out.


The Default User (defaultious homosapiens)

The everyday creature who just wants their email to work.

Habitat: Roams freely across Outlook plains and Teams barrens. Occasionally wanders into SharePoint by accident.

Conservation Status: Vulnerable

The defaultious homosapiens is a gentle, hardworking species. They thrive in predictable environments and become distressed when confronted with unexpected MFA prompts or anything resembling a security warning. Their natural predator, hackeri evilonus, hunts them relentlessly.

Typical traits

  • Uses one device (usually outdated)
  • Confuses Microsoft accounts with work accounts
  • Treats MFA prompts like an annoyance
  • Has never clicked “Review permissions” before consenting to an app

How to protect them

  • Phishing‑resistant MFA (FIDO2, WHfB)
  • Lifecycle Workflows for clean onboarding/offboarding
  • Baseline Conditional Access
  • Group‑based access for simplicity

Why they matter

They make up the majority of the population — and the majority of your risk. Protect them, and the whole ecosystem stabilizes.


The Executive (executi demandustoomuchus)

The creature with the most access and the least tolerance for friction.

Habitat: Highly migratory. Rarely stays in the same area for more than 24 hours.

Conservation Status: Least Concern (but extremely high maintenance)

This species is majestic yet unpredictable. They carry powerful privileges and move swiftly between devices, networks, and continents. Their mating call is “Why can’t I access this?” followed by “Fix it now.”

Typical traits

  • Uses four devices interchangeably
  • Connects from airports, hotels, and conference Wi‑Fi
  • Has more roles than they should
  • Gets phished more than anyone else

How to optimize them

  • Risk‑based Conditional Access
  • PIM for all privileged roles
  • FIDO2 keys for travel
  • Dedicated VIP support workflows

Why they matter

They are prized targets for predators — and the loudest when something breaks. Managing them requires care.


The Shadow Admin (whoareyouiti whydoyous)

An invasive species with unexpected — and often dangerous — privileges.

Habitat: Lurks in the shadows of Azure AD roles, often unnoticed until audit season.

Conservation Status: Critically Endangered (or should be)

This elusive creature is the result of ancient rituals such as “just give them Global Admin for a minute.” They often forget they possess these powers, making them unpredictable and hazardous to the environment.

Typical traits

  • Holds GA, Exchange Admin, SharePoint Admin, and Teams Admin
  • Doesn’t use any of them
  • Logs in from unmanaged devices
  • Has never heard of PIM

How to optimize them

  • Audit role assignments
  • Move all roles into PIM
  • Remove standing access
  • Use Access Reviews
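
An added field survey to go with the "Audit role assignments" and "Remove standing access" steps (example code, not from the original post): it lists every active assignment of the four roles the Shadow Admin hoards and groups them by principal. It assumes the Microsoft.Graph PowerShell SDK, PowerShell 7, and a signed-in account that can read role management data; the role names in $watchedRoles are the page's own list and can be extended.

```powershell
# Added example, not part of the original post. Assumes Microsoft.Graph PowerShell SDK and PowerShell 7.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# The roles the Shadow Admin section calls out; extend as needed.
$watchedRoles = @("Global Administrator", "Exchange Administrator", "SharePoint Administrator", "Teams Administrator")

# Resolve role definition IDs to display names once, so we can filter by name rather than hard-coded GUIDs.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# roleAssignments holds ACTIVE assignments only. PIM-eligible assignments live in a separate collection and
# never appear here; a PIM activation that is currently live does appear, so cross-check any hit against
# PIM activation history before declaring it standing access.
$active = Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty Principal

$findings = foreach ($a in $active) {
    $role = $roleNames[$a.RoleDefinitionId]
    if ($watchedRoles -notcontains $role) { continue }
    $p = $a.Principal.AdditionalProperties          # expanded directoryObject: odata type, UPN, displayName
    [pscustomobject]@{
        Principal     = $p['userPrincipalName'] ?? $p['displayName'] ?? $a.PrincipalId
        PrincipalType = ($p['@odata.type'] -replace '#microsoft.graph.', '')   # user, group, servicePrincipal
        Role          = $role
        Scope         = $a.DirectoryScopeId          # '/' means tenant-wide
    }
}

# Group by principal so one account holding several admin roles (the classic Shadow Admin) rises to the top.
$findings | Group-Object Principal | Sort-Object Count -Descending |
    Select-Object @{n = 'Principal'; e = { $_.Name }},
                  @{n = 'StandingRoles'; e = { $_.Count }},
                  @{n = 'Roles'; e = { ($_.Group.Role | Sort-Object -Unique) -join ', ' }} |
    Format-Table -AutoSize
```

Group principals in the output are worth expanding separately: every member of a group that holds a standing role inherits it, which is exactly the "forgot they possess these powers" scenario above.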

Why they matter

Shadow admins are responsible for many ecosystem collapses. Remove them, and the tenantlands flourish.


The Service Account (servicus overprivilegi)

Not human — but often more dangerous than one.

Habitat: Deep within automation pipelines, Graph API thickets, and unattended scripts.

Conservation Status: Overpopulated

This species is essential to the ecosystem, but when left unchecked, it multiplies rapidly and consumes far more permissions than necessary. Many are born without owners, destined to roam the tenantlands unsupervised.

Typical traits

  • Granted Directory.ReadWrite.All “just to get it working”
  • Secrets never rotated
  • No owner assigned
  • No monitoring

How to optimize them

  • Use Managed Identities
  • Assign least‑privilege Graph permissions
  • Rotate secrets automatically
  • Tag owners and enforce Access Reviews
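
An added survey of the servicus overprivilegi population (example code, not from the original post): it finds every principal granted high-privilege Microsoft Graph application permissions, then reports whether it has an owner and how old its oldest client secret is, which covers the "no owner" and "secrets never rotated" traits above. It assumes the Microsoft.Graph PowerShell SDK and a signed-in account able to read applications; the $watched list and the 180-day threshold are constructed for the example.

```powershell
# Added example, not part of the original post. Assumes Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

$watched = @("Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "Application.ReadWrite.All")
$maxSecretAgeDays = 180   # constructed threshold for "secrets never rotated"

# Application permissions are app roles exposed by the Microsoft Graph service principal (well-known appId).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleValue = @{}
$graphSp.AppRoles | ForEach-Object { $roleValue[$_.Id] = $_.Value }   # AppRoleId -> "Directory.ReadWrite.All"

# Every app role assignment ON the Graph SP is a Graph application permission granted TO some principal.
$grants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $watched -contains $roleValue[$_.AppRoleId] }

$report = foreach ($g in $grants) {
    $sp     = Get-MgServicePrincipal -ServicePrincipalId $g.PrincipalId
    $owners = @(Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id)

    # Client secrets live on the app registration. Managed identities and apps registered in another
    # tenant have no application object here, so $app (and therefore $oldest) is null for them.
    $app    = Get-MgApplication -Filter "appId eq '$($sp.AppId)'"
    $oldest = $app.PasswordCredentials | Sort-Object StartDateTime | Select-Object -First 1
    $ageDays = if ($oldest) { [int]((Get-Date) - $oldest.StartDateTime).TotalDays } else { $null }

    [pscustomobject]@{
        ServicePrincipal = $sp.DisplayName
        Type             = $sp.ServicePrincipalType   # 'ManagedIdentity' has nothing to rotate
        Permission       = $roleValue[$g.AppRoleId]
        OwnerCount       = $owners.Count
        OldestSecretDays = $ageDays
        Flag             = ($owners.Count -eq 0) -or ($ageDays -gt $maxSecretAgeDays)
    }
}

# Flagged rows are the ones to hand an owner, move to a managed identity, or trim to a narrower permission.
$report | Sort-Object Flag -Descending | Format-Table -AutoSize
```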

Why they matter

Service principals are the new domain admins. Govern them, or they will govern you.


The Actual Admin (awesomedeus coolioses)

The keystone species holding the entire ecosystem together.

Habitat: Audit log caves, Conditional Access cliffs, and PowerShell riverbanks.

Conservation Status: Near Threatened

This rare and noble creature understands the ecosystem better than any other. They maintain balance, enforce order, and clean up the messes left by every other species. Without them, the tenantlands would collapse into chaos.

Typical traits

  • Creates “safe” policies that still break something
  • Lives in audit logs
  • Uses PowerShell and Graph more than the portal
  • Has strong opinions about Microsoft licensing

How to optimize them

  • Use PIM for all admin roles
  • Maintain break‑glass accounts
  • Automate repetitive tasks
  • Document everything

Why they matter

They are the only species capable of restoring balance when disaster strikes.


Bonus Species: The Guest User (guesta getouta)

An invasive species that can be harmless — or catastrophic.

Habitat: Appears suddenly in Teams channels, SharePoint sites, and external collaboration zones.

Conservation Status: Invasive

Guest users drift into the tenantlands through file shares, meeting invites, and cross‑tenant collaboration. Some are helpful. Some are forgotten. Some have more access than your employees. All must be monitored.

Typical traits

  • Created automatically when someone shares a file
  • No lifecycle, no owner, no governance
  • Often persists long after the project ends
  • Sometimes granted internal roles “just to get something working”
  • Uses unmanaged, unmonitored devices

How to optimize them

  • Access Reviews for all guest‑accessible groups and apps
  • Conditional Access requiring MFA and compliant/verified devices
  • Cross‑tenant access settings
  • Entitlement Management with auto‑expiring access packages
  • Restrict guest permissions

Why they matter

They are the front door to your tenant — and attackers know it.


Bringing It All Together

As the sun sets over the tenantlands, the Entra ecosystem continues its delicate dance. Each species — from the humble Default User to the mighty Actual Admin — plays a vital role in maintaining balance.

Designing identity around personas, rather than just policies, creates an environment that is:

  • more secure
  • more predictable
  • easier to govern
  • and far less chaotic

Protect the ecosystem, and the ecosystem will protect you.

Until next time, explorers.
