About

Jiří V.

I’m Jiří, a Microsoft cloud security architect at Trask MSSP. My day job is designing identity governance for regulated enterprise tenants — PIM, Conditional Access, JIT access for Azure DevOps and GitHub, and the IaC supply chain that delivers all of it.

The thesis driving my public work: identity governance only works if the platform shipping it is itself trustworthy. PIM/CA/JIT design and IaC supply-chain integrity — Workload Identity Federation, user-assigned managed identities, no-PAT pipelines — are the same problem, not two adjacent ones.

I write and speak about that intersection: where Entra security meets DevSecOps for Microsoft cloud. Topics I return to:

  • PIM-for-Groups vs PIM-for-Roles vs PIM-for-Resources — when to use which, with worked examples
  • Conditional Access auth contexts in real privileged-access workflows, including JIT to Azure DevOps
  • Workload Identity Federation and UAMI patterns for self-hosted agents — getting PATs out of pipelines
  • Three-domain Azure Landing Zone governance with a security-first lens
  • Tenant-write separation of duties for Terraform/Bicep against Entra ID

If you’re an architect or platform engineer responsible for Microsoft cloud governance in an MSSP-class or regulated environment, this is for you. If you’re hardening privileged access or building secure delivery against Entra and Azure tenants, let’s talk on LinkedIn.