Skip to main content

Hello! I'm George,

senior Microsoft cloud security architect based in the Czech Republic. I work at the intersection of identity modernisation, governance, and the IaC supply chain that ships it — PIM, Conditional Access, JIT, AD FS-to-Entra ID modernisation, Workload Identity Federation, no-secret pipelines, Zero Trust posture across Entra and Azure.

Eight years through Microsoft platform work: datacenter administration (VMware, Windows Server), then MSP-class system specialism designing a replicable Entra ID security framework for SMB and mid-market customers, and now a technical lead designing the end-to-end Microsoft security stack for regulated and enterprise customers across multiple industries.

Identity Modernisation & Hardening

AD FS to Microsoft Entra ID authentication migration — federated-to-cloud cut-over patterns. End-to-end assessment of on-premises Active Directory and Entra ID (privileged access, posture, configuration drift). Tier-based AD and tenant hardening to meet regulated-industry security baselines.

Application & Cloud Security

Endpoint, cloud and identity security analysis for regulated financial-sector clients. AKS applications built end-to-end on Managed Identity for every component. AD assessment automation via Microsoft Services Hub + Azure Arc + ADO + Microsoft Graph.

Platform Architecture & Cloud Operations

Enterprise-grade sovereign multi-customer Microsoft tenant + Azure Landing Zones deployed via ADO CI/CD. Hybrid M365 tenant migrations from shared multi-org to sovereign per-org tenants. Azure Arc unified control plane PoCs for on-premises workloads. Global cybersecurity policy delivery across international corporate groups.

What I write about
#

The common thread across this work is the same question: how do you build a Microsoft cloud environment you can actually prove? Not document — prove. The answer is always the same shape: declare the desired state in code, deliver it by pipeline, and make the delta auditable.

Everything-as-code — Conditional Access as code, PIM as code, Defender baselines as code, M365 tenant settings as code, Azure infrastructure as code — is the technique. The identity architecture that governs who is allowed to run those pipelines is what makes it trustworthy. That is the editorial frame for this blog.

Four categories: Identity & Privileged Access, Secure Delivery, Security Operations, Landing Zone Architecture.