[{"content":" I’m Jiří, a Microsoft cloud security architect at Trask MSSP. My day job is designing identity governance for regulated enterprise tenants — PIM, Conditional Access, JIT access for Azure DevOps and GitHub, and the IaC supply chain that delivers all of it.\nThe thesis driving my public work: identity governance only works if the platform shipping it is itself trustworthy. PIM/CA/JIT design and IaC supply-chain integrity — Workload Identity Federation, user-assigned managed identities, no-PAT pipelines — are the same problem, not two adjacent ones.\nI write and speak about that intersection: where Entra security meets DevSecOps for Microsoft cloud. Topics I return to:\nPIM-for-Groups vs PIM-for-Roles vs PIM-for-Resources — when to use which, with worked examples\nConditional Access auth contexts in real privileged-access workflows, including JIT to Azure DevOps\nWorkload Identity Federation and UAMI patterns for self-hosted agents — getting PATs out of pipelines\nThree-domain Azure Landing Zone governance with a security-first lens\nTenant-write separation of duties for Terraform/Bicep against Entra ID\nIf you’re an architect or platform engineer responsible for Microsoft cloud governance in an MSSP-class or regulated environment, this is for you. 
If you’re hardening privileged access or building secure delivery against Entra and Azure tenants, let’s talk on LinkedIn.\n","externalUrl":null,"permalink":"/about/","section":"Trust Anchor","summary":"","title":"About","type":"page"},{"content":"","externalUrl":null,"permalink":"/authors/","section":"Authors","summary":"","title":"Authors","type":"authors"},{"content":"","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":"","externalUrl":null,"permalink":"/posts/","section":"Posts","summary":"","title":"Posts","type":"posts"},{"content":"","externalUrl":null,"permalink":"/series/","section":"Series","summary":"","title":"Series","type":"series"},{"content":"","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":"I’m a senior Azure/Entra ID architect / system engineer at Trask (an MSSP serving regulated enterprises across the CEE region), deeply focused on Microsoft security technologies — Entra ID, Intune, Defender XDR, and Azure Landing Zones — with hands-on expertise in cloud identity, PIM, Conditional Access, and platform governance. My career began on the IT operations floor before moving into architecture, and that field perspective still informs how I treat identity, governance, and automation as one integrated design problem rather than three siloed practices.\n","externalUrl":null,"permalink":"/","section":"Trust Anchor","summary":"","title":"Trust Anchor","type":"page"}]