Identity used to be simple. Employees logged into corporate systems from managed devices inside a controlled network perimeter. Security teams built walls, directories stored accounts, and trust lived inside one organization. That world no longer exists. Today, customers move across apps and devices constantly. Partners collaborate across tenants. Contractors join and leave projects every week. AI agents and automated workflows request access without ever touching the traditional sign-in path older identity systems were designed for. Yet most identity architectures still behave like everything happens inside a border. That mismatch creates one of the biggest hidden operational problems in modern business: the trust gap. In this episode of the M365 FM Podcast, Mirko Peters breaks down why identity is no longer just an authentication problem. It is now a business growth problem, a customer experience problem, a governance problem, and increasingly, a digital trust problem.
THE DEATH OF THE PERIMETER
Most identity systems still rely on rebuilding trust from scratch inside every application, every onboarding flow, and every partner portal. Every time a customer registers again, every time a contractor creates another account, and every time a partner has to manually prove the same information twice, organizations create friction, duplicate data, and larger attack surfaces. The costs are massive. Research continues to show that complicated registration processes directly reduce conversion rates. Password problems still overwhelm support teams. Centralized identity silos create larger breach targets while slowing users down at the exact moment businesses want faster onboarding and smoother digital experiences. This episode explores why identity can no longer be treated as a static account sitting in a directory. Instead, the future moves toward portable trust.
WHY PORTABLE IDENTITY CHANGES EVERYTHING
Mirko explains the shift from account-centric identity to claim-centric identity. Rather than asking whether an organization owns an account record for a person, the better question becomes: What does this user, partner, customer, or system need to prove right now? That shift changes everything. The discussion covers how passkeys accelerated this transformation by replacing shared secrets with stronger proof tied to users and devices. Microsoft’s reported improvements in login speed and success rates demonstrate that stronger security and lower friction no longer need to compete against each other. The episode also explains why decentralized identity is often misunderstood inside enterprises. Decentralized identity does not mean the end of governance or enterprise control. It means trust becomes portable, verifiable, and policy-driven rather than dependent on one giant central identity store holding every attribute forever.
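The issuer, holder and verifier split described above, as an added example in Python (not code from the episode, from Microsoft Entra or from the W3C specifications): the issuer signs salted digests of each claim, the holder discloses only the claims a given verifier asks for, and the verifier checks signature, issuer trust, expiry and revocation before applying its own policy. The issuer names, keys, credential ids, claims and revocation list are constructed for the demo, and the per-issuer HMAC key stands in for the asymmetric signatures and DID-based key resolution that real verifiable credentials use.

```python
"""Claim-centric verification: accept a presented proof under the verifier's own
policy instead of looking up an account. Added illustration, not code from the
episode, from Microsoft Entra or from any W3C specification. To run offline it
signs with a per-issuer HMAC key; real verifiable credentials use asymmetric
signatures and resolve issuer keys through DIDs. Issuer names, keys, credential
ids, claims and the revocation list are all constructed for the demo.
"""
import hashlib
import hmac
import json
import secrets

NOW = 1_800_000_000  # fixed clock so the demo is deterministic

# Verifier-side policy data (constructed): which issuers we accept and which
# credential ids they have revoked. This stays central; the claims do not.
TRUSTED_ISSUERS = {
    "issuer:partner-program": b"demo-key-partner-program",
    "issuer:age-authority": b"demo-key-age-authority",
}
REVOKED_IDS = {"cred-0002"}


def _canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest(salt: str, name: str, value) -> str:
    # Salted per-claim digest: the issuer signs digests, the holder later reveals
    # (salt, name, value) only for the claims it chooses to disclose.
    return hashlib.sha256(_canon([salt, name, value])).hexdigest()


def issue(issuer: str, subject: str, claims: dict, cred_id: str, exp: int, key: bytes) -> dict:
    """Issuer side: sign the digests of every claim, not the claims themselves."""
    disclosures = [[secrets.token_hex(16), name, value] for name, value in claims.items()]
    payload = {"id": cred_id, "iss": issuer, "sub": subject, "exp": exp,
               "digests": sorted(_digest(*d) for d in disclosures)}
    sig = hmac.new(key, _canon(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig, "disclosures": disclosures}


def present(credential: dict, reveal: set) -> dict:
    """Holder side (selective disclosure): forward the signed payload plus only
    the disclosures for the claims this verifier actually asked for."""
    return {"payload": credential["payload"], "sig": credential["sig"],
            "disclosures": [d for d in credential["disclosures"] if d[1] in reveal]}


def verify(presentation: dict, policy: dict, now: int = NOW):
    """Verifier side. Returns (accepted, reason, disclosed_claims).
    `policy` maps a claim name to a predicate that must hold on its value.
    Holder binding (proof that the presenter controls `sub`) is out of scope."""
    p = presentation["payload"]
    key = TRUSTED_ISSUERS.get(p["iss"])
    if key is None:
        return False, "untrusted issuer", {}
    expected = hmac.new(key, _canon(p), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["sig"]):
        return False, "bad signature", {}
    if p["exp"] <= now:
        return False, "expired", {}
    if p["id"] in REVOKED_IDS:
        return False, "revoked", {}
    signed = set(p["digests"])
    disclosed = {}
    for salt, name, value in presentation["disclosures"]:
        if _digest(salt, name, value) not in signed:
            return False, f"tampered claim: {name}", {}
        disclosed[name] = value
    for name, predicate in policy.items():
        if name not in disclosed:
            return False, f"missing claim: {name}", disclosed
        if not predicate(disclosed[name]):
            return False, f"policy failed: {name}", disclosed
    return True, "ok", disclosed


def run_scenarios() -> dict:
    """Constructed partner-portal policy: a currently certified partner, nothing more."""
    policy = {"certified_partner": lambda v: v is True}
    key = TRUSTED_ISSUERS["issuer:partner-program"]
    claims = {"certified_partner": True, "tier": "gold", "contact_email": "ops@example.test"}
    good = issue("issuer:partner-program", "holder:acme", claims, "cred-0001", NOW + 3600, key)
    revoked = issue("issuer:partner-program", "holder:acme", claims, "cred-0002", NOW + 3600, key)
    expired = issue("issuer:partner-program", "holder:acme", claims, "cred-0003", NOW - 1, key)
    rogue = issue("issuer:unknown", "holder:acme", claims, "cred-0004", NOW + 3600, b"attacker-key")
    uncertified = issue("issuer:partner-program", "holder:acme",
                        {"certified_partner": False}, "cred-0005", NOW + 3600, key)
    tampered = present(uncertified, {"certified_partner"})
    tampered["disclosures"][0][2] = True  # holder edits the value; digest no longer matches
    return {
        "good": verify(present(good, {"certified_partner"}), policy),
        "revoked": verify(present(revoked, {"certified_partner"}), policy),
        "expired": verify(present(expired, {"certified_partner"}), policy),
        "untrusted": verify(present(rogue, {"certified_partner"}), policy),
        "tampered": verify(tampered, policy),
        "withheld": verify(present(good, set()), policy),
    }


if __name__ == "__main__":
    for label, (accepted, reason, disclosed) in run_scenarios().items():
        print(f"{label:10} accepted={accepted} reason={reason} disclosed={disclosed}")
```

The scenarios map to the failure modes a verifier has to handle: a rogue issuer, a revoked or expired credential, a holder editing a claim value, and a holder withholding the claim the policy needs. In the accepted case the verifier ends up holding exactly one claim, not the partner's whole profile. Holder binding is deliberately left out; a production verifier must add it, otherwise a stolen presentation is replayable.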
WHERE ENTRA EXTERNAL ID FITS
Mirko breaks down the architectural distinction many executives confuse. Entra External ID acts as the orchestration and governance layer for customer and partner identity journeys. Verified ID provides portable proof through verifiable credentials. Together, they create a hybrid model where organizations can modernize external identity without immediately abandoning every traditional CIAM pattern they already rely on. The episode also dives deep into the practical realities of migration from Azure AD B2C, including:
- Just-in-time password migration
- Modern Graph-centered architecture
- Federation and lifecycle control
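The just-in-time password migration item in the list above, as an added Python illustration of the pattern (not Entra External ID's own code; the hook that hands a sign-in from the identity platform to this logic is out of scope): the legacy hash is verified once, at the user's first successful sign-in, re-hashed with a modern KDF into the new store, and then retired. The legacy scheme, the PBKDF2 parameters, both stores and all users are constructed for the demo.

```python
"""Just-in-time (JIT) password migration: on a user's first sign-in after the
cut-over, check the password against the legacy store, re-hash it with a
modern KDF into the new store, and retire the legacy hash. Added illustration
of the pattern, not Entra External ID's own code; the hook that hands a
sign-in from the identity platform to this logic is out of scope. The legacy
scheme (salted SHA-1), the PBKDF2 parameters, both stores and all users are
constructed for the demo.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # constructed choice for the demo


def legacy_hash(password: str, salt: bytes) -> str:
    # The weak scheme being retired; only ever verified here, never written.
    return hashlib.sha1(salt + password.encode()).hexdigest()


def modern_hash(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


class LegacyStore:
    """Read-mostly view of the old user directory; may be unreachable."""

    def __init__(self, users: dict):
        self.users = users  # username -> {"salt", "hash", "migrated"}
        self.available = True

    def get(self, username: str):
        if not self.available:
            raise ConnectionError("legacy directory unreachable")
        return self.users.get(username)

    def mark_migrated(self, username: str) -> None:
        self.users[username]["migrated"] = True


def sign_in(username: str, password: str, modern: dict, legacy: LegacyStore):
    """Returns (accepted, outcome). `modern` maps username -> {"salt", "hash"}."""
    rec = modern.get(username)
    if rec is not None:
        # Migrated users never touch the legacy store again, so a leaked legacy
        # hash cannot be replayed as a downgrade path.
        ok = hmac.compare_digest(modern_hash(password, rec["salt"]), rec["hash"])
        return ok, "modern" if ok else "bad_password"
    try:
        old = legacy.get(username)
    except ConnectionError:
        return False, "legacy_unavailable"  # fail closed; never accept unverified
    if old is None or old["migrated"]:
        return False, "unknown_user"  # migrated-but-missing is an inconsistency, not a login
    if not hmac.compare_digest(legacy_hash(password, old["salt"]), old["hash"]):
        return False, "bad_password"  # a wrong guess must not trigger migration
    salt = os.urandom(16)
    modern[username] = {"salt": salt, "hash": modern_hash(password, salt)}
    legacy.mark_migrated(username)
    return True, "migrated"


def seed_legacy(users: dict) -> LegacyStore:
    """Build a constructed legacy directory from plaintext demo passwords."""
    store = {}
    for name, pw in users.items():
        salt = os.urandom(8)
        store[name] = {"salt": salt, "hash": legacy_hash(pw, salt), "migrated": False}
    return LegacyStore(store)


def run_demo() -> list:
    """Walk one user through the migration and exercise the failure modes."""
    legacy = seed_legacy({"alice": "correct horse", "bob": "battery staple"})
    modern = {}
    log = []
    log.append(sign_in("alice", "wrong guess", modern, legacy)[1])    # bad_password, nothing written
    log.append(sign_in("alice", "correct horse", modern, legacy)[1])  # migrated
    log.append(sign_in("alice", "correct horse", modern, legacy)[1])  # modern
    legacy.available = False                                          # outage after cut-over
    log.append(sign_in("alice", "correct horse", modern, legacy)[1])  # modern: unaffected
    log.append(sign_in("bob", "battery staple", modern, legacy)[1])   # legacy_unavailable
    legacy.available = True
    log.append(sign_in("mallory", "anything", modern, legacy)[1])     # unknown_user
    return log


if __name__ == "__main__":
    print(run_demo())
```

Two checks make or break this pattern: a wrong guess must not trigger migration (otherwise whoever guesses first sets the new password), and an unreachable legacy directory must fail closed rather than fall back to accepting anything. Once a user has a modern hash the legacy record is never consulted again, which is what lets the legacy directory be decommissioned without a forced mass reset.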
GOVERNANCE, RISK, AND DIGITAL SOVEREIGNTY
Technology alone does not solve the problem. Governance becomes the central challenge. This episode explores the tension between user sovereignty, enterprise assurance, legal accountability, and operational recovery. Portable identity only works when organizations clearly define issuer trust, revocation processes, lifecycle governance, and policy enforcement. That is why Mirko frames Entra not as a magic decentralized identity platform, but as a practical orchestration layer where trust, proof, and governance can finally work together. The final section of the episode delivers a practical operating blueprint leaders can actually implement. Rather than attempting a massive identity transformation overnight, organizations should begin with one external journey where identity friction already creates visible business pain. The key questions every organization must answer are:
- What proof needs to travel?
- What policy must remain central?
- What risk events require step-up verification?
IMPLEMENTATION PAYOFF AND CONCLUSION
Identity is no longer about protecting a border. It is about carrying trust across systems, organizations, devices, and automated workflows without forcing users to repeatedly rebuild proof from zero. If you are leading Microsoft 365, Entra, Zero Trust, security architecture, identity governance, or customer identity modernization initiatives, this episode gives you a strategic framework for understanding where identity is heading next and how Microsoft’s Entra platform fits into that transition. Subscribe to the M365 FM Podcast for more deep dives into Microsoft 365 architecture, governance, automation, AI, identity, and modern enterprise strategy. Connect with Mirko Peters on LinkedIn and share the episode with teams working on identity modernization, external collaboration, CIAM, and Zero Trust transformation.
1
00:00:00,000 --> 00:00:05,360
Identity still gets treated like a gate, a login page, a directory, a border around an app.
2
00:00:05,360 --> 00:00:09,040
But work doesn't happen at your border anymore, and that's where the old model starts failing.
3
00:00:09,040 --> 00:00:12,960
Your customers move across channels, your partners move across tenants, and your contractors
4
00:00:12,960 --> 00:00:15,200
move in and out of projects every single day.
5
00:00:15,200 --> 00:00:19,160
Now we have AI agents and automated workflows that need access too, and they often do it
6
00:00:19,160 --> 00:00:22,720
without ever touching the sign-in path your old identity stack expected.
7
00:00:22,720 --> 00:00:27,280
The business asks for speed and reach, but the identity layer answers with forms, passwords,
8
00:00:27,280 --> 00:00:29,280
duplicate accounts, and manual proof.
9
00:00:29,280 --> 00:00:31,040
It creates two failures at once.
10
00:00:31,040 --> 00:00:35,000
Users drop off because the friction is too high, and attackers get bigger targets because
11
00:00:35,000 --> 00:00:36,760
the data is scattered.
12
00:00:36,760 --> 00:00:40,360
Research on modern CIAM keeps showing the same pattern over and over.
13
00:00:40,360 --> 00:00:44,720
Hard registration loses users, password problems flood your support desk, and better sign-in
14
00:00:44,720 --> 00:00:47,880
flows improve first-time success almost immediately.
15
00:00:47,880 --> 00:00:52,440
So before we talk about Entra External ID, portable trust, or verifiable credentials, we need
16
00:00:52,440 --> 00:00:55,280
to define the real break in the model.
17
00:00:55,280 --> 00:00:56,920
The death of the perimeter.
18
00:00:56,920 --> 00:01:01,760
The old identity model came from a simple assumption, people came to your system, on your network,
19
00:01:01,760 --> 00:01:03,800
through your app, and on your terms.
20
00:01:03,800 --> 00:01:07,320
The logic was that if you control that boundary well enough, you control trust.
21
00:01:07,320 --> 00:01:11,280
That model fit a world of employees and corporate devices where everything stayed inside one
22
00:01:11,280 --> 00:01:12,280
organization.
23
00:01:12,280 --> 00:01:14,160
That world is gone, but the model stayed.
24
00:01:14,160 --> 00:01:18,600
In most organizations, identity architecture still thinks like an internal control system,
25
00:01:18,600 --> 00:01:21,080
while the business now runs like an ecosystem.
26
00:01:21,080 --> 00:01:24,960
Users move between suppliers, resellers, customer portals, and shared workspaces without
27
00:01:24,960 --> 00:01:27,360
stopping to think about which directory owns them.
28
00:01:27,360 --> 00:01:31,200
They just need to get work done, buy a product, or approve a contract. That mismatch creates
29
00:01:31,200 --> 00:01:32,200
the trust gap.
30
00:01:32,200 --> 00:01:36,040
The business wants more partner growth and faster onboarding, but the identity stack responds
31
00:01:36,040 --> 00:01:38,880
with another sign up form and another isolated user store.
32
00:01:38,880 --> 00:01:40,800
You can see the structural problem here.
33
00:01:40,800 --> 00:01:44,960
Reach expands outward, but trust still gets rebuilt from scratch inside every single
34
00:01:44,960 --> 00:01:46,040
application boundary.
35
00:01:46,040 --> 00:01:47,880
And every time that happens, you pay twice.
36
00:01:47,880 --> 00:01:49,240
First, the user pays.
37
00:01:49,240 --> 00:01:53,080
Research shows that 73% of consumers abandon purchases because registration is too
38
00:01:53,080 --> 00:01:55,960
cumbersome, which means this isn't just a design detail.
39
00:01:55,960 --> 00:01:58,200
It's a revenue leak caused by identity friction.
40
00:01:58,200 --> 00:02:02,440
The person was ready to move, but your proof model asked them to stop, type, wait, and eventually
41
00:02:02,440 --> 00:02:03,440
give up.
42
00:02:03,440 --> 00:02:04,840
Then the organization pays.
43
00:02:04,840 --> 00:02:08,720
Password issues still drive 40% to 60% of authentication support requests.
44
00:02:08,720 --> 00:02:13,000
The same architecture that hurts your conversion rate also creates massive service desk load
45
00:02:13,000 --> 00:02:15,880
and cleanup work for teams that should be doing better things.
46
00:02:15,880 --> 00:02:17,760
Now look at the security side.
47
00:02:17,760 --> 00:02:21,760
Centralized identity silos don't just slow people down, they also concentrate your risk.
48
00:02:21,760 --> 00:02:25,360
If every external journey depends on your central store holding more data and more duplicated
49
00:02:25,360 --> 00:02:28,680
records, you've created a better breach target while calling it control.
50
00:02:28,680 --> 00:02:32,400
The attacker only needs to find one weak point, while your users have to survive every single
51
00:02:32,400 --> 00:02:33,400
one.
52
00:02:33,400 --> 00:02:37,600
This is where internal IAM logic and external identity reality finally split apart.
53
00:02:37,600 --> 00:02:41,800
Internal IAM is built around workforce control for known employees on known devices.
54
00:02:41,800 --> 00:02:43,280
External identity isn't like that.
55
00:02:43,280 --> 00:02:47,400
Customer identity, partner identity, and machine identity all work in a much more fluid
56
00:02:47,400 --> 00:02:48,400
system.
57
00:02:48,400 --> 00:02:52,040
Trust has to cross company lines and legal boundaries without turning every interaction
58
00:02:52,040 --> 00:02:53,560
into a help desk event.
59
00:02:53,560 --> 00:02:56,600
And one level deeper, even the language gets people stuck.
60
00:02:56,600 --> 00:03:00,480
Leaders still talk about user management as if the job is just storing records and granting
61
00:03:00,480 --> 00:03:01,480
access.
62
00:03:01,480 --> 00:03:04,280
But for external identity, the job is much bigger.
63
00:03:04,280 --> 00:03:07,840
You need to verify the right thing at the right moment with the least amount of friction
64
00:03:07,840 --> 00:03:08,840
possible.
65
00:03:08,840 --> 00:03:12,920
Sometimes that's a passkey and sometimes it's a claim about a certification, a role,
66
00:03:12,920 --> 00:03:13,920
or a contract.
67
00:03:13,920 --> 00:03:16,560
That's why identity now hits more than just security outcomes.
68
00:03:16,560 --> 00:03:20,560
It hits conversion, it hits onboarding speed, and it hits how fast a new product can launch
69
00:03:20,560 --> 00:03:22,200
without creating another silo.
70
00:03:22,200 --> 00:03:26,000
Once you see identity as part of your growth infrastructure, the perimeter model stops looking
71
00:03:26,000 --> 00:03:27,000
old.
72
00:03:27,000 --> 00:03:28,000
It starts looking expensive.
73
00:03:28,000 --> 00:03:29,000
So the question changes.
74
00:03:29,000 --> 00:03:31,840
It's not, how do we protect the border better?
75
00:03:31,840 --> 00:03:36,080
The better question is, what replaces a border model when trust has to travel?
76
00:03:36,080 --> 00:03:38,680
Why portable identity changes the model.
77
00:03:38,680 --> 00:03:40,840
Portable identity changes the starting point.
78
00:03:40,840 --> 00:03:44,480
Instead of rebuilding trust inside every app, every portal, and every partner flow, you
79
00:03:44,480 --> 00:03:47,880
let trusted proof travel with the person or system that needs to act.
80
00:03:47,880 --> 00:03:50,600
That sounds simple, but it changes the whole structure.
81
00:03:50,600 --> 00:03:55,040
You are no longer asking if you have an account for a specific user sitting in a database.
82
00:03:55,040 --> 00:03:58,840
Instead, you are asking what you need this party to prove right now and whether you can
83
00:03:58,840 --> 00:04:01,320
verify that proof under your current policy.
84
00:04:01,320 --> 00:04:05,080
That is the move from account-centric identity to claim-centric identity.
85
00:04:05,080 --> 00:04:07,080
In the old approach, the account is the asset.
86
00:04:07,080 --> 00:04:10,600
You create it, store it, enrich it and protect it, but then you end up copying it into more
87
00:04:10,600 --> 00:04:12,200
places than you ever wanted.
88
00:04:12,200 --> 00:04:14,320
In the new approach, the claim is the asset.
89
00:04:14,320 --> 00:04:15,320
Are you a certified partner?
90
00:04:15,320 --> 00:04:16,680
Are you over a certain age?
91
00:04:16,680 --> 00:04:18,640
Are you approved for this transaction?
92
00:04:18,640 --> 00:04:21,280
Are you still employed by the supplier you represent?
93
00:04:21,280 --> 00:04:24,200
Those are different questions, and they do not all need the same answer format.
94
00:04:24,200 --> 00:04:27,960
This clicked for a lot of teams once passkeys started getting real traction.
95
00:04:27,960 --> 00:04:30,080
The goal was not just to remove passwords.
96
00:04:30,080 --> 00:04:33,880
The deeper shift was that sign-in started relying less on shared secrets and more on stronger
97
00:04:33,880 --> 00:04:36,160
proof tied to the user and the device.
98
00:04:36,160 --> 00:04:39,440
Microsoft reported that passkey logins are three times faster than passwords and eight
99
00:04:39,440 --> 00:04:41,880
times faster than a password plus MFA.
100
00:04:41,880 --> 00:04:43,800
But the lesson here is not only about speed.
101
00:04:43,800 --> 00:04:48,200
It is the fact that better proof can lower friction and increase security at the same time.
102
00:04:48,200 --> 00:04:52,520
Now when people hear decentralized identity, they often jump to the wrong conclusion.
103
00:04:52,520 --> 00:04:56,560
They think it means no central control, no policy, or maybe even no enterprise role,
104
00:04:56,560 --> 00:04:57,680
but that is not the model.
105
00:04:57,680 --> 00:05:01,640
Decentralized identity in practical enterprise terms means trust does not depend on one
106
00:05:01,640 --> 00:05:04,240
giant record store being the only source of truth.
107
00:05:04,240 --> 00:05:09,160
Instead, issuers provide verifiable proofs, holders present only what is needed, and verifiers
108
00:05:09,160 --> 00:05:11,440
check that proof against policy.
109
00:05:11,440 --> 00:05:13,120
Selective disclosure matters here.
110
00:05:13,120 --> 00:05:16,760
If a partner needs to prove their certification status, they should not need to hand over
111
00:05:16,760 --> 00:05:19,920
every profile detail sitting in some old onboarding form.
112
00:05:19,920 --> 00:05:23,760
If a customer needs to prove eligibility, they should not have to recreate the same identity
113
00:05:23,760 --> 00:05:25,720
story in every channel.
114
00:05:25,720 --> 00:05:28,080
Portable identity narrows the exchange.
115
00:05:28,080 --> 00:05:31,160
You prove what is needed, you verify it, and you move on.
116
00:05:31,160 --> 00:05:34,400
That also explains why executives get stuck on the word decentralization.
117
00:05:34,400 --> 00:05:37,840
They hear less central storage and assume there is less governance, but the opposite
118
00:05:37,840 --> 00:05:40,520
can be true if the model is designed well.
119
00:05:40,520 --> 00:05:41,840
Governance does not disappear.
120
00:05:41,840 --> 00:05:43,600
It moves.
121
00:05:43,600 --> 00:05:47,680
The organization still defines issuance rules, trust rules, and acceptance rules.
122
00:05:47,680 --> 00:05:51,600
The difference is that governance starts controlling verification and policy instead of
123
00:05:51,600 --> 00:05:54,800
forcing every journey to depend on account duplication.
124
00:05:54,800 --> 00:05:57,800
So digital sovereignty is not some abstract ideal here.
125
00:05:57,800 --> 00:06:02,040
In practical terms, the user controls the proof they present, while the organization controls
126
00:06:02,040 --> 00:06:04,520
the conditions under which that proof is accepted.
127
00:06:04,520 --> 00:06:08,120
The verifier checks validity, issuer trust, and policy fit.
128
00:06:08,120 --> 00:06:10,560
That is a cleaner split of roles than the old model,
129
00:06:10,560 --> 00:06:14,720
where one platform often tried to store everything, decide everything, and expose everything
130
00:06:14,720 --> 00:06:15,720
at once.
131
00:06:15,720 --> 00:06:18,000
The timing matters too because the outside world is moving.
132
00:06:18,000 --> 00:06:23,840
The W3C DID version 1.1 reached candidate recommendation status in March of 2026, which
133
00:06:23,840 --> 00:06:27,000
tells you the standard side is still maturing but moving forward.
134
00:06:27,000 --> 00:06:31,760
At the same time, Europe is pushing harder through eIDAS 2, and the broader verifiable
135
00:06:31,760 --> 00:06:35,840
credentials market is projected to grow fast through the next several years.
136
00:06:35,840 --> 00:06:40,160
Adoption is early, yes, it is definitely uneven, but it is not theoretical anymore.
137
00:06:40,160 --> 00:06:43,240
And there is another pressure coming from user expectations.
138
00:06:43,240 --> 00:06:47,400
Passkeys are spreading, and phishing resistant methods are becoming the baseline people expect
139
00:06:47,400 --> 00:06:49,640
from serious digital services.
140
00:06:49,640 --> 00:06:53,980
Cross-border access keeps growing, and AI agents need trust models that are not built around
141
00:06:53,980 --> 00:06:56,240
typing credentials into forms.
142
00:06:56,240 --> 00:06:59,280
What used to look advanced now starts to look overdue.
143
00:06:59,280 --> 00:07:03,840
Theory is useful up to a point, but after that, leaders need to know where Microsoft actually
144
00:07:03,840 --> 00:07:04,840
fits in this shift.
145
00:07:04,840 --> 00:07:08,400
They need to know where Entra External ID helps, where it does not, and how Verified
146
00:07:08,400 --> 00:07:09,920
ID enters the picture.
147
00:07:09,920 --> 00:07:12,560
Where Entra External ID fits, and where it doesn't.
148
00:07:12,560 --> 00:07:14,880
So where does Entra External ID sit in all of this?
149
00:07:14,880 --> 00:07:19,440
It is not a magic decentralized identity platform, and it is not a total replacement for every
150
00:07:19,440 --> 00:07:21,600
external identity pattern overnight.
151
00:07:21,600 --> 00:07:23,520
It is also not just a nicer sign-in page.
152
00:07:23,520 --> 00:07:25,480
Its real role is more structural.
153
00:07:25,480 --> 00:07:28,840
Entra External ID works as the control plane for external trust.
154
00:07:28,840 --> 00:07:32,760
It handles customer and partner identities, application access, and branded journeys
155
00:07:32,760 --> 00:07:34,880
in a way that fits the broader Entra model.
156
00:07:34,880 --> 00:07:39,000
That matters because most organizations do not need another isolated identity product.
157
00:07:39,000 --> 00:07:42,840
They need a way to coordinate proof and policy across external users without building another
158
00:07:42,840 --> 00:07:44,200
governance mess.
159
00:07:44,200 --> 00:07:47,080
This is also where the shift from Azure AD B2C matters.
160
00:07:47,080 --> 00:07:50,240
B2C came from a different era of the Microsoft Identity stack.
161
00:07:50,240 --> 00:07:55,240
It gave teams a lot of flexibility, but it often did so through XML heavy custom policies
162
00:07:55,240 --> 00:07:57,960
and a separate way of thinking about external users.
163
00:07:57,960 --> 00:08:00,840
Entra External ID moves onto the newer Entra foundation.
164
00:08:00,840 --> 00:08:05,200
It uses a more Graph-centered model and aligns much closer to current security controls.
165
00:08:05,200 --> 00:08:08,980
For leadership, that means less architectural drift, and for engineering, it usually means
166
00:08:08,980 --> 00:08:13,400
less policy work trapped in custom structures that only a few people understand.
167
00:08:13,400 --> 00:08:17,860
That does not mean every old B2C scenario drops neatly into External ID today.
168
00:08:17,860 --> 00:08:21,380
The migration path is real, and Microsoft has invested in it, including just-in-time
169
00:08:21,380 --> 00:08:25,700
password migration, so users do not all hit a forced reset wave at once.
170
00:08:25,700 --> 00:08:28,860
But there are still feature gaps and maturity differences, especially for organizations
171
00:08:28,860 --> 00:08:32,180
that built deep custom behavior on B2C over many years.
172
00:08:32,180 --> 00:08:35,980
So the honest message is not that External ID does everything better right now.
173
00:08:35,980 --> 00:08:39,660
The honest message is that it gives you a more modern platform direction, with clearer
174
00:08:39,660 --> 00:08:42,100
alignment to where Microsoft is investing.
175
00:08:42,100 --> 00:08:43,740
Now what does it actually do well?
176
00:08:43,740 --> 00:08:47,100
It handles external identities as a managed operating layer.
177
00:08:47,100 --> 00:08:52,100
This includes customer sign-up, partner access, and federation with external identity providers.
178
00:08:52,100 --> 00:08:56,500
In some partner scenarios that can extend into approvals, access reviews, and automated
179
00:08:56,500 --> 00:08:59,620
off-boarding when you pair it with Entra governance capabilities.
180
00:08:59,620 --> 00:09:01,860
That is a lot bigger than authentication alone.
181
00:09:01,860 --> 00:09:06,140
It is identity orchestration for people who are not employees, but still affect your business
182
00:09:06,140 --> 00:09:07,140
directly.
183
00:09:07,140 --> 00:09:10,540
Then there is Verified ID, and this is where a lot of executives blur two different things
184
00:09:10,540 --> 00:09:11,540
together.
185
00:09:11,540 --> 00:09:14,860
Entra External ID and Entra Verified ID are related, but they are not the same product doing
186
00:09:14,860 --> 00:09:15,860
the same job.
187
00:09:15,860 --> 00:09:19,900
External ID is the orchestration and policy layer for external access journeys.
188
00:09:19,900 --> 00:09:24,540
Verified ID is the portable proof layer for issuing and checking verifiable credentials.
189
00:09:24,540 --> 00:09:28,980
One manages how external users get in and stay governed, while the other helps define
190
00:09:28,980 --> 00:09:32,700
what they can prove without relying on the old pattern of collecting and storing everything
191
00:09:32,700 --> 00:09:33,860
centrally.
192
00:09:33,860 --> 00:09:39,220
That distinction matters because verifiable credentials do not replace all CIAM needs today.
193
00:09:39,220 --> 00:09:43,700
They do not remove the need for customer identity flows, federation, or session controls.
194
00:09:43,700 --> 00:09:47,660
What they do is improve specific proof moments inside that broader system.
195
00:09:47,660 --> 00:09:50,940
A partner can prove certification or a vendor can prove their status.
196
00:09:50,940 --> 00:09:54,980
A regulated onboarding flow can verify a trusted attribute with less data sharing.
197
00:09:54,980 --> 00:09:57,340
That is strong, but it is not the whole stack.
198
00:09:57,340 --> 00:09:59,900
Most organizations will land in a hybrid model for a while.
199
00:09:59,900 --> 00:10:03,100
They will use passkeys in some journeys and federation in others.
200
00:10:03,100 --> 00:10:07,460
They will keep traditional account-based CIAM where they still need it and use verifiable
201
00:10:07,460 --> 00:10:11,180
credentials where portable proof clearly reduces cost or friction.
202
00:10:11,180 --> 00:10:14,100
Entra External ID is useful here because it can act as the bridge.
203
00:10:14,100 --> 00:10:18,220
It stops you from having to make a false choice between legacy login and full portable identity
204
00:10:18,220 --> 00:10:19,220
on day one.
205
00:10:19,220 --> 00:10:20,220
There are limits.
206
00:10:20,220 --> 00:10:21,220
And they matter.
207
00:10:21,220 --> 00:10:25,820
Public case studies around decentralized identity in partner scenarios are still thin.
208
00:10:25,820 --> 00:10:30,060
Some capabilities are newer or uneven across customer and partner use cases.
209
00:10:30,060 --> 00:10:34,340
In broader non-Microsoft environments, governance depth may still need extra tooling.
210
00:10:34,340 --> 00:10:38,180
If an organization expects a pure decentralized future to arrive fully packaged inside
211
00:10:38,180 --> 00:10:41,740
one Microsoft service, that expectation will break fast.
212
00:10:41,740 --> 00:10:43,860
But the affirmative model is still strong.
213
00:10:43,860 --> 00:10:48,700
Use Entra External ID as the orchestration layer between identity proof, policy enforcement,
214
00:10:48,700 --> 00:10:49,900
and life cycle control.
215
00:10:49,900 --> 00:10:54,060
Add Verified ID where portable trust adds clear value, and keep central governance where
216
00:10:54,060 --> 00:10:56,060
policy and accountability need it.
217
00:10:56,060 --> 00:10:57,380
That is a practical architecture.
218
00:10:57,380 --> 00:11:00,860
It is not an ideology and it is not a rip and replace fantasy.
219
00:11:00,860 --> 00:11:05,740
And once that role becomes clear, the business case gets a lot easier to see.
220
00:11:05,740 --> 00:11:09,220
The business case, friction, trust, and measurable return.
221
00:11:09,220 --> 00:11:13,060
Once leaders start viewing External ID as an orchestration layer, the conversation turns
222
00:11:13,060 --> 00:11:14,060
practical.
223
00:11:14,060 --> 00:11:17,220
They want to know if this actually pays back or if it is just a cleaner way to tell an
224
00:11:17,220 --> 00:11:18,220
architecture story.
225
00:11:18,220 --> 00:11:22,300
The reality is that it pays back because identity friction hides in places most executives
226
00:11:22,300 --> 00:11:23,300
are already tracking.
227
00:11:23,300 --> 00:11:25,220
They just use different labels for it.
228
00:11:25,220 --> 00:11:30,220
You see it in lost registrations, lower activation rates, and abandoned onboarding flows.
229
00:11:30,220 --> 00:11:34,260
It shows up as more support tickets and more fraud controls layered on top of weak user
230
00:11:34,260 --> 00:11:35,260
journeys.
231
00:11:35,260 --> 00:11:38,820
Engineering teams end up spending months stitching systems together that should have never been
232
00:11:38,820 --> 00:11:40,380
separate in the first place.
233
00:11:40,380 --> 00:11:43,460
This is why identity ROI is rarely found in just one budget.
234
00:11:43,460 --> 00:11:47,020
The growth team feels it in conversion rates while service desks feel it in the sheer
235
00:11:47,020 --> 00:11:49,140
volume of incoming tickets.
236
00:11:49,140 --> 00:11:53,300
Security teams see it in account takeover risks and compliance teams feel it when they have to collect evidence
237
00:11:53,300 --> 00:11:54,780
for access reviews.
238
00:11:54,780 --> 00:11:58,620
Product teams feel the pain through release delays because every new external flow turns into
239
00:11:58,620 --> 00:12:01,100
yet another exception path that needs custom coding.
240
00:12:01,100 --> 00:12:05,340
The thing most people miss is that a smoother sign-in experience is not just about making things
241
00:12:05,340 --> 00:12:06,340
convenient.
242
00:12:06,340 --> 00:12:10,440
It fundamentally changes whether a person completes the journey at all and it dictates
243
00:12:10,440 --> 00:12:14,500
how much internal labor you need to keep that journey alive once it goes live.
244
00:12:14,500 --> 00:12:18,700
Recent research from 2026 on CIAM is pretty blunt about these outcomes.
245
00:12:18,700 --> 00:12:23,820
Passwordless authentication cut the average sign-in time from 8.7 seconds down to 1.2 seconds
246
00:12:23,820 --> 00:12:28,860
and first time success rates jumped from about 76% to nearly 99%.
247
00:12:28,860 --> 00:12:32,460
Registration completion moved from 64% to almost 88%.
248
00:12:32,460 --> 00:12:36,060
Those numbers matter because they sit right at the point where identity either clears the
249
00:12:36,060 --> 00:12:38,820
path or becomes the reason your customers stall.
250
00:12:38,820 --> 00:12:41,100
The business effect is visible immediately.
251
00:12:41,100 --> 00:12:45,620
Faster proof means less drop-off, and higher first-time success means fewer retries and fewer
252
00:12:45,620 --> 00:12:47,620
abandoned sessions for your users.
253
00:12:47,620 --> 00:12:51,460
Higher completion rates mean your marketing spend stops leaking out through a broken identity
254
00:12:51,460 --> 00:12:52,460
layer.
255
00:12:52,460 --> 00:12:55,420
This is exactly why product and security teams need to look at the same dashboard because
256
00:12:55,420 --> 00:12:58,300
both groups are acting on the same high stakes moment.
257
00:12:58,300 --> 00:13:01,700
Support economics tell the same story from a different perspective.
258
00:13:01,700 --> 00:13:05,260
Authentication improvements, including just-in-time migration and the move to passwordless,
259
00:13:05,260 --> 00:13:09,180
have been linked to an 81% decrease in identity-related support tickets.
260
00:13:09,180 --> 00:13:14,300
CVS Health reported a 77% reduction in help desk calls after adopting passwordless methods,
261
00:13:14,300 --> 00:13:17,740
along with a 98% reduction in account takeovers.
262
00:13:17,740 --> 00:13:22,340
When executives ask if identity work is a cost center or a growth driver, the honest answer
263
00:13:22,340 --> 00:13:23,740
is that it is both.
264
00:13:23,740 --> 00:13:27,020
It cuts costs and protects your revenue at the same time.
265
00:13:27,020 --> 00:13:30,740
Migration is where this reality often becomes most visible to the organization.
266
00:13:30,740 --> 00:13:34,220
Old-school identity migrations usually create what I call reset shock.
267
00:13:34,220 --> 00:13:38,980
Users hit a new login page, their old password fails to work, the reset email goes missing
268
00:13:38,980 --> 00:13:43,100
in a spam folder, and the brand takes the blame when support calls spike.
269
00:13:43,100 --> 00:13:47,220
Entra External ID uses just-in-time password migration to change that pattern by validating
270
00:13:47,220 --> 00:13:51,340
legacy credentials at the first sign-in and moving the user forward without a forced
271
00:13:51,340 --> 00:13:52,900
mass reset.
272
00:13:52,900 --> 00:13:56,460
This matters less as a technical feature and more as a way to control churn.
273
00:13:56,460 --> 00:14:00,140
It eliminates that ugly moment where a platform upgrade accidentally teaches your customers
274
00:14:00,140 --> 00:14:01,140
how to leave.
275
00:14:01,140 --> 00:14:03,940
Cost conversations also need a bit more honesty than they usually get.
276
00:14:03,940 --> 00:14:07,740
If a leader only compares monthly active user pricing between two platforms, they might
277
00:14:07,740 --> 00:14:10,060
miss the much larger bill entirely.
278
00:14:10,060 --> 00:14:14,340
Credit identity means you are paying for duplicate directories, custom maintenance and inconsistent
279
00:14:14,340 --> 00:14:16,180
policies that lead to slower launches.
280
00:14:16,180 --> 00:14:19,900
A cheaper line item on a contract can still produce a much more expensive operating model
281
00:14:19,900 --> 00:14:20,900
for the business.
282
00:14:20,900 --> 00:14:25,220
The question is not just what the platform costs, but what your current fragmentation is
283
00:14:25,220 --> 00:14:28,300
costing the company every single month you keep it.
284
00:14:28,300 --> 00:14:30,860
Trust is what finally compounds the return on this investment.
285
00:14:30,860 --> 00:14:34,940
When users move through proofing and sign-in without any confusion, they see that as a sign
286
00:14:34,940 --> 00:14:36,620
of competence from your brand.
287
00:14:36,620 --> 00:14:40,700
When partners get access to the tools they need faster, they start engaging with your business
288
00:14:40,700 --> 00:14:41,700
sooner.
289
00:14:41,700 --> 00:14:45,500
When a regulated onboarding process asks only for the proof required, people see discipline
290
00:14:45,500 --> 00:14:46,980
instead of overreach.
291
00:14:46,980 --> 00:14:49,460
Trust is not a soft outcome in this environment.
292
00:14:49,460 --> 00:14:53,900
It directly affects retention, adoption and whether those external users ever come back
293
00:14:53,900 --> 00:14:55,580
for a second interaction.
294
00:14:55,580 --> 00:14:57,540
That is the ultimate executive takeaway.
295
00:14:57,540 --> 00:15:01,620
Identity choices now shape your conversion rates, your margins, your support load and your
296
00:15:01,620 --> 00:15:03,700
ability to scale an ecosystem.
297
00:15:03,700 --> 00:15:07,420
The numbers can make that case on paper, but rolling it out without creating new chaos is
298
00:15:07,420 --> 00:15:10,220
where most programs actually slow down.
299
00:15:10,220 --> 00:15:12,620
Governance, risk and the sovereignty tension.
300
00:15:12,620 --> 00:15:16,020
This is where the conversation gets difficult because the hard part isn't actually issuing
301
00:15:16,020 --> 00:15:18,700
a credential or adding a new sign-in method.
302
00:15:18,700 --> 00:15:22,740
The real challenge is deciding who gets to trust what, which rules apply and what happens
303
00:15:22,740 --> 00:15:25,700
when that trust needs to be revoked or repaired after something goes wrong.
304
00:15:25,700 --> 00:15:30,060
A lot of the hype around decentralized identity tends to skip that part.
305
00:15:30,060 --> 00:15:34,060
You can talk about user control and portability as if they are magic, but if your governance
306
00:15:34,060 --> 00:15:38,500
stays weak, you don't actually get sovereignty, you get confusion, or worse, you get a cleaner
307
00:15:38,500 --> 00:15:43,380
looking version of the same old control model just pushed into a new set of tools.
308
00:15:43,380 --> 00:15:47,260
Research on portable identity governance warns us that without due process and transparent
309
00:15:47,260 --> 00:15:51,780
rules, digital identity can still exclude people and centralize power in ways that are harder
310
00:15:51,780 --> 00:15:53,260
to see.
311
00:15:53,260 --> 00:15:56,340
Executives have to hold two competing ideas in their heads at the same time.
312
00:15:56,340 --> 00:15:59,420
First, portable identity can definitely reduce your central exposure.
313
00:15:59,420 --> 00:16:04,020
You no longer need one massive system storing every single attribute and proof exchange forever,
314
00:16:04,020 --> 00:16:07,380
which improves privacy and limits your concentration risk.
315
00:16:07,380 --> 00:16:11,820
Second, none of those technical shifts remove your fundamental duty to govern that trust.
316
00:16:11,820 --> 00:16:16,300
Someone still has to define the issuance rules and someone has to set the trust registries.
317
00:16:16,300 --> 00:16:20,420
Someone still owns the consent handling, the retention rules and the cross-border data decisions.
318
00:16:20,420 --> 00:16:22,900
The technology changes, but the accountability does not.
319
00:16:22,900 --> 00:16:25,500
This is the tension that actually matters for the business.
320
00:16:25,500 --> 00:16:27,140
User control matters.
321
00:16:27,140 --> 00:16:28,620
Enterprise assurance matters.
322
00:16:28,620 --> 00:16:30,620
Local accountability matters.
323
00:16:30,620 --> 00:16:32,620
Operational recovery matters.
324
00:16:32,620 --> 00:16:36,580
If any one of those priorities wins completely, the whole model breaks down.
325
00:16:36,580 --> 00:16:40,900
If a user cannot recover their access, the system ends up excluding them entirely.
326
00:16:40,900 --> 00:16:45,860
If the enterprise cannot verify enough information, the system becomes unsafe for everyone.
327
00:16:45,860 --> 00:16:49,660
If legal accountability is vague, regulators will not care how elegant your architecture
328
00:16:49,660 --> 00:16:50,900
looked on paper.
329
00:16:50,900 --> 00:16:54,700
If recovery paths are missing, your support teams will just rebuild manual workarounds
330
00:16:54,700 --> 00:16:56,460
that bypass your entire design.
331
00:16:56,460 --> 00:17:00,660
That is why governance has to be more specific than just saying we trust verified credentials.
332
00:17:00,660 --> 00:17:04,740
You need a clear policy around who can issue a credential and what standards that issuer
333
00:17:04,740 --> 00:17:07,460
must meet before you accept their data.
334
00:17:07,460 --> 00:17:11,140
You have to define how trust gets established and how often that proof must be renewed or
335
00:17:11,140 --> 00:17:12,420
checked in real time.
336
00:17:12,420 --> 00:17:16,580
You also need to decide what happens when a credential is technically valid, but no longer
337
00:17:16,580 --> 00:17:18,860
appropriate for the specific context.
338
00:17:18,860 --> 00:17:22,780
A person might hold a legitimate credential, but the transaction might still need step-up
339
00:17:22,780 --> 00:17:26,020
verification because of their location or the sensitivity of the data.
340
00:17:26,020 --> 00:17:29,460
This is where Microsoft provides help in a very grounded, practical way.
341
00:17:29,460 --> 00:17:33,460
The strength of Entra is not that it magically removes the hard work of governance.
342
00:17:33,460 --> 00:17:37,380
Its real value is that it gives you the places to enforce your policy once you actually
343
00:17:37,380 --> 00:17:39,540
know what that policy should be.
344
00:17:39,540 --> 00:17:43,180
Conditional access can apply context at the exact moment of access, and entitlement management
345
00:17:43,180 --> 00:17:46,300
can package or expire that access in a controlled way.
346
00:17:46,300 --> 00:17:50,500
Access reviews allow you to challenge stale permissions, while external MFA gives organizations
347
00:17:50,500 --> 00:17:53,940
room to use their preferred providers while keeping Entra in the policy loop.
348
00:17:53,940 --> 00:17:58,260
That matters because sovereignty without life cycle control eventually turns into a mess.
349
00:17:58,260 --> 00:18:02,540
A clean issuance moment will not save your organization if access stays active after a contract
350
00:18:02,540 --> 00:18:06,540
ends or if trust relationships linger after a partner loses their status.
351
00:18:06,540 --> 00:18:09,540
The new model is not about storing nothing and hoping for the best.
352
00:18:09,540 --> 00:18:13,700
It is about verifying only what is needed at the exact time it is needed under a strict
353
00:18:13,700 --> 00:18:16,740
policy with a clear ability to review and revoke.
354
00:18:16,740 --> 00:18:22,780
Research on digital identity governance also raises a point that makes many leaders uncomfortable.
355
00:18:22,780 --> 00:18:26,900
Quality design systems can actually deepen exclusion, especially when digital access becomes
356
00:18:26,900 --> 00:18:30,580
mandatory but the paths to appeal a decision stay weak.
357
00:18:30,580 --> 00:18:35,060
If you are an executive, governance is not just a security issue, it is an operating model
358
00:18:35,060 --> 00:18:36,060
issue.
359
00:18:36,060 --> 00:18:39,540
You have to know who gets included, who gets blocked and who is responsible for auditing
360
00:18:39,540 --> 00:18:40,540
the issuer.
361
00:18:40,540 --> 00:18:44,420
If those answers stay fuzzy, your architecture will eventually drift back towards central
362
00:18:44,420 --> 00:18:45,420
control.
363
00:18:45,420 --> 00:18:49,700
Operations teams will always choose the model they can actually defend when a crisis hits.
364
00:18:49,700 --> 00:18:53,780
This leads us directly to the rollout phase because governance only works when the operating
365
00:18:53,780 --> 00:18:56,300
model changes along with it.
366
00:18:56,300 --> 00:18:58,300
The operating blueprint for a phased move.
367
00:18:58,300 --> 00:19:01,780
Don't start with ideologies, start with one journey where identity friction or trust
368
00:19:01,780 --> 00:19:05,020
failure is already costing you money, time or control.
369
00:19:05,020 --> 00:19:08,740
Partner onboarding is a great candidate, but customer registration drop-off or the contractor
370
00:19:08,740 --> 00:19:10,420
lifecycle work just as well.
371
00:19:10,420 --> 00:19:14,220
You need to pick one path where the current model produces visible drag because that gives
372
00:19:14,220 --> 00:19:17,420
your program a business anchor instead of just a technology slogan.
373
00:19:17,420 --> 00:19:19,660
From there the first phase is consolidation.
374
00:19:19,660 --> 00:19:24,460
You need to bring external identity orchestration into one managed layer which means reducing
375
00:19:24,460 --> 00:19:29,180
duplicate directories and standardizing your federation patterns and policy evaluations.
376
00:19:29,180 --> 00:19:33,940
The goal is to create one single place where external access decisions can be seen, governed
377
00:19:33,940 --> 00:19:35,180
and improved.
378
00:19:35,180 --> 00:19:39,420
This phase isn't flashy, but it matters because portable trust cannot sit on top of total
379
00:19:39,420 --> 00:19:40,860
directory chaos.
380
00:19:40,860 --> 00:19:44,620
After that, focus on reducing friction in the journeys that matter most.
381
00:19:44,620 --> 00:19:49,140
This phase adds passkeys and stronger passwordless options where they fit, and uses just-in-time migration
382
00:19:49,140 --> 00:19:53,220
for legacy credentials when you need to avoid a hard reset event.
383
00:19:53,220 --> 00:19:57,220
You want to clean up the first run experience and tighten success paths by removing steps
384
00:19:57,220 --> 00:20:00,540
that only exist because your old systems couldn't trust each other.
385
00:20:00,540 --> 00:20:03,140
This phase proves something to the business very quickly.
386
00:20:03,140 --> 00:20:05,340
Identity can get simpler without getting weaker.
387
00:20:05,340 --> 00:20:07,900
Then add portable proof where the value is obvious.
388
00:20:07,900 --> 00:20:12,100
Don't try to decentralize every interaction right away, but instead start where a reusable
389
00:20:12,100 --> 00:20:14,060
proof removes repeat work.
390
00:20:14,060 --> 00:20:18,780
Your certification is a strong case, as is vendor access in regulated environments or onboarding
391
00:20:18,780 --> 00:20:21,140
flows that require repeated document checks.
392
00:20:21,140 --> 00:20:25,180
In these specific cases, verifiable credentials stop being a strategy slide and start becoming
393
00:20:25,180 --> 00:20:26,940
a practical operating tool.
394
00:20:26,940 --> 00:20:30,540
The user carries the proof, the verifier checks it and the organization no longer needs
395
00:20:30,540 --> 00:20:33,500
to rebuild the same verification every single time.
396
00:20:33,500 --> 00:20:36,140
Once that works, you can widen the governance model.
397
00:20:36,140 --> 00:20:40,540
Expand your access reviews, add expiration rules and define how you handle revocations.
398
00:20:40,540 --> 00:20:45,180
Hold your trust policies by scenario rather than just by user type, and carefully review what
399
00:20:45,180 --> 00:20:49,020
proof must travel with the user versus what policy must remain central.
400
00:20:49,020 --> 00:20:50,420
Those are not the same thing.
401
00:20:50,420 --> 00:20:54,420
Proof can move, but accountability usually shouldn't, and that is the design split leaders
402
00:20:54,420 --> 00:20:55,700
need to protect.
403
00:20:55,700 --> 00:20:59,860
Keep one decision lens through the whole rollout: what proof needs to travel, what policy needs
404
00:20:59,860 --> 00:21:05,060
to stay central, what risk event should trigger a step up, what can be automated safely and
405
00:21:05,060 --> 00:21:07,180
what still needs a human decision.
406
00:21:07,180 --> 00:21:10,940
If your teams can't answer those questions, they are not ready to scale the model yet.
407
00:21:10,940 --> 00:21:15,780
The practical move is simple: pick one external journey and map every identity step, count
408
00:21:15,780 --> 00:21:20,220
every duplicate proof request, every manual approval and every place trust gets rebuilt
409
00:21:20,220 --> 00:21:21,220
from zero.
410
00:21:21,220 --> 00:21:23,180
That is where the redesign starts.
411
00:21:23,180 --> 00:21:25,300
Identity doesn't begin where your app begins anymore.
412
00:21:25,300 --> 00:21:29,580
It begins where trust can be verified, carried forward and enforced under policy without
413
00:21:29,580 --> 00:21:31,700
rebuilding the whole journey each time.
414
00:21:31,700 --> 00:21:34,900
So pick one external flow this week, not ten, just one.
415
00:21:34,900 --> 00:21:38,620
Map every hand-off, count every duplicate proof request and look at every manual approval
416
00:21:38,620 --> 00:21:42,580
where a user is asked to prove the same thing twice because your systems can't carry trust
417
00:21:42,580 --> 00:21:43,660
forward.
418
00:21:43,660 --> 00:21:45,420
That is the true cost of the old model.
419
00:21:45,420 --> 00:21:50,140
If this changed how you think about identity, subscribe to the M365FM podcast, connect
420
00:21:50,140 --> 00:21:54,620
with me, Mirko Peters, on LinkedIn, and leave a review; it helps more leaders find this before
421
00:21:54,620 --> 00:21:55,860
they build another silo.