Introducing I.D.E.A. — Identity Engineering Artifacts
🥳Happy New Year everyone!🥳
With 2026 here, I’m excited to introduce something new:
I.D.E.A. (Identity Engineering Artifacts)
I spend quite some time with PowerShell and tend to write small scripts whenever I need a small tool or some reporting. By sharing some of these simple tools, I hope to contribute to securing more tenants around the world.
I created I.D.E.A. to bridge the gap between “doing it manually” and “building a platform.” These simple, PowerShell-based tools for Microsoft Entra make it easier to explore concepts, troubleshoot issues, and generate reports in seconds. If you’ve ever needed a quick PowerShell script for Entra reporting or troubleshooting without building from scratch or importing a bulky framework, then these are for you.
They are designed to be:
- Fast to run.
- Easy to understand.
- Meaningful in impact.
What I.D.E.A. is
- A collection of small, focused Identity Engineering Artifacts
- Lightweight scripts that solve one problem clearly and transparently
- Easy to run, easy to modify, and easy to learn from
- Helpful starting points for troubleshooting or exploration
- Tools that do some heavy lifting without requiring complex setups
- Practical examples of identity engineering patterns and best practices
- Fully open for you to download, adapt, and extend
What I.D.E.A. is not
- Not a complete or comprehensive identity solution
- Not a replacement for proper design, governance, or security processes
- Not guaranteed to fit every scenario or environment
- Not a framework, module, or long‑term automation platform
- Not a supported product, no warranty, no guarantees
- Not a “one size fits all” answer to identity challenges
- Not intended to remove your responsibility for testing and validation
I.D.E.A.s will be gathered in a dedicated repository which will grow over time as I develop and publish new artifacts. Some will be inspired by challenges I encounter through my consulting work, others will explore new features, and some will aim to eliminate outdated configurations and security issues. Only time will tell what ends up here, so stay tuned!
👉 I.D.E.A. repo: https://github.com/Per-Torben/I.D.E.A.
Introducing I.D.E.A. #001
So, for my first I.D.E.A.: I.D.E.A. #001 is a lightweight, practical tool designed to help administrators create and configure break‑glass emergency access accounts in Microsoft Entra.
In my experience reviewing Microsoft Entra environments, break-glass accounts are one of the most critical safeguards, yet they are frequently overlooked. Even in well-managed tenants, these accounts often simply don’t exist. So the first I.D.E.A. is a follow-up to the post Break the glass – Not your organization! – Agder in the cloud.
Many IT teams, especially in smaller organizations, view break-glass accounts as “overkill” or find the implementation guidance (even on Microsoft Learn) intimidating to start with. This is a dangerous oversight! Setting these accounts up takes only a couple of minutes, but it can prevent a total administrative lockout when (not if) the unexpected happens.
This is a lightweight, practical tool designed to help administrators create and maintain reliable emergency access accounts. Rather than a complex automation framework, this artifact provides a clear, guided path to configuring these accounts according to Microsoft’s best practices.
What the script does
- Creates new break‑glass emergency access accounts or detects and selects existing ones
- Configures secure passwords and validates password complexity
- Registers one or more FIDO2 security keys for each account
- Excludes the accounts from all Conditional Access policies
- Assigns the Global Administrator role when required
- Adds the accounts to a Restricted Management Administrative Unit (RMAU) for protection
- Applies recommended naming conventions and configuration defaults
- Provides an interactive, menu‑driven workflow to guide each step
- Generates logs for visibility and auditing
All the details are located in the readme.md file, and, as always, I recommend testing the script before running it in a production environment.
The script does not (of course) help you with establishing testing routines, monitoring the break-glass accounts or purchasing physical FIDO2 keys.😉 Again, this is a tool to help you get started, not a complete, fully automated solution.
Quick guide
1. Initial menu: After signing in with a Global Admin account, set the number of break‑glass accounts, number of FIDO2 keys per account, and the naming prefix.

2. Account detection: The script searches for accounts based on the prefix. If none are found, you can create new ones or manually select existing accounts.

3. Main menu options:
- Configure FIDO2 keys
- Exclude accounts from Conditional Access
- Assign Global Administrator (recommended after securing with FIDO2)
- Add accounts to a Restricted Management AU

When this is all done, you should still set up monitoring and a procedure to test and verify these accounts regularly. Microsoft has some good guidance here.
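The “What the script does” list and steps 1–3 above describe what a finished break-glass account should look like: FIDO2 registered, excluded from every Conditional Access policy, Global Administrator assigned, and protected by a Restricted Management AU. The regular verification you still need can be scripted against the same Microsoft Graph properties. The following is an added example written for this post, not code from the I.D.E.A. repository; it assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph), read-only Graph permissions, and uses “BreakGlass” as a placeholder prefix (replace it with the prefix you chose in the script).

```powershell
# Added example (not part of I.D.E.A.): read-only check of break-glass account configuration.
# Assumes the Microsoft Graph PowerShell SDK is installed. The prefix is a placeholder.
function Test-BreakGlassAccounts {
    [CmdletBinding()]
    param(
        [string]$Prefix = 'BreakGlass'   # assumed placeholder; use your own naming prefix
    )

    # Read-only scopes only: this function never changes anything in the tenant.
    $scopes = @(
        'User.Read.All', 'Policy.Read.All', 'UserAuthenticationMethod.Read.All',
        'RoleManagement.Read.Directory', 'AdministrativeUnit.Read.All'
    )
    Connect-MgGraph -Scopes $scopes -NoWelcome

    $accounts = Get-MgUser -Filter "startsWith(userPrincipalName,'$Prefix')" `
                           -Property Id,UserPrincipalName,AccountEnabled -All
    if (-not $accounts) {
        Write-Warning "No accounts with prefix '$Prefix' found; there is no break-glass account to fall back on."
        return
    }

    # Gather tenant-wide reference data once instead of per account.
    $caPolicies  = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq 'enabled' }
    $gaRole      = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    $gaMembers   = if ($gaRole) { (Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All).Id } else { @() }
    $rmauIds     = (Get-MgDirectoryAdministrativeUnit -All | Where-Object { $_.IsMemberManagementRestricted }).Id
    $rmauMembers = foreach ($id in $rmauIds) {
        (Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $id -All).Id
    }

    foreach ($acct in $accounts) {
        # Groups the account belongs to, so that group-based CA exclusions also count as excluded.
        $groupIds = (Get-MgUserMemberOf -UserId $acct.Id -All).Id

        # Enabled policies that neither exclude the user directly nor via one of its groups.
        $notExcluded = $caPolicies | Where-Object {
            $u = $_.Conditions.Users
            -not ($u.ExcludeUsers -contains $acct.Id) -and
            -not ($u.ExcludeGroups | Where-Object { $groupIds -contains $_ })
        }

        $fido2 = Get-MgUserAuthenticationFido2Method -UserId $acct.Id

        # One finding row per account; empty NotExcludedFromCA and True/True means "as intended".
        [pscustomobject]@{
            UserPrincipalName = $acct.UserPrincipalName
            Enabled           = $acct.AccountEnabled
            Fido2Keys         = @($fido2).Count
            IsGlobalAdmin     = $gaMembers -contains $acct.Id
            InRestrictedAU    = $rmauMembers -contains $acct.Id
            NotExcludedFromCA = @($notExcluded).DisplayName -join '; '
        }
    }
}

# Usage: Test-BreakGlassAccounts -Prefix 'BreakGlass' | Format-Table -AutoSize
```

Any policy name listed under NotExcludedFromCA is a gap to close before you need the account, and Fido2Keys below the number of keys you registered usually means a key was removed or never completed registration. Because the check reads group-based exclusions too, it will not raise a false alarm if your tenant excludes break-glass accounts through a dedicated group rather than per user. Running it on a schedule, together with a periodic real sign-in test, covers the monitoring part that the script itself leaves to you.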
Wrapping up
Identity security can feel complicated, but it doesn’t have to be. I.D.E.A. exists to make identity security more accessible and practical. Its purpose is to take on the heavy lifting and cut through complexity, so you can focus on what matters: stronger identity security.
These artifacts won’t solve every challenge or every scenario, but they are here to get you out of the starting blocks and help you solve challenges. I.D.E.A. #001 is just the beginning. More scenarios and solutions to common pain points are on the way.
If this sounds useful, keep an eye on the repository and feel free to adapt, improve, and share your own ideas.
As mentioned earlier, you can find I.D.E.A. here: https://github.com/Per-Torben/I.D.E.A.