CryptoLive's Attic

Saturday, May 30, 2026

AD PKI vs Cloud-based PKI

Public Key Infrastructure is one of those foundational technologies that most organizations installed once, pointed at Active Directory, and largely forgot about — until something breaks, a certificate expires at 2am on a Sunday, or an auditor starts asking uncomfortable questions about your root CA.

Now, with cloud-based PKI services maturing rapidly and Microsoft pushing hard toward cloud-native identity, the question of whether to keep running an on-premises AD-integrated PKI or migrate to a cloud-based alternative is coming up in more and more architecture conversations.

The honest answer is: it depends. But the factors it depends on are worth understanding clearly before you make the call.

In this blog I am focusing on certificates for end points for Wi-Fi authentication.

Over the years Microsoft has never made a big effort to b able to issue certificates to non-AD-integrated Windows platforms. This is something you should use a MDM solution for and that MDM solution can either use a cloud-based PKI or keep using the AD PKI. Other aspects like RADIUS authentication require a separate discussion. All cloud-based solutions are based on the number of users, while the AD PKI requires more or less only the server license.

What We Mean by "AD PKI"

When most organizations say they have a PKI, they mean Microsoft Active Directory Certificate Services (AD CS) — a Windows Server role that has been the default enterprise PKI for two decades. It integrates tightly with Active Directory, auto-enrolls certificates to domain-joined machines via Group Policy, and handles everything from user authentication certificates to machine identity, S/MIME email signing, Wi-Fi EAP-TLS, and internal TLS for servers and web applications.

It works well. It is deeply embedded. And for many organizations, it is also unmaintained, under-documented, and running on hardware that predates the current IT team.

Cloud-based PKI comes in several flavors: Microsoft Cloud PKI (part of Intune / Microsoft Entra Suite), Glueck Kanja SCEPman, SCEP and PKCS integrations with third-party services like DigiCert, Sectigo, or GlobalSign, and purpose-built cloud PKI platforms like Smallstep, Keyfactor, or Venafi. Each has a different architecture and a different value proposition, but they share a common premise: move certificate lifecycle management off your infrastructure and into a managed service.

The Case for Keeping AD PKI

It works — and you've already paid for it

AD CS is included in Windows Server. If you are running a hybrid Active Directory environment, you already have the licensing, the infrastructure, and the integration in place. For organizations with a significant on-premises footprint - domain-joined endpoints, on-premises servers, legacy applications - AD CS is the path of least resistance.

Deep Group Policy integration

AD CS integrates with Group Policy in ways that cloud PKI services cannot fully replicate for legacy workloads. Certificate auto-enrollment via GPO is mature, well-understood, and effectively zero-touch for end users and devices once configured correctly. For Windows environments with a large base of domain-joined endpoints, this integration eliminates a significant category of operational overhead. GPO deployment is not working anymore of all endpoints are becoming cloud-only.

Air-gapped and high-security environments

For organizations with genuine air-gap requirements — classified government environments, operational technology networks, critical infrastructure — an on-premises PKI is not optional, it is a compliance requirement. A cloud-based PKI that requires internet connectivity for certificate issuance is architecturally incompatible with these environments regardless of how mature the service is.

Control and auditability

With AD CS you own every component: the root CA (ideally offline), the issuing CA, the certificate database, the CRL distribution points. For organizations with strict compliance requirements around cryptographic key custody — financial services, healthcare, federal contractors — that level of control has real value. You know exactly where your private keys are. You can demonstrate it to an auditor. This also means on a lot of cases that Hardware Security Modules are required and adding complexity and costs.

The Case for Moving to Cloud PKI

AD CS has an operational debt problem

The average enterprise AD CS deployment was designed and implemented years ago by someone who may no longer work there. Certificate templates have accumulated. The root CA may be running on aging hardware with no documented recovery procedure. CRL distribution points may reference internal hostnames that no longer exist. The private keys for the root CA may be stored on the CA server itself rather than in an HSM.

None of this is unusual. It is, in fact, typical. And it means the organization is carrying significant operational and security risk in infrastructure that nobody owns, nobody reviews, and nobody has tested recovering from a failure.

Cloud PKI eliminates most of that operational burden. The provider manages the underlying infrastructure, handles availability, and maintains the service. You configure certificate profiles and policies; they handle the rest.

Modern device management requires cloud PKI

If your endpoint management strategy has shifted to Microsoft Intune — managing Entra-joined devices, BYOD, or remote workers who are never on the corporate network — AD CS creates a fundamental problem. Domain-joined auto-enrollment via GPO only works for devices that are on the domain. Intune-managed devices that are Entra-joined (not hybrid-joined) cannot reach an on-premises CA for SCEP or PKCS certificate issuance without a Network Device Enrollment Service (NDES) proxy or equivalent.

That proxy adds complexity, becomes a single point of failure, and requires ongoing maintenance. Microsoft Cloud PKI, by contrast, is natively integrated with Intune — no proxy, no on-premises dependency, no VPN requirement. For organizations moving toward a cloud-first or zero-trust endpoint posture, this is a significant architectural simplification.

Certificate lifecycle visibility

One of the most common failure patterns in enterprise environments is the unexpected certificate expiration — a server goes down, a Wi-Fi authentication policy stops working, an internal application throws TLS errors. AD CS does not provide enterprise-wide certificate visibility out of the box. You need additional tooling (or manual PowerShell scripting) to build a picture of what certificates have been issued, to what, and when they expire.

Modern cloud PKI platforms are built around visibility as a core feature. Certificate inventory, expiry alerting, and revocation management are first-class capabilities rather than afterthoughts.

Talent and knowledge transfer

AD CS expertise is narrowing. The pool of engineers who deeply understand certificate templates, OID structures, CDP and AIA extensions, and HSM integration is smaller than it was ten years ago and getting smaller. Cloud PKI services abstract away most of that complexity, which means more engineers on your team can own and operate the infrastructure without specialized PKI training.

The Middle Path: Hybrid PKI

For most organizations, the answer is not a binary choice. A practical approach that is gaining traction:

Keep the root CA on-premises, offline, and air-gapped. The root CA is the trust anchor for your entire PKI. It should be rarely used (only to sign issuing CA certificates), stored offline, and protected with the highest level of physical and cryptographic control your organization can provide. This part of the infrastructure rarely changes and benefits from the control that on-premises ownership provides.

Move issuing CA functions to the cloud. Microsoft Cloud PKI supports Bring Your Own CA (BYOCA) — you can subordinate a cloud issuing CA to your existing on-premises root, preserving your trust chain while offloading the operational complexity of certificate issuance and lifecycle management to a managed service.

Use cloud PKI for Intune-managed endpoints, AD CS for domain-joined legacy workloads. Run both in parallel during transition, with a defined roadmap for retiring the on-premises issuing CA as domain-joined workloads migrate to Entra join.

A Framework for the Decision

Factor	Favor AD CS	Favor Cloud PKI
Endpoint management	Primarily domain-joined via GPO	Intune-managed, Entra-joined, or BYOD
Network model	On-premises or hybrid	Cloud-first, zero-trust, remote-heavy
Compliance / key custody	Strict HSM and key control requirements	Standard enterprise compliance posture, AKV HSM backed
Air-gap requirements	Present (OT, classified, critical infra)	Not applicable
PKI operational maturity	Well-documented, actively maintained	Undocumented, aging, no clear owner
Team expertise	AD CS skills in-house	Generalist team, cloud-native preference
Legacy app dependencies	Significant (Kerberos PKINIT, S/MIME), Data at rest encryption, contract signing	Minimal or already migrated, Authentication only

AD PKI is not legacy technology that needs to be replaced on principle but we would like to reduce the dependency on it as we like to minimize or remove AD. In the right environment — hybrid, well-maintained, with genuine on-premises requirements — it is still the right answer. The problem is not the technology; it is the organizational reality that most AD CS deployments are not well-maintained, and the expertise to maintain them correctly is becoming harder to find and retain.

A Cloud-based PKI (SCEPman, Intune Cloud PKI, ...) is not a silver bullet. It introduces its own dependencies, its own vendor relationships, and its own constraints. But for organizations moving toward cloud-first endpoint management, a zero-trust network model, or simply trying to reduce the operational debt carried by aging infrastructure, it removes a category of complexity that has historically been a source of quiet, chronic risk.

The question worth asking is not "which is better?" It is: what does our PKI actually look like today, who owns it, and what would happen if we had to rebuild it from scratch tomorrow?

If you can answer all three confidently — keep what you have and invest in improving it. If you cannot — that is the case for change.

The Hidden Cost of a Username Change

There's a change request that looks routine on the surface. An employee gets married. A legal name change comes through HR. A company completes a domain consolidation after an acquisition. Someone just wants their email to finally match their preferred name.

The ticket says: Update UPN from jsmith@frontoso.com to john.smith@frontoso.com.

To the helpdesk, it looks like a two-minute task. To the identity engineer who understands what that UPN touches, it looks like a change management project.

I've been cataloguing the UPN change behavior of over 65 SaaS applications — everything from Microsoft 365 workloads to physical access control systems — and the pattern I keep seeing is the same: the identity change is easy. The downstream consequences are not.

Why a UPN Change Is Never Just a UPN Change

In a modern enterprise, the User Principal Name is not just a login credential. It is the primary key that dozens of systems use to identify, provision, and authorize a user. Change it in one place, and you have not changed it everywhere — you have created a mismatch that each system will resolve in its own way.

Some systems handle it gracefully. They anchor user identity to an immutable internal object ID, accept the UPN change via SCIM, and update their records without any service disruption. These are the well-architected ones.

Others use the UPN or email address as the primary key in their user store. Change the UPN upstream, and the next time that user tries to log in, the application does not recognize them. It creates a new account. The old account — with its permissions, its content, its history — sits orphaned.

And then there is a third category that is in some ways the most dangerous: applications where the UPN change succeeds silently, but a downstream business process quietly stops working. Approval workflows that route to the old email. Certificates that still carry the old UPN in the Subject Alternative Name. SIP addresses that were set at provisioning time and never updated.

The user can log in. Everything appears fine. And then three weeks later someone asks why their Oracle approval workflow notifications stopped arriving, or why their Wi-Fi drops every time their device certificate is checked.

The Failure Modes, Categorized

After testing and documenting 65 applications, the failure modes cluster into a few distinct patterns.

1. The Duplicate Account Problem

This is the most common failure mode for applications that use JIT (Just-In-Time) provisioning. JIT creates a user account on first login by matching the incoming SAML assertion to an existing record — or creating a new one if no match is found. If the UPN changes, the assertion no longer matches, and a new account is created.

The old account is not deleted. It just sits there, with all of its permissions and content, attached to an identity the user can no longer access. Examples: Zendesk, ArcGIS Online, Cisco Webex (if SCIM attribute mapping is misconfigured), SendGrid.

ArcGIS Online is a particularly painful case. The internal username is derived from the SAML NameID at first login and is immutable after that. A UPN change means a new ArcGIS account. All content, group memberships, and licenses on the old account must be manually migrated — there is no automated path.

2. The Silent Business Process Failure

These applications can survive a UPN change without breaking authentication — but something downstream stops working in a way that is not immediately obvious.

Oracle Fusion ERP is the clearest example in my research. Oracle approval workflows send notification emails using the email address stored in the Oracle user record. If that email address does not match the user's actual primary email after a UPN change, approval notifications route to a dead address. Approvals time out. Business processes stall. Nobody gets an error message — the workflow just stops producing results.

Microsoft Teams has a similar pattern. The Teams identity survives the UPN change because it is anchored to the Entra ID objectId. But the SIP address — which was provisioned from the UPN at the time the Teams account was created — does not automatically update. Federated calls still route to the old SIP address. The user's outbound SIP identity mismatches. External meeting invites show the old address. This requires a manual PowerShell operation to correct: Set-CsUser -Identity <newUPN> -SipAddress sip:<newUPN>.

Microsoft Intune surfaces the most technically subtle failure. Device enrollment and policy sync survive the UPN change cleanly — Intune uses objectId as the anchor. But SCEP and PKCS certificates issued to enrolled devices contain the old UPN in the Subject Alternative Name field. Those certificates remain valid until expiry. Applications that validate the SAN against the current Entra UPN — Wi-Fi using EAP-TLS, VPN with certificate authentication — will fail after the UPN change because the certificate no longer matches the identity. New certificates are issued on the next policy sync cycle, but the window between UPN change and certificate renewal is a silent authentication failure waiting to happen.

3. The MFA Device Orphan Problem

Duo Security deserves its own category. Duo identifies users by username — not by an immutable object ID. If the UPN is used as the Duo username (which is the default configuration with Entra ID directory sync), a UPN change causes Duo to create a new user record and mark the old one for deletion. Enrolled MFA devices — phones, hardware tokens — do not transfer automatically. The user must re-enroll every device on the new username.

For most applications this is inconvenient. For healthcare organizations using Duo with Epic for EPCS (electronic prescribing of controlled substances), it is a compliance-critical workflow failure. Duo sends the UPN as the identity claim to Epic by default. A UPN change without a coordinated Duo update breaks e-prescribing until the Duo record is corrected.

The mitigation requires specific sequencing: add the new UPN as a username alias on the existing Duo record before the UPN change syncs. This preserves the device enrollment through the transition. Then update the primary username after sync completes. Most organizations discover this only after the first failure.

4. The Consent and Access Grant Problem

Quest OnDemand Migration is an example of a category that is easy to overlook: tooling platforms where the impacted accounts are administrators and operators, not end users.

Quest OnDemand identifies administrators by UPN via Microsoft OAuth. A UPN change for the subscription owner breaks portal access entirely — Quest support must be involved to correct backend records. All per-workload OAuth consents (Exchange, Teams, SharePoint) are tied to the consenting admin's UPN and become orphaned on change. The mitigation is strict: add the new UPN to the OnDemand org RBAC and re-grant all consents before deactivating the old identity.

A Reference Table: How Common SaaS Applications Handle It

The following table summarizes the UPN change behavior of a selection of applications from our full 65-app research set. The full dataset — including SCIM availability, stable ID anchor, JIT risk rating, admin steps, and test cases — is available as a companion spreadsheet.

Application	Support Level	Key Risk
Microsoft 365 / Entra ID	✅ Full	Downstream app friction; verify SCIM matching uses objectId
Salesforce	✅ Full	SCIM 2.0; internal SF User ID is stable anchor
Slack	✅ Full	Member ID is stable; email propagates via SCIM
AWS IAM Identity Center	✅ Full	Map objectId to SCIM externalId for stable anchor
Asana	✅ Full	Business+ plan required for SCIM
SharePoint / OneDrive	⚠️ Partial	OneDrive URL changes; all shared links break; user must re-share
Microsoft Teams	⚠️ Partial	SIP address does not auto-update; manual PowerShell required
Exchange Online	⚠️ Partial	Primary SMTP may not update; old address retained as alias
Microsoft Intune	⚠️ Partial	SCEP/PKCS cert SAN contains old UPN; Wi-Fi/VPN auth fails until renewed
Atlassian (Jira/Confluence)	⚠️ Partial	Default SCIM matching uses UPN not objectId — must reconfigure
GitHub Enterprise	⚠️ Partial	Admin-only change; SAML re-link required; CODEOWNERS breaks
Cisco Webex	⚠️ Partial	UPN mismatch creates new account; old user goes Inactive (30-day soft delete)
SAP Concur	⚠️ Partial	Entra gallery connector deprecated/broken; route via SAP Cloud Identity Services
Duo Security	⚠️ Partial	New Duo user created; enrolled devices orphaned; add alias BEFORE change
Oracle Fusion ERP	⚠️ Partial	Email mismatch breaks approval workflow routing
Figma	⚠️ Partial	UPN/SCIM mismatch = stuck 'Pending SCIM' state
KnowBe4	⚠️ Partial	SCIM source attribute must match SSO NameID — update both consistently
8x8	⚠️ Partial	Federation ID update on CREATE only — manual admin update required after change
ArcGIS Online	❌ None	Internal username is immutable; UPN change = new account; old content orphaned
Zendesk	❌ None	Email-keyed; UPN change via JIT creates new account
SentinelOne	❌ None	Email cannot be changed via API; deactivate and recreate required
Epic (Hyperspace)	❌ None	No SCIM; Hyperspace analyst must update; Duo EPCS breaks separately
Lenel OnGuard	❌ None	On-premises PACS; manual operator record update; no SCIM
SendGrid	❌ None	No native SCIM; JIT creates new account on mismatch

What Good Looks Like

The applications that handle UPN changes well share a common design principle: they separate identity from addressing. The user is identified internally by an immutable object ID — Slack's Member ID, Salesforce's User ID, Entra's objectId. The UPN or email address is just an attribute on that object, and attributes can be updated without disrupting the identity relationship.

Applications that fail at this use the UPN or email as the primary key. The address is the identity. Change the address and you have created a new identity — which means a new account, orphaned content, and lost history.

SCIM 2.0 is the mechanism that makes clean UPN changes possible — but only when it is configured correctly. The most common misconfiguration is using UPN as the SCIM matching attribute instead of objectId. Atlassian's default configuration still does this. It is the first thing I check in any environment before approving a bulk UPN change.

Before You Touch That UPN

If there is one operational takeaway from this research, it is this: a UPN change requires an application audit before it can be treated as routine.

The questions I ask before any UPN change in a client environment:

Which applications does this user access?
Of those, which use JIT provisioning with email as the primary key?
Which have business process workflows that route notifications by email?
Which issue certificates or tokens that embed the UPN?
Which have MFA enrollments tied to the current username?
Which have admin or operator access where the UPN is used for consent grants?

The answers to those questions determine whether a UPN change is a two-minute ticket or a coordinated multi-system change management event.

The two-minute assumption is how things break quietly.

Saturday, April 18, 2026

The Identity Scoping Conversation Your Client Hasn't Had Yet

There's a pattern I've seen repeat itself across identity engagements of every size — from a single-domain Active Directory cleanup to a full Entra ID migration for a global enterprise. The project starts with energy and optimism. The stakeholders are aligned. The technology is well understood. And then, somewhere around week three, everything starts to slow down.

Not because the engineers can't execute. Because nobody agreed on what "done" actually meant.

After many years of delivering identity and security solutions to enterprises and government clients, I've come to believe that the most valuable thing an identity architect can do isn't configure a system or write a provisioning script. It's have the conversation that nobody else in the room is having — before a single line of configuration is written.

This is that conversation.

Why Identity Is Uniquely Hard to Scope

Most technical projects have clear edges. You're building a thing. You either built it or you didn't.

Identity doesn't work that way. Identity touches HR (who gets an account), IT (how it's provisioned), Security (what they can access), Compliance (what gets logged), and every application team that has ever bolted on a login screen. It's not a project — it's infrastructure that sits underneath every other project.

That cross-cutting nature creates two scoping problems that don't exist in most engagements:

First, clients often don't know what they have. I've walked into environments where the authoritative source of user data was a spreadsheet someone maintained manually. I've seen organizations where three different teams believed they owned identity — and none of them were fully right. Discovery isn't a pre-project phase you can skip. It is part of scope, and it needs to be treated that way.

Second, the people who approve scope aren't always the people who understand the technical implications. A CISO who signs off on "migrate our users to Entra ID" may not realize that the phrase "our users" includes seventeen application service accounts, six external partner directories, and a legacy HR system that only speaks LDAP over port 389. The gap between what leadership thinks they're buying and what engineering knows they're building is where projects go sideways.

Good scoping closes that gap before it opens.

Five Questions Before Anything Else

When I take on an identity engagement, there are five questions I ask before I open a design document or touch a single configuration setting. The answers don't just inform the scope — they often reveal whether the client is ready to begin at all.

1. What problem are you actually trying to solve?

This sounds basic. It isn't. Clients come to identity engagements with stated goals — "we need to modernize our directory," "we need SSO," "we need to be zero-trust ready" — that often obscure the real driver. Press on it. Is this driven by a compliance audit? A recent incident? An M&A event that's forcing a forest merger? A departing employee who still has access? The underlying driver shapes everything: timeline, risk tolerance, what success looks like, and what failure costs.

2. Who owns identity today — and who thinks they do?

In most organizations, identity ownership is assumed rather than assigned. IT manages Active Directory. Security owns the access control policies. HR controls the data that feeds provisioning. Nobody owns the intersection. Find the actual decision-makers — the people who can approve a change, absorb a risk, or block a rollout — before you build anything that depends on their cooperation.

3. What's your authoritative source of truth for users?

This is where I spend more time than clients expect. Is it the HR system? Active Directory itself? A home-grown identity store? Does it cover contractors, service accounts, external partners, and shared mailboxes — or just full-time employees? The answer determines almost everything downstream: what gets automated, what gets migrated, and what gets cleaned up manually.

4. What does "done" look like to your stakeholders versus your technical team?

These two answers are almost never identical. Leadership defines done as "users can log in and we passed the audit." Engineering defines done as "all legacy authentication protocols are disabled, conditional access is enforced, and privileged access is reviewed quarterly." Both definitions are valid. Neither is complete without the other. Write them both down, and make sure both groups see each other's version.

5. What's your tolerance for disruption?

Some clients can absorb a weekend of downtime. Others will escalate over a two-minute MFA prompt they didn't expect. Knowing this early isn't just about managing expectations — it dictates the migration strategy, the rollback plan, and how aggressively you can move.

The Three Scope Traps

Even with good answers to those five questions, experienced practitioners know there are failure modes that show up in nearly every engagement. I think of them as scope traps — situations that look reasonable on the surface but reliably cause projects to expand, slow down, or stall.

The "just migrate us" trap. This is the most common one. The client wants to move from Point A to Point B, but they've never defined what Point B looks like. What's the target architecture? What's the target access model? What stays on-premises and what moves to the cloud? Without answers to those questions, every design decision becomes a negotiation, and timelines stretch indefinitely. The fix is a High-Level Design phase that forces target-state decisions before implementation begins — and holds stakeholders accountable for approving it.

The "clean it up" trap. A client asks you to "clean up" their directory as part of a migration or assessment engagement. This sounds simple. It isn't. Does "clean up" mean disable stale accounts? Delete them? Remediate group membership? Fix naming conventions? Remove legacy GPOs? Reconcile service accounts with no documented owners? Each of these is a real project of its own, and without an explicit definition of scope, the work expands to fill whatever time is available. Establish clear criteria for what "clean" means — and document what's explicitly out of scope — before you start.

The "while you're in there" trap. This one is the most dangerous because it usually comes from well-intentioned clients who are genuinely trying to be efficient. You're already touching the provisioning pipeline — can you also handle the contractor lifecycle? You're rebuilding the group structure — can you also set up Privileged Identity Management while you're at it? Each individual request is reasonable. Collectively, they add weeks to the engagement and dilute focus. The answer isn't always no, but it always needs to be a documented change order that resets timeline and resource expectations.

What a Good Scope Document Actually Contains

A scope document isn't a statement of work. It's a shared understanding of what the engagement is and isn't — written in language that both the client's leadership and the technical team can hold each other accountable to.

At minimum, it should contain:

Explicit boundaries: What is in scope, and — just as importantly — what is explicitly out of scope. Both need to be named.
Assumptions and dependencies: What has to be true for this engagement to succeed? What systems, teams, or decisions does the work depend on that are outside your control?
Discovery deliverables vs. implementation deliverables: Discovery produces findings and recommendations. Implementation produces configurations and migrations. Treat them as separate phases with separate sign-offs.
Escalation triggers: What circumstances would cause a change to scope, timeline, or cost? Define them proactively so that when they occur, the response is a process rather than a crisis.
Keep goals reasonable: Create a roadmap, or better an identity program, for ongoing extension of services and continous improvement.

The best scope documents I've produced started as design decision logs — living documents that capture every significant architectural choice, the options considered, and the rationale for what was selected. When a client later asks "why did we do it this way," the answer is already written down.

Scope Is a Trust Document

Here's the thing that took me years to fully internalize: a well-scoped engagement protects the client as much as it protects you.

When scope is vague, clients absorb the downside. They end up with an engagement that runs long, costs more than expected, and delivers something that doesn't match what they imagined. They don't always know why — they just know the project didn't go the way they hoped.

When scope is clear, clients can make informed decisions. They can prioritize what matters most, defer what can wait, and hold both sides accountable for delivering what was agreed. That's not a vendor protection mechanism. That's professional practice.

The practitioners who build long-term client relationships aren't the ones who say yes to everything. They're the ones who arrive with questions, listen carefully, and help the client understand what they're actually signing up for — before anyone starts configuring anything.

That conversation is where real advisory value lives.

Friday, April 10, 2026

Which AI Systems Are Actually Using a Local NPU?

There's a lot of marketing noise around NPUs right now — every new laptop seems to boast one and I was wondering how much attention should I pay to it. Reading everything below generate by Claude.ai the answer is: not much at this point, and if you are a Mac user, as I am, you get NPUs with every M-processor anyway.

When it comes to the AI assistants most of us actually use daily, like Claude, ChatGPT, or Gemini, none of them run on your local NPU. They're entirely cloud-based, sending your prompts to remote data centers for inference regardless of what hardware you're sitting in front of. So who is actually making use of the NPU? Let's break it down.

Apple Intelligence — The Most Mature Consumer Example

Apple Intelligence on M-series Macs and A17+ iPhones is currently the most polished mainstream example of a ChatGPT-like feature set genuinely leveraging a local NPU. Tasks like text summarization, smart replies, writing tools, and photo editing run entirely on-device using Apple's Neural Engine. Only more complex requests are escalated to Apple's Private Cloud Compute infrastructure. This hybrid approach gives users meaningful privacy guarantees for everyday AI tasks — a meaningful differentiator.

Microsoft Copilot on Windows 11 — Partial NPU Usage

Microsoft Copilot on Copilot+ PCs offloads specific tasks — image generation in Paint (Cocreator), live captions, and background AI features — to the Intel or Qualcomm NPU built into the device. However, the conversational AI portion (the LLM chat) still hits Microsoft's cloud. So it's a hybrid: some features are genuinely local, but the assistant experience you think of as "Copilot" is not running on your NPU.

Microsoft Foundry Local — Explicit NPU Inference

For those who want to go deeper, Microsoft's Foundry Local tool allows you to explicitly route model inference to the NPU on Copilot+ PCs — including Qualcomm Snapdragon X Elite devices. Models like Phi-3.5-mini can be run directly on the NPU, achieving around 16 tokens per second on supported hardware. This is a developer/power user tool rather than a consumer product, but it's the most concrete implementation of true NPU-targeted LLM inference on a Windows PC today.

Local LLM Tools — Ollama, LM Studio, and Friends

Tools like Ollama, LM Studio, and Nexa AI can be configured to target the NPU for inference on supported hardware. These are self-hosted solutions where you download and run open-weight models (LLaMA, Mistral, Phi, etc.) yourself. The NPU acceleration is hardware and driver dependent — it works well on Qualcomm Snapdragon X Elite and increasingly on Intel Core Ultra platforms. For anyone wanting full control, privacy, and genuinely local inference, this is currently the best path.

Samsung Galaxy AI — Mobile NPU in Action

Samsung's Galaxy AI features on the S24 and S25 series use the Qualcomm Hexagon NPU for on-device tasks including live translation, generative photo editing, and call transcription. Like Apple, Samsung routes more demanding tasks to the cloud while keeping latency-sensitive and privacy-relevant workloads on the device.

The Bottom Line

Claude, ChatGPT, and Gemini are cloud-only. They don't touch your NPU — full stop. Apple Intelligence is the most mature and user-friendly example of NPU-backed AI features in a mainstream product. Microsoft Foundry Local and the open-source local LLM ecosystem are where you go if you want explicit, controllable on-device inference. The NPU story is real, but it's mostly at the OS feature layer and developer tooling level — not in the headline AI assistant products yet. That will change, but we're not there.

Wednesday, April 8, 2026

The Second Connector Pattern — Writing otherMails to Hybrid Users in Entra ID

Cloud Sync cannot write otherMails — but a second provisioning connector scoped to existing accounts can. Here is the architecture, the attribute mapping configuration, and the scoping guard that makes it safe.

When you provision hybrid users into Active Directory from Workday and synchronize them to Entra ID via Cloud Sync, you quickly hit a wall: Cloud Sync cannot write otherMails. The attribute exists only on the Entra ID user object — there is no AD equivalent — and Cloud Sync has no mechanism to write cloud-only properties on the accounts it syncs.

For many organizations this matters because otherMails is the personal email address that powers day-one SSPR. Without it populated at account creation, new employees cannot reset their own password until they complete a self-registration flow — which typically requires them to already be logged in.

WHY OTHERMAILS?

otherMails is the Entra ID attribute that SSPR uses as the "Alternate email" reset method. When populated before the user's first login, it enables password reset without prior registration. The personal email originates in Workday's personalEmail field and needs to reach this attribute on the cloud user object.

The Problem in Detail

Here is the flow for a typical hybrid provisioning setup, and where it breaks down:

1

Workday → AD (Connector 1)

The Workday inbound provisioning connector creates the user in on-premises Active Directory. It maps PreferredFirstName, LastName, Department, EmployeeID, and other standard attributes. Personal email can be written to an AD extension attribute (e.g. extensionAttribute1) but AD has no otherMails property.

2

AD → Entra ID (Cloud Sync)

Cloud Sync syncs the AD user to Entra ID. It creates the cloud representation of the user with all standard attributes. However, otherMails is a multi-value string array that Entra ID computes and manages — Cloud Sync does not write it. Even if personal email is in extensionAttribute1, there is no supported mapping from that attribute to otherMails in Cloud Sync.

3

otherMails remains empty

The hybrid user lands in Entra ID with no otherMails value. SSPR works only if the user has previously registered, which requires an active account. Day-one password reset fails.

ARCHITECTURE DIAGRAM — SECOND CONNECTOR PATTERN

The key insight is that Entra ID provisioning connectors are not exclusively for creating accounts. They can be configured to update existing accounts only — matching on a stable identifier, skipping creation entirely, and writing a targeted set of attributes via the Microsoft Graph API.

This is the second connector pattern. You deploy a second enterprise application of type "API-driven provisioning to Microsoft Entra ID" (or the Workday → Entra ID cloud connector if you are using the native Workday integration), configured with one critical difference from the primary connector:

THE KEY CONFIGURATION

Create action: OFF. Update action: ON. The connector will only ever match existing accounts and write to them. It will never attempt to create a new user object, regardless of what Workday sends.

Connector Roles Side by Side

CONNECTOR 1 — PRIMARY

Workday → Active Directory

Creates hybrid AD accounts
Writes all standard AD attributes
Manages OU placement
Enables / disables accounts
Manages manager attribute
Handles UPN generation

CONNECTOR 2 — ATTRIBUTE WRITER

Workday → Entra ID (update only)

Create: OFF
Matches on employeeId
Writes otherMails from Workday personalEmail
Can also write usageLocation, custom extension attributes
Writes any cloud-only property invisible to Cloud Sync

Attribute Mapping Configuration

In the Entra admin center, navigate to the second provisioning app's attribute mappings and configure the following. Keep mappings minimal — only include what this connector is responsible for.

SOURCE (WORKDAY)	TARGET (ENTRA ID)	APPLY MAPPING	NOTES
`WorkerID`	`employeeId`	MATCH ATTRIBUTE	Used for account matching only — stable Workday identifier
`personalEmail`	`otherMails`	ALWAYS	Core purpose of this connector
`CountryISO`	`usageLocation`	ALWAYS	Optional — also not writable via Cloud Sync
(remove all others)	—	—	Strip default mappings — this connector should be narrow in scope

IMPORTANT — REMOVE DEFAULT MAPPINGS

When you create the provisioning app, it comes with a full set of default attribute mappings. Delete all of them except the match attribute and otherMails. If you leave displayName, userPrincipalName, or other attributes mapped, this connector will overwrite values that the primary connector and Cloud Sync are responsible for — potentially causing conflicts and provisioning loops.

Scoping Filter — The Critical Safety Guard

Without a scoping filter, this connector will attempt to process every worker in Workday — including cloud-only users who are already fully managed by a separate cloud-only connector. That creates a race condition where two connectors both write to the same user object.

The scoping filter must match only the hybrid population. Use the same attribute you use to differentiate hybrid from cloud-only workers in Workday — typically Worker_Type, Legal_Entity, or a custom boolean field.

// Scoping filter in the provisioning app — Workday attribute filter
// Only process workers that are in scope for hybrid AD provisioning

Attribute: Worker_Type
Operator:  EQUALS
Value:     "Employee"

// AND

Attribute: Legal_Entity
Operator:  MEMBER_OF
Value:     "Contoso Corp", "Contoso LLC"

// This must mirror the scoping filter on Connector 1 exactly.
// If a worker is in scope for Connector 1 (AD creation),
// they must also be in scope for Connector 2 (attribute enrichment).

SCOPING MUST BE MUTUALLY EXCLUSIVE

The scoping filter on Connector 2 (hybrid attribute writer) and your cloud-only connector must be mutually exclusive. A worker should appear in exactly one connector's scope for update operations. Use the same attribute and values you defined when splitting the two provisioning agents — the same logic that prevents UPN collision applies here.

Provisioning App Settings

In the provisioning app settings, set the following:

// Provisioning app settings (Provisioning > Settings blade)

Provisioning Mode:         Automatic

// Under Mappings > Provision Workday Users
// In the attribute mapping header, set:

Create new objects:        OFF   ← critical
Update matching objects:   ON
Delete matching objects:   OFF   ← never let this connector deprovision

// Matching attribute
Source object attribute:   WorkerID       // Workday
Target object attribute:   employeeId     // Entra ID
Match precedence:          1

What Happens at Runtime

When the provisioning cycle runs for Connector 2:

1

Worker record read from Workday

The connector reads the worker's WorkerID and personalEmail from the Workday data view.

2

Match against Entra ID by employeeId

The provisioning service queries GET /users?$filter=employeeId eq 'WD-12345'. If no match is found — because the AD account has not synced yet — the record is escrowed and retried on the next cycle. No account is created.

3

PATCH otherMails via Graph

The provisioning service issues PATCH /users/{id} with { "otherMails": ["personal@gmail.com"] }. This is a direct Graph write — not through AD, not through Cloud Sync.

4

SSPR is now available on day one

With otherMails populated, the user can reset their password using the alternate email method before their first login — no prior registration required.

Timing Consideration

Connector 2 depends on the account already existing in Entra ID before it runs. The account creation sequence is:

Connector 1 creates the user in AD
Cloud Sync syncs the AD user to Entra ID (~20–40 minutes)
Connector 2 runs its next cycle (~40 minute interval) and finds the account
otherMails is written

In the worst case, otherMails is populated about 80 minutes after account creation. For pre-hire provisioning (account created 1–3 days before start date), this is not an issue. If same-day provisioning is required, a Lifecycle Workflow Logic App custom extension triggered at joiner time is a faster alternative — it fires immediately after the account appears in Entra ID and makes the same Graph PATCH call.

ALTERNATIVE — LIFECYCLE WORKFLOW

If you need otherMails populated within minutes of account creation rather than on the next 40-minute provisioning cycle, deploy a Lifecycle Workflow with a custom task extension (Logic App) that fires on the joiner trigger and calls PATCH /users/{id} with the personal email sourced from a Workday attribute written to an extension attribute at provisioning time.

When to Use This Pattern vs. Alternatives

APPROACH	TIMING	COMPLEXITY	BEST FOR
Second connector (this post)	~80 min after account creation	Low — one additional provisioning app	Pre-hire provisioning, no Governance license
Lifecycle Workflow + Logic App	Minutes after account appears	Medium — requires Entra ID Governance license	Same-day onboarding, real-time enrichment
Workday → Entra ID cloud connector (direct)	Same cycle as account creation	Low — native mapping on cloud-only connector	Cloud-only users only — does not help hybrid
Graph API via PowerShell / Azure Function	On-demand / scheduled	Medium — requires code and scheduled trigger	Bulk backfill of existing accounts

Summary

Cloud Sync's inability to write otherMails is not a blocker — it is an architectural boundary that the second connector pattern cleanly crosses. The pattern works because Entra ID provisioning connectors are general-purpose Graph API clients: they can update any writable user attribute, and they are not limited to account creation.

The three things that make this pattern safe are:

Create: OFF — the connector cannot create orphan accounts
Narrow attribute mapping — only otherMails and the match key, nothing else
Mutually exclusive scoping — hybrid workers only, mirroring Connector 1's scope exactly

Add this connector to your Workday provisioning architecture alongside the existing AD connector and Cloud Sync, and hybrid users will have their personal email populated in otherMails automatically on every provisioning cycle — no Logic Apps, no custom code, no Governance license required.

Soft-delete for Entra ID groups: what changed and when

Microsoft Entra ID · Identity & Access Management

If you've ever accidentally deleted a security group in Microsoft Entra ID and then spent the next hour scrambling to recreate it from memory, you'll know exactly why this update matters. Microsoft has finally extended soft-delete support to cloud security groups — closing a recovery gap that has frustrated admins for years.

A bit of history

Soft-delete isn't new to Entra ID. Microsoft introduced it for Microsoft 365 Groups back in early 2017, giving admins a 30-day window to restore accidentally deleted groups — complete with their connected resources like SharePoint sites and Planner boards. Applications and users followed, also gaining soft-delete status.

But cloud security groups? Until late 2025, deleting one meant it was gone. Permanently. No recycle bin, no restore button. You had to rebuild the group from scratch, re-add all members, and then hope you hadn't missed anyone with access to something critical.

What's new

Announced via Message Center notification MC1183299 on 6 November 2025, Entra ID now places deleted cloud security groups into a soft-deleted state for 30 days — giving admins time to restore them with all settings, membership, and ownership intact.

Here's the rollout timeline:

Late October 2025

Public preview begins. Feature available via Entra admin center, Microsoft Graph v1.0 API, and Graph PowerShell SDK.

November 2025

Public preview rollout completes.

Late February – Early March 2026

General Availability worldwide.

After 30 days

Soft-deleted groups are permanently (hard) deleted and cannot be recovered.

How to restore a soft-deleted group

Head to the Microsoft Entra admin center, navigate to Identity > Groups > All groups, and select Deleted groups. Pick the group and hit Restore group. You can also use PowerShell with Restore-MgDirectoryDeletedItem or the deletedItems Microsoft Graph API.

Keep in mind: while a group sits in the soft-deleted state, its members immediately lose access to any resources protected by that group — SharePoint sites, app assignments, Conditional Access policies, and so on. Restoring the group reapplies all of that access based on the original configuration.

Important caveats

This feature covers cloud-only security groups — both assigned and dynamic membership types.

Groups that are synced from on-premises Active Directory via Entra Connect Sync or Cloud Sync are not eligible for soft-delete and will still be hard-deleted immediately.

The 30-day retention window is also not customizable. Distribution lists and mail-enabled security groups remain outside the scope of this feature for now.

What you should do now

If you run automation or scripts that manage group lifecycle — say, a cleanup job that deletes stale groups — review them. Deleted groups will now land in a soft-deleted state rather than disappearing instantly, which could affect your automation logic if it expects immediate hard deletion. Also worth tagging your critical security groups and documenting who's responsible for recovery, so that if something goes wrong, there's a clear escalation path before the 30-day window closes.

It's a small change in Microsoft's changelog — but for any admin who's been burned by an accidental group deletion, it's a very welcome safety net.