SSWConsulting · RobJT-wq · Mar 6, 2025 · Dec 30, 2024 · Dec 30, 2024 · Dec 30, 2024
diff --git a/categories/infrastructure-and-networking/rules-to-better-cloud-security.md b/categories/infrastructure-and-networking/rules-to-better-cloud-security.md
@@ -4,6 +4,7 @@ title: Rules to Better Cloud Security
 guid: 9cc8a6ee-d801-463a-9d79-bff3167f1596
 uri: rules-to-better-whatsup-gold
 index:
+- do-you-follow-best-practices-for-managing-microsoft-entra-id
 - the-best-way-to-manage-your-azure-security-posture
 - alert-for-azure-security-center
 - regularly-review-your-security-posture

diff --git a/rules/do-you-know-how-to-manage-objections/rule.md b/rules/do-you-know-how-to-manage-objections/rule.md
@@ -8,31 +8,74 @@ authors:
     url: https://ssw.com.au/people/adam-cogan
   - title: Ulysses Maclaren
     url: https://ssw.com.au/people/ulysses-maclaren
+  - title: Rob Thomlinson
+    url: https://www.ssw.com.au/people/RobThomlinson
 related: []
 redirects: []
 created: 2012-08-30T13:03:32.000Z
 archivedreason: null
 guid: d15ae8df-e369-44f9-a307-b48952431d7d
 ---
 
-When attempting to sell a solution to a potential client, you will invariably come up against some objections. It is essential that you are prepared to handle these objections so the client is confident in your skills and has no reservations about choosing you over someone else. The main reason clients raise objections is because they have concerns about your experience "fit" with their needs.
+Hearing “No” from a customer or manager can feel like a dead end, but it can be an opportunity to refine your approach. A rejection doesn’t mean they don’t want your solution. It might just mean they don’t yet see the value, have concerns, or need a different perspective.
 
 <!--endintro-->
 
 We recommend you use this objection handling model.
 
-1. Ask the question - "What concerns do you have about working with us?"
-2. Acknowledge the objection - say, "Thanks for raising that", or, "Thanks for letting
-   us know about that"
-3. Probe - ask, "Can I ask you a few questions about the concerns that you have?"
-   "If I could resolve this issue for you, could we move forward?
-   "You can't always solve objections on the spot - it's ok to say, "Is it alright if I speak to one of my developers about it and let you know about that later today?"
-4. Answer - Pick the best response to their objection (see below)
-5. Confirm that they are happy with your answer - "Do you now feel comfortable with
-   our approach towards your project?"
+## Step 1: Understand the real reason behind the "No"
 
-A typical objection we get is - "Why do you put 2 developers on the project? This is going to be more expensive isn't it?". This is basically how we handle this question:
+Before pushing back, we need to make sure that we understand why the person declined. Common reasons include:
+- **Cost concerns** – The client sees your solution as too expensive
+- **Timing issues** – A business isn't ready to implement the suggested solution
+- **Misalignment with needs** – A client doesn’t see how the solution fits into their business
+- **Unclear value proposition** – The client doesn’t understand the return on investment
+- **Preexisting solution** - The client has an existing solution that currently meets their needs
 
+Instead of immediately trying to resolve their issues with the solution, **ask questions** to understand their real hesitation:
+::: greybox
+"We can use a cheaper LLM to ensure the solution is within you're budget"
+:::
+::: Bad  
+Figure: Bad example – Trying to resolve the issue by assuming the customers concerns
+:::
+
+::: greybox
+"Can you help me understand what concerns you have with the current approach?"
+:::
+::: good  
+Figure: Good example – Asking the right questions helps you refine your response
+:::
+
+## Step 2: Return with a better argument
+
+Once you understand their objections, adjust your approach. Here’s how:
+
+### 1. **If cost is an issue: show the ROI**
+   - Highlight long-term savings or increased revenue
+   - Compare the cost of inaction
+   - Offer a phased approach or a smaller-scale implementation
+
+### 2. **If timing is an issue: keep them engaged**
+   - Ask, “When would be a better time to revisit this?”
+
+### 3. **If they don’t see the fit: Provide better examples**
+   - Use case studies relevant to their industry
+   - Show how similar clients have benefited
+   - Incorporate the clients feedback and offer a more tailored solution
+
+### 4. **If they don’t see the value: Clarify your messaging**
+   - Simplify your explanation
+   - Use visuals, data, or examples to reinforce your point
+   - Focus on their issues rather than just listing features and benefits
+
+## Step 3: Present with confidence
+
+When you go back, don’t just repeat your pitch **reframe it** based on what you’ve learned. Emphasise the value from their perspective, and make it clear you’re there to solve the problem.
+
+A typical objection we get is - "Why do you put 2 developers on the project? This is going to be more expensive isn't it?". This is how we regularly manage this question:
+
+::: greybox
 - Explain the benefits:
 
   - "We can complete the project sooner. Is that important to you?"
@@ -44,3 +87,26 @@ A typical objection we get is - "Why do you put 2 developers on the project? Thi
 
 - If they are still unsure, you can offer a small discount off the hourly rate, or
   offer some free support - it's all about managing risk.
+:::
+::: good  
+Figure: Good example – Addressing concerns with data and real-world examples
+:::
+
+## Step 4: Accept a final "No" with grace
+
+If the client still says "No", accept it professionally. Leave the door open for future discussions:
+::: greybox
+"I appreciate your time and insights. If anything changes in the future, I’d love to revisit this conversation."
+:::
+::: good  
+Figure: Good example – Keeping the relationship positive for future opportunities
+:::
+
+### Final thoughts
+
+A "No" isn’t always the end it’s often just the beginning of a better conversation. Listen, refine, and come back stronger like [Steve Bucknor](https://en.wikipedia.org/wiki/Steve_Bucknor). 
+
+youtube: https://www.youtube.com/embed/xLrH9vA1kpY
+**Video:  Umpire Bucknor's Mistake That Changed Cricket Forever (2 min)**
+
+
diff --git a/rules/managing-microsoft-entra-id/rule.md b/rules/managing-microsoft-entra-id/rule.md
@@ -0,0 +1,80 @@
+---
+seoDescription: Learn best practices for managing Microsoft Entra ID to enhance security and efficiency in your organization.
+type: rule
+title: Do you follow best practices for managing Microsoft Entra ID?
+uri: managing-microsoft-entra-id
+authors:
+  - title: Rob Thomlinson
+    url: https://www.ssw.com.au/people/rob-thomlinson/
+created: 2025-01-03T10:58:08.000Z
+guid: 123e4567-e89b-12d3-a456-426614174000
+related: How-to-name-documents
+---
+
+Effective management of Microsoft Entra ID (formerly Azure Active Directory) is crucial for maintaining the security and efficiency of your organisation's IT infrastructure. Neglecting best practices can lead to unauthorised access, data breaches, and operational disruptions. <!--endintro-->
+
+## 1. Enforce Strong Authentication
+
+- **Implement Multi-Factor Authentication (MFA):** Require MFA for all users, especially administrators, to add an extra layer of security.
+
+- **Adopt Passwordless Authentication:** Utilise methods like Windows Hello for Business or FIDO2 security keys to enhance security and user experience.
+
+## 2. Apply the Principle of Least Privilege
+
+- **Use Role-Based Access Control (RBAC):** Assign users the minimum permissions necessary for their roles to reduce the risk of unauthorised access.
+
+- **Implement Just-In-Time Access:** Utilise Privileged Identity Management (PIM) to grant temporary access to resources only when needed.
+
+## 3. Regularly Review and Audit Access
+
+- **Conduct Access Reviews:** Periodically review user access to ensure that only authorised individuals have access to resources.
+
+- **Monitor Sign-In Activity:** Keep track of user sign-ins to detect unusual or suspicious activities promptly.
+
+## 4. Secure Application Registrations
+
+- **Use Certificates Over Secrets:** Always use certificate credentials for app authentication instead of client secrets, as certificates are more secure.
+
+- **Limit API Permissions:** Assign the least privileged permissions necessary for applications to function.
+
+## 5. Enable Security Features
+
+- **Activate Security Defaults:** Enable security defaults in Microsoft Entra ID to enforce a basic level of security across your organisation.
+
+- **Implement Conditional Access Policies:** Define policies that grant or block access based on conditions like user location, device state, or risk level.
+
+## 6. Plan for Emergency Access
+
+- **Create Break Glass Accounts:** Establish at least two emergency access accounts that are not protected by MFA to ensure access during critical situations.
+
+- **Monitor and Secure Emergency Accounts:** Regularly audit these accounts to ensure they are not misused and are only accessed during emergencies.
+
+## 7. Use Clear Access Group Naming Conventions
+
+Clear and consistent naming conventions for access groups make management simpler and ensure clarity across the organisation.
+
+### **why are naming conventions important?**
+Without clear naming conventions, it becomes difficult to understand the purpose or scope of access groups, leading to confusion and potential security risks.
+
+#### **best practices**
+1. **Follow a Standard Structure:** Include key details in the group name, such as department, function, and access level.
+   - Example: `[Department]-[Resource]-[Level]`
+   - `HR-Payroll-ReadOnly` or `IT-SharePoint-Admin`
+2. **Use Prefixes for Type Indication:** Add a prefix to indicate the type of group.
+   - `DL-` for Distribution List, `SG-` for Security Group, `O365-` for Office 365 Group.
+3. **Avoid Ambiguity:** Ensure names are descriptive but concise. Avoid generic terms like "Admin" or "Users" that lack specific context.
+4. **Adopt Case Conventions:** Use consistent casing, such as PascalCase or lowercase, for easy readability. SSW uses kebab case :)
+
+#### **Common Naming Conventions Example**
+| **Name**                | **Purpose**                               |
+|--------------------------|-------------------------------------------|
+| IT-VPN-Access           | Provides VPN access for IT personnel.    |
+| Marketing-WebAnalytics  | Grants access to web analytics tools.    |
+| Finance-ERP-ReadOnly    | Read-only access to the ERP system.       |
+| All-Company-Broadcast   | Organization-wide communication group.   |
+
+Figure: Good examples of access group naming conventions that improve clarity and reduce errors in assignment.
+
+---
+
+By adhering to these best practices, including clear naming conventions for access groups, you can strengthen your organization's security posture and streamline the management of Microsoft Entra ID.