Microsoft 365 Identity Security Engineering
Master Microsoft 365 Identity Security Engineering
Build and engineer resilient identity systems that stop real attacks at the source. Design, implement, and operationalise secure identity controls using Microsoft Entra ID; including Conditional Access, Privileged Identity Management, Identity Protection, and Zero Trust strategies; to block account takeover, MFA fatigue, token theft, and advanced identity threats.
What you'll be able to do
“Spent a ton of time digging into Entra sign-in logs and looking at how token theft actually works in the real world; the Entra ID Security training was very helpful for this. Thankfully, not another 'turn on MFA' lecture. The course was very helpful in learning how to properly audit your environment.”
Course overview
The Microsoft 365 Identity Security Engineering course is built specifically for Security Engineers, Identity Architects, and Microsoft 365 Administrators who design identity controls that stop real attacks. You'll gain hands-on engineering expertise to:
By the end, you'll have the advanced engineering skills and mindset to own and harden your organisation's entire identity infrastructure; dramatically reducing identity-based risk and preventing breaches before they happen.
Who this course is for
You're a Security Engineer, Identity Architect, or Microsoft 365 Administrator responsible for designing identity controls that stop real attacks. This course is built for you if you want to:
In short: if you're ready to engineer identity systems that attackers cannot easily bypass, this course is for you.
What you'll learn
By the end of this Microsoft 365 Identity Security Engineering course you will be able to:
Key course takeaways
Lab Pack, Microsoft 365 Identity Security Engineering Toolkit
Downloadable lab pack with realistic identity evidence, deployable Conditional Access policies, detection rules, PIM configurations, and the complete governance framework for a production identity security program. Two PowerShell generators produce ~130 individual files covering every module in the course.
Identity evidence (~2,000+ entries across 6 tables): SigninLogs (14 days + AiTM, password spray, MFA fatigue, impossible travel), AuditLogs (admin activity + inbox rules, OAuth consent, GA role assignment, CA policy disable), NonInteractiveSignInLogs (token refresh + AiTM replay), ServicePrincipalSignInLogs (5 SPs + external auth), IdentityInfo (15 user records), RiskDetections (5 identity risk events).
Conditional Access (12 policies + validation): CA001–CA012 as individual JSON exports. 7 KQL validation queries. 6 What-If scenarios with expected outcomes.
Detection rules (30 files): 15 KQL rules + 15 Sigma equivalents covering AiTM token replay, password spray, MFA fatigue, impossible travel, inbox forwarding, GA assignment outside PIM, CA policy modification, OAuth consent to unverified publisher, and more.
Operational artifacts (~70 files): PIM role configs, Identity Protection risk policies, application security inventory, workload identity inventory, governance templates, monitoring runbooks, backup/recovery checklists, architecture templates, compliance mappings (ISO 27001, NIST CSF), and 3 capstone design challenges.
Things you need to know
What are the prerequisites for this course?
There are no prerequisites. The course teaches identity security engineering from first principles. Familiarity with Entra ID and the Microsoft 365 admin center will help you move faster through the early modules, but neither is required. Every concept is explained at first use.
What are the device requirements?
A device with a modern browser. Access to a Microsoft 365 E5 developer tenant (free from Microsoft) for hands-on Conditional Access, PIM, and Identity Protection configuration. The course walks you through tenant setup in Module 0.
How will the course benefit your career?
Identity is the primary attack surface in modern environments. Organisations need engineers who can design Conditional Access architectures against real attack patterns, not just enable MFA and pass a compliance check. This course gives you the skills to engineer identity controls, build detection rules, and operationalise privileged access governance.
The demand for identity security engineers continues to grow as organisations face increasingly sophisticated identity-based attacks including AiTM phishing, token theft, and MFA fatigue.
Usage rights and disclaimer
Course materials: Licensed for individual professional development. You may deploy scripts, queries, detection rules, and policies in your production environment. You may not redistribute course content or share account credentials.
Identity configurations: All Conditional Access policies, PIM configurations, and detection rules are provided as-is. Test every configuration in report-only mode before enforcement. Ridgeline Cyber Defence is not responsible for operational impact from deployed configurations.
Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.
Version and changelog
Current version: 2.1 | Last updated: June 2026
June 2026, v2.1: Course renamed to Microsoft 365 Identity Security Engineering.
June 2026, v2.0: Course renamed to Microsoft 365 Identity Security Engineering. Course page restructured. Lab pack with ~130 identity security artifacts.
2026, v1.0: Course launch. 19 modules across 4 phases. Defense Design Method across all modules.
This course is actively maintained. Content is updated as the Entra ID platform and identity threat landscape evolve.
End of Course Exam
Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.
Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.