Identity & Access Management

For Security Engineers, M365 Administrators, Identity Engineers, and IT Leads Who Design, Operate, and Defend Identity Programs


Stop managing identities. Start governing them.

Right now, access accumulates in your tenant without review. Service principals outnumber your users and nobody governs them. Developers leave and their applications keep authenticating. Auditors ask for evidence and you scramble. This course takes you from that reality to a governed identity program — where every identity has an owner, every permission has a justification, every lifecycle event is automated, and compliance evidence is a byproduct of how you operate, not a project you start the week before an audit.

What you'll deploy immediately after this course
A governed identity program where every identity — human and machine — has an accountable owner
Automated lifecycle that provisions on day one and revokes completely on the last day
Non-human identity governance that treats service principals and AI agents with the same rigor as users
Access that is justified, time-bound, and automatically revoked when the business need ends
Compliance evidence on demand — not a scramble before the assessment
20+ Architecture Decision Records your successor can follow and your auditor can verify
IAM PROGRAM — SIX CAPABILITY DOMAINS
PHASE 1 — FOUNDATIONS + ENTRA ID PRIMER: IAM thinking · Identity ecosystem · Data quality · Governance assessment
PHASE 2 — USER IDENTITIES: User objects · Bulk operations · Groups · Role-based access · Licensing
PHASE 3 — AUTHENTICATION + ACCESS: Auth methods · Passwordless · Conditional Access · Token protection
PHASE 4 — APPS + WORKLOAD IDENTITIES: OAuth consent · Service principals · Managed identities · AI agents
PHASE 5 — PRIVILEGED ACCESS + DELEGATION: PIM · Role governance · Emergency access · Administrative units
PHASE 6 — GOVERNANCE + LIFECYCLE: Lifecycle workflows · Entitlement mgmt · Access reviews · Compliance
17 modules · 20+ ADRs · Built on your own M365 tenant

What you'll be able to do

Design and operate a complete IAM program covering human and non-human identities
Govern service principals, workload identities, and AI agents with operational cadences
Build authentication architecture with passwordless roadmap and Conditional Access governance
Automate the identity lifecycle with joiner, mover, and leaver workflows
Implement entitlement management and access reviews that actually find problems
Produce compliance evidence mapped to ISO 27001, SOC 2, NIST CSF, and Cyber Essentials
Specialist tier | 17 modules across 6 phases | 36–40 hours at your own pace | 40 CPE credits | 2 free modules — no account needed | 20+ ADRs | Updated May 2026
Course Agenda

Phase 5 — Privileged Access & Delegation

IAM9
Privileged Access and Delegation Architecture

Who this course is for

“Access accumulates and nobody reviews it.” Users change roles and keep their old permissions. Service accounts outlive the projects that created them. This course builds the lifecycle automation, access reviews, and governance framework that prevents accumulation by design.

“Service principals outnumber our users and nobody governs them.” Non-human identity governance: every service principal, managed identity, and AI agent gets an owner, a lifecycle, and the same rigor as a human account. Module 9 is entirely about workload identities.

“The auditor asks for access evidence and we scramble for two weeks.” Compliance evidence should be a byproduct of how you operate, not a project. Graph API queries that produce ISO 27001, SOC 2, and NIST CSF evidence on demand — because the governance controls generate it continuously.

“Our access reviews have 100% approval rates.” That means nobody is actually reviewing. You build scoped reviews with targeted reviewers, context that makes decisions meaningful, and automated remediation that acts on the results. The outcome is a certification that proves access is justified.

“I manage Entra ID but I've never used PIM, lifecycle workflows, or entitlement management.” M365 administrators ready to move from user administration to identity governance. Phases 5 and 6 cover PIM, emergency access, lifecycle workflows, entitlement management, and access reviews — the governance layer built on top of the administration you already know.

“I need to document why we made each governance decision.” 20+ Architecture Decision Records throughout the course. Each ADR documents the decision, the alternatives considered, the trade-offs, and the rationale. Your successor can follow them. Your auditor can verify them.

Whatever your background — if the subject interests you and you're willing to put in the work, this course is for you.

Before and after this course

Before

A developer leaves and their 3 service principals keep authenticating for 8 months until the next security review notices. Nobody owns them.

New hires wait 3 days for access because provisioning is manual. Leavers keep access for weeks because revocation requires 4 separate tickets.

The access review campaign runs quarterly. Every reviewer clicks “Approve All” in under 60 seconds. The compliance team files it as evidence anyway.

The auditor asks for evidence of least-privilege enforcement and you spend two weeks building spreadsheets from portal screenshots.

After

Every service principal has an owner, a documented purpose, and a lifecycle. When the owner leaves, their applications are flagged for review within 24 hours.

Lifecycle workflows provision on day one with role-appropriate access. On the last day, revocation is complete — accounts disabled, tokens revoked, group memberships removed. No tickets, no delays.

Access reviews are scoped to the decisions that matter, assigned to reviewers who have context, and configured to revoke on non-response. The 100% approval rate is replaced by evidence of actual governance.

One Graph API query produces the compliance evidence package. ISO 27001 A.9, SOC 2 CC6, NIST CSF PR.AC — the controls generate the evidence as a byproduct of operation.

How the course works

Six phases build the complete IAM program. Each phase produces deployable governance artifacts documented with Architecture Decision Records:

Phases 1–2
Foundations & Users

IAM thinking, identity ecosystem mapping, data quality audit, user objects, groups, role-based access, licensing governance.

Phases 3–4
Auth, Apps & Workloads

Passwordless authentication, Conditional Access, token protection, OAuth consent, service principals, managed identities, AI agent governance.

Phases 5–6
Privileged Access & Governance

PIM, emergency access, lifecycle workflows, entitlement management, access reviews, compliance evidence automation, capstone assembly.

What the content looks like

This is a real Graph API query from the governance modules. When the auditor asks for evidence of service principal governance, you run this instead of spending two weeks building spreadsheets.

PowerShell — From Module 9: Non-Human Identity Governance
# Find service principals with no owner assigned
# Requires the Microsoft.Graph PowerShell SDK and the Application.Read.All permission
Connect-MgGraph -Scopes 'Application.Read.All'
$orphanedSPs = Get-MgServicePrincipal -All |
    ForEach-Object {
        # Owners come back as directory objects; an empty result means nobody owns this principal
        $owners = Get-MgServicePrincipalOwner -ServicePrincipalId $_.Id -All
        if (-not $owners) {
            [PSCustomObject]@{
                DisplayName  = $_.DisplayName
                AppId        = $_.AppId
                Created      = $_.AdditionalProperties.createdDateTime
                # Service principal sign-in activity is exposed through the sign-in activity reports,
                # not the servicePrincipal object, so this column is empty unless the API returns it
                LastSignIn   = $_.AdditionalProperties.lastSignInDateTime
            }
        }
    }
$orphanedSPs | Sort-Object Created |
    Export-Csv "orphaned-service-principals.csv" -NoTypeInformation

Every orphaned service principal is an unmanaged attack surface. The module teaches you to identify them, assign owners, establish lifecycle policies, and automate the detection of new orphans — so this query eventually returns zero results.
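The orphan query catches principals with no owner at all; the "owner leaves" control described earlier needs a second check for principals whose owners still exist but have been disabled. The following is an added example, not course code, and assumes the Microsoft.Graph SDK with Application.Read.All and User.Read.All; non-user owners (other service principals) are treated as still present rather than evaluated.

```powershell
# Added example (not course code): flag service principals whose user owners are all disabled,
# i.e. the owner has left but the application keeps authenticating.
# Assumes the Microsoft.Graph SDK and the Application.Read.All and User.Read.All permissions.
Connect-MgGraph -Scopes 'Application.Read.All', 'User.Read.All' -NoWelcome

$flagged = foreach ($sp in Get-MgServicePrincipal -All -Property Id, DisplayName, AppId, ServicePrincipalType) {
    $owners = @(Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All)
    if ($owners.Count -eq 0) { continue }   # no owner at all: covered by the orphan query above

    $activeOwners = 0
    foreach ($owner in $owners) {
        if ($owner.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user') {
            # Only user owners are checked for account status
            $user = Get-MgUser -UserId $owner.Id -Property AccountEnabled
            if ($user.AccountEnabled) { $activeOwners++ }
        } else {
            $activeOwners++   # assumption: a non-user owner counts as present
        }
    }

    if ($activeOwners -eq 0) {
        [PSCustomObject]@{
            DisplayName = $sp.DisplayName
            AppId       = $sp.AppId
            Type        = $sp.ServicePrincipalType
            OwnerCount  = $owners.Count
            Reason      = 'All user owners are disabled'
        }
    }
}

# Output feeds the review queue; run it on a daily schedule to meet the 24-hour flagging target
$flagged | Sort-Object DisplayName |
    Export-Csv 'service-principals-owner-review.csv' -NoTypeInformation
```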

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may deploy configurations, governance frameworks, scripts, and policies in your production environment. You may not redistribute course content or share account credentials.

Governance configurations: Test every configuration in a non-production tenant before production. Ridgeline Cyber Defence is not responsible for operational impact from deployed configurations.

Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.

Version and changelog

Current version: 1.0  |  Last updated: May 2026

2026 — v1.0: Course launch. 17 modules across 6 phases. Complete IAM program from identity fundamentals through non-human identity governance, lifecycle automation, entitlement management, access reviews, and compliance evidence.

This course is actively maintained. Governance features updated as Entra ID capabilities evolve.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes | 3 phases | 100 points | 1 scenario

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.