Module Summary
What you learned in this module
EI0 established the complete foundation for identity security. Here is what you now understand:
Identity is the primary attack surface (Section 0.1). The network perimeter is gone. In cloud environments, every access decision happens at the identity layer. Microsoft processes over 100 trillion identity-related signals daily, with 38 million identity risk detections — and 97% of identity attacks are password spray or brute force. The shift from network to identity is not gradual. It already happened.
Authentication is a multi-step flow with specific attack points (Section 0.2). OAuth 2.0 and OIDC govern authentication to Microsoft 365. The flow produces access tokens (60-90 minute lifetime), refresh tokens (90 days sliding window), and Primary Refresh Tokens (device-bound SSO). Each token type has different storage locations, different theft methods, and different risk profiles. The FOCI mechanism (Family of Client IDs) means a single refresh token issued to one first-party Microsoft client can be redeemed for tokens for every other application in that family.
Entra ID is a stack of interconnected security components (Section 0.3). Conditional Access is the policy engine at the center. The seven components form a signal-and-enforcement chain where each feeds data to the others. The deployment priority mirrors the course module order: authentication methods → Conditional Access → Identity Protection → PIM → governance → detection.
Seven attack techniques define the threat model (Section 0.4). AiTM credential phishing, password spray, MFA fatigue, token theft and replay, consent phishing, privilege escalation, and workload identity abuse. Each has specific indicators, specific defenses, and a specific module that teaches the countermeasure.
The identity kill chain completes in 30 minutes (Section 0.5). Six stages from reconnaissance through data exfiltration. Every stage produces log evidence in Entra ID — SigninLogs, AuditLogs, OfficeActivity, CloudAppEvents. Every stage has a defensive control that intercepts it. You don't need to stop the attacker at every stage. You need to stop them at one — and the earlier, the better.
Zero Trust is the design philosophy, not a product (Section 0.6). Three principles — verify explicitly, use least privilege, assume breach — map to specific Entra ID controls. Conditional Access enforces verify explicitly. PIM and access reviews enforce least privilege. Detection rules and CAE enforce assume breach. Your Zero Trust coverage percentage measures what portion of sign-ins are evaluated by these controls.
Real breaches exploit implicit trust (Section 0.7). Midnight Blizzard succeeded because one test account lacked MFA and one dormant OAuth application had unchecked production permissions. AiTM→BEC succeeded because the MFA method was phishable and no one monitored inbox rule creation. Consent phishing succeeded because users could consent to any permission without admin approval. Every breach maps to controls this course teaches.
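The inbox-rule monitoring gap in the AiTM→BEC case is the kind of thing a single detection query closes. The following KQL is an added example, not a query from the course or from Microsoft: it runs against the Sentinel OfficeActivity table (populated by the Office 365 connector) and surfaces inbox rules that forward, redirect, delete or move mail, the rule shapes typically created after a mailbox takeover. The seven-day window, the operation list and the parameter keywords are assumptions; Parameters is a JSON string in this table, so a plain substring match is enough to triage.

```kql
// Added example (not part of the module): inbox rule creation or modification
// with actions commonly seen after a mailbox compromise. Assumes the standard
// Sentinel OfficeActivity schema; window and keyword list are assumptions.
OfficeActivity
| where TimeGenerated > ago(7d)
| where OfficeWorkload == "Exchange"
// New-InboxRule / Set-InboxRule come from PowerShell or OWA; UpdateInboxRules
// is the mailbox-audit operation emitted by Outlook desktop rule changes.
| where Operation in ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules")
// Parameters is a JSON string of Name/Value pairs; match the risky actions.
| where Parameters has_any (
    "ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
    "DeleteMessage", "MoveToFolder", "MarkAsRead")
| project TimeGenerated, UserId, ClientIP, Operation, Parameters
| order by TimeGenerated desc
```

Pair the result with the user's SigninLogs for the same hour: a rule created minutes after a sign-in from a new IP or device is the sequence the kill chain in Section 0.5 describes, and it is exactly the correlation the AiTM→BEC investigation needed.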
The Defense Design Method structures every control deployment (Section 0.8). Six steps: identify the attack, map the log evidence, design the control, specify the policy, deploy in report-only, verify with KQL. Every module from EI2 onward follows this method.
Four metrics measure your identity security posture (Section 0.9). Phishing-resistant MFA coverage, Conditional Access evaluation rate, privileged access standing exposure, and application permission sprawl. You ran baseline queries. You'll run them again after completing the course and see the numbers change.
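The Zero Trust coverage figure from Section 0.6 and the Conditional Access evaluation rate from Section 0.9 are the same measurement. As an added example, not one of the course's baseline queries, the KQL below computes it from the Sentinel SigninLogs table: successful interactive sign-ins where Conditional Access actually evaluated a policy (status success or failure) divided by all successful sign-ins, broken down by application so that apps bypassing policy stand out. The 30-day window, the ResultType filter and the per-app grouping are assumptions.

```kql
// Added example (not part of the module): Conditional Access evaluation rate.
// Assumes the standard Sentinel SigninLogs schema, where ConditionalAccessStatus
// is "success", "failure" or "notApplied". Window and grouping are assumptions.
SigninLogs
| where TimeGenerated > ago(30d)
| where ResultType == "0"                 // successful sign-ins only
| summarize
    SignIns   = count(),
    Evaluated = countif(ConditionalAccessStatus in ("success", "failure")),
    NotApplied = countif(ConditionalAccessStatus == "notApplied")
    by AppDisplayName
| extend CoveragePct = round(100.0 * Evaluated / SignIns, 1)
| order by NotApplied desc
```

Drop the `by AppDisplayName` clause to get the tenant-wide percentage that Section 0.9 asks you to record as a baseline; rerun the per-app form after deploying a policy in report-only mode to confirm the NotApplied count for the targeted application falls to zero before switching it on.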
The lab environment is ready (Section 0.10). M365 E5 developer tenant with sample users, Azure subscription with Sentinel, diagnostic settings routing all Entra ID logs, and the verification checklist confirmed.
What's next
EI1 starts with sign-in logs — the telemetry foundation that every detection, investigation, and posture measurement in this course depends on. You'll learn the SigninLogs schema, build baseline queries for your environment, and understand what each field tells you about an authentication event. The sign-in log is where every identity investigation begins, and EI1 teaches you to read it like a practitioner.