Identity Security

For Security Engineers, Identity Architects, and M365 Administrators Designing Identity Controls That Stop Real Attacks

Aligned to: NIST SP 800-63 · ISO/IEC 27001:2022 · MITRE ATT&CK · FIDO2 / WebAuthn

Entra ID Security

Secure the identity layer that every M365 attack targets first.

Design and deploy Conditional Access policies that stop real attack patterns — not just pass a compliance check. Configure phishing-resistant authentication, implement token protection, build Identity Protection risk policies, govern privileged access with PIM, secure application and workload identities, and engineer identity-based detections. You finish with a complete deployable identity security architecture backed by detection rules, incident playbooks, and operational monitoring.

What you'll deploy
Conditional Access policy framework with threat-modeled rationale for every setting
Identity threat detection rules for Sentinel and Defender XDR
PIM governance with just-in-time access and approval workflows
Application and workload identity security controls with consent governance
Identity Security — Defense Design

Attack: AiTM phishing — attacker captures session token via proxy. MITRE ATT&CK: T1557 Adversary-in-the-Middle → T1539 Steal Web Session Cookie.

Defense: Phishing-resistant MFA + compliant device + token protection. Conditional Access: require FIDO2/passkey + device compliance + bound token.

Verify: KQL — sign-in logs confirm policy enforcement and token binding. SigninLogs | where ConditionalAccessStatus == "success" and TokenProtectionStatus == "bound"

Detect: Identity Protection flags anomalous token — risk elevated. Sentinel analytics rule: token replay from unregistered device → auto-contain.

Respond: Automatic attack disruption revokes session — investigation begins. Defender XDR: auto-contain user → identity incident response playbook.

Full program · Prevention first · 36–40 hours

What you'll be able to do

Design Conditional Access policy sets that block real attack patterns
Deploy phishing-resistant authentication and token protection
Configure PIM for just-in-time privileged access with approval workflows
Secure application and workload identities against OAuth abuse
Build identity-based detection rules and investigation playbooks
Premium tier | 19 modules across 4 phases | 36–40 hours at your own pace | 40 CPE credits | 2 free modules — no account needed | Updated May 2026
Course Agenda View all 21 modules

Who this course is for

“I have Conditional Access policies but I don’t know if they actually stop attacks.” You deployed MFA and a few CA policies. They pass your compliance audit. But when your pen test report shows AiTM phishing bypassed MFA entirely, you realize the policies were designed for compliance, not for the attacks that target your environment. This course teaches threat-modeled CA design.

“Token replay and AiTM attacks bypass our MFA and I don’t know how to stop them.” Phishing-resistant authentication, token binding, and compliant device requirements work together to break the AiTM kill chain. This course deploys all three and builds the detection rules that catch what CA misses.

“We have 200 app registrations and no idea which ones have dangerous permissions.” OAuth consent grants accumulate silently. Some are legitimate business tools. Some were granted by users who clicked “Accept” without reading the scope. This course builds the consent governance framework and the detection rules that catch malicious grants before data exfiltration starts.

“PIM is deployed but nobody uses it because the approval process is too slow.” Just-in-time access only works if the activation workflow matches operational reality. This course designs PIM configurations that balance security controls with usability — so engineers actually use PIM instead of keeping standing assignments.

“I can configure identity controls but I can’t design an identity security program.” Configuration is step four. Before that: threat model, posture assessment, gap analysis. After: detection engineering, monitoring operations, backup and recovery. This course builds the full program — from architecture through operations.

“I need to prove our identity security posture to auditors and I don’t have the data.” Phishing-resistant MFA coverage, CA policy evaluation rates, PIM activation patterns, risky sign-in trends — the KQL queries that produce the numbers auditors ask for. This course builds the measurement layer that makes identity security auditable.

Whatever your background — if the subject interests you and you’re willing to put in the work, this course is for you.

Before and after this course

Before

Your Conditional Access policies were built for compliance. MFA is required, legacy auth is blocked, and the audit passes. But AiTM phishing bypasses MFA entirely, and your policies have no answer because they weren’t designed against that attack.

An attacker replays a stolen session token from a new device and your environment treats it as a legitimate sign-in. No detection fires. No CA policy blocks it. You find out weeks later from the incident response team.

Service principals authenticate with client secrets that haven’t been rotated in two years. You don’t know which applications have Mail.ReadWrite or Directory.ReadWrite.All. Nobody reviews consent grants.

Global Administrators have standing assignments. PIM is licensed but not configured. When the auditor asks for your privileged access review cadence, you don’t have one.

After

Every CA policy maps to a specific attack pattern. Phishing-resistant MFA, compliant device requirements, and token binding work together to break the AiTM kill chain. You can explain every policy setting against the threat model.

Token replay from an unregistered device triggers a Sentinel analytics rule. The detection fires, the playbook revokes the session, and the incident lands in your queue with enrichment already attached. The attacker’s window closes in minutes, not weeks.

Every application registration is inventoried. Consent grants are reviewed quarterly. Workload identity credentials rotate on schedule. Detection rules fire on consent to unverified publishers and credential additions to service principals.

All privileged roles use PIM with just-in-time activation, approval workflows, and time-bound access. The access review runs monthly. The audit response is a KQL query, not a spreadsheet.

How the course works

Every identity security control follows the six-step Defense Design Method. Four phases build from foundations through architecture:

Phase 1
Foundations

Identity threat landscape, sign-in log analysis, authentication methods, and the Defense Design Method. You understand how identity attacks work before you design controls against them.

Phase 2
Prevention

Conditional Access architecture, CA attack patterns, Identity Protection risk policies, PIM governance, and token security. Each control designed against the threat model, deployed in report-only, validated with KQL.

Phase 3
Governance

Application security, workload identity, external identities, identity governance, and lifecycle management. The controls that prevent identity sprawl and consent abuse across your tenant.

Phase 4
Operations

Detection engineering, monitoring operations, backup and recovery, Defender integration, and the complete identity security architecture. You finish with the full program — not a set of configurations.

What the content looks like

This is a real policy specification from the Conditional Access architecture module. Before you touch the portal, you design the policy on paper — every setting justified against the threat model, with rollback criteria and the KQL that proves it works:

Policy Specification — From Module 3: Conditional Access Architecture

Policy name: CA003 — Require phishing-resistant MFA for all users

Threat addressed: AiTM phishing (T1557), MFA fatigue (T1621), SIM swap (T1111)

Scope: All users. Excludes: break-glass accounts (CA-BG-01, CA-BG-02), service accounts in SG-CA-Exclude-ServiceAccounts

Grant controls: Require authentication strength — Phishing-resistant MFA (FIDO2, Windows Hello, certificate-based)

Rollback criteria: >5% sign-in failure rate in report-only, or helpdesk ticket volume exceeds 20/day for MFA issues

Verification: SigninLogs | where ConditionalAccessPolicies contains "CA003" | summarize by ConditionalAccessStatus

Deploy sequence: Report-only (14d) → validate with KQL → enforce for pilot group (7d) → enforce all users

Every Conditional Access policy in this course starts as a specification before it becomes a configuration. The threat mapping tells you why the policy exists. The rollback criteria tell you when to pull it. The verification query tells you whether it works. Every module teaches at this level — design first, then deploy, then verify.
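The verification line in the CA003 specification summarizes overall sign-in status, which mixes in the outcome of every other policy that applied. The query below is an added example (not part of the course's lab pack) that evaluates the report-only result of CA003 on its own, so the rollback criterion above (>5% sign-in failure rate in report-only) can be measured against the right number. It assumes the standard Sentinel SigninLogs schema, where ConditionalAccessPolicies is a dynamic array whose entries carry displayName and a per-policy result (reportOnlySuccess, reportOnlyFailure, reportOnlyNotApplied, and so on); the policy-name prefix "CA003" and the 14-day window are taken from the specification.

```kql
// Added example: measure CA003's own report-only outcome over the 14-day window.
// Assumes the Sentinel SigninLogs schema; "CA003" is the policy-name prefix from the spec.
SigninLogs
| where TimeGenerated > ago(14d)
| where ResultType == 0                       // only sign-ins that actually succeeded
// One row per evaluated policy, so other policies' results do not skew the count
| mv-expand policy = ConditionalAccessPolicies
| where tostring(policy.displayName) startswith "CA003"
| extend PolicyResult = tostring(policy.result)
| summarize
    Evaluated            = count(),
    ReportOnlySuccess    = countif(PolicyResult == "reportOnlySuccess"),
    ReportOnlyFailure    = countif(PolicyResult == "reportOnlyFailure"),
    ReportOnlyNotApplied = countif(PolicyResult == "reportOnlyNotApplied"),
    AffectedUsers        = dcountif(UserPrincipalName, PolicyResult == "reportOnlyFailure")
// Share of evaluated sign-ins that would have been blocked once the policy is enforced
| extend FailureRatePct = round(100.0 * ReportOnlyFailure / Evaluated, 2)
// Rollback criterion from the specification: hold enforcement above 5%
| extend RollbackTriggered = FailureRatePct > 5.0
```

Run it from the Logs blade in Sentinel or Entra ID. A reportOnlyFailure here means the user signed in successfully today but could not have satisfied the phishing-resistant authentication strength; AffectedUsers tells you how many people need a FIDO2 key, Windows Hello, or a certificate registered before the policy moves from report-only to the pilot group. If RollbackTriggered stays false for the full 14 days, the specification's deploy sequence continues to the pilot enforcement step.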

Lab Pack — Identity Security Toolkit

Downloadable lab pack with realistic identity evidence, deployable Conditional Access policies, detection rules, PIM configurations, and the complete governance framework for a production identity security program. Two PowerShell generators produce ~130 individual files covering every module in the course.

Identity evidence (~2,000+ entries across 6 tables): SigninLogs (14 days + AiTM, password spray, MFA fatigue, impossible travel), AuditLogs (admin activity + inbox rules, OAuth consent, GA role assignment, CA policy disable), NonInteractiveSignInLogs (token refresh + AiTM replay), ServicePrincipalSignInLogs (5 SPs + external auth), IdentityInfo (15 user records), RiskDetections (5 identity risk events).

Conditional Access (12 policies + validation): CA001–CA012 as individual JSON exports. 7 KQL validation queries. 6 What-If scenarios with expected outcomes.

Detection rules (30 files): 15 KQL rules + 15 Sigma equivalents covering AiTM token replay, password spray, MFA fatigue, impossible travel, inbox forwarding, GA assignment outside PIM, CA policy modification, OAuth consent to unverified publisher, and more.

Operational artifacts (~70 files): PIM role configs, Identity Protection risk policies, application security inventory, workload identity inventory, governance templates, monitoring runbooks, backup/recovery checklists, architecture templates, compliance mappings (ISO 27001, NIST CSF), and 3 capstone design challenges.

Entra ID Security Lab Pack
~130 files · 6 identity tables · 12 CA policies · 30 detection rules · PIM + governance + monitoring

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may use scripts, queries, detection rules, templates, and frameworks from this course in your professional work. You may not redistribute course content, share account credentials, or republish course materials.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations, incidents, or individuals is coincidental.

No legal advice: Compliance and regulatory content in this course is educational, not legal advice. Consult qualified legal counsel for obligations in your jurisdiction.

Version and changelog

Current version: 2.0  |  Last updated: May 2026

May 2026 — v2.0: Course page restructured. Lab pack with ~130 identity security artifacts (detection rules, CA policies, PIM configs, governance templates, monitoring runbooks). 29 structured exercises.

2026 — v1.0: Course launch. 19 modules (EI0–EI18 + references). Defense Design Method across all modules.

This course is actively maintained. Content is updated as the Entra ID platform and identity threat landscape evolve.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 2 scenarios

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.