Module Summary

8 hours · Module 1 · Free

Module MSA1 designed the identity architecture that every security control in the course operates on.

Tenant architecture (Section 1.1). Single-tenant vs multi-tenant decision. Scope implications for every downstream control — CA, PIM, Sentinel, governance.

Identity types (Section 1.2). Cloud-only users, synced users, guest identities, application registrations, service principals, managed identities. Each type inventoried and categorized for governance.

Identity attack surface (Section 1.3). Type-specific attack vectors: password spray and AiTM for cloud users, hash extraction for synced users, cross-tenant exploitation for guests, secret exposure for workload identities.

Hybrid identity (Section 1.4). Cloud Sync with password hash sync — the recommended architecture for NE. Decision documented: sync method, write-back scope, attack surface trade-offs.

Hybrid legacy (Section 1.5). ADFS, pass-through authentication agents, and legacy sync components. Documented as risks with compensating controls and migration timelines, not ignored as technical debt.

Administrative Units (Section 1.6). Site-based delegation model scoping admin roles to HQ, manufacturing, and research lab. Least-privilege administration without tenant-wide scope.

Identity lifecycle (Section 1.7). Three-stage governance: joiner provisioning, mover access reviews, leaver deprovisioning. Automated where possible, governed where manual.

Stale identities (Section 1.8). Audit queries for accounts without sign-in activity. Remediation process for disabled-but-not-deleted accounts, orphaned guests, and unmonitored service principals.

Naming conventions (Section 1.9). Standardized naming across users, groups, applications, and administrative units. The mechanism that makes policies targetable and the directory auditable.

Group architecture (Section 1.10). Dynamic membership, role-assignable groups, nested groups. The targeting mechanism for Conditional Access, PIM, DLP, and every policy in the course.

NE identity assessment (Section 1.11). Baseline audit against the architecture standards. Gaps documented as risk register entries.

Lab (Section 1.12). Implementation of the identity architecture in your developer tenant.

Guided walkthrough (Section 1.13). End-to-end trace of how each identity decision constrains the next — tenant scope to identity types to hybrid sync to attack surface to AUs to lifecycle to naming to groups.

Architecture package status

Your architecture package now contains:

  • 3-4 ADRs (architecture decision records) covering tenant architecture, identity governance, hybrid sync, and AU structure
  • Identity topology diagram showing all identity types and sync flows
  • Risk register entries for every identity gap identified in the assessment
  • Baseline metrics: identity count by type, stale identity count, governance coverage

This is the foundation. MSA2 designs the authentication layer on top of it.

What happens next

Authentication architecture — MSA2

Every authentication method ranked by phishing resistance. Not by Microsoft's marketing tiers — by actual security properties. Passwords, phone-based MFA, FIDO2, Windows Hello, certificate-based authentication, passkeys. Which ones stop AiTM. Which ones don't. Which ones your organization can actually deploy given the identity types you defined in MSA1.

Passwordless strategy. The roadmap from passwords to phishing-resistant authentication. Migration stages, user communication, fallback handling, the service account problem, and the legacy application exceptions that delay full passwordless.

Token protection and theft prevention. Session tokens are the new credential. AiTM steals the token after MFA succeeds. Token binding, continuous access evaluation, and sign-in frequency policies — the controls that protect the session after authentication completes. This is where MSA1's identity architecture meets its first real defensive test.
