Identity Security

For M365 administrators with security responsibility, SOC analysts defending identity, and security engineers designing identity controls

Microsoft Entra ID Security

Every cloud attack starts with identity. This course teaches you to stop it there.

There are courses that teach Entra ID administration and courses that teach cloud incident response. Nothing teaches the security-focused middle ground — how to harden Entra ID to prevent attacks, how to design conditional access policies that actually stop AiTM, how to deploy phishing-resistant authentication, how to protect tokens from theft, and how to detect identity-based attacks in real time. This course fills that gap. Every defense follows the same systematic method: what attack does this stop, where is the control configured, how should it be designed, how do you verify it works, what does failure look like, and what do you do next.

[Infographic: Identity Security — Defense Design, one AiTM case worked through the method]
ATTACK: AiTM phishing — attacker captures session token via proxy. MITRE ATT&CK: T1557 Adversary-in-the-Middle → T1539 Steal Web Session Cookie.
DEFENSE: Phishing-resistant MFA + compliant device + token protection. Conditional Access: require FIDO2/passkey + device compliance + bound token.
VERIFY: KQL against sign-in logs confirms policy enforcement and token binding: SigninLogs | where ConditionalAccessStatus == "success" and TokenProtectionStatus == "bound"
DETECT: Identity Protection flags anomalous token, risk elevated. Sentinel analytics rule: token replay from unregistered device → auto-contain.
RESPOND: Automatic attack disruption revokes session → IR course investigates. Defender XDR: auto-contain user → Practical IR: full investigation workflow.
4 phases. Prevention first. 30-40 hours.

The Defense Design Method

Every identity security control in this course — from a conditional access policy to a detection rule — follows the same systematic six-step pattern:

1. What attack does this stop? — The specific threat technique, named and mapped to MITRE ATT&CK. Not a vague risk category.

2. Where is the control configured? — The exact portal path, PowerShell command, or Graph API endpoint. No ambiguity about location.

3. How should it be designed? — The policy logic: who it applies to, what conditions trigger it, what exceptions are needed, and why.

4. How do you verify it works? — The KQL query against sign-in logs or audit logs that proves the control is active and enforcing.

5. What does it look like when it fails? — The log entry, the alert, the audit event that tells you something got through a gap.

6. What do you do next? — The remediation action, the escalation path, and the bridge to the IR course for full investigation.

This method is the course's intellectual backbone. A learner who internalizes it can design identity security controls for any environment — because the method is systematic, not tool-dependent.
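As an added illustration of the six steps (this is not course material and not the course's lab code), here is the AiTM case from the overview worked through in Microsoft Graph PowerShell and Az.OperationalInsights. The group, user and workspace ids are placeholders; the policy name is invented; the per-policy result values in the queries are the standard values Entra writes to the ConditionalAccessPolicies array of each sign-in record.

```powershell
# Added example, not course material. Six-step method applied to AiTM phishing.
# Requires the Microsoft.Graph.Identity.SignIns and Az.OperationalInsights modules.
# Every id below is a placeholder (assumption); replace with values from your tenant.

# Step 1: attack this stops. AiTM proxy phishing (T1557) followed by session
# cookie theft (T1539). Phishing-resistant auth defeats the credential relay;
# device compliance and token protection make a replayed session fail.

# Step 2: where the control lives. Entra Conditional Access, created through
# Microsoft Graph (identity/conditionalAccess/policies).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"
Connect-AzAccount

$pilotGroupId   = "00000000-0000-0000-0000-000000000000"  # assumption: pilot group
$breakGlassUser = "11111111-1111-1111-1111-111111111111"  # assumption: emergency-access account
$phishResistant = "00000000-0000-0000-0000-000000000004"  # built-in "Phishing-resistant MFA" strength
$policyName     = "CA-AiTM-PhishResistant-CompliantDevice-TokenProtection"  # invented name

# Step 3: design. Pilot group only, break-glass account excluded, Office 365 on
# Windows (token protection is enforced for supported Windows desktop clients),
# grant = phishing-resistant strength AND compliant device, session binds tokens.
# Start in report-only so step 4 can measure impact before enforcement.
$policy = @{
    displayName = $policyName
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId); excludeUsers = @($breakGlassUser) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        platforms      = @{ includePlatforms = @("windows") }
    }
    grantControls = @{
        operator               = "AND"
        builtInControls        = @("compliantDevice")
        authenticationStrength = @{ id = $phishResistant }
    }
    sessionControls = @{
        secureSignInSession = @{ isEnabled = $true }   # token protection
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Step 4: verify. Each sign-in record carries a per-policy result. In report-only
# mode the values are reportOnlySuccess / reportOnlyFailure / reportOnlyNotApplied /
# reportOnlyInterrupted; the failures are the users who would be blocked.
$workspaceId = "22222222-2222-2222-2222-222222222222"  # assumption: Log Analytics workspace
$kql = @"
SigninLogs
| where TimeGenerated > ago(7d)
| mv-expand ConditionalAccessPolicies
| where tostring(ConditionalAccessPolicies.displayName) == "$policyName"
| summarize SignIns = count(), Users = dcount(UserPrincipalName)
    by Result = tostring(ConditionalAccessPolicies.result)
"@
$verify = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql
$verify.Results | Format-Table Result, SignIns, Users

# Step 5: what a gap looks like. A pilot user whose sign-in shows this policy as
# notApplied (or reportOnlyNotApplied) was not covered: wrong platform, wrong
# client, or an exclusion. Those are the sign-ins an AiTM proxy could still use.
$gapKql = @"
SigninLogs
| where TimeGenerated > ago(1d)
| mv-expand ConditionalAccessPolicies
| where tostring(ConditionalAccessPolicies.displayName) == "$policyName"
| where tostring(ConditionalAccessPolicies.result) in ("notApplied", "reportOnlyNotApplied")
| project TimeGenerated, UserPrincipalName, AppDisplayName, ClientAppUsed, DeviceDetail
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $gapKql).Results | Format-Table

# Step 6: next action. Once report-only shows only expected failures and no
# uncovered sign-ins, enforce the policy; hand anything anomalous to the IR workflow.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
    -BodyParameter @{ state = "enabled" }
```

The report-only start is the point of step 4: enforcing a phishing-resistant plus compliant-device grant blind locks out every user without a registered passkey or an Intune-compliant device, and the break-glass exclusion is what keeps a misdesigned policy from locking out the administrators who must fix it.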

Who this course is for

M365 administrators who own security. You manage the tenant. Someone decided you are also responsible for securing it. You know how to configure Entra ID — you need to learn how to defend it. This course bridges that gap without burying you in generic cybersecurity theory.

SOC analysts defending identity. You triage identity alerts in Defender XDR. You see risky sign-ins and conditional access failures. This course teaches you what those controls should look like when they are designed correctly — so you know the difference between a misconfiguration and an attack.

Security engineers designing identity controls. You need to build a conditional access architecture, deploy phishing-resistant authentication, govern application registrations, and detect identity-based attacks. This course provides the complete design, the deployment methodology, and the verification queries.

IR practitioners who want to prevent the incidents they investigate. You have completed the IR course. You know how to investigate AiTM, token theft, and consent phishing. This course teaches you to deploy the controls that stop those attacks from succeeding in the first place.

The course that does not exist elsewhere

There are SC-300 courses that teach Entra ID administration — how to create users, configure MFA, and set up conditional access policies. There are SC-200 courses that teach investigation — how to query sign-in logs and investigate incidents in Defender XDR. There are vendor whitepapers that describe identity security best practices in generic terms.

Nothing teaches the operational middle ground: how to design a conditional access architecture that actually stops AiTM credential phishing. How to deploy token protection so a stolen session token is useless on any device other than the one it was bound to. How to govern application registrations so consent phishing cannot grant an attacker Mail.ReadWrite. How to build KQL detection rules that catch privilege escalation in real time. How to verify, with evidence from the logs, that every control you deployed is actually working.

This course fills that gap. It is the "how to prevent the incident" companion to the IR course's "how to investigate the incident."

Course syllabus

Four phases from identity foundations through complete architecture design. Free modules let you start immediately.

Phase 1 — Foundations (EI0-EI2, FREE): The identity threat landscape, sign-in log fluency, and authentication methods from passwords to phishing-resistant credentials.

Phase 2 — Conditional Access and Identity Protection (EI3-EI8): Conditional access architecture and design, stopping real attacks with specific policy combinations, Identity Protection risk-based defense, privileged identity management, token security, and CA validation.

Phase 3 — Application and Workload Identity Security (EI9-EI12): Application registration governance, managed identities and workload identity security, external identities and B2B security, and identity governance and lifecycle management.

Phase 4 — Detection, Monitoring, and Operations (EI13-EI17): Identity detection engineering with KQL, operational monitoring, backup and recovery, Defender XDR integration, and the complete identity security architecture design.

Cross-course connections

This course is designed to work alongside the rest of the Ridgeline curriculum:

Practical Incident Response — This course teaches prevention; the IR course teaches investigation. Conditional access design connects to CA bypass investigation. Token protection connects to token theft forensics. Identity Protection connects to risk-based investigation.

M365 Security Operations — Sign-in log analysis for hardening connects to sign-in log analysis for investigation. Detection rules connect to Sentinel analytics. Identity Protection connects to risk-based alerting.

SOC Operations — Identity detection rules feed the SOC detection library. Application governance connects to application-based detection. Monitoring workflows connect to SOC operational procedures.

Practical GRC — Identity governance maps directly to compliance frameworks. PIM access reviews generate audit evidence. The compliance mapping in EI17 connects to GRC framework implementation.

What you need

Prerequisites: Basic M365 administration familiarity. You should know how to navigate the Entra admin center and understand what users, groups, and applications are. No prior Entra ID security experience required.

Lab environment: A free M365 E5 developer tenant from developer.microsoft.com with a free Azure subscription. Total cost: $0. The free modules do not require a lab. Paid modules include hands-on exercises in your developer tenant.

Recommended: A FIDO2 security key for the phishing-resistant authentication modules. Not required but valuable for hands-on practice with the authentication methods you will be deploying.

Start with the identity threat landscape

Free modules. No account required. Understand why identity is the attack surface that matters most — then build the defenses that stop it.