Identity Security

For Security Engineers and M365 Administrators Designing Identity Architecture, Conditional Access Policies, and Identity Detection Controls

Aligned to: NIST SP 800-63 · ISO/IEC 27001:2022 · MITRE ATT&CK · FIDO2 / WebAuthn

Microsoft Entra ID Security

Secure the identity layer that every M365 attack targets first.

Design and deploy Conditional Access policies that stop real attack patterns — not just pass a compliance check. Configure phishing-resistant authentication, implement token protection, build Identity Protection risk policies, govern privileged access with PIM, secure application and workload identities, and engineer identity-based detections. You finish with a complete deployable identity security architecture — not a checklist of settings, but a threat-modeled design with detection rules, incident playbooks, and the operational knowledge to defend it.

Content last updated: May 2026

Text-based · Persistent labs on your own hardware · 2 free modules available now

What you'll deploy in production
Production-ready Conditional Access policy framework (phishing-resistant, compliant-device, token-binding)
Workload and application identity protection controls
Identity Protection risk policies + automated response playbooks
Custom identity-based KQL detection rules with Sentinel + Defender XDR correlation
PIM governance with just-in-time access and approval workflows
Complete deployable identity security architecture document
Identity Security — Defense Design (diagram summary)

ATTACK: AiTM phishing — attacker captures session token via proxy. MITRE ATT&CK: T1557 Adversary-in-the-Middle → T1539 Steal Web Session Cookie.
DEFENSE: Phishing-resistant MFA + compliant device + token protection. Conditional Access: require FIDO2/passkey + device compliance + bound token.
VERIFY: KQL — sign-in logs confirm policy enforcement and token binding: SigninLogs | where ConditionalAccessStatus == "success" and TokenProtectionStatus == "bound"
DETECT: Identity Protection flags anomalous token — risk elevated. Sentinel analytics rule: token replay from unregistered device → auto-contain.
RESPOND: Automatic attack disruption revokes session → IR course investigates. Defender XDR: auto-contain user → Practical IR: full investigation workflow.

Full program · Prevention first · 30–40 hours · End of Course Exam → 40 CPE credits

What you'll be able to do

Design Conditional Access policy sets that block real attack patterns
Deploy phishing-resistant authentication and token protection
Configure PIM for just-in-time privileged access with approval workflows
Secure application and workload identities against OAuth abuse
Build identity-based detection rules and investigation playbooks

The Defense Design Method

Every module applies the same structured 6-step method: understand the threat, assess the current state, design the control, implement with rollback, verify with KQL, and document for operations. Identity security designed for production — not just configured for compliance.

Who this course is for

Identity and access administrators. You manage Entra ID and conditional access. This course teaches you to design identity security controls that stop real attacks while maintaining user productivity.

Security engineers hardening M365 identity. You need to close the identity attack surface — phishing-resistant MFA, token protection, PIM, workload identity security. This course provides the methodology.

SOC analysts investigating identity-based attacks. You see the sign-in anomalies and need to trace them through authentication events, token operations, and administrative changes.

Anyone with a genuine interest in Entra ID security. Whatever your background — whether you're transitioning from another domain, early in your career, or exploring a new direction — if the subject interests you and you're willing to put in the work, this course is for you. Backgrounds vary. Motivation is what matters.

The course that does not exist elsewhere

Most Entra ID training teaches configuration. This course teaches DEFENSE DESIGN — how to architect identity controls that stop specific attack techniques. Every conditional access policy is mapped to the attack it prevents. Every detection rule is mapped to the technique it catches. Every verification query proves the control is working.

What this produces

A deployable identity security architecture — Conditional Access policies, phishing-resistant auth, token protection, PIM configuration, workload identity governance, and identity-based detection rules. Threat-modeled, documented, and validated against real attack patterns — the identity-specialist capability that most SOCs lack.

What you will be able to do

1. Apply the Defense Design Method — a structured 6-step approach to designing identity security controls that balance protection with operational usability.

2. Configure conditional access policies that prevent credential-based attacks while maintaining user productivity — including phishing-resistant MFA, device compliance, and risk-based access.

3. Investigate identity-based attacks in Entra ID sign-in and audit logs — tracing attacker activity through authentication events, token operations, and administrative changes.

4. Deploy identity detection rules in Sentinel using KQL queries that identify anomalous sign-ins, privilege escalation, and identity-based persistence.

5. Harden Entra ID against common attack techniques — from password spray to consent phishing to token replay — using configuration controls mapped to MITRE ATT&CK.

6. Build identity governance with access reviews, PIM configuration, and administrative unit delegation that reduce the blast radius of compromised accounts.

Course at a glance

Modules: 19 (EI0–EI18) across 4 phases

Estimated duration: 36–40 hours (self-paced)

Format: Written content — annotated KQL queries, SVG diagrams, worked artifacts, knowledge checks

Free content: EI0–EI2 (3 modules) — no account required

Paid content: EI3–EI18 (16 modules) — Premium or Team subscription

Core methodology: Defense Design Method (6 steps) applied across all modules

Typical pace: ~5–10 weeks at 5 hrs/week

MITRE ATT&CK coverage: 35 techniques mapped

Built by Ridgeline Cyber

Ridgeline Cyber Defence builds security operations training grounded in practical and operational experience. The team behind this course runs CSOC operations across on-prem, Splunk, and Microsoft 365 security stacks, Cisco and Palo Alto networks, and managed SOC partnerships.

Experience spans detection engineering, incident response, and DFIR investigation across on-prem, M365, and Linux environments — including leading cyber incident response engagements, deploying security controls and managing Governance, Risk and Compliance operations.

The investigation scenarios in this course are grounded in that operational work. The techniques, decision points, and mistakes are drawn from real investigations, sanitized and adapted for training.

What this course does NOT cover

Deliberate scope boundaries. If any of these is your primary need, the sibling course is the better fit.

Technical requirements

M365 tenant with Entra ID: Production or developer tenant. An M365 Developer Tenant (free from developer.microsoft.com) with P2 licensing is sufficient for practice.

Sentinel workspace: For detection engineering modules. Included in the developer tenant setup.

No commercial tools required. Everything runs in the Entra admin center, M365 Defender portal, and Sentinel.

How to get the most from this course

Recommended pace: 1–2 modules per week, 36–40 hours total over 8–12 weeks.

EI0–EI2 are sequential. They establish the threat landscape and methodology. EI3 onward can be prioritized based on your most urgent identity security gaps.

Apply the Defense Design Method to your own tenant. Run the same analysis against your production Entra ID tenant to produce real security improvements.

Support and community

Questions about course content: training@ridgelinecyber.com

Billing and account management: Self-service via your account page or training@ridgelinecyber.com

LinkedIn: Follow Ridgeline Cyber for operational security content and course updates

X: @RidgelineCyber

Course Syllabus

Four phases. EI0–EI2 are free — no account required.

Phase 2 — Conditional Access and Identity Protection

EI2
Authentication Methods — Your First Line of Defense — The authentication method hierarchy. Password protection. Microsoft Authenticator configuration and security. FIDO2 security keys and passkeys. Certificate-based authentication. Planning phishing-resistant authentication deployment.
EI3
Conditional Access — Architecture and Design Principles — How CA evaluation works. Zero Trust policy framework. Named locations and network context. Device conditions and compliance. Application targeting. Session controls. Emergency access and break-glass accounts.
EI4
Conditional Access — Stopping Real Attacks — The policy combinations that stop AiTM credential phishing, password spray, MFA fatigue, token theft and replay, consent phishing, legacy authentication, and workload identity attacks. Each with verification queries.
EI5
Identity Protection — Risk-Based Defense — How risk detection works. Configuring risk policies. Risk remediation and self-service. Risky users and risky sign-ins investigation. Tuning Identity Protection. Integration with conditional access.
EI6
Privileged Identity Management — Why standing privileges are dangerous. PIM for Entra ID roles and Azure resources. Access reviews. PIM monitoring and alerting. Designing a complete privileged access strategy.
EI7
Token Security and Session Management — Token types and lifecycle. How tokens are stolen. Token protection deployment. Continuous access evaluation. Session lifetime and sign-in frequency. Protecting the Primary Refresh Token.
EI8
Conditional Access Validation and Troubleshooting — Report-only mode testing. What-If tool and policy simulation. Sign-in log policy validation. Troubleshooting access failures. Conditional access change management.

Phase 4 — Detection, Operations, and Architecture

EI13
Identity Detection Engineering — Identity log sources. Detecting password spray, AiTM session theft, suspicious consent grants, privilege escalation, and impossible travel. Building a complete identity detection rule library with KQL.
EI14
Entra ID Monitoring and Operational Security — Log routing architecture. Identity security posture assessment. Conditional access health monitoring. Credential hygiene. Alert triage and response workflow. Reporting to leadership.
EI15
Entra ID Backup, Recovery, and Resilience — Resilience architecture. Backup and recovery. Conditional access disaster recovery. Compromised tenant response. Building identity resilience.
EI16
Entra ID and the Defender XDR Ecosystem — Identity signals in Defender XDR. Defender for Identity integration. Automatic attack disruption. Security Copilot for identity. The unified SOC workflow for identity.
EI17
Identity Security Architecture — The Complete Design — The complete architecture blueprint. Architecture by organization size. The 90-day deployment roadmap. Compliance mapping. The ongoing operations calendar. Identity risk register. Deployment verification queries.
EI18
Capstone: Identity Security Architecture Design — Three fictional organizations with increasing complexity. Design the complete Entra ID security architecture for a 120-person law firm, a 2,200-person hybrid manufacturer, and an 8,500-person regulated financial services firm. Peer review framework.

Where this course fits

Endpoint Security secures the device layer. This course secures the identity layer — the layer that determines who gets in and what they can do once they are in.

Practical IR investigates identity compromise after the breach. This course builds the controls and detections that prevent the breach or catch it early.

M365 Security Operations operates the M365 security stack. This course engineers the identity architecture that stack depends on.

Recommended learning path: Entra ID Security → Endpoint Security → DE → IR. A learner can start at any course.

The outcome

You start with default conditional access and hope MFA is enough. You finish with a designed identity security architecture.

Phishing-resistant authentication — deployed and validated against AiTM, device code phishing, and OAuth consent abuse.

Conditional access that blocks real attacks — not checkbox compliance, but policies mapped to specific attack techniques with verification queries.

Identity detection rules — KQL analytics for token replay, privilege escalation, persistence, and service principal abuse.

A complete identity security architecture document — deployable, auditable, and defensible.

Prerequisites

Required: 1+ years managing or securing an M365 environment. You should know your way around the Entra admin center and understand conditional access at a conceptual level.

Recommended: Basic KQL experience for the detection engineering modules (EI13). Experience configuring conditional access policies in production.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may use scripts, queries, detection rules, templates, and frameworks from this course in your professional work. You may not redistribute course content, share account credentials, or republish course materials.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations, incidents, or individuals is coincidental.

No legal advice: Compliance and regulatory content in this course is educational, not legal advice. Consult qualified legal counsel for obligations in your jurisdiction.

Lab Pack - Identity Security Toolkit

This course includes a downloadable lab pack that generates realistic identity evidence, deployable conditional access policies, detection rules, PIM configurations, and the complete governance framework for a production identity security program. Two PowerShell generators produce ~130 individual files covering every module in the course.

Identity evidence (~2,000+ entries across 6 tables): SigninLogs (14 days + AiTM, password spray, MFA fatigue, impossible travel), AuditLogs (admin activity + inbox rules, OAuth consent, GA role assignment, CA policy disable), NonInteractiveSignInLogs (token refresh + AiTM replay), ServicePrincipalSignInLogs (5 SPs + external auth), IdentityInfo (15 user records), RiskDetections (5 identity risk events).

Conditional access (12 policies + validation): CA001-CA012 as individual JSON exports covering MFA, legacy auth block, device compliance, sign-in risk, user risk, admin protection, token protection, country blocking, and session controls. 7 KQL validation queries to test policy effectiveness. 6 What-If scenarios with expected outcomes.

Detection rules (30 files): 15 individual KQL rules + 15 Sigma equivalents covering AiTM token replay, password spray, MFA fatigue, impossible travel, inbox forwarding, MFA registration after risk, GA assignment outside PIM, CA policy modification, OAuth consent to unverified publisher, service principal from external IP, credential addition, legacy auth, break glass usage, PIM activation anomaly, and non-interactive token replay.

Operational artifacts (~70 files): PIM role configs (8 roles), Identity Protection risk policies (4 JSON), application security inventory (7 apps including 2 attack artifacts), workload identity inventory (5 SPs), external identity configs (4 CTA policies), governance templates (5 access reviews + lifecycle workflows), monitoring runbooks (daily/weekly/monthly + 10 operational queries), backup/recovery (break glass configs + tenant recovery checklist), auth method inventory + migration plan, architecture templates + compliance mappings (ISO 27001, NIST CSF), and 3 capstone design challenges.

29 exercises across 8 module groups: sign-in log analysis, conditional access design, Identity Protection, PIM, token security, application security, detection engineering, and architecture design.

Evidence analysis: Open CSV files in Timeline Explorer by Eric Zimmerman. Import CA policies to a dev tenant with New-MgIdentityConditionalAccessPolicy.
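As an added example (not part of the lab pack or the course's own artifacts), this builds the policy from the defense design above (phishing-resistant MFA + compliant device + token protection) and imports it into a dev tenant through the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Beta module, because the token-protection session control (`secureSignInSession`) is exposed on the beta endpoint, so it calls `New-MgBetaIdentityConditionalAccessPolicy`, the beta counterpart of the cmdlet named above; `$breakGlassGroupId` is a placeholder for your emergency-access group.

```powershell
# Added example: Conditional Access policy for the AiTM defense design on this page.
# Assumptions: Microsoft.Graph.Beta installed; caller granted
# Policy.ReadWrite.ConditionalAccess and Policy.Read.All; break-glass group is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # PLACEHOLDER: your emergency-access group

# Token protection is supported for Exchange Online and SharePoint Online on Windows,
# so target those first-party app IDs and the Windows platform instead of "All".
$exchangeOnline   = "00000002-0000-0ff1-ce00-000000000000"
$sharePointOnline = "00000003-0000-0ff1-ce00-000000000000"

# Microsoft's built-in "Phishing-resistant MFA" authentication strength (FIDO2, passkeys, CBA).
$phishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"

$policy = @{
    displayName = "CA-AiTM-PhishResistant-CompliantDevice-TokenProtection"
    # Report-only first (the EI8 validation pattern): sign-in logs show what the policy
    # would have done without blocking anyone; flip to "enabled" after review.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)     # never lock out break-glass accounts
        }
        applications   = @{ includeApplications = @($exchangeOnline, $sharePointOnline) }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")   # legacy auth excluded
        platforms      = @{ includePlatforms = @("windows") }
    }
    grantControls = @{
        operator               = "AND"                     # both controls required
        builtInControls        = @("compliantDevice")      # Intune-compliant device
        authenticationStrength = @{ id = $phishingResistantStrengthId }
    }
    sessionControls = @{
        secureSignInSession = @{ isEnabled = $true }       # token protection: bound session token
    }
}

$created = New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm the state and controls the tenant actually stored.
$check = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
"Policy {0} created in state '{1}'; token protection enabled: {2}" -f `
    $check.DisplayName, $check.State, $check.SessionControls.SecureSignInSession.IsEnabled
```

Leave the policy in report-only mode until the sign-in log validation queries from the lab pack show the expected outcome for every scenario, including the break-glass exclusion.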

Entra ID Security Lab Pack
~130 files · 6 identity tables · 12 CA policies · 30 detection rules · PIM + governance + monitoring

Version and changelog

Current version: 2.0  |  Last updated: April 2026

April 2026 — v2.0: Lab pack built with ~130 identity security artifacts across detection rules, CA policies, PIM configs, app security inventory, workload identity, governance templates, monitoring runbooks, backup/recovery checklists, and architecture templates. 29 structured exercises. Prerequisites updated for advanced positioning. Meta descriptions rewritten. Figcaptions added to all SVGs.

2026 — v1.0: Course launch. 20 modules (EI0–EI18 + references). 655,000 words. Defense Design Method across all modules.

This course is actively maintained. Content is updated as the Entra ID platform and identity threat landscape evolve.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 2 scenarios

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.