Sign In
Security Architecture

For Security Architects, Engineers, and Administrators Who Design, Justify, Implement, and Defend M365 Security Posture

M365 Security Architecture

Design the architecture. Document every decision. Validate it stops real attacks.

Fifteen modules take you from Entra ID identity architecture through authentication strategy, Conditional Access design, privileged access, data protection, endpoint security, email defense, Sentinel workspace design, detection architecture, incident response, Defender XDR operations, identity governance, compliance mapping, and a capstone that assembles everything into a portfolio-grade architecture package with 30+ Architecture Decision Records.

Start Free — No Account Needed See Full Curriculum + Pricing
Content last updated: May 2026

Text-based · M365 E5 developer tenant + Azure labs · 2 free modules available now · 40 CPE credits · Content last updated: May 2026

What you'll deploy immediately after this course
30+ Architecture Decision Records covering every M365 security layer
Complete Conditional Access policy framework with persona model
Phishing-resistant authentication architecture with rollout plan
Privileged access model with PIM, break-glass, and Copilot governance
Detection architecture with Sentinel workspace design and rule framework
Executive summary and risk register suitable for board presentation
M365 SECURITY ARCHITECTURE — FOUR LAYERS LAYER 1 — IDENTITY FOUNDATION Entra ID · Authentication · Conditional Access · Privileged Access MSA0–MSA4 · Every decision documented as an ADR LAYER 2 — PROTECTION STACK Data Protection · Endpoint Security · Email Defense · Collaboration MSA5–MSA7 · E3 vs E5 trade-off in every module LAYER 3 — DETECTION AND RESPONSE Sentinel · Detection Rules · Incident Response · Defender XDR MSA8–MSA11 · Every detection validated with attack simulation LAYER 4 — GOVERNANCE AND CAPSTONE Identity Governance · Compliance Mapping · Executive Presentation MSA12–MSA14 · The complete architecture package 15 modules · 30+ ADRs · Built on your own M365 tenant
View Pricing Take End of Course Exam → 40 CPE Credits

What you'll be able to do

Design a complete M365 identity, authentication, and Conditional Access architecture with ADRs
Build a phishing-resistant authentication strategy with passwordless rollout roadmap
Architect a 15-policy Conditional Access framework with persona model and break-glass
Eliminate standing privilege with PIM, role architecture, and Copilot governance
Design data protection architecture with sensitivity labels, DLP, and insider risk
Produce a portfolio-grade architecture package with 30+ ADRs and executive summary

The Design-Justify-Implement-Validate Cycle

Every module in this course follows the same four-stage cycle that separates architecture from configuration:

1. Design. Analyse the architectural problem with real-world constraints — E3 vs E5 licensing, legacy applications, hybrid AD, political resistance, service accounts vendors refuse to update. Design a solution that works within those constraints.

2. Justify. Document the decision as an Architecture Decision Record — context, decision, alternatives rejected, consequences, residual risk, and the 30-second version for your CISO. The documentation is what makes it architecture, not configuration.

3. Implement. Build the solution in your M365 E5 developer tenant. Portal configurations first, then PowerShell for automation and verification. Every implementation includes a verification step — query the API, confirm the setting is active.

4. Validate. Test whether the implementation achieves what the design intended. Attack simulations, CA What If evaluations, sign-in log analysis. If the control doesn't stop what it's supposed to stop, you find out in your lab — not during an incident.

Who this course is for

Security architects designing M365 security posture — you need a methodology for making connected decisions across identity, access, data, endpoints, and detection, and documenting those decisions for auditors and leadership.

Security engineers moving from reactive to proactive — you handle alerts and incidents, and you've noticed the same architectural gaps cause repeated incidents. You want to design the controls that prevent incidents instead of investigating them after they happen.

M365 administrators given security responsibility — you can configure MFA, CA, and Defender policies, but you can't explain why one configuration is better than another or present that case to your CISO.

GRC analysts who need architecture evidence — you map controls to ISO 27001, SOC 2, and Cyber Essentials but struggle to get documented evidence from the security team. This course produces the ADRs and risk register entries that satisfy audit requirements.

Anyone with a genuine interest in M365 security architecture. Whatever your background — early career, transitioning from another domain, or expanding your skill set — if the subject interests you and you're willing to do the work, this course is for you. Backgrounds vary. Motivation is what matters.

What you will be able to do

1. Design a complete M365 identity architecture — tenant design, identity types and their attack surfaces, hybrid identity decisions, administrative unit scoping, lifecycle automation, and naming governance. Every design decision documented as an ADR with evidence from your own tenant.

2. Build a phishing-resistant authentication strategy — every authentication method ranked by its actual security properties (not Microsoft's marketing), passwordless rollout roadmap, legacy authentication elimination, service account authentication, token theft prevention.

3. Architect a Conditional Access framework — persona-based policy design methodology with a 15-policy framework covering baseline, tiered, and application-specific controls. Break-glass accounts, exception management, hybrid CA reality, and compliance evidence generation.

4. Eliminate standing privilege — Entra ID role architecture redesigned for least privilege, PIM with meaningful activation policies (not 8-hour theatre), PAW strategy, service principal governance, cross-tenant privilege controls, and Copilot/AI workload security.

5. Design data protection architecture — sensitivity label taxonomy that users actually follow (not 47 labels and decision fatigue), DLP as a control framework with graduated enforcement, information barriers for regulatory requirements, retention governance, and insider risk detection connected to Adaptive Protection.

6. Build detection and response architecture — Sentinel workspace design with real cost modeling, detection rule framework prioritized by threat model, incident response playbook architecture, and Defender XDR cross-domain correlation as the operations fabric.

7. Produce a portfolio-grade architecture package — 30+ ADRs, 7 decision matrices, 25 risk register entries, 14 architecture diagrams, and an executive summary. Built on your own tenant. Every ADR documents your decisions for your environment.

Course at a glance

Modules: 15 (MSA0–MSA14)

Phases: 4 (Identity Foundation → Protection Stack → Detection and Response → Governance and Capstone)

Estimated study time: 36–40 hours

Content subs: 175+ across all modules

ADRs produced: 30+

Decision matrices: 7

Risk register entries: 25+

Architecture diagrams: 14 (one per module minimum)

CPE credits: 40

Free modules: MSA0 + MSA1 (no account required)

Lab: M365 E5 developer tenant + Azure subscription (yours to keep)

Typical pace: ~5-10 weeks at 5 hrs/week

Built by Ridgeline Cyber

Ridgeline Cyber Defence builds security operations training grounded in practical and operational experience. The team behind this course runs CSOC operations across M365 security stacks, manages Sentinel and Defender XDR environments, and designs security architecture for production tenants.

This course isn't based on vendor documentation repackaged as training. It's based on the architecture decisions we make in production — the same trade-offs, constraints, and documentation requirements you face. Every anti-pattern box ("what we see in 90% of tenants") comes from real assessment findings. Every decision matrix comes from real architecture projects. Every ADR template comes from the documentation we produce for our own clients.

The course is text-based. No videos, no live sessions, no cohorts. You work at your own pace, on your own schedule, with content you can search, reference, and return to. The format is deliberate — security architecture is a reading and doing discipline, not a watching discipline.

Lab environment

M365 E5 Developer Tenant — free tenant with 25 E5 user licenses. Provides Entra ID, Exchange Online, SharePoint, Teams, Defender XDR, Purview, Intune — every service the course uses. Setup in MSA0.6 takes about 30 minutes.

Azure Subscription — pay-as-you-go for the Sentinel workspace and Log Analytics. Azure offers $200 free credit on new accounts. Realistic cost: $19–32/month during active progression. MSA0.6 includes budget alert configuration.

Test accounts — 10+ personas covering different roles, risk levels, and device types. Created during the course and used throughout for CA testing, PIM configuration, and attack simulation.

No hosted lab images. You build the environment yourself, module by module. By course end, you have a fully configured M365 security architecture in a tenant you own and can continue to use.

Phase 1 — Identity Foundation

MSA0
Course Orientation and Architecture Thinking — What security architecture is (vs configuration), the M365 security stack as four connected layers, Architecture Decision Records, threat-informed design with real sign-in log telemetry, your tenant baseline assessment, lab setup and cost management, and the architecture package structure.
 MSA1
Entra ID Identity Architecture — Tenant architecture, identity types and their attack surfaces, hybrid identity (Entra Connect vs Cloud Sync, PHS vs PTA vs federation), Administrative Units, identity lifecycle, stale identity detection, naming governance, group architecture, and identity assessment with ADRs.
 MSA2
Authentication Architecture — Every authentication method ranked by phishing resistance. Passkeys, FIDO2, CBA, WHfB. AiTM attack mechanics and why only phishing-resistant methods stop them. Passwordless strategy and roadmap. Legacy authentication. Service account authentication. Token protection and CAE. ADRs documenting your authentication decisions.
 MSA3
Conditional Access Architecture — CA as the Zero Trust policy engine. Persona-based policy design methodology. Baseline, tiered, and application-specific policies. Device-based and location-based controls. Break-glass accounts. Policy lifecycle and change management. Exception handling. Hybrid CA reality. Complete CA framework with ADRs.

Phase 2 — Protection Stack

MSA4
Privileged Access Architecture — Standing privilege elimination. Entra ID role architecture. PIM design. Privileged Access Workstations. Service principal and managed identity governance. Cross-tenant privilege. Emergency access. Microsoft Copilot and AI workload security. ADRs documenting your privilege architecture.
 MSA5
Data Protection Architecture — Sensitivity label taxonomy design. Auto-labelling architecture (E3 vs E5). DLP as a control framework with graduated enforcement. Information barriers. Retention and records management. Insider Risk Management and Adaptive Protection. ADRs documenting your data protection decisions.
 MSA6
Endpoint Security Architecture — Device trust as an architectural pillar. Windows compliance with DHA and custom scripts. iOS, macOS, and Android compliance. Three-tier compliance model with graduated noncompliance actions. Configuration baselines and drift detection. App protection for BYOD. MDE as a real-time risk signal. ASR audit-to-block methodology. Automated response boundaries and Endpoint Privilege Management. Autopilot provisioning. ADRs documenting your endpoint architecture.
 MSA7
Email and Collaboration Security Architecture — Email threat surface audit with baseline metrics. EOP quarantine architecture. Safe Links click-time URL evaluation across email, Teams, and Office. Safe Attachments sandbox detonation with two-tier mode architecture. Anti-phishing impersonation detection for BEC defense. Attack simulation and user resilience measurement. SPF, DKIM, DMARC progressive deployment to reject. Teams external access restriction and guest governance. SharePoint and OneDrive authenticated sharing with sensitivity label integration. Post-delivery response with ZAP, AIR, and Threat Explorer. ADRs documenting your email and collaboration decisions.

Phase 3 — Detection and Response

MSA8
Sentinel Workspace Architecture — Single vs multi-workspace design. Data connector architecture. Log retention and tiering (analytics, basic, archive). RBAC and access design. Content Hub and solution architecture. ADRs documenting your Sentinel design.
 MSA9
Detection Architecture — Detection philosophy. Analytics rule architecture. Identity-based detection patterns. Privileged activity monitoring. Data exfiltration detection. Alert tuning and false positive management. ADRs documenting your detection architecture.
 MSA10
Incident Response Architecture — IR architecture vs IR execution. Automated response design. Containment architecture. Evidence preservation. ADRs documenting your response architecture.
 MSA11
Defender XDR as the Security Operations Fabric — Cross-domain correlation architecture. Automated investigation and response design. Custom detection rules in Defender XDR. Incident orchestration. Defender XDR and Sentinel coexistence. ADRs documenting your XDR operations.

Phase 4 — Governance and Capstone

MSA12
Identity Governance Architecture — Access reviews that actually find problems. Entitlement management. Lifecycle workflows. Workload identity governance. ADRs documenting your governance decisions.
 MSA13
Security Posture and Compliance Architecture — Secure Score as architecture feedback. Compliance framework mapping (ISO 27001, SOC 2, NIST CSF, Cyber Essentials). Compliance Manager. Maturity roadmaps. Communicating architecture to leadership. Posture assessment and compliance mapping.
 MSA14
Capstone — The Complete Architecture — Architecture package assembly. Architecture review simulation. End-to-end threat model walkthrough. Executive presentation. What changes next quarter.

Reference

Ref
Operational Reference — Every PowerShell command, Graph API query, KQL detection rule, and operational procedure from the course in one searchable page. Organized by architecture domain with operational cadence checklists.
 Ref
References & Further Reading — Microsoft documentation, security frameworks, compliance standards, threat intelligence sources, and architecture methodology references used throughout the course.

What you get that you will not find elsewhere

Not portal walkthroughs — architectural reasoning with API evidence.

Portal walkthroughs show you where to click. This course teaches you why you choose one configuration over another, what depends on that choice, what risk you accept, and how to document the decision so it survives your departure. Every design decision includes Graph API output, PowerShell commands, and sign-in log evidence — not screenshots of the admin center.

This is not certification preparation. SC-300, SC-400, and AZ-500 prep courses teach you to pass an exam. This course teaches you to design an architecture that survives contact with real attackers, real auditors, and real organizational politics. The exam asks "what is Conditional Access?" This course teaches you to design a persona-based CA framework, document every policy decision, validate every policy against attack techniques, and present the architecture to a CISO who asks hard questions.

The E3 vs E5 licensing reality. Most M365 security training assumes E5 licensing. Most real tenants run a mix of E3 and E5. Every module in this course designs for both — full architecture for E5 populations, documented residual risk with compensating controls for E3. The "Security on a Budget" callout appears in every module where licensing impacts the design.

You leave with a deployable architecture package, not just knowledge. 30+ ADRs. 7 decision matrices. 25 risk register entries. 14 architecture diagrams. An executive summary. Built on your own tenant. Every ADR documents your decisions for your environment.

The outcome

You start with a default M365 tenant where every security setting is either off or at Microsoft defaults. You finish with:

A complete identity architecture — every identity type catalogued, hybrid decisions documented, administrative units scoped, lifecycle automated, stale identities remediated.

Phishing-resistant authentication — passkeys deployed, legacy authentication blocked, service accounts governed, token theft mitigated.

A Conditional Access framework — 15 policies covering four personas, three tiers, and application-specific controls. Every policy documented with an ADR. Break-glass tested and monitored.

Privilege architecture — standing privilege reduced by 85%+. PIM with meaningful activation policies. Service principals governed. Copilot secured.

Data protection, detection, and response — sensitivity labels applied, DLP enforced, Sentinel workspace designed, detection rules prioritized, incident response playbooks documented.

An executive-ready architecture package — the document your CISO presents to the board, your GRC analyst gives to auditors, and your successor uses to understand every decision you made.

At $289/year, this is less than a single day of instructor-led training — for a complete security architecture program you work through at your own pace and reference permanently.

Where this course fits

This course designs the controls. Other Ridgeline courses operate within them:

Admin to Defender (free) covers M365 basics. MSA assumes this level or teaches inline.

Practical IR investigates when controls fail. MSA designs the controls.

Detection Engineering writes detection rules. MSA designs the detection architecture.

Endpoint Security tunes MDE. MSA designs the endpoint trust architecture that feeds CA.

Purple Teaming validates techniques. MSA uses those techniques to validate architectural controls.

Conditional Access (skill) covers 7 subs. MSA3 covers 13 subs with full architectural context.

Learner ladder: Admin to Defender (basics) → M365 Security Architecture (design layer) → Detection Engineering + Endpoint Security (operational layer) → Practical IR (investigation layer)

Support and community

Questions about course content: training@ridgelinecyber.com

Billing and account management: Self-service via your account page or training@ridgelinecyber.com

LinkedIn: Follow Ridgeline Cyber for operational security content and course updates

X: @RidgelineCyber

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may deploy configurations, detection rules, scripts, and policies from this course in your organization's production environment. You may not redistribute course content, share account credentials, or republish course materials.

Architecture configurations: All PowerShell commands, Graph API queries, Conditional Access policies, PIM configurations, and Purview policies are provided as-is for deployment in your environment. Test every configuration in report-only or simulation mode before enforcement. Security controls have production impact — validate blast radius before deployment. Ridgeline Cyber Defence is not responsible for operational impact from deployed configurations.

Scenarios: All example data uses generic tenant references and RFC 5737 documentation IP ranges. Any resemblance to real organizations, incidents, or individuals is coincidental.

Version and changelog

Current version: 1.0  |  Last updated: May 2026

2026 — v1.0: Course launch. 15 modules (MSA0–MSA14) across 4 phases. Complete M365 security architecture from identity foundations through detection, XDR operations, and capstone assembly. Graph API evidence, PowerShell implementation, attack validation, and ADR documentation throughout.

This course is actively maintained. Architecture patterns are updated as Microsoft capabilities evolve, new threat techniques emerge, and the M365 platform changes.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40minutes
3phases
100points
1scenario
Take End of Course Exam

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.