0.4 Lab Setup: M365 E5 Developer Tenant

45 minutes · Module 0 · Free
Operational Objective
This subsection covers lab setup of an M365 E5 developer tenant — a core operational skill for security teams working in Microsoft 365 environments. Every concept is demonstrated through practical scenarios from the Northgate Engineering environment.
Deliverable: Working proficiency with the techniques and operational patterns covered in this subsection.
Estimated completion: 25 minutes
Figure 0.4 — Operational workflow from input through documented output (Input → Process → Analyse → Decide → Output), applied to lab setup of the M365 E5 developer tenant for security operations at Northgate Engineering.

Lab Setup: M365 E5 Developer Tenant

You need a Microsoft 365 E5 environment to complete the hands-on exercises in this course. This subsection walks you through obtaining and configuring one. Do not skip this — every module from Module 1 onward assumes you have a working tenant.

Your three options

| Option | Cost | Best for | Limitations |
| --- | --- | --- | --- |
| M365 Developer Program (Instant Sandbox) | Free | Learners with a Visual Studio Professional/Enterprise subscription or qualifying partner membership | Requires qualifying membership; restricted since late 2024; 90-day renewable |
| M365 E5 Trial | Free for 30 days | Learners who need immediate access without qualification requirements | 30-day limit; credit card required; must cancel before billing |
| M365 Business Premium or E5 single license | ~$57/month (E5) or ~$22/month (Business Premium) | Learners who want a stable, long-term environment without renewal concerns | Monthly cost; Business Premium lacks some E5 features |
The M365 Developer Program has restricted free access

As of 2025, Microsoft requires an active Visual Studio Professional or Enterprise subscription, or membership in the Microsoft AI Cloud Partner Program, to qualify for the free E5 developer sandbox. If you do not qualify, use Option 2 (E5 trial) or Option 3 (paid license). This restriction may change — check developer.microsoft.com for current eligibility.

Option 1: M365 Developer Program (if you qualify)

Step 1: Check eligibility. Navigate to developer.microsoft.com/en-us/microsoft-365/dev-program. Sign in with a work, school, or personal Microsoft account. If you see the "Set up E5 subscription" button on your dashboard, you qualify. If you see "You don't currently qualify," move to Option 2 or 3.

Step 2: Choose Instant Sandbox. When prompted, select "Instant sandbox" (not "Configurable sandbox"). The instant sandbox comes pre-provisioned with 24 test users, Microsoft Teams, SharePoint, Outlook, sample data, and all M365 E5 licenses. This saves hours of manual configuration.

Step 3: Note your credentials. The setup process creates an admin account (e.g., admin@yourdomain.onmicrosoft.com) with a password you set. Write these down — you will use them to access the M365 admin center, Defender portal, and Entra ID portal.

Step 4: Verify your tenant. Navigate to admin.microsoft.com and sign in with your admin credentials. Confirm you see:

  • 25 user licenses (24 test users + 1 admin)
  • Microsoft 365 E5 subscription active
  • Exchange Online mailboxes for test users

Step 5: Verify Defender access. Navigate to security.microsoft.com. You should see the Microsoft Defender XDR portal with the Incidents queue, Advanced Hunting, and Settings accessible. If the portal shows "You don't have permission," wait 30 minutes — E5 license propagation can take time.

Option 2: M365 E5 Trial (30 days, no qualification needed)

Step 1: Navigate to microsoft.com/en-us/microsoft-365/enterprise/e5 and click "Try for free."

Step 2: Follow the sign-up process. You will need a phone number for verification and a credit card (you will not be charged during the trial). Create your admin account and tenant domain.

Step 3: Verify your tenant using the same steps as Option 1 (Steps 4-5).

Set a calendar reminder to cancel or convert before day 30

The trial converts to a paid subscription automatically on day 31. If you want to continue studying beyond 30 days without paying, you will need to set up a new trial with a different email address, or move to Option 3. If you want to keep your environment long-term, the automatic conversion is convenient — just be aware of the billing.

Option 3: M365 Business Premium or E5 single license

If you want a stable environment that does not expire or require renewal, purchase a single M365 E5 license ($57/month) or M365 Business Premium license ($22/month) through the M365 admin center.

Business Premium vs E5 for this course:

| Feature | Business Premium | E5 | Impact on course |
| --- | --- | --- | --- |
| Defender for Endpoint | P1 | P2 (full EDR) | Module 4 exercises require P2 for device timeline and live response |
| Defender for Office 365 | P1 | P2 (full) | Module 1 exercises on Threat Explorer require P2 |
| Defender for Identity | Not included | Included | Module 1.5 requires this |
| Defender for Cloud Apps | Not included | Included | Module 1.6 requires this |
| Microsoft Sentinel | Separate Azure subscription | Separate Azure subscription | Both require Azure — see subsection 0.5 |
| Entra ID | P1 | P2 | Risk-based conditional access in Modules 11, 13 requires P2 |

E5 is recommended. Business Premium works for Modules 0-3 and 6-8, but you will hit limitations in the modules that require P2 features. If budget is a concern, start with Business Premium and upgrade to E5 when you reach Module 4.

Creating test users

Regardless of which option you chose, you need test users to simulate a realistic organization. If you used the Instant Sandbox (Option 1), you already have 24 test users. For Options 2 and 3, create at least 6 test users:

| User | Display name | Role | Purpose |
| --- | --- | --- | --- |
| admin@yourdomain.onmicrosoft.com | Admin | Global Administrator | Your admin account |
| j.morrison@yourdomain.onmicrosoft.com | Jordan Morrison | Finance Manager | BEC/phishing target |
| s.patel@yourdomain.onmicrosoft.com | Sarah Patel | IT Administrator | Privileged account for CA testing |
| m.chen@yourdomain.onmicrosoft.com | Michael Chen | Standard User | Normal user baseline |
| r.williams@yourdomain.onmicrosoft.com | Rebecca Williams | Executive (CEO) | Impersonation target |
| d.kumar@yourdomain.onmicrosoft.com | David Kumar | Standard User | Second normal user for comparison |

Navigate to admin.microsoft.com → Users → Active users → Add a user. Assign each user an M365 E5 license. These fictional users appear throughout the course as the people in our investigation scenarios.
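The same provisioning done from PowerShell instead of the admin center, as an added example that is not the course's own code: it creates the five non-admin users from the table above with the Microsoft Graph PowerShell SDK and assigns each an E5 license. It assumes the Microsoft.Graph module is installed, that `$TenantDomain` is replaced with your tenant's *.onmicrosoft.com domain (the value below is a placeholder), and that the E5 SKU part number is `SPE_E5` in a paid or trial tenant or `DEVELOPERPACK_E5` in a Developer Program sandbox.

```powershell
# Added example, not the course's own code: creates the five non-admin test users
# from the table above with Microsoft Graph PowerShell and assigns each an E5 licence.
# Assumptions: the Microsoft.Graph module is installed (Install-Module Microsoft.Graph),
# $TenantDomain is your tenant's *.onmicrosoft.com domain (placeholder below), and the
# E5 SKU part number is SPE_E5 (paid/trial) or DEVELOPERPACK_E5 (Developer Program sandbox).
$TenantDomain  = 'yourdomain.onmicrosoft.com'   # placeholder: replace with your tenant domain
$UsageLocation = 'US'                           # Entra requires a usage location before licensing

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All' -NoWelcome

# The admin account already exists from tenant setup; these are the remaining table rows.
$testUsers = @(
    @{ Alias = 'j.morrison'; Given = 'Jordan';  Surname = 'Morrison'; Role = 'Finance Manager' }
    @{ Alias = 's.patel';    Given = 'Sarah';   Surname = 'Patel';    Role = 'IT Administrator' }
    @{ Alias = 'm.chen';     Given = 'Michael'; Surname = 'Chen';     Role = 'Standard User' }
    @{ Alias = 'r.williams'; Given = 'Rebecca'; Surname = 'Williams'; Role = 'Executive (CEO)' }
    @{ Alias = 'd.kumar';    Given = 'David';   Surname = 'Kumar';    Role = 'Standard User' }
)

function New-InitialPassword {
    # 24 characters from a CSPRNG; the user is forced to change it at first sign-in,
    # so the value is never written to the console or to a file.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = [byte[]]::new(18)
    $rng.GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

# Resolve the E5 SKU once. If neither part number is present, list the SKUs and adjust.
$sku = Get-MgSubscribedSku |
       Where-Object { $_.SkuPartNumber -in 'SPE_E5', 'DEVELOPERPACK_E5' } |
       Select-Object -First 1
if (-not $sku) { throw 'No E5 SKU found. Run Get-MgSubscribedSku and adjust the part number list.' }

foreach ($u in $testUsers) {
    $upn  = "$($u.Alias)@$TenantDomain"
    $user = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id, UserPrincipalName

    if ($user) {
        Write-Host "Exists:   $upn"
    } else {
        $user = New-MgUser -AccountEnabled -DisplayName "$($u.Given) $($u.Surname)" `
            -GivenName $u.Given -Surname $u.Surname -JobTitle $u.Role `
            -MailNickname ($u.Alias -replace '\.', '') -UserPrincipalName $upn `
            -UsageLocation $UsageLocation `
            -PasswordProfile @{ Password = (New-InitialPassword); ForceChangePasswordNextSignIn = $true }
        Write-Host "Created:  $upn"
    }

    # Assign E5. -RemoveLicenses is mandatory even when empty; re-running is a no-op.
    Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null
    Write-Host "Licensed: $upn ($($sku.SkuPartNumber))"
}
```

The script is safe to re-run: existing users are left in place and only the license assignment is repeated. Because the initial password is random and never displayed, reset a user's password from the admin center when a later exercise asks you to sign in as that user. Note that the script grants no directory roles; s.patel is "privileged" for the purposes of conditional access testing only once you assign a role deliberately in a later module.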

Use the Northgate Engineering naming convention

Throughout this course, investigation scenarios reference a fictional company called Northgate Engineering (northgateeng.com). Your tenant domain will be different (*.onmicrosoft.com), but the user names and investigation narratives use the Northgate Engineering context. When the course says "j.morrison@northgateeng.com received the phishing email," substitute your tenant's version of that user.

Verification checklist

Before moving to subsection 0.5, confirm all of the following:

  • [ ] You can sign into admin.microsoft.com with your admin account
  • [ ] You can see active M365 E5 (or Business Premium) licenses
  • [ ] You have at least 6 test users with licenses assigned
  • [ ] You can access security.microsoft.com (Microsoft Defender XDR portal)
  • [ ] You can access entra.microsoft.com (Microsoft Entra admin center)
  • [ ] The Defender portal shows the Incidents queue (even if empty)

If any of these fail, wait 30-60 minutes for provisioning to complete. New tenants can take up to 4 hours for all services to activate. If still failing after 4 hours, check the M365 Service Health dashboard at admin.microsoft.com → Health → Service health.
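A scripted pass over the checklist, as an added example that is not the course's own code: it queries the API behind each item (subscribed SKUs, licensed users, the Defender XDR incidents endpoint, and service health) with Microsoft Graph PowerShell, so you can tell provisioning delay from misconfiguration without clicking through four portals. It does not replace signing in to the portals themselves. The SKU part numbers `SPE_E5`, `DEVELOPERPACK_E5` (E5) and `SPB` (Business Premium) are assumptions; the minimum user count is taken from the checklist.

```powershell
# Added example, not the course's own code: checks the API counterpart of each checklist
# item with Microsoft Graph PowerShell. Assumed SKU part numbers: SPE_E5 / DEVELOPERPACK_E5
# (Microsoft 365 E5) and SPB (Business Premium). Requires Install-Module Microsoft.Graph.
Connect-MgGraph -Scopes 'User.Read.All', 'Organization.Read.All',
                        'SecurityIncident.Read.All', 'ServiceHealth.Read.All' -NoWelcome

function Test-LabTenant {
    param([int] $MinimumTestUsers = 6)   # the checklist's "at least 6 test users"
    $checks = [ordered]@{}

    # A successful Graph sign-in is the API equivalent of reaching entra.microsoft.com
    $checks['Signed in as'] = (Get-MgContext).Account

    # Checklist: active M365 E5 (or Business Premium) licences
    $skus = @(Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -in 'SPE_E5', 'DEVELOPERPACK_E5', 'SPB' })
    $enabledUnits = 0
    foreach ($s in $skus) { $enabledUnits += $s.PrepaidUnits.Enabled }
    $checks['Licence SKUs']     = if ($skus) { ($skus | ForEach-Object { $_.SkuPartNumber }) -join ', ' } else { 'none found' }
    $checks['Licences enabled'] = $enabledUnits

    # Checklist: at least 6 users with a licence assigned
    $licensed = @(Get-MgUser -All -Property UserPrincipalName, AssignedLicenses |
                  Where-Object { $_.AssignedLicenses.Count -gt 0 })
    $checks['Licensed users']    = $licensed.Count
    $checks['Enough test users'] = $licensed.Count -ge $MinimumTestUsers

    # Checklist: Defender XDR reachable; an empty incident list still proves access
    try {
        $incidents = @(Get-MgSecurityIncident -Top 5)
        $checks['Defender XDR incidents API'] = "reachable ($($incidents.Count) recent incidents)"
    } catch {
        # A 403 here usually means the E5 licence has not propagated yet: wait and retry
        $checks['Defender XDR incidents API'] = "not reachable: $($_.Exception.Message)"
    }

    # Service health: the API behind admin.microsoft.com -> Health -> Service health
    $degraded = @(Get-MgServiceAnnouncementHealthOverview |
                  Where-Object { $_.Status -ne 'serviceOperational' } |
                  ForEach-Object { "$($_.Service) ($($_.Status))" })
    $checks['Services not operational'] = if ($degraded) { $degraded -join ', ' } else { 'none' }

    return [pscustomobject]$checks
}

Test-LabTenant | Format-List
```

Run it once right after setup and again after the 30-60 minute wait the text recommends: a changing "Licences enabled" or "Defender XDR incidents API" value between runs is propagation, while a value that never changes after 4 hours points at the Service health entry or a licensing mistake.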

Detection depth: NE-specific implementation

This detection rule addresses a technique that directly threatens NE's operational environment. The implementation accounts for NE's specific infrastructure characteristics:

Telemetry source: The primary data table for this detection ingests approximately 0.5-3.2 GB/day depending on the activity volume. At NE's scale (810 users, 865 devices, 42 servers), the event volume generates a stable baseline that statistical detection methods (percentile analysis from DE9.4) can reliably characterize. Deviations from this baseline represent either environmental changes (new applications, infrastructure modifications) or attacker activity.

Threshold calibration: The threshold was selected using the percentile method: P99 of 30-day historical data establishes the upper bound of normal activity. The production threshold is set at 1.5x P99 to provide margin above normal fluctuation while maintaining detection sensitivity for attack patterns that typically generate 5-50x normal volume.

False positive profile: The primary FP sources for this detection include: IT administrative activity (legitimate but anomalous-looking operations), automated tools and scripts (scheduled tasks, monitoring agents), and business events (quarterly reporting, annual audits, project deadlines). Each FP source is addressed through the watchlist architecture (DE9.6) — Corporate IPs (WL1), Service Accounts (WL2), IT Admin Accounts (WL3), and Known Applications (WL4) provide systematic exclusion without reducing the rule's detection scope below acceptable levels.
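The threshold calibration and the watchlist exclusions from the two passages above, carried through on constructed data as an added example that is not the course's own code. The history is 30 days of hourly event counts (720 samples) rather than 30 daily totals, because with only 30 samples the nearest-rank P99 is simply the maximum; the production threshold is 1.5 × P99; and events from WL1-WL4 entities are removed before the current hour is compared to the threshold. The watchlist entries, accounts, IP addresses (documentation ranges) and event volumes are all constructed for the example, and the event table is left unnamed as it is in the text.

```powershell
# Added example, not the course's own code: percentile threshold (P99 of 30-day history,
# production threshold = 1.5 x P99) with WL1-WL4 watchlist exclusion applied before counting.
# All history, events, accounts, IPs and watchlist entries below are constructed.

function Get-NearestRankPercentile {
    param([double[]] $Values, [ValidateRange(0, 100)][double] $Percentile)
    # k-th smallest value with k = ceil(p/100 * N). With only 30 daily samples P99 is
    # just the maximum, which is why the history below is binned hourly (720 samples).
    $sorted = $Values | Sort-Object
    $rank   = [int][math]::Max(1, [math]::Ceiling($Percentile / 100 * $sorted.Count))
    return $sorted[$rank - 1]
}

function Get-ProductionThreshold {
    param([double[]] $HistoricalCounts, [double] $Margin = 1.5)
    $p99 = Get-NearestRankPercentile -Values $HistoricalCounts -Percentile 99
    [pscustomobject]@{ P99 = $p99; Margin = $Margin; Threshold = [math]::Ceiling($p99 * $Margin) }
}

function Test-WatchlistMatch {
    param([pscustomobject] $Event, [hashtable] $Watchlists)
    # Name of the first matching watchlist, or $null if the entity is on none of them
    if ($Watchlists.WL1 -contains $Event.IPAddress)   { return 'WL1 Corporate IPs' }
    if ($Watchlists.WL2 -contains $Event.Account)     { return 'WL2 Service Accounts' }
    if ($Watchlists.WL3 -contains $Event.Account)     { return 'WL3 IT Admin Accounts' }
    if ($Watchlists.WL4 -contains $Event.Application) { return 'WL4 Known Applications' }
    return $null
}

function Invoke-ThresholdDetection {
    param([string] $Label, [pscustomobject[]] $HourEvents, [hashtable] $Watchlists, [int] $Threshold)
    $kept = @($HourEvents | Where-Object { -not (Test-WatchlistMatch -Event $_ -Watchlists $Watchlists) })
    [pscustomobject]@{
        Hour      = $Label
        RawEvents = $HourEvents.Count
        Excluded  = $HourEvents.Count - $kept.Count   # removed by WL1-WL4 before counting
        Counted   = $kept.Count
        Threshold = $Threshold
        Fires     = $kept.Count -gt $Threshold
    }
}

# --- constructed 30-day hourly history: business hours carry ~3x the off-hours volume ---
Get-Random -SetSeed 20250101 | Out-Null
$history = foreach ($day in 1..30) {
    foreach ($h in 0..23) {
        $base = if ($h -ge 8 -and $h -lt 18) { 300 } else { 100 }
        $base + (Get-Random -Minimum -40 -Maximum 41)
    }
}
$calibration = Get-ProductionThreshold -HistoricalCounts $history
$calibration | Format-List

# --- constructed watchlists (WL1-WL4 as named in the text) and two test hours ---
$watchlists = @{
    WL1 = @('203.0.113.10', '203.0.113.11')      # corporate egress IPs (TEST-NET-3)
    WL2 = @('svc-backup@northgateeng.com')
    WL3 = @('s.patel@northgateeng.com')
    WL4 = @('Northgate Monitoring Agent')
}
function New-Events([int] $Count, [string] $Account, [string] $IP, [string] $App) {
    1..$Count | ForEach-Object { [pscustomobject]@{ Account = $Account; IPAddress = $IP; Application = $App } }
}
# Hour A: busy but benign; 450 user events plus a 200-event monitoring burst from a corporate IP
$hourA = @(New-Events 450 'm.chen@northgateeng.com' '198.51.100.23' 'Exchange Online') +
         @(New-Events 200 'svc-backup@northgateeng.com' '203.0.113.10' 'Northgate Monitoring Agent')
# Hour B: roughly 5x the normal business-hour volume from one user at an address on no watchlist
$hourB = @(New-Events 1500 'j.morrison@northgateeng.com' '192.0.2.77' 'Exchange Online')

Invoke-ThresholdDetection -Label 'A' -HourEvents $hourA -Watchlists $watchlists -Threshold $calibration.Threshold
Invoke-ThresholdDetection -Label 'B' -HourEvents $hourB -Watchlists $watchlists -Threshold $calibration.Threshold
```

With this constructed history P99 lands a little under 340 events per hour and the production threshold near 505. Hour A would have exceeded it on raw volume (650) but falls to 450 once the WL1/WL2 burst is excluded, which is the FP reduction the watchlist architecture is for; hour B stays well above it, which is the 5-50x attack profile the margin is designed to keep detecting. The `Excluded` count is worth recording with each alert, since a watchlist that silently removes most of an hour's events is the first thing to review when the rule seems to have gone quiet.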

Attack chain integration: This detection maps to one or more of the 6 NE attack chains (CHAIN-HARVEST, CHAIN-MESH, CHAIN-ENDPOINT, CHAIN-FACTORY, CHAIN-PRIVILEGE, CHAIN-DRIFT). When this rule fires, the SOC analyst correlates with adjacent-phase alerts to determine whether the activity is isolated or part of a multi-phase attack. The correlation query from this module's cross-technique subsection provides the KQL pattern for this analysis.

Response procedure: On alert, the analyst: (1) checks the entity against the watchlists — is this a known benign source? (2) checks for correlated alerts from adjacent kill chain phases within 60 minutes, (3) classifies as TP/FP/BTP using the DE9.5 decision tree, and (4) escalates to Rachel if the alert correlates with other phases (potential active attack chain).

Developer tenant capabilities and limitations

The E5 developer tenant provides the full Microsoft 365 security stack: Defender for Endpoint (P2), Defender for Office 365 (P2), Defender for Identity, Defender for Cloud Apps, Entra ID P2, and Purview compliance. This matches what a production enterprise tenant includes. The limitation: synthetic sample data does not behave like production data. Automated attacks, user behavior patterns, and alert generation are simulated rather than organic. Detection rules tuned against sample data will require re-tuning when deployed to production because baseline volumes, user counts, and activity patterns differ significantly. Use the developer tenant for learning the portal, writing queries, and testing configurations. Use your production environment (or the NE lab data) for tuning thresholds and validating detection accuracy.

The lab environment configuration decisions you make here directly affect the quality of your learning experience in every subsequent module. Invest the setup time now — a properly configured lab with validated data pipelines means every exercise in the course returns real results. A misconfigured lab means debugging infrastructure instead of learning security operations. Verify each connector before moving to the next module.

The developer tenant renews every 90 days as long as you use it for development activity. If the tenant expires, you lose the configuration but can create a new one. Keep your Sentinel analytics rules, KQL queries, and configuration notes in a separate Git repository so they survive tenant renewal. The course's downloadable KQL packs provide a starting point — import them into each new tenant to restore your detection coverage in minutes rather than rebuilding from scratch.

Compliance Myth: "Default security settings are sufficient"
The myth: Default security settings are sufficient

The reality: Microsoft's security defaults provide a baseline — MFA for admins, blocking legacy authentication. But defaults do not configure: conditional access policies tailored to your risk profile, Defender for Office 365 anti-phishing policies for your specific impersonation targets, custom detection rules for your environment, or data loss prevention policies for your sensitive data. Defaults prevent the easiest attacks. Custom configuration prevents the attacks targeting YOUR organization.

You set up your M365 E5 developer tenant and added 25 sample users. The tenant has been active for 3 days but SigninLogs in Sentinel shows zero events. What is the most likely cause?

  • The sample users have not signed in yet — log in as each user to generate events.
  • The Entra ID diagnostic settings are not configured to send SigninLogs to the Sentinel Log Analytics workspace.
  • SigninLogs has a 24-hour ingestion delay — wait another day.
  • The E5 developer tenant does not include SigninLogs — you need a production tenant.

Answer: the Entra ID diagnostic settings. Creating the Sentinel workspace and enabling the Entra ID data connector are separate steps. Check: Azure Portal → Entra ID → Diagnostic settings → verify that SigninLogs, AuditLogs, and NonInteractiveUserSignInLogs are configured to send to your Log Analytics workspace. This is the most common lab setup issue — the connector appears enabled in Sentinel but the diagnostic settings on the Entra ID side are not configured.
Decision point

You manage NE's M365 security stack. Microsoft releases a new Defender feature in preview. The feature promises to reduce AiTM risk by 80%. Do you enable it immediately?

Not in production. Enable in a test tenant or for a pilot group first. Preview features may: change behavior before GA, have undocumented interactions with existing CA policies, or produce unexpected results in specific tenant configurations. The deployment sequence: (1) enable in a test tenant and validate against NE's CA policy set, (2) enable for a pilot group of 10 users for 2 weeks, (3) monitor for FPs and operational impact, (4) roll out to all users after successful pilot. Microsoft's '80% reduction' claim is based on their telemetry across all tenants — NE's specific configuration may produce different results.

Try it: Validate your lab environment

Complete the lab setup steps described in this subsection. Verify: (1) you can sign in to your M365 tenant, (2) the Sentinel workspace is accessible, (3) at least one data connector shows 'Connected' status, and (4) a test KQL query returns results. Screenshot the successful query result — this confirms your lab is ready for the course exercises.
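The four validation items above, plus the diagnostic-settings check from the quiz, as an added example that is not the course's own code. It uses the Az PowerShell modules (Az.Accounts, Az.OperationalInsights, Az.SecurityInsights are assumed installed); `$ResourceGroup` and `$WorkspaceName` are placeholders for your Sentinel workspace; and the Entra ID diagnostic settings are read from the tenant-level `microsoft.aadiam` REST path with the `2017-04-01-preview` api-version, which is an assumption about the version current when this was written.

```powershell
# Added example, not the course's own code: checks the four "Try it" items and the
# diagnostic-settings gap from the quiz with the Az PowerShell modules.
# Assumptions: Az.Accounts, Az.OperationalInsights and Az.SecurityInsights are installed;
# $ResourceGroup/$WorkspaceName are placeholders for your Sentinel workspace; the Entra ID
# diagnostic settings are read from the tenant-level microsoft.aadiam REST path with the
# 2017-04-01-preview api-version (assumed current when this was written).
$ResourceGroup = 'rg-sentinel-lab'    # placeholder
$WorkspaceName = 'law-sentinel-lab'   # placeholder

Connect-AzAccount | Out-Null   # (1) sign in to the subscription that hosts the workspace

function Test-SentinelLab {
    param([string] $ResourceGroup, [string] $WorkspaceName)
    $report = [ordered]@{}

    # (2) Workspace reachable. CustomerId is the workspace GUID that queries run against.
    $ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName
    $report['Workspace'] = "$($ws.Name) ($($ws.CustomerId))"

    # (3) Connectors configured in Sentinel. The portal's 'Connected' badge is derived from
    # data actually arriving in the tables, so the query in step (4) is the real test.
    $connectors = @(Get-AzSentinelDataConnector -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName)
    $report['Connectors'] = if ($connectors) { ($connectors | ForEach-Object { $_.Kind }) -join ', ' } else { 'none' }

    # Quiz follow-up: Entra ID diagnostic settings live at tenant scope, not in the workspace.
    # The connector can look enabled while no log category is routed to this workspace.
    $resp     = Invoke-AzRestMethod -Method GET -Path '/providers/microsoft.aadiam/diagnosticSettings?api-version=2017-04-01-preview'
    $settings = @(($resp.Content | ConvertFrom-Json).value)
    $routed   = @($settings | Where-Object { $_.properties.workspaceId -eq $ws.ResourceId } |
                  ForEach-Object { $_.properties.logs } | Where-Object { $_.enabled } |
                  ForEach-Object { $_.category })
    $required = 'SignInLogs', 'AuditLogs', 'NonInteractiveUserSignInLogs'   # categories; -notin is case-insensitive
    $missing  = @($required | Where-Object { $_ -notin $routed })
    $report['Diagnostic categories not routed here'] = if ($missing) { $missing -join ', ' } else { 'none' }

    # (4) Test query: rows and freshness per table over 7 days. The table that receives the
    # NonInteractiveUserSignInLogs category is named AADNonInteractiveUserSignInLogs.
    $kql = @'
union isfuzzy=true withsource=TableName SigninLogs, AuditLogs, AADNonInteractiveUserSignInLogs
| summarize Rows = count(), Latest = max(TimeGenerated) by TableName
'@
    $query = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql -Timespan (New-TimeSpan -Days 7)
    $rows  = @($query.Results)
    $report['Tables with data'] = if ($rows) {
        ($rows | ForEach-Object { "$($_.TableName)=$($_.Rows) (latest $($_.Latest))" }) -join ', '
    } else {
        'none: zero events, as in the quiz scenario'
    }

    return [pscustomobject]$report
}

Test-SentinelLab -ResourceGroup $ResourceGroup -WorkspaceName $WorkspaceName | Format-List
```

The combination of the two middle results is the diagnostic: a connector listed under "Connectors" together with categories under "Diagnostic categories not routed here" reproduces exactly the quiz scenario, an enabled connector with nothing flowing. Keep the output alongside your screenshot of the successful query, since it records which categories were routed when the lab was validated and will show what changed if a table goes quiet in a later module.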

You've set up your M365 tenant and learned the Defender XDR unified portal.

Module 0 got your M365 developer tenant configured with sample data. Module 1 took you through the Defender XDR unified incident queue across endpoint, email, identity, and cloud apps. Now you investigate every major M365 attack type and deploy the detections that catch them next time.

  • 15 investigation and configuration modules — Defender for Endpoint, Purview, Defender for Cloud, Security Copilot, Sentinel workspace design, log ingestion, analytics rules, and threat hunting
  • 5 named attack investigations — AiTM credential phishing, BEC and financial fraud, consent phishing and OAuth grant abuse, token replay and session hijacking, insider threat
  • KQL from fundamentals through advanced hunting — dedicated modules on query language, cross-table joins, statistical analysis, and threat hunting queries
  • SC-200 exam objectives fully covered — every module maps to the January 2026 SC-200 update. The certification is the side effect of operational competence, not the goal
  • Production artefacts per module — detection rules, investigation playbooks, and hardening checklists you deploy to your own tenant