
The Identity Threat Landscape

50-70 minutes · Module 0 · Free

What this course is

This is a practical identity security engineering course for Microsoft Entra ID environments. Nineteen modules take you from understanding the identity threat landscape through designing, deploying, and validating a complete identity security architecture — Conditional Access, Identity Protection, PIM, token security, application governance, detection engineering, and operational monitoring.

Every significant cloud breach in the past three years started with identity. Not a firewall misconfiguration. Not an unpatched server. Identity. An attacker who compromises a single identity in your Microsoft 365 environment doesn't need to breach your network perimeter — there is no perimeter to breach. They authenticate through the front door using stolen credentials or a hijacked session token. Conditional Access evaluates the sign-in and — if the policies are not designed to catch this specific attack pattern — grants access. The attacker reads email, downloads files, creates forwarding rules, registers OAuth applications, and escalates privileges. Every action is logged. Most of it is never reviewed.

This course teaches you to prevent that outcome. Not by investigating the breach after it happens — that is the IR course's job. This course teaches you to design, deploy, and verify the identity security controls that stop the attack before it reaches the mailbox, before it reaches the files, before it reaches the admin console.

Every defense in this course follows the same six-step pattern — the Defense Design Method:

What attack does this stop? The threat, named and mapped to MITRE ATT&CK. Not a vague risk category — the specific technique an attacker would use against your environment.

Where is the control configured? The exact location — portal path, PowerShell command, Graph API endpoint. No ambiguity.

How should it be designed? The policy logic. Who it applies to, what conditions trigger it, what exceptions are needed, and why each design decision exists.

How do you verify it works? The KQL query against sign-in logs or audit logs that proves the control is active and enforcing. Trust but verify.

What does it look like when it fails? The log entry, the alert, the audit event that tells you something got through. This bridges to detection.

What do you do next? The remediation action, the escalation path, and the connection to the IR course for full investigation when prevention fails.

This method is the course's intellectual backbone. A learner who internalizes it can design identity security controls for any environment — because the method is platform-independent even though the implementation details are Microsoft-specific.
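As an added illustration of step four ("How do you verify it works?"), this KQL query is not one of the course's own queries; it assumes `SigninLogs` is ingested into a Log Analytics or Sentinel workspace and uses a placeholder policy name that you replace with the display name of the Conditional Access policy you want to prove is enforcing.

```kql
// Added example, not part of the course: prove that a Conditional Access policy
// is actually applying and enforcing, using the per-policy results in SigninLogs.
// Assumes SigninLogs is ingested into a Log Analytics / Sentinel workspace.
let lookback = 7d;
let targetPolicy = "CA-PLACEHOLDER-Require-phishing-resistant-MFA";  // placeholder name
SigninLogs
| where TimeGenerated > ago(lookback)
// ConditionalAccessPolicies is a dynamic array with one element per policy evaluated
| mv-expand policy = ConditionalAccessPolicies
| extend PolicyName   = tostring(policy.displayName),
         PolicyResult = tostring(policy.result)
| where PolicyName == targetPolicy
// "success" / "failure": the policy applied (controls satisfied / access blocked).
// "notApplied": the sign-in was out of scope. "reportOnly*": still in report-only mode.
| summarize
    Total      = count(),
    Applied    = countif(PolicyResult in ("success", "failure")),
    Blocked    = countif(PolicyResult == "failure"),
    NotApplied = countif(PolicyResult == "notApplied"),
    ReportOnly = countif(PolicyResult startswith "reportOnly")
    by PolicyName
// Enforcing = it applied to real sign-ins and nothing was left in report-only.
| extend Enforcing  = Applied > 0 and ReportOnly == 0,
         AppliedPct = round(100.0 * Applied / Total, 1)
| project PolicyName, Total, Applied, AppliedPct, Blocked, NotApplied, ReportOnly, Enforcing

// Second query (run separately): step five, "What does it look like when it fails?"
// Lists who reached the policy's target apps while the policy did NOT apply, which
// exposes scope gaps (excluded groups, missing apps, legacy clients) to fix in step six.
let lookback = 7d;
let targetPolicy = "CA-PLACEHOLDER-Require-phishing-resistant-MFA";  // placeholder name
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == 0                                   // successful sign-ins only
| mv-expand policy = ConditionalAccessPolicies
| where tostring(policy.displayName) == targetPolicy
| where tostring(policy.result) == "notApplied"
| summarize SignIns = count(), Apps = make_set(AppDisplayName, 10),
            ClientApps = make_set(ClientAppUsed, 5), LastSeen = max(TimeGenerated)
    by UserPrincipalName
| order by SignIns desc
```

A healthy result for the first query is a non-zero `Applied` count with `ReportOnly` at zero; a long list from the second query is the scope gap that step six remediates.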

What this course teaches

Nineteen modules across four phases. EI0 and EI1 are free — no account required.

Phase 1 — Foundations (EI0, EI1). You are here now. EI0 establishes why identity is the primary attack surface, walks the real-world attack patterns this course defends against (AiTM, token theft, consent phishing, password spray, MFA fatigue, service principal abuse), maps the Entra ID security stack, and introduces the Defense Design Method. EI1 teaches you to read sign-in logs — the identity telemetry that every subsequent module depends on. You'll learn every security-relevant field, how Conditional Access evaluation appears in logs, how risk signals work, and how to build a sign-in baseline with KQL.

Phase 2 — Conditional Access and Identity Protection (EI2–EI8). Seven modules that build the preventive and detective identity controls. Authentication methods and phishing-resistant MFA deployment (EI2). Conditional Access architecture — how evaluation works, the Zero Trust policy framework, named locations, device conditions, session controls (EI3). Conditional Access attack-stopping — the specific policy combinations that defeat AiTM, password spray, MFA fatigue, token replay, and consent phishing, each with verification queries (EI4). Identity Protection risk-based defense — risk detection, risk policies, investigation, and tuning (EI5). Privileged Identity Management — just-in-time access, access reviews, the complete privileged access strategy (EI6). Token security — token types, how tokens are stolen, token protection, continuous access evaluation, PRT protection (EI7). Conditional Access validation — report-only testing, What-If simulation, troubleshooting, change management (EI8).

Phase 3 — Application and Workload Identity Security (EI9–EI12). Four modules covering non-human identity security — the attack surface most organizations ignore until it's exploited. Application registration security — credential management, permission governance, admin consent workflow, detecting malicious applications (EI9). Managed identities and workload identity security — federation, Conditional Access for workloads, monitoring (EI10). External identities and B2B security — cross-tenant access, Conditional Access for external users (EI11). Identity governance and lifecycle management — entitlement management, access reviews, joiner/mover/leaver workflows (EI12).

Phase 4 — Detection, Operations, and Architecture (EI13–EI18). Six modules that complete the identity security program. Identity detection engineering — KQL rules for password spray, AiTM session theft, consent grant abuse, privilege escalation, impossible travel (EI13). Monitoring and operational security — log routing, posture assessment, CA health monitoring, reporting to leadership (EI14). Backup, recovery, and resilience — disaster recovery, compromised tenant response (EI15). Defender XDR integration — identity signals in Defender, automatic attack disruption, the unified SOC workflow (EI16). The complete architecture design — blueprint, deployment roadmap, compliance mapping, operations calendar (EI17). Capstone — design complete identity architectures for three fictional organizations of increasing complexity (EI18).

You can study the course linearly (EI0–EI18) or in a modified order once Phase 1 is complete. Linear order through Phase 2 is strongly recommended because Conditional Access policies build on each other — EI4 (attack-stopping policies) depends on the architecture from EI3, and EI8 (validation) depends on having policies to validate. Within Phases 3 and 4, modules are more independent.

Who this course is for

Anyone who designs, configures, or maintains identity security in a Microsoft environment. The course is built for self-directed learners, and how much of it applies depends on where you sit now and where you want to go.

M365 administrator who owns Conditional Access. You manage the tenant. You've configured some CA policies — maybe the Microsoft-recommended defaults, maybe a few custom ones. You don't know if they actually stop the attacks they're supposed to stop. You've never tested a policy against a real AiTM phishing attempt or verified that your token lifetime settings survive token replay. This course gives you the design discipline, the verification queries, and the validation methodology that turns CA policies from "probably working" to "proven working."

Identity security engineer or architect. You design identity security for your organization or for clients. You need a systematic approach — not a collection of portal screenshots, but a design methodology that starts with the attack, maps the control, verifies the enforcement, and monitors for failure. The Defense Design Method in this course is that methodology. EI17 (architecture design) and EI18 (capstone) produce portfolio-grade architecture documents.

SOC analyst investigating identity alerts. You triage Entra ID alerts — risky sign-ins, impossible travel, suspicious consent grants. You want to understand why the controls behind those alerts are configured the way they are, what the policies actually enforce, and how to tune Identity Protection to reduce the false positives that consume your shift. This course gives you the engineering context behind the alerts.

IT administrator moving into security. You manage Entra ID — users, groups, licenses, app registrations. You've been told to "lock down" the tenant but nobody explained what that means beyond enabling MFA. This course teaches you the specific controls, in the specific order, with the specific verification that turns a functional tenant into a secure tenant.

GRC professional mapping identity controls to frameworks. You need to demonstrate that identity security controls satisfy ISO 27001, SOC 2, NIST CSF 2.0, or NIS2 requirements. EI17 includes compliance mapping for every control the course builds. The capstone (EI18) produces an architecture document that maps directly to audit evidence.

If none of those profiles match yours, the course is still open to you. Read the prerequisites below and decide how much preparation you want to do before starting.

Prerequisites

Three specific prerequisites. Read each and self-assess honestly.

Entra ID administration. You should be able to navigate the Entra admin center (entra.microsoft.com), create users and groups, and understand what a Conditional Access policy does at a conceptual level — even if you've never built one from scratch. If you've managed an Entra ID tenant for six months, you have what you need. If Entra ID is entirely new, complete Microsoft Learn's "Implement initial configuration of Microsoft Entra ID" module first — about two hours.

KQL basics. You should be able to write a basic KQL query — a where filter, a project to select columns, a summarize to aggregate. The course contains hundreds of KQL queries against sign-in logs and audit logs, each annotated line by line. You'll learn advanced patterns in context. If KQL is entirely new, Microsoft Learn's free "Write your first query with KQL" primer covers the basics in two to three hours. Alternatively, the Mastering KQL for Cybersecurity course on this platform covers KQL from foundations through advanced patterns.

Microsoft 365 familiarity. You should understand what Microsoft 365 services are (Exchange Online, SharePoint, Teams, Defender) and how users interact with them — because the identity security controls you'll build protect access to these services. You don't need administrative depth in each service. You do need to know what they are and why an attacker would target them.

Nothing else is required. You do not need a background in network security, penetration testing, or Windows internals. The course is entirely cloud-focused — the only prerequisite infrastructure is the M365 tenant described below.

Lab setup

You can follow along with the course using your own Microsoft environment or a dedicated lab. The policies you build are production-ready — many learners deploy them directly into their own tenants.

Microsoft 365 tenant. An M365 E5 tenant with Entra ID P2 (included with E5). Options: your production tenant (the policies are designed for production — the course teaches report-only mode and staged deployment), an M365 Developer Tenant (free, 25 E5 licenses — sign up at developer.microsoft.com/microsoft-365/dev-program), or an E5 trial. The developer tenant is recommended for learners who want to test aggressively without affecting production users.

Azure subscription (recommended from EI13 onward). For Sentinel workspace and identity detection rules. Free tier (5 GB/day ingestion) is sufficient for the learning exercises. Required for EI13 (detection engineering) and EI14 (monitoring). Not required for Phases 1–2.

Test accounts. Create 3–5 test users in your tenant for policy testing. The course uses the Northgate Engineering fictional environment — t.ashworth, p.sharma, m.webb — but any test accounts work. The key is having accounts you can test CA policies against without affecting real users.

Browser with InPrivate/Incognito. Multiple browser profiles or InPrivate windows for simulating different sign-in contexts (different users, different devices, different locations). Most exercises need two browser sessions open simultaneously.

What you can skip: you don't need to set anything up before starting EI0. The foundation modules are content you read and sign-in log queries you run. Set up your tenant and test accounts when you reach EI2 (Authentication Methods).

How the course is structured

Every module from EI2 onward follows the Defense Design Method. You will encounter these elements in every content subsection.

Objective header. The operational problem and the deliverable. Read this first — it tells you what you'll have built by the end of the subsection.

Diagram. Every subsection has an SVG diagram — the authentication flow, the policy evaluation tree, the token lifecycle, the attack chain. Diagrams are the concise statement of what the subsection teaches.

Defense Design Method walkthrough. Every control follows the six-step pattern: what attack does this stop, where is it configured, how should it be designed, how do you verify it works, what does failure look like, what do you do next. This is the method you internalize and reuse for any identity control in any environment.

Worked KQL queries. Every verification step includes the exact KQL query against SigninLogs, AADNonInteractiveUserSignInLogs, or AuditLogs that proves the control is working. Queries are annotated line by line.

Decision Point. Operational scenarios — MFA enforcement exceptions, Conditional Access policy scope decisions, PIM activation approvals. The trade-offs you'll face in production.

Compliance Myth. Identity security is full of myths that sound reasonable and fail in production. "MFA stops all phishing." "Blocking legacy authentication is a weekend project." "Conditional Access replaces a firewall." Each myth is stated and corrected with the production reality.

Try-it. Exercises you run in your tenant — configure the policy, verify the enforcement, check the sign-in log.

Artifact footer. An operational artifact — a policy template, a KQL query, a deployment checklist, an architecture decision record.

Module completion pattern. Each module has content subsections (typically ten to fourteen), an interactive lab, a module summary, and a Check My Knowledge subsection with scenario-based questions.

Time per phase

The course is self-paced. No cohorts, no deadlines, no streaks.

Phase 1 (EI0, EI1): Two to three evenings. EI0 is the threat landscape. EI1 is sign-in log analysis — hands-on with KQL from the first subsection.

Phase 2 (EI2–EI8): Four to five weeks at six to eight hours per week. Seven modules covering the full Conditional Access and Identity Protection stack. EI4 (attack-stopping policies) and EI7 (token security) are the most intensive modules in this phase.

Phase 3 (EI9–EI12): Two to three weeks at the same pace. Four modules covering application and workload identity — often the least understood and most exploited part of the identity stack.

Phase 4 (EI13–EI18): Three to four weeks. Six modules including detection engineering, operations, and the capstone. EI18 (capstone) is the longest module — plan a full weekend or multiple evenings for the three architecture designs.

Full course at six to eight hours per week: twelve to sixteen weeks. The EI course is the largest on the platform — it covers the entire identity security surface, not just Conditional Access.

Start here

Go to EI0.1 — Why Identity Is the New Perimeter next. It walks the shift from network perimeter to identity perimeter — why the attacks that matter most in 2026 don't touch your firewall, and why the identity controls you're about to build are the ones that determine whether an attacker succeeds or fails.

After EI0.1, the remaining EI0 subsections cover how authentication actually works in Entra ID (EI0.2), the complete Entra ID security stack (EI0.3), the Entra admin center navigation (EI0.4), the attack patterns you'll defend against (EI0.5), the identity kill chain from initial access to persistence (EI0.6), Zero Trust and identity (EI0.7), real-world identity breaches with lessons (EI0.8), the lab environment (EI0.9), and the course structure and learning path (EI0.10).

Work through EI0 in order. The Defense Design Method introduced in this module is the framework every subsequent module applies.

You've mapped the identity threat landscape and learned to read sign-in logs.

EI0 established that every cloud attack starts with identity. EI1 took you through the signal that matters most — interactive, non-interactive, service principal, and managed identity sign-ins. Now you engineer the defences.

  • 17 engineering modules — authentication methods, conditional access architecture, Identity Protection, PIM, token protection, application governance, and detection rules
  • The Defense Design Method — the six-step framework applied to every identity control you'll build
  • EI18 Capstone — Identity Security Architecture Design — design complete identity architectures for three realistic organisations (SMB, mid-market, regulated enterprise)
  • Identity Security Toolkit lab pack — deployable conditional access policies, PIM configurations, and Identity Protection risk rules
  • Cross-domain detection (EI16) — email-to-identity correlation and the full phishing-to-inbox-rule attack chain