EI0.10 Course Structure and Learning Path

50-70 minutes · Module 0 · Free
Operational Objective
This course contains 18 modules across 4 phases. You need to understand the structure, the dependencies between modules, and the recommended path based on your role — so you can plan your learning efficiently and know where to go when you need a specific defense.
Deliverable: A clear map of the complete course structure, module dependencies, time estimates, and recommended learning paths for different roles.
⏱ Estimated completion: 10 minutes

Course architecture

The course follows a deliberate progression that mirrors how you would deploy identity security controls in a production environment. The phases build on each other: foundations give you the telemetry skills and authentication knowledge, then you build the policy architecture, then you govern the non-human identities, and finally you engineer the detection and monitoring layer that verifies everything works.

COURSE STRUCTURE — 4 PHASES

PHASE 1 — FOUNDATIONS (EI0-EI2) — FREE
EI0 Identity Threat Landscape → EI1 Sign-In Logs → EI2 Authentication Methods
Understand the threat, read the telemetry, know the authentication landscape

PHASE 2 — CONDITIONAL ACCESS + IDENTITY PROTECTION (EI3-EI8)
EI3 CA Architecture → EI4 Stopping Attacks → EI5 Identity Protection
EI6 PIM → EI7 Token Security → EI8 CA Validation
Build the policy engine, stop real attacks, protect privileged access, secure tokens

PHASE 3 — APPLICATION + WORKLOAD IDENTITY (EI9-EI12)
EI9 App Security → EI10 Workload Identity → EI11 External Identities → EI12 Governance
Govern the non-human identities, external access, and identity lifecycle

PHASE 4 — DETECTION, MONITORING + OPERATIONS (EI13-EI17)
EI13 Detection Engineering → EI14 Monitoring → EI15 Backup/Recovery
EI16 Defender XDR Integration → EI17 The Complete Architecture
Detect what gets through, monitor continuously, build the complete design

Est. 30-40 hours total · Free modules require no account
Figure EI0.10 - Course Structure and Learning Path

Module dependencies

Most modules build on their predecessors, but the course is not strictly linear. Here are the critical dependencies:

EI1 (Sign-In Logs) is a prerequisite for everything. Every module from EI3 onward uses sign-in log queries for verification. If you skip EI1, you will not be able to complete the "how do you verify it works" step of the Defense Design Method in any subsequent module.

EI2 (Authentication Methods) is required before EI4. You need to understand the authentication method hierarchy before you can design conditional access policies that enforce specific methods.

EI3 (CA Architecture) is required before EI4 and EI8. You need to understand how conditional access evaluation works before you build attack-specific policies or validate their enforcement.

EI5 (Identity Protection) is required before EI13. The detection engineering module builds on the risk signals that Identity Protection produces.

EI9-EI12 are relatively independent. Phase 3 modules can be taken in any order, though EI9 (Application Security) provides context that enriches EI10 (Workload Identity).

EI13-EI16 can be taken in any order but all assume completion of Phases 1-2.

EI17 (Complete Architecture) requires completion of all prior modules. It synthesizes everything into the final design.

Recommended learning paths by role

M365 administrator with new security responsibility (estimated 35-40 hours): Follow the full course in order: EI0 → EI1 → EI2 → EI3 → EI4 → EI5 → EI6 → EI7 → EI8 → EI9 → EI10 → EI11 → EI12 → EI13 → EI14 → EI15 → EI16 → EI17. You need every module because you are building the complete identity security capability from the ground up.

SOC analyst defending identity (estimated 20-25 hours, focused path): Start with EI0 → EI1 (sign-in log fluency is your primary skill). Then EI5 (Identity Protection — you triage risk alerts daily). Then EI3 and EI4 (understand the CA policies you are monitoring). Then EI13 (detection engineering — build the rules you want in your SOC). Then EI16 (Defender XDR integration). Add EI7 (token security) and EI9 (application security) as time permits — these are the attack surfaces you will investigate most frequently.

Security engineer designing identity controls (estimated 30-35 hours): Follow the full course but prioritize Phase 2 (EI3-EI8) — this is your core work. Then Phase 3 (EI9-EI12) for governance. Then EI17 (the complete architecture) which gives you the deployable design document. Add Phase 4 detection modules as time permits.

IR practitioner adding prevention skills (estimated 15-20 hours, targeted): Start with EI0 → EI1 (sign-in log skills complement your investigation skills). Then EI4 (understand what should have stopped the attacks you investigate). Then EI7 (token security — connects directly to your token theft investigation work). Then EI9 (application security — the persistence mechanisms you find in investigations). Then EI13 (detection engineering — close the loop from investigation findings to prevention).

Time estimates per module

Phase 1 modules (EI0-EI2) are the most accessible — they build foundational knowledge at an introductory pace. Estimated 50-80 minutes each.

Phase 2 modules (EI3-EI8) are the most technical — they involve hands-on conditional access policy design, Identity Protection configuration, and PIM setup. Estimated 70-120 minutes each.

Phase 3 modules (EI9-EI12) are governance-focused — they involve application auditing, access reviews, and lifecycle workflows. Estimated 60-90 minutes each.

Phase 4 modules (EI13-EI17) are the most advanced — EI13 (detection engineering) is the deepest technical module in the course, and EI17 (complete architecture) is the capstone that synthesizes everything. Estimated 60-120 minutes each.

How this course connects to the Ridgeline curriculum

This course does not exist in isolation. It is designed to work alongside the other Ridgeline courses, with explicit cross-references throughout:

Practical Incident Response is the companion course. This course teaches prevention; the IR course teaches investigation. Together, they provide end-to-end identity security capability. Specific connections: EI4 (CA stopping attacks) ↔ IR8 (identity compromise investigation), EI7 (token security) ↔ IR11 (Entra ID persistence), EI9 (app security) ↔ IR11 (service principal investigation), EI13 (detection rules) ↔ IR13-IR16 (investigation scenarios).

Microsoft 365 Security Operations covers the broader Defender XDR ecosystem. This course focuses on Entra ID specifically; the M365 SecOps course covers Defender for Endpoint, Defender for Office 365, Sentinel, and the unified investigation experience. EI16 (Defender XDR integration) is the bridge module.

Mastering KQL for Cybersecurity provides the query skills used throughout this course. EI1 teaches the KQL patterns specific to identity security, but learners who want deeper KQL fluency should take the dedicated KQL course.

SOC Operations provides the operational tooling — detection rule packs, playbooks, and templates — that complements the identity-specific detection rules built in EI13.

Practical GRC for Security Professionals provides the governance framework. EI12 (Identity Governance) produces the access review and lifecycle evidence that the GRC course teaches you to present to auditors and board members.

What you will build: module deliverables

This course does not just teach concepts — it produces deployable artifacts. By the time you complete each module, you will have created or configured something tangible. Here is what each module produces:

EI1 (Sign-In Logs) produces a personal KQL query library for identity security — the queries you will use daily to monitor sign-in activity, validate policies, and investigate anomalies. You will also build a documented sign-in baseline for your lab environment that establishes normal patterns.

EI2 (Authentication Methods) produces an authentication method migration plan — a phased roadmap for moving your organization from password-based authentication to phishing-resistant credentials, with specific timelines and communication templates.

EI3 (Conditional Access Architecture) produces a complete conditional access policy set — the specific policies your environment needs, designed with the Zero Trust framework, including emergency access procedures and named location configuration.

EI4 (Stopping Real Attacks) produces attack-specific policy additions — the conditional access configurations that stop AiTM, password spray, MFA fatigue, token theft, consent phishing, and legacy authentication exploitation. Each includes verification queries.

EI5 (Identity Protection) produces configured risk policies — user risk and sign-in risk policies tuned for your environment, with a documented triage workflow for the daily risky users review.

EI6 (PIM) produces a privileged access strategy — PIM configuration for all critical directory roles, activation requirements, and monitoring alerts for suspicious role activations.

EI7 (Token Security) produces a token protection deployment plan — the rollout methodology for binding tokens to devices, including the report-only analysis and phased enforcement strategy.

EI8 (CA Validation) produces a conditional access validation report — the evidence that every policy is working as designed, with gap analysis identifying users and applications not covered by any policy.

EI9 (Application Security) produces an application registration audit — every application in your tenant reviewed for excessive permissions, expired credentials, missing owners, and consent governance configuration.

EI10 (Workload Identity) produces a workload identity inventory — every service principal classified by authentication method, permissions, and monitoring coverage, with a remediation plan for those using client secrets.

EI11 (External Identities) produces a B2B access governance framework — cross-tenant access settings, conditional access policies for external users, and a guest user review process.

EI12 (Identity Governance) produces access review configurations and lifecycle workflow automation — recurring reviews for privileged roles and sensitive groups, plus automated onboarding and offboarding procedures.

EI13 (Detection Engineering) produces a complete identity detection rule library — KQL-based Sentinel analytics rules for every identity attack technique, each mapped to MITRE ATT&CK, with severity classifications and response actions.

EI14 (Monitoring) produces an operational monitoring framework — the daily, weekly, and monthly review procedures for identity security posture, plus a leadership reporting template.

EI15 (Backup/Recovery) produces a conditional access backup and identity resilience plan — exported policy configurations, recovery procedures, and a compromised tenant response runbook.

EI16 (Defender XDR) produces an integrated SOC workflow — the triage and escalation procedures for identity alerts in the unified Defender XDR incident queue.

EI17 (Complete Architecture) produces the final deliverable: a complete identity security architecture document for your environment — every policy, every configuration, every detection rule, every monitoring procedure assembled into a single deployable design with a 90-day implementation roadmap.

Every artifact is designed to be adapted for your production environment. The lab exercises create the artifact in the developer tenant; the worked examples show you how to adapt it for production deployment.

What this course does not cover

Setting expectations now prevents frustration later. This course focuses on Entra ID security — preventing, detecting, and responding to identity-based attacks in Microsoft 365 environments. It does not cover the following:

Entra ID administration. This course does not teach you how to create users, manage groups, configure SSO for applications, or set up directory synchronization. It assumes you already know how to perform basic Entra ID administration (or can learn it from Microsoft's documentation). If you are completely new to Entra ID, start with the M365 Security: From Admin to Defender course, which builds the administrative foundation this course builds on.

Incident investigation methodology. This course teaches you to prevent identity compromises and detect when prevention fails, but it does not teach you how to investigate a confirmed compromise end-to-end. That is the IR course's domain. The cross-references throughout this course tell you exactly which IR module covers the investigation side of each attack technique — so when you detect a compromised account, you know where to go for the investigation methodology.

Entra External ID and customer identity (CIAM). This course covers workforce identity — the users, administrators, and service principals in your organizational tenant. Customer-facing identity scenarios (Azure AD B2C, Entra External ID) have a different threat model, different controls, and different architecture considerations that are not covered here.

On-premises Active Directory security in depth. While the hybrid identity section in EI0.1 describes the attack paths that span on-premises and cloud environments, and EI16 covers Defender for Identity integration, this course does not provide comprehensive on-premises AD hardening or attack detection. The IR course covers on-premises forensics in Phases 2-3 (IR3-IR7).

Network security and endpoint security. Conditional access evaluates device compliance and network location as signals, but the configuration of endpoint protection (Defender for Endpoint) and network security (firewalls, proxies, Global Secure Access) is covered in the M365 Security Operations course and SOC Operations course respectively.

Try it yourself

Try It — Plan Your Learning Path

Exercise: Based on your current role and the recommended paths above, write down your planned module sequence. For each module, note the estimated time and the week you plan to complete it. A realistic pace is 2-3 modules per week at 2-3 hours per week of study time.

If you are unsure which path fits your role, start with the full course in order — the module sequence is designed so that each module builds naturally on the previous ones.

⚠ Compliance Myth: "I only need the modules that map to my certification objectives"

The myth: I am preparing for the SC-200 exam. I only need the modules that cover SC-200 exam objectives and can skip the rest.

The reality: This course is not designed as certification prep — it is designed to build operational identity security capability. Certification exams test knowledge of features and configuration options. This course teaches you to design defenses against specific attacks, verify they work, and detect when they fail. The skills overlap with SC-200 and SC-300 objectives but go significantly deeper in operational methodology. If your goal is certification, the M365 Security Operations course is more directly aligned with SC-200. If your goal is defending identity in production — which is what makes you effective at the job the certification qualifies you for — this course provides the depth that certifications cannot.

Decision point

You are reviewing NE's Entra ID security posture. You find 4 accounts with Global Administrator role, but NE's policy says maximum 2. The extra 2 were added during the AiTM incident for emergency response and never removed. Do you remove them?

Remove them — but through the proper process, not unilaterally. Notify the account owners that their emergency GA assignment is being revoked, confirm they have their standard role assignments restored, and document the removal with the rationale ('emergency assignment during INC-NE-2026-0227-001, no longer required'). Then add a PIR action item: 'Implement PIM time-limited role assignments for future incident response — emergency GA assignments auto-expire after 8 hours rather than persisting indefinitely.' The stale emergency assignment is a governance failure, not a technical failure — the fix is procedural.

NE's Entra ID security audit reveals: 4 Global Administrators (policy says 2), 23 users with Global Reader from a completed project, a break-glass account with no monitoring rule, and 3 guest accounts with no expiry date. Which finding is the highest priority?

  • The 4 Global Administrators — 2 extra GAs doubles the attack surface.
  • The break-glass account with no monitoring rule. The 4 GAs and stale Global Readers are governance issues that should be remediated — but they are existing conditions, not active threats. The unmonitored break-glass account is a critical detection gap: if the break-glass account is compromised or misused, the SOC has no alert. A break-glass account is excluded from CA policies by design — it is the most powerful and least restricted account in the tenant. Without monitoring, its compromise or misuse is invisible. Deploy the monitoring rule (any sign-in to the break-glass account = Severity 1 alert) before addressing the other findings.
  • The 23 stale Global Readers — this is the largest number of affected accounts.
  • The 3 guest accounts — external accounts without expiry are the highest risk.
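The break-glass finding above turns on one rule: any sign-in attempt by a break-glass account is a Severity 1 alert, and a break-glass account that no rule watches is a detection gap. The following Python is an added illustration of that logic and is not code from the course or its lab pack. It runs the rule over constructed sign-in records shaped like a handful of Entra ID SigninLogs columns (TimeGenerated, UserPrincipalName, ResultType, IPAddress, AppDisplayName) and then checks which break-glass accounts the deployed rule set actually covers. The account names, IP addresses, rule names and the `DEPLOYED_RULES` structure are all made-up assumptions for the example; in Sentinel the same detection would be a KQL analytics rule over SigninLogs.

```python
"""Break-glass account monitoring: the detection gap from the audit scenario.

Added illustration, not course material. Every sign-in attempt by a
break-glass account is raised as a Severity 1 alert, and any break-glass
account with no watching rule is reported as a detection gap.
"""
from dataclasses import dataclass

# Constructed sign-in records (assumption: a subset of Entra ID SigninLogs columns).
# ResultType "0" is a successful sign-in; 50126 is an invalid-credential failure.
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2026-02-27T03:12:44Z", "UserPrincipalName": "bg-emergency01@ne.example",
     "ResultType": "0", "IPAddress": "203.0.113.10", "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": "2026-02-27T08:05:10Z", "UserPrincipalName": "alice@ne.example",
     "ResultType": "0", "IPAddress": "198.51.100.23", "AppDisplayName": "Office 365 Exchange Online"},
    {"TimeGenerated": "2026-02-27T22:41:03Z", "UserPrincipalName": "BG-Emergency02@ne.example",
     "ResultType": "50126", "IPAddress": "203.0.113.77", "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": "2026-02-28T09:00:00Z", "UserPrincipalName": "bob@ne.example",
     "ResultType": "50126", "IPAddress": "198.51.100.40", "AppDisplayName": "Microsoft Teams"},
]

# Constructed: the tenant's break-glass accounts.
BREAK_GLASS_ACCOUNTS = ["bg-emergency01@ne.example", "bg-emergency02@ne.example"]

# Constructed: what the SOC currently has deployed (hypothetical rule shape).
# Only one break-glass account is watched, which is the gap the audit finding describes.
DEPLOYED_RULES = [
    {"name": "Break-glass sign-in (emergency01)", "severity": 1,
     "watch_accounts": ["bg-emergency01@ne.example"]},
    {"name": "Password spray burst", "severity": 2, "watch_accounts": []},
]


@dataclass(frozen=True)
class Alert:
    severity: int
    account: str
    time: str
    ip: str
    outcome: str  # "success" or "failure:<ResultType>"


def detect_break_glass_signins(records, break_glass):
    """Raise a Severity 1 alert for every sign-in attempt by a break-glass account.

    Failed attempts are alerted as well: an attempt against the least-restricted
    account in the tenant matters whether or not it succeeded. The UPN comparison
    is case-insensitive because the log keeps whatever case the client sent.
    """
    watched = {a.lower() for a in break_glass}
    alerts = []
    for rec in records:
        upn = rec.get("UserPrincipalName", "").lower()
        if upn not in watched:
            continue
        result = rec.get("ResultType", "")
        outcome = "success" if result == "0" else f"failure:{result}"
        alerts.append(Alert(1, upn, rec["TimeGenerated"], rec.get("IPAddress", ""), outcome))
    return alerts


def unmonitored_break_glass(break_glass, rules):
    """Return the break-glass accounts that no deployed rule watches (the detection gap)."""
    covered = set()
    for rule in rules:
        covered.update(a.lower() for a in rule.get("watch_accounts", []))
    return sorted(a for a in break_glass if a.lower() not in covered)


if __name__ == "__main__":
    for gap in unmonitored_break_glass(BREAK_GLASS_ACCOUNTS, DEPLOYED_RULES):
        print(f"DETECTION GAP: no rule watches {gap}")
    for alert in detect_break_glass_signins(SAMPLE_SIGNINS, BREAK_GLASS_ACCOUNTS):
        print(f"SEV{alert.severity} {alert.time} {alert.account} from {alert.ip}: {alert.outcome}")
```

Run as-is, the coverage check reports the second break-glass account as unwatched, and the detection pass raises two Severity 1 alerts: the successful portal sign-in by the first account and the failed attempt against the second. The coverage check is the part worth automating in a real tenant, because a rule that was never deployed for a newly created break-glass account fails silently.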

You've mapped the identity threat landscape and learned to read sign-in logs.

EI0 established that every cloud attack starts with identity. EI1 took you through the signal that matters most — interactive, non-interactive, service principal, and managed identity sign-ins. Now you engineer the defences.

  • 17 engineering modules — authentication methods, conditional access architecture, Identity Protection, PIM, token protection, application governance, and detection rules
  • The Defense Design Method — the six-step framework applied to every identity control you'll build
  • EI18 Capstone — Identity Security Architecture Design — design complete identity architectures for three realistic organisations (SMB, mid-market, regulated enterprise)
  • Identity Security Toolkit lab pack — deployable conditional access policies, PIM configurations, and Identity Protection risk rules
  • Cross-domain detection (EI16) — email-to-identity correlation and the full phishing-to-inbox-rule attack chain