EI0 Module Summary

50-70 minutes · Module 0 · Free

Module summary

EI0 established the complete foundation for identity security. Here is what you now understand across all ten subsections:

Identity is the primary attack surface (EI0.1). The network perimeter model is gone. In cloud environments, every access decision is made at the identity layer. The real-world breach walkthrough demonstrated how an AiTM attack progresses from phishing email to persistent access in under thirty minutes. The hybrid identity expansion showed how on-premises Active Directory and Entra Connect create additional attack paths.

Authentication is a multi-step flow with specific attack points (EI0.2). OAuth 2.0 and OIDC govern authentication to Microsoft 365. The flow produces authorization codes, access tokens, refresh tokens, and Primary Refresh Tokens — each stored in specific locations on different platforms, each with different theft methods and risk profiles. The FOCI mechanism means stealing a single Microsoft refresh token grants access to all Microsoft applications in the family.

Entra ID is a platform of interconnected security components (EI0.3). Conditional Access is the policy engine at the center. The components form a signal-and-enforcement chain where each feeds data to the others. The deployment priority sequence mirrors the course module order: authentication methods first, then conditional access, then Identity Protection, then PIM, then governance, then detection.

The Entra admin center is your operational interface (EI0.4). Four primary areas handle identity security. PowerShell and KQL provide programmatic access at scale. Six Entra ID roles provide graduated access from Security Reader through Global Administrator.

Seven attack techniques define the threat model (EI0.5): AiTM credential phishing, password spray, MFA fatigue, token theft and replay, consent phishing, privilege escalation, and workload identity abuse. Each has specific indicators, specific defenses, and specific course modules.

The identity kill chain maps the complete attack lifecycle (EI0.6): six stages from reconnaissance through data exfiltration. Each stage produces evidence in Entra ID logs and each has specific defensive controls. The kill chain response checklist ensures remediation covers every stage.

Zero Trust is the architectural framework (EI0.7). Verify explicitly, least privilege, and assume breach translate into specific Entra ID configurations. The maturity continuum provides a progression path from implicit trust through comprehensive control.

Real-world breaches reveal where controls fail (EI0.8). Three case studies demonstrated that breaches succeed because controls have specific gaps — not because controls are absent entirely. The common pattern: the defensive controls exist in the current license but are not deployed.

The lab environment is ready (EI0.9). M365 E5 developer tenant, Azure subscription with Sentinel, diagnostic settings routing logs, and sample users for exercises.

The course structure provides a clear learning path (EI0.10). Four phases, 18 modules, role-based recommended paths, and cross-course connections.

Authentication is a multi-step flow with specific attack points. OAuth 2.0 and OIDC govern how users authenticate to Microsoft 365. The flow produces authorization codes, access tokens, refresh tokens, and Primary Refresh Tokens — each with different lifetimes, different risk profiles, and different theft implications. Every identity attack targets a specific point in this flow, and every defense protects a specific point.

Entra ID is a platform of interconnected security components. Conditional Access is the policy engine at the center. Identity Protection provides the risk signals. Authentication Methods determine what attacks are possible. PIM governs privileged access. Token Protection binds tokens to devices. Identity Governance manages access lifecycle. Application and Workload Identity Security covers non-human identities. Sign-in logs and audit logs provide the telemetry. Defender XDR and Sentinel provide correlation and response.

Seven attack techniques define the threat model: AiTM credential phishing, password spray, MFA fatigue, token theft and replay, consent phishing, privilege escalation, and workload identity abuse. Each is defeated by a specific combination of controls that this course teaches you to design, deploy, and verify.

The Defense Design Method structures every defense. What attack does this stop → Where is the control configured → How should it be designed → How do you verify it works → What does failure look like → What do you do next. This six-step pattern applies to every control in every module.

What comes next

EI1: Sign-In Logs — Your Identity Telemetry. The sign-in log is the data source you will use in every subsequent module to verify that your controls are working. EI1 teaches you to read it fluently — every field, every authentication detail, every conditional access evaluation, every risk signal. By the end of EI1, you will be able to query sign-in logs to answer any identity security question about your environment.

EI2: Authentication Methods — Your First Line of Defense. The authentication method determines which attacks are possible against your users. EI2 covers the full hierarchy from passwords to phishing-resistant credentials and teaches you to plan and deploy a migration to stronger authentication across your organization.

These two free modules — EI0 and EI1 — give you the foundation. From EI2 onward, you build the conditional access architecture, configure Identity Protection, deploy PIM, implement token protection, govern applications and workload identities, build detection rules, and assemble the complete identity security architecture.

You've mapped the identity threat landscape and learned to read sign-in logs.

EI0 established that every cloud attack starts with identity. EI1 took you through the signal that matters most — interactive, non-interactive, service principal, and managed identity sign-ins. Now you engineer the defences.

  • 17 engineering modules — authentication methods, conditional access architecture, Identity Protection, PIM, token protection, application governance, and detection rules
  • The Defense Design Method — the six-step framework applied to every identity control you'll build
  • EI18 Capstone — Identity Security Architecture Design — design complete identity architectures for three realistic organisations (SMB, mid-market, regulated enterprise)
  • Identity Security Toolkit lab pack — deployable conditional access policies, PIM configurations, and Identity Protection risk rules
  • Cross-domain detection (EI16) — email-to-identity correlation and the full phishing-to-inbox-rule attack chain