Course Introduction

5 hours · Module 0 · Free

What this course is

This is a practical M365 security architecture course built on a four-stage cycle: design the control, justify the decision, implement it in your tenant, then validate it works against real attack techniques. Fifteen modules take you from Entra ID identity architecture through authentication strategy, Conditional Access design, privileged access, data protection, endpoint security, email defense, Sentinel workspace design, detection architecture, incident response architecture, Defender XDR operations, identity governance, compliance mapping, and a capstone that assembles everything into a portfolio-grade architecture package.

The pedagogy is direct. Design it, defend the decision, build it, break-test it. Every module follows the same cycle. You analyze an architectural problem that includes the constraints real environments have — legacy applications that break modern authentication, executive exceptions to Conditional Access, E3 licensing that blocks E5 features, shared service accounts with no MFA, third-party integrations demanding excessive permissions. You design a solution that works within those constraints. You document the decision as an Architecture Decision Record — context, decision, alternatives rejected, consequences, residual risk, and the 30-second version you'd give your CISO. You implement the solution in your M365 developer tenant. Then you validate it — run the attack simulation, attempt the policy bypass, collect the audit evidence. If the control fails the validation, you find out in your lab, not in production.

The course is the answer to the question every M365 security practitioner faces: when the CISO asks why you chose this Conditional Access design over that one, when the auditor asks for evidence that your controls map to ISO 27001 Annex A, when the board asks what risk the organization accepts — the answer is the architecture package this course teaches you to build. Not a list of settings. A documented set of connected decisions with reasoning, dependencies, trade-offs, and business justification.

By course end, you have thirty or more Architecture Decision Records, completed decision matrices for every major trade-off, a risk register linking every gap to residual risk, and an executive summary you can present to leadership. Built on your own tenant.

The environment you'll build

The course builds a complete M365 security architecture across a developer tenant and Azure subscription. This is the environment you'll design, implement, and validate against — module by module, control by control.

[Figure MSA0, diagram text recovered from the image:]
MSA COURSE LAB — M365 SECURITY ARCHITECTURE
Identity Layer (M1–M4): Entra ID Tenant (users, groups, roles, AUs, PIM, lifecycle workflows); Authentication (FIDO2, passkeys, CBA, auth strength, token protection); Conditional Access (persona model, tiered policies, hybrid CA, break-glass); Privileged Access (PIM, PAW, service principals, Copilot governance).
Protection Layer (M5–M7): Data Protection with Purview (sensitivity labels, DLP, retention, insider risk, information barriers); Endpoint Security with Intune + MDE (compliance policies, config baselines, MAM/MDM, ASR, device trust); Email + Collaboration (MDO, anti-phishing, SPF/DKIM/DMARC, Teams/SharePoint controls).
Detection + Response Layer (M8–M11): Sentinel Workspace (connectors, log tiers, RBAC, cost modeling); Detection Rules (identity, privilege, exfil, tuning, false-positive management); Incident Response (playbooks, automation, containment, evidence); Defender XDR (cross-domain correlation, auto investigation, orchestration).
Governance + Capstone (M12–M14): Identity Governance (access reviews, entitlements, lifecycle, workload identity); Posture + Compliance (Secure Score, ISO 27001, SOC 2 mapping, maturity roadmap, executive comms); Capstone (Full NE Architecture Package, 30+ ADRs, board presentation).
Built progressively on an M365 E5 developer tenant + Azure subscription. Each module adds to the architecture.
Figure MSA0 — The complete M365 security architecture you build across this course. Four layers, fifteen modules, one coherent architecture package. The developer tenant and Azure subscription are yours to keep — use them for ongoing architecture work after the course.

What this course teaches

Fifteen modules across four phases. MSA0 and MSA1 are free — no account required.

Phase 1 — Identity Foundation (MSA0–MSA3). You are here now. MSA0 establishes architecture thinking — what security architecture means in M365, how to write Architecture Decision Records, how to think about design from the attacker's perspective, and your tenant baseline assessment. MSA1 covers Entra ID identity architecture — tenant design, identity types and their attack surfaces, hybrid identity decisions, directory structure, the identity lifecycle, and the governance foundations that prevent chaos at scale. MSA2 covers authentication architecture — every method ranked by phishing resistance (not by Microsoft's marketing), passwordless strategy, legacy authentication elimination, service account authentication, token protection and theft prevention. MSA3 covers Conditional Access architecture — persona-based policy design methodology, the baseline policy set, tiered access, device-based policies, break-glass accounts, policy lifecycle, exception management, hybrid CA reality including Cloud Kerberos Trust and seamless SSO gaps.

Phase 2 — Protection Stack (MSA4–MSA7). Four modules covering the protection controls that sit on top of the identity foundation. Privileged access architecture — Entra ID roles, PIM design, PAW strategy, service principal governance, cross-tenant privilege, and securing Microsoft Copilot and AI workloads (MSA4). Data protection architecture — sensitivity label taxonomy design, DLP policy architecture, information barriers, retention and records management, insider risk (MSA5). Endpoint security architecture — device trust as an identity signal, compliance policies by platform, configuration baselines, MAM-only BYOD strategy, Defender for Endpoint integration, Autopilot (MSA6). Email and collaboration security architecture — EOP and Defender for Office 365, anti-phishing policies, SPF/DKIM/DMARC, Teams and SharePoint security (MSA7).

Phase 3 — Detection and Response (MSA8–MSA11). Four modules building the operational layer. Sentinel workspace architecture — workspace design, connector selection, log retention tiers with real cost modeling, RBAC (MSA8). Detection architecture — detection philosophy, analytics rule design, identity-based detection patterns, privileged activity monitoring, data exfiltration detection, alert tuning (MSA9). Incident response architecture — playbook design, automated response, containment architecture, evidence preservation (MSA10). Defender XDR as the security operations fabric — cross-domain correlation, automated investigation design, custom detection rules across the unified schema, incident orchestration, Sentinel coexistence architecture (MSA11).

Phase 4 — Governance and Capstone (MSA12–MSA14). Three modules closing the loop. Identity governance architecture — access reviews that actually find problems, entitlement management, lifecycle workflows, workload identity governance (MSA12). Security posture and compliance architecture — Secure Score as an honest feedback signal, control mapping to ISO 27001/SOC 2/NIST CSF/Cyber Essentials, Compliance Manager design, maturity roadmaps, communicating security architecture to leadership (MSA13). Capstone — assembling the complete architecture package, defending it in a simulated review, end-to-end threat model, executive presentation, and planning for what changes next quarter (MSA14).

Study the course linearly. Every module builds on the one before — authentication architecture (MSA2) shapes Conditional Access design (MSA3), Conditional Access consumes endpoint trust (MSA6), detection architecture (MSA9) monitors what the protection stack (MSA4–MSA7) is supposed to prevent. The connections between modules are the architecture.

Who this course is for

Anyone who wants to learn how to design and defend M365 security architecture.

M365 administrator who's been given security responsibility. You can configure MFA, Conditional Access, and Defender policies. You can't explain why one configuration is better than another, or present that case to your CISO when they ask why you chose this design over the alternative. This course gives you the reasoning behind the configuration — and the documentation to prove it was deliberate.

Security engineer moving from reactive to proactive. You handle alerts and incidents. You've noticed that the same architectural gaps cause repeated incidents — the same Conditional Access exclusion, the same unmonitored service account, the same DLP coverage gap. You want to design the controls that prevent incidents instead of investigating them after they happen. This course is that transition.

SOC analyst or IR practitioner who keeps investigating the same types of compromise. You've worked identity compromise incidents and thought "this should have been prevented by architecture, not caught by detection." This course is the companion to Practical Incident Response — that course investigates when controls fail, this course designs the controls.

IT manager or security lead who needs to present decisions to leadership. You need to explain to the board why the organization should invest in E5 licensing, why Conditional Access exceptions create risk, why the current authentication strategy is insufficient. This course teaches you to build the business case — not just the technical configuration — with Architecture Decision Records, decision matrices, and executive communication templates.

Anyone transitioning into cloud security architecture. Whatever your background — network security, development, compliance, IT management, or another domain — if the subject interests you and you're willing to put in the work, this course is for you. Backgrounds vary. Motivation is what matters.

What makes this course different

Three things separate this course from every other M365 security course on the market.

The messy middle. Every module addresses the constraints that real environments have. Legacy applications that break modern authentication and need Conditional Access exceptions. E3 licensing that blocks E5-only features. Executive resistance to MFA. Shared service accounts that vendors refuse to update. Third-party integrations demanding app-only permissions with excessive scopes. The course doesn't just teach the ideal configuration — it teaches what to do when you can't implement the ideal, how to document the residual risk, and how to build a roadmap from where you are to where you should be. Every module includes a "Security on a Budget" callout comparing E3 and E5 capabilities, and an anti-pattern box showing a mistake most tenants make and why it fails.

Architecture Decision Records. Every significant design decision is documented as an ADR — context, decision, alternatives rejected, consequences, and the 30-second version you'd give your CISO. These aren't academic exercises. They're the exact documentation your auditor wants to see when they ask "how did you decide this?" and the exact artifact your successor needs when they inherit your tenant. By course end, you have thirty or more ADRs covering every layer of the M365 security stack.

Validation, not trust. Every module's implementation is tested. The authentication architecture gets an AiTM simulation. The Conditional Access framework gets a bypass attempt. The DLP policies get a data exfiltration test. The detection rules get attack simulations. You don't deploy controls and assume they work. You deploy controls and prove they work — or discover they don't and fix them before an attacker does.

Prerequisites

One prerequisite. This course is designed to be accessible to anyone with basic M365 familiarity.

M365 administration experience. You should be able to navigate the Entra admin center, the Microsoft 365 admin center, and the Defender portal. You should know what Conditional Access policies are, even if you haven't designed a comprehensive framework. You should be comfortable creating users and assigning licenses. If you've administered an M365 tenant for six months, you have the context you need.

Nothing else is required. No security certifications, no PowerShell expertise, no prior architecture experience. The course teaches security architecture from first principles — every concept is explained at the point of use. If you've completed Admin to Defender, you have more than enough foundation.

Lab environment

You need an M365 E5 developer tenant (free for eligible developers) and an Azure subscription (pay-as-you-go). MSA0.6 walks you through setup and shows you how to model and cap the monthly cost; realistic figures are given below.

M365 E5 Developer Tenant. Free tenant with 25 E5 user licenses for non-production development and learning. Provides Entra ID, Exchange Online, SharePoint, Teams, Defender XDR, Purview, Intune — everything the course uses. Sign up at developer.microsoft.com/microsoft-365/dev-program. Setup takes about thirty minutes. Note that Microsoft has tightened eligibility for the developer sandbox since 2024 (it is tied to Visual Studio Enterprise subscriptions and partner programs), so check the program page for current requirements before planning your lab.

Azure Subscription. Pay-as-you-go for the Sentinel workspace and Log Analytics. Azure offers $200 of free credit on new accounts. Realistic cost during active course progression: $19–32 per month. After the course, when you're not actively ingesting logs, ongoing cost drops below $12/month. MSA0.6 includes a cost modeling spreadsheet and techniques for keeping within budget.

Test accounts. Ten or more personas covering different roles, risk levels, and device types — created in MSA1 and used throughout the course for Conditional Access testing, PIM configurations, and attack simulations.

No hosted lab images. You build the environment yourself, module by module. This is deliberate — the architecture you design is the architecture you implement. By course end, you have a fully configured M365 security architecture in a tenant you own and can continue to use.

What you can skip: you don't need to set up anything before starting MSA0. The first module is architecture thinking — concepts, ADR methodology, and your tenant baseline assessment. Build your developer tenant when you reach MSA0.6.

How the course is structured

Every content sub follows a consistent delivery pattern designed around the four-stage architecture cycle.

Conceptual introduction. Every sub teaches what the topic IS — what it does, why it exists architecturally, and what problem it solves — before any command or portal step. You understand the concept before you see the implementation.

Portal-first, then command. Every configurable action includes the portal navigation as the primary instruction, with PowerShell following as the automation complement. You learn to work the way most organizations actually work — portal for configuration, PowerShell for verification and bulk operations.

Architecture section. The core content — the design, the reasoning, the alternatives considered, the trade-offs. Includes decision matrices where applicable and "Security on a Budget" callouts where licensing impacts the design. This section is 40–50% of the sub's word count.

Implementation and validation. Hands-on in your M365 tenant. Every implementation includes a verification step — query the API, confirm the setting is active. Then validate it works: attack simulation, policy bypass attempt, audit evidence collection.
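As an added illustration of the "query the API, confirm the setting is active" step (example code, not part of the course material): the script below uses the Microsoft Graph PowerShell SDK to list every Conditional Access policy with its enforcement state and checks that the break-glass accounts are excluded from each one. The two break-glass object IDs are placeholders you would replace with your tenant's emergency-access accounts; the script assumes the Microsoft.Graph module is installed and the signed-in account holds the Policy.Read.All scope.

```powershell
# Added example, not from the course: verify Conditional Access state via Microsoft Graph.
# Assumes Microsoft.Graph is installed and the caller can consent to Policy.Read.All.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

# Placeholder object IDs for the break-glass accounts (replace with your tenant's values).
$breakGlass = @(
    '00000000-0000-0000-0000-000000000001',
    '00000000-0000-0000-0000-000000000002'
)

# State values returned by Graph: enabled | disabled | enabledForReportingButNotEnforced
Get-MgIdentityConditionalAccessPolicy -All |
    ForEach-Object {
        $excluded = @($_.Conditions.Users.ExcludeUsers)
        $missing  = @($breakGlass | Where-Object { $_ -notin $excluded })

        [pscustomobject]@{
            Policy             = $_.DisplayName
            State              = $_.State
            BreakGlassExcluded = ($missing.Count -eq 0)
            MissingExclusions  = ($missing -join ', ')
        }
    } |
    Sort-Object State, Policy |
    Format-Table -AutoSize
```

Run it after each Conditional Access change: a policy still in report-only mode, or one that enforces against the break-glass accounts, shows up immediately in the table rather than during an outage.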

ADR. You write the Architecture Decision Record for the sub's design choice.

Reusable script. All commands from the sub assembled into a single operational script for production use.

Module completion pattern. Each module has content subs (five to thirteen depending on scope), a lab exercise, a guided walkthrough connecting cross-sub findings, a module summary, and a Check My Knowledge section with scenario-based questions.

Time per phase

The course is self-paced. No cohorts, no deadlines, no streaks.

Phase 1 (MSA0–MSA3): Three to four weeks at six to eight hours per week. MSA0 is architecture thinking and lab setup (5 hours). MSA1 is identity architecture (6–8 hours). MSA2 is authentication architecture (8–10 hours). MSA3 is Conditional Access — the densest module in the course (10–12 hours).

Phase 2 (MSA4–MSA7): Three to four weeks at the same pace. Four modules covering privileged access, data protection, endpoint security, and email/collaboration security.

Phase 3 (MSA8–MSA11): Three to four weeks. Four modules covering Sentinel, detection, incident response, and Defender XDR operations.

Phase 4 (MSA12–MSA14): Two to three weeks. Governance, compliance, and the capstone. Plan a full weekend for the capstone — assembling the architecture package and writing the executive presentation.

Full course at six to eight hours per week: twelve to sixteen weeks. The design-justify-implement-validate cycle means each module takes longer than a configuration-only course — budget time for the lab work, the ADR writing, and the validation testing. A learner who does two to three subsections per week makes steady progress and produces real artifacts throughout.

Start here

Go next to MSA0.1 — What Security Architecture Actually Is. It establishes the difference between configuring M365 security features and designing M365 security architecture — and why the difference is where attackers succeed. The three questions it teaches you to ask about every security setting in your tenant will change how you evaluate every configuration for the rest of the course.

After MSA0.1, the remaining MSA0 subsections cover the M365 security stack mapped as an architecture (MSA0.2), Architecture Decision Records methodology (MSA0.3), threat-informed architecture design (MSA0.4), your tenant baseline assessment (MSA0.5), lab setup and cost management (MSA0.6), and the architecture package structure you build across the course (MSA0.7).

Work through MSA0 in order. The ADR methodology from MSA0.3 and the baseline assessment from MSA0.5 are the foundation every subsequent module builds on.

You're reading the free modules of m365-security-architecture

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.
