MSA0.6 Lab Setup and Cost Management
You've set up Microsoft cloud services before — M365 tenants, Azure subscriptions, or both. You may have a developer tenant already. This sub walks the specific lab configuration this course requires, with particular attention to cost management — because an Azure subscription without budget controls can generate unexpected bills, and this course requires Azure resources for Sentinel and testing.
This course requires a working M365 E5 tenant and an Azure subscription with a Sentinel workspace. The developer tenant is free. The Azure resources are not — but with the right configuration, you can keep costs under $25/month for the duration of the course. This sub configures both environments and establishes the cost controls that prevent surprises.
Estimated time: 60 minutes.
The lab environment
The course lab consists of two connected environments: an M365 E5 developer tenant (free) and an Azure subscription (pay-as-you-go, estimated $12–25/month with the configuration below).
The developer tenant provides M365 E5 licensing for 25 users — enough to model four persona groups, admin roles, service accounts, guest users, and break-glass accounts. It includes every E5 feature: Entra ID P2, Defender for Endpoint P2, Defender for Office 365 P2, Purview premium capabilities, and PIM.
The Azure subscription provides the Log Analytics workspace that Sentinel runs on. Sentinel's cost is driven by data ingestion volume. For a lab with 25 users and minimal real activity, ingestion stays below 1 GB/day — well within the free tier for the first 31 days and under $6/month after that. The budget alert configuration below ensures you're notified before costs exceed your ceiling.
Step 1 — M365 developer tenant
Join the Microsoft 365 Developer Program at developer.microsoft.com/en-us/microsoft-365/dev-program. You need a Microsoft account (personal or work). The program provides:
- An M365 E5 subscription with 25 licenses, renewable every 90 days as long as you're actively developing
- Sample data packs that populate the tenant with realistic users, mail, calendar events, and SharePoint content — useful for testing DLP and sensitivity label policies against real-looking data
- Full admin access to every M365 service, including Entra ID, Defender, Purview, Intune, and the Compliance portal
After creating the tenant, install the Users sample data pack. This creates 16 fictitious users with mail, calendar, and Teams data. You'll supplement these with course-specific accounts in the next step.
If you can't get a developer tenant
Microsoft has restricted the Developer Program since early 2024. The free E5 sandbox now requires a Visual Studio Professional or Enterprise subscription, or membership in the Microsoft AI Cloud Partner Program. If you see "You don't currently qualify for a Microsoft 365 Developer Program sandbox subscription" when you try to join, you're affected by this restriction.
Three alternatives, in order of cost:
Option A — Visual Studio Dev Essentials (free). Sign up at visualstudio.microsoft.com/dev-essentials/, then re-join the M365 Developer Program using the same Microsoft account. Dev Essentials membership sometimes unlocks the sandbox provisioning where a standalone personal account doesn't. This doesn't work for everyone, but it costs nothing to try and takes 5 minutes.
Option B — Microsoft 365 Business Premium trial, then single license ($22/user/month). Start a 30-day free trial at microsoft.com/en-us/microsoft-365/business/microsoft-365-business-premium. Business Premium includes Entra ID P1, Conditional Access, Intune, and Defender for Office 365. It covers Modules 1–7 of this course (identity, authentication, CA, privilege, data protection, endpoint, email). It does not include Entra ID P2 (Identity Protection, PIM), Defender for Endpoint P2, Purview premium, or the full Sentinel integration — those require E5. After the trial, a single-user license continues at approximately $22/month. If you take this option, the commands throughout the course that require P2 features will note where the feature is unavailable. You can still learn the architecture reasoning and design decisions; the hands-on configuration for P2-dependent features (PIM activation policies, risk-based CA, auto-labelling) won't execute in your environment.
Option C — Pay-as-you-go M365 E5 license ($57/user/month). Purchase a single E5 license at microsoft.com/en-us/microsoft-365/enterprise/e5. This is the full stack — Entra ID P2, Defender XDR, Purview premium, Intune, PIM, Identity Protection, and every feature the course uses. At $57/month for one user, it's more expensive than the free developer tenant but significantly cheaper than any instructor-led training. You can cancel after completing the course. This option gives you the complete hands-on experience for every module.
For Sentinel (Modules 8–11), you need an Azure subscription regardless of which M365 option you choose. Azure offers $200 free credit for new accounts, which covers several months of a dev-scale Sentinel workspace. The Sentinel configuration in Step 3 below applies to all three options.
Which option should you choose? If you can get the developer tenant (directly or via Option A), use it — it's free and includes everything. If you can't, and budget matters, start with Option B — it covers more than half the course and you can upgrade to E5 later if you want the full experience. If you want the complete course experience from day one and can absorb the cost, Option C is the most straightforward path.
Verify the tenant is working:
```powershell
Connect-MgGraph -Scopes "User.Read.All" -TenantId "your-dev-tenant-id"
Get-MgUser -All | Select-Object DisplayName, UserPrincipalName, AccountEnabled |
    Format-Table -AutoSize
```

You should see the sample users plus your admin account. If the command fails with a consent error, navigate to the Entra admin center → Enterprise applications → Microsoft Graph → Permissions, and grant admin consent for the scopes you need.
Step 2 — Test accounts
Create the accounts that represent the persona groups used throughout the course. These are the identities you'll use for CA policy testing, PIM configuration, attack simulation, and sign-in log analysis.
```powershell
# Connect with User.ReadWrite.All and Directory.ReadWrite.All
Connect-MgGraph -Scopes "User.ReadWrite.All","Directory.ReadWrite.All"

# Create test persona accounts
$password = @{
    Password                      = 'TempP@ss2026!NE'
    ForceChangePasswordNextSignIn = $false
}

$testUsers = @(
    @{ Display = "Test CISO";          UPN = "test-ciso";      Title = "CISO";               Dept = "Security" }
    @{ Display = "Test Architect";     UPN = "test-architect"; Title = "Security Architect"; Dept = "Security" }
    @{ Display = "Test SOC Analyst 1"; UPN = "test-soc1";      Title = "SOC Analyst L1";     Dept = "Security" }
    @{ Display = "Test SOC Analyst 2"; UPN = "test-soc2";      Title = "SOC Analyst L1";     Dept = "Security" }
    @{ Display = "Test IT Director";   UPN = "test-itdir";     Title = "IT Director";        Dept = "IT" }
    @{ Display = "Test GRC Analyst";   UPN = "test-grc";       Title = "GRC Analyst";        Dept = "Security" }
    @{ Display = "SVC-CRM-Sync";       UPN = "svc-crm";        Title = "Service Account";    Dept = "IT" }
    @{ Display = "SVC-ERP";            UPN = "svc-erp";        Title = "Service Account";    Dept = "IT" }
    @{ Display = "Break Glass 01";     UPN = "bg01";           Title = "Emergency Access";   Dept = "IT" }
    @{ Display = "Break Glass 02";     UPN = "bg02";           Title = "Emergency Access";   Dept = "IT" }
)

# Use the tenant's default verified domain for the UPN suffix
$domain = (Get-MgOrganization).VerifiedDomains |
    Where-Object { $_.IsDefault } | Select-Object -ExpandProperty Name

foreach ($u in $testUsers) {
    New-MgUser -DisplayName $u.Display `
        -UserPrincipalName "$($u.UPN)@$domain" `
        -MailNickname $u.UPN `
        -PasswordProfile $password `
        -AccountEnabled `
        -JobTitle $u.Title `
        -Department $u.Dept
}
```

After creation, create the security groups that represent the persona model: four persona groups plus two Conditional Access exclusion groups. These groups will be the targets for every CA policy you build from MSA3 onward:
```powershell
$groups = @(
    @{ Name = "SG-Persona-Standard";    Desc = "Standard users — all employees not in other persona groups" }
    @{ Name = "SG-Persona-Finance";     Desc = "Finance department — elevated data sensitivity" }
    @{ Name = "SG-Persona-Executive";   Desc = "Senior leadership — highest risk targets" }
    @{ Name = "SG-Persona-ITAdmin";     Desc = "IT and Security — privileged access population" }
    @{ Name = "CA-Exclude-MFA";         Desc = "MFA exclusion group — document every member in an ADR" }
    @{ Name = "CA-Exclude-LegacyAuth";  Desc = "Legacy auth exception — SMTP service accounts pending migration" }
)

foreach ($g in $groups) {
    # Security-only groups (not mail-enabled, no unified/dynamic group types)
    New-MgGroup -DisplayName $g.Name -Description $g.Desc `
        -MailEnabled:$false -MailNickname $g.Name `
        -SecurityEnabled -GroupTypes @()
}
```

Assign the test accounts to their groups. Add the IT Director test account and the service accounts to the MFA exclusion group — you'll remediate this in MSA2 and MSA3, but the starting state needs to mirror common real-world gaps.
Step 3 — Azure subscription and Sentinel workspace
Create an Azure subscription if you don't have one. A pay-as-you-go subscription requires a credit card but charges only for resources consumed. For this course, the primary cost driver is Sentinel data ingestion.
Create the Log Analytics workspace and enable Sentinel:
```powershell
# Install Az modules if needed
# Install-Module Az.OperationalInsights, Az.SecurityInsights
Connect-AzAccount

$rg = New-AzResourceGroup -Name "rg-msa-lab" -Location "uksouth"

$workspace = New-AzOperationalInsightsWorkspace `
    -ResourceGroupName $rg.ResourceGroupName `
    -Name "law-msa-sentinel" `
    -Location "uksouth" `
    -Sku "PerGB2018" `
    -RetentionInDays 90

# Enable Sentinel on the workspace
New-AzSentinelOnboardingState `
    -ResourceGroupName $rg.ResourceGroupName `
    -WorkspaceName $workspace.Name `
    -Name "default"
```

The PerGB2018 SKU charges per GB ingested. First 5 GB/day is included in the Log Analytics pricing (free tier). For a lab tenant with 25 users, daily ingestion will be well under 1 GB unless you're running attack simulations.
Step 4 — Budget alerts
This is the step most lab setup guides skip — and the step that prevents bill shock. Configure an Azure budget alert that emails you when your forecast exceeds your ceiling:
```powershell
$budget = @{
    Name       = "MSA-Lab-Monthly-Ceiling"
    Amount     = 30          # USD — adjust to your comfort level
    TimeGrain  = "Monthly"
    TimePeriod = @{
        StartDate = (Get-Date -Day 1).ToString("yyyy-MM-dd")
        EndDate   = (Get-Date -Day 1).AddMonths(6).ToString("yyyy-MM-dd")
    }
    Notification = @{
        "ForecastExceeds80" = @{
            Enabled       = $true
            Operator      = "GreaterThan"
            Threshold     = 80
            ThresholdType = "Forecasted"
            ContactEmails = @("your-email@example.com")
        }
        "ActualExceeds100" = @{
            Enabled       = $true
            Operator      = "GreaterThan"
            Threshold     = 100
            ThresholdType = "Actual"
            ContactEmails = @("your-email@example.com")
        }
    }
}
```

Set this up through the Azure portal under Cost Management + Billing → Budgets if you prefer the UI. The two alerts are: a forecasted alert at 80% (warns you before you hit the ceiling) and an actual alert at 100% (notifies you if charges reach the full budget). Set the ceiling to whatever you're comfortable with — $25–35/month covers the entire course for most learners.
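The budget definition above is a data structure only; nothing deploys it. As an added example (not from the course page), the block below pushes the same two-notification budget to the subscription with New-AzResource, using the property names of the Microsoft.Consumption/budgets ARM resource. The API version and the contact address are assumptions to adjust before running.

```powershell
# Added example: create the Step 4 budget without the portal.
Connect-AzAccount
$subscriptionId = (Get-AzContext).Subscription.Id
$contact        = "your-email@example.com"     # placeholder, replace with your address
$budgetName     = "MSA-Lab-Monthly-Ceiling"
$apiVersion     = "2023-05-01"                 # assumed; Forecasted thresholds need 2021-10-01 or later

# ARM property names are camelCase; values mirror the $budget hashtable in Step 4
$properties = @{
    category   = "Cost"
    amount     = 30                            # USD ceiling
    timeGrain  = "Monthly"
    timePeriod = @{                            # startDate must be the first of a month
        startDate = (Get-Date -Day 1).ToString("yyyy-MM-dd")
        endDate   = (Get-Date -Day 1).AddMonths(6).ToString("yyyy-MM-dd")
    }
    notifications = @{
        ForecastExceeds80 = @{
            enabled       = $true
            operator      = "GreaterThan"
            threshold     = 80                 # percent of amount
            thresholdType = "Forecasted"
            contactEmails = @($contact)
        }
        ActualExceeds100 = @{
            enabled       = $true
            operator      = "GreaterThan"
            threshold     = 100
            thresholdType = "Actual"
            contactEmails = @($contact)
        }
    }
}

# Budgets are subscription-scoped extension resources, so the ID has no resource group
$resourceId = "/subscriptions/$subscriptionId/providers/Microsoft.Consumption/budgets/$budgetName"
New-AzResource -ResourceId $resourceId -Properties $properties -ApiVersion $apiVersion -Force | Out-Null

# Confirm the amount and both notification keys landed
$deployed = Get-AzResource -ResourceId $resourceId -ApiVersion $apiVersion -ExpandProperties
$deployed.Properties.amount
$deployed.Properties.notifications.PSObject.Properties.Name   # ForecastExceeds80, ActualExceeds100
```

Re-running the block updates the existing budget in place, which is how you raise or lower the ceiling later in the course.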
Step 5 — Verify foundational services
Before moving to MSA0.7, verify that the services you'll configure throughout the course are accessible:
```powershell
# Entra ID — CA policies accessible?
Connect-MgGraph -Scopes "Policy.Read.All"
(Get-MgIdentityConditionalAccessPolicy).Count
# Should return 0 (clean tenant) or a small number (sample policies)

# Intune — device management accessible?
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All"
Get-MgDeviceManagementDeviceCompliancePolicy | Measure-Object
# Should return 0 on a clean tenant

# Authentication strength policies — built-ins present?
Get-MgPolicyAuthenticationStrengthPolicy | Select-Object DisplayName
# Should return MFA, Passwordless MFA, Phishing-resistant MFA

# Sentinel — workspace reachable?
Get-AzSentinelOnboardingState -ResourceGroupName "rg-msa-lab" `
    -WorkspaceName "law-msa-sentinel"
# Should return the onboarding state
```

If any of these fail, check your license assignment (ensure E5 is assigned to your admin account), your Graph permissions (re-consent if needed), and your Azure subscription state.
Cost model for the course
Estimated monthly costs depend on which lab option you're using:
| Component | Developer Tenant | Business Premium | E5 Single Licence |
| --- | --- | --- | --- |
| M365 license | $0 (free) | $22/month | $57/month |
| Azure Log Analytics (Sentinel) | $5–15 | $5–15 | $5–15 |
| Azure budget alerts | $0 | $0 | $0 |
| Defender for Endpoint testing | $0 (E5 included) | Not included (P1) | $0 (E5 included) |
| Attack simulation training | $0 (E5 included) | Not included | $0 (E5 included) |
| Total estimated | $5–20/month | $27–37/month | $62–72/month |

The developer tenant is the clear winner on cost. If you're using Option B (Business Premium), Modules 1–7 are fully hands-on. Modules 8–11 (Sentinel and detection) work with any option as long as you have the Azure subscription. Modules 4 and 12 (PIM and governance) require P2 features that Business Premium doesn't include — you'll follow the NE worked examples for those sections.
The primary cost variable is Sentinel ingestion. During modules where you're not actively generating telemetry (MSA1, MSA0, MSA12–14), ingestion will be minimal. During detection modules (MSA8–11), ingestion increases when you enable additional data connectors. The budget alert protects you if ingestion spikes unexpectedly.
If cost is a hard constraint, you can pause the Sentinel workspace between modules — disable it and re-enable when you reach MSA8. The M365 tenant remains free regardless.
Before moving on, verify your understanding:
- Verify your developer tenant is working by listing all users with Get-MgUser -All. Confirm you see both the sample data pack users and the test persona accounts you created.
- Verify your Sentinel workspace is accessible by running Get-AzSentinelOnboardingState. If this fails, check that Sentinel was enabled on the workspace (not just the Log Analytics workspace itself).
Reusable script — the commands from this sub assembled for operational use:
Run each command from Step 5 and record the results. You should have:
- M365 E5 developer tenant with 25+ user accounts (sample pack + test personas)
- Four persona security groups created and populated
- MFA exclusion group with Test IT Director and service accounts (intentional starting state)
- Azure subscription with Log Analytics workspace and Sentinel enabled
- Budget alert configured at your ceiling
- All foundational services (CA, Intune, authentication strength, Sentinel) returning valid responses
If any item fails, resolve it before moving to MSA0.7. The course assumes this environment is functional from MSA1 onward.
You're reading the free modules of m365-security-architecture