PT1.7 M365 Developer Tenant Configuration
You've used Microsoft 365 — mail, Teams, SharePoint, or the admin centre. This sub creates a separate developer tenant you control completely. You'll never touch your employer's tenant. The dev tenant gives you Global Admin rights, E5 licences, and the freedom to run attack techniques without affecting real users or data.
Step 1: Join the Microsoft 365 Developer Program
Go to developer.microsoft.com/en-us/microsoft-365/dev-program.
Click "Join now". Sign in with a personal Microsoft account — not your work account. If you don't have a personal Microsoft account, create one at account.microsoft.com.
After signing in, you're asked to set up a developer sandbox:
- Country/Region — select yours
- Company — enter anything (e.g. "Purple Team Lab")
- Language — English
- Areas of interest — check any boxes (doesn't affect the tenant)
- Click Save
On the next screen, choose "Instant sandbox" (not "Configurable sandbox"). The instant sandbox comes pre-populated with 16 sample users and sample data — you'll add your own test users on top of these.
- Admin username — this becomes admin@yourname.onmicrosoft.com. Pick a short, memorable name.
- Admin password — set a strong password. This is the Global Admin for the entire tenant.
- Phone verification — enter a phone number for SMS verification.
After verification, the tenant provisions. This takes 1–2 minutes. You'll see a dashboard showing your subscription details:
Developer Tenant Summary
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Domain: yourname.onmicrosoft.com
Licences: 25 × Microsoft 365 E5 Developer
Admin: admin@yourname.onmicrosoft.com
Duration: 90 days (auto-renews if you use it)
Cost: Free
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

The E5 licence includes everything the course needs: Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps, Entra ID P2, and Purview.
Troubleshooting:
- "You are not eligible" — the developer program requires a personal Microsoft account. If you signed in with a work/school account, sign out and use a personal account.
- "Sandbox creation failed" — try again in a few hours. Microsoft occasionally throttles sandbox creation.
- Renewal: the tenant renews automatically every 90 days as long as you use it for development activity. Running course exercises counts as activity.
Step 2: Create test users
Open the Microsoft 365 Admin Centre. Sign in as admin@yourname.onmicrosoft.com.
Navigate to Users → Active users → Add a user.
Create four users matching the course's scenario personas. For each user:
- Click "Add a user"
- Fill in:
User 1:
First name: Tom
Last name: Ashworth
Display name: Tom Ashworth
Username: t.ashworth@yourname.onmicrosoft.com
Password: PurpleLab2026!
☐ Require user to change password at first sign-in ← UNCHECK THIS
- On the Product licences page, assign Microsoft 365 E5 Developer
- Click Next through the remaining pages → Finish adding
Repeat for:
User 2:
Name: Priya Sharma
Username: p.sharma
Password: PurpleLab2026!
User 3:
Name: Marcus Webb
Username: m.webb
Password: PurpleLab2026!
User 4:
Name: Elena Petrova
Username: e.petrova
Password: PurpleLab2026!

Assign the E5 Developer licence to each user.
Verification — confirm users exist via PowerShell:
# Install the Microsoft Graph module if not already installed
Install-Module Microsoft.Graph -Scope CurrentUser -Force
# Connect to the tenant
Connect-MgGraph -Scopes "User.Read.All" -TenantId "yourname.onmicrosoft.com"
# List users
Get-MgUser -All | Select-Object DisplayName, UserPrincipalName, AccountEnabled | Format-Table

DisplayName    UserPrincipalName                    AccountEnabled
-----------    -----------------                    --------------
Tom Ashworth   t.ashworth@yourname.onmicrosoft.com  True
Priya Sharma   p.sharma@yourname.onmicrosoft.com    True
Marcus Webb    m.webb@yourname.onmicrosoft.com      True
Elena Petrova  e.petrova@yourname.onmicrosoft.com   True
Admin          admin@yourname.onmicrosoft.com       True

If Connect-MgGraph fails, you may need to consent to the required permissions. The first connection prompts for admin consent — approve it.
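The four personas can also be created from PowerShell rather than clicked through one at a time. The script below is an added example, not part of the course page: it uses the Microsoft Graph PowerShell module already installed in the verification step, creates each user with the same password and with "change password at first sign-in" switched off, and assigns the E5 Developer licence. It assumes the licence SKU part number contains "DEVELOPERPACK" (check Get-MgSubscribedSku if the filter finds nothing) and uses "GB" as a placeholder usage location, which Microsoft requires before a licence can be assigned.

```powershell
# Added example (not from the course page): create the Step 2 personas with
# Microsoft Graph PowerShell and assign the E5 Developer licence to each.
# Assumptions: Microsoft.Graph module installed; the E5 Developer SKU's part
# number contains "DEVELOPERPACK"; usage location "GB" is a placeholder.

$TenantDomain = "yourname.onmicrosoft.com"   # replace with your tenant
$LabPassword  = "PurpleLab2026!"             # lab-only password from Step 2
$UsageLocation = "GB"                        # assumption: set to your own country code

# User.ReadWrite.All creates users, Organization.Read.All reads SKUs,
# Directory.ReadWrite.All assigns licences.
Connect-MgGraph -TenantId $TenantDomain `
    -Scopes "User.ReadWrite.All", "Organization.Read.All", "Directory.ReadWrite.All"

# The four scenario personas from Step 2.
$Personas = @(
    @{ Given = "Tom";    Surname = "Ashworth"; Alias = "t.ashworth" },
    @{ Given = "Priya";  Surname = "Sharma";   Alias = "p.sharma"   },
    @{ Given = "Marcus"; Surname = "Webb";     Alias = "m.webb"     },
    @{ Given = "Elena";  Surname = "Petrova";  Alias = "e.petrova"  }
)

# Locate the E5 Developer SKU and report how many seats are still free.
$Sku = Get-MgSubscribedSku |
    Where-Object { $_.SkuPartNumber -like "*DEVELOPERPACK*" } |
    Select-Object -First 1
if (-not $Sku) { throw "No E5 Developer SKU found; run Get-MgSubscribedSku and adjust the filter." }
$FreeSeats = $Sku.PrepaidUnits.Enabled - $Sku.ConsumedUnits
Write-Host "Using SKU $($Sku.SkuPartNumber): $FreeSeats seat(s) available"

foreach ($P in $Personas) {
    $Upn = "$($P.Alias)@$TenantDomain"

    # Skip personas that already exist so the script is safe to re-run.
    $User = Get-MgUser -Filter "userPrincipalName eq '$Upn'" -ErrorAction SilentlyContinue
    if ($User) {
        Write-Host "Exists:   $Upn"
    } else {
        $NewUser = @{
            AccountEnabled    = $true
            GivenName         = $P.Given
            Surname           = $P.Surname
            DisplayName       = "$($P.Given) $($P.Surname)"
            MailNickname      = $P.Alias
            UserPrincipalName = $Upn
            UsageLocation     = $UsageLocation
            # ForceChangePasswordNextSignIn = $false is the "UNCHECK THIS" box in Step 2.
            PasswordProfile   = @{ Password = $LabPassword; ForceChangePasswordNextSignIn = $false }
        }
        $User = New-MgUser @NewUser
        Write-Host "Created:  $Upn"
    }

    # Equivalent of the Product licences page: add the E5 Developer SKU if missing.
    $Assigned = (Get-MgUserLicenseDetail -UserId $User.Id).SkuId
    if ($Assigned -notcontains $Sku.SkuId) {
        Set-MgUserLicense -UserId $User.Id -AddLicenses @(@{ SkuId = $Sku.SkuId }) -RemoveLicenses @() | Out-Null
        Write-Host "Licensed: $Upn"
    }
}

# Verification: list just the lab personas, mirroring the page's Get-MgUser check.
$Personas | ForEach-Object { Get-MgUser -UserId "$($_.Alias)@$TenantDomain" } |
    Select-Object DisplayName, UserPrincipalName, AccountEnabled | Format-Table
```

Run it once after the Install-Module step; re-running is harmless because existing users and licences are detected and skipped. Graph may take a minute to reflect a new licence in Get-MgUserLicenseDetail, so a second run shortly after the first can print "Licensed" again without duplicating anything.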
Step 3: Enable Defender XDR
Open the Microsoft Defender portal. Sign in as admin.
On first access, the portal initializes the Defender XDR workspace. You'll see a setup wizard:
- Welcome screen — click "Get started"
- Data storage location — select your region (this affects where telemetry is stored — pick the region closest to you)
- Preview features — enable them (gives you access to the latest detection capabilities)
- Click "Continue" or "Create workspace"
Initialization takes 2–5 minutes. Once complete, you'll see the Defender XDR home dashboard.
Verify Advanced Hunting works:
Navigate to Hunting → Advanced Hunting. The query editor should load with the schema explorer on the left. Run a test query:
// Test query — list identity logon events
IdentityLogonEvents
| where Timestamp > ago(24h)
| take 10

If the query returns results (or returns empty without error), Advanced Hunting is working. If you see an error about "table not found", wait 10 minutes — some tables take time to populate after workspace creation.
Step 4: Enable Defender for Endpoint
The Windows endpoint VM needs to be onboarded to Defender for Endpoint to send telemetry to both Sentinel (via the MDE connector) and Advanced Hunting.
In the Defender portal:
- Go to Settings → Endpoints → Onboarding
- Select Operating system: Windows 10/11
- Select Deployment method: Local script
- Click "Download onboarding package" — this downloads a ZIP file containing WindowsDefenderATPLocalOnboardingScript.cmd
Transfer the script to your PT-WIN-ENDPOINT VM (via shared folder, USB passthrough, or download it from a web location you control).
On the Windows endpoint, run the script as Administrator:
:: Run as Administrator
cd C:\Users\labadmin\Downloads
WindowsDefenderATPLocalOnboardingScript.cmd

Starting Microsoft Defender for Endpoint onboarding process...
Successfully onboarded machine to Microsoft Defender for Endpoint.

Verification — confirm the endpoint appears in Defender:
Back in the Defender portal, go to Assets → Devices. Your endpoint should appear within 5–10 minutes. The status should show "Active" with the hostname PT-WIN-ENDPOINT.
If the endpoint doesn't appear after 15 minutes:
- On the endpoint, check the Defender service:
  Get-Service Sense | Select-Object Status
  — should be "Running"
- Check the onboarding status:
  Get-MpComputerStatus | Select-Object OnboardingState
  — should be "Onboarded"
- Ensure the endpoint has internet access through the NAT adapter (the onboarding communicates with Microsoft's cloud)
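The three troubleshooting checks above can be run together. The function below is an added example, not part of the course page or of the onboarding package: run it in an elevated PowerShell session on PT-WIN-ENDPOINT. It reads the Sense service state, the OnboardingState value under the Windows Advanced Threat Protection\Status registry key (1 means the onboarding script completed), the most recent entries of the Microsoft-Windows-SENSE/Operational event log, and a generic outbound HTTPS test through the NAT adapter. The host used for that test (login.microsoftonline.com) is an assumption chosen only to prove outbound 443 works; it is not the full list of Defender for Endpoint cloud URLs.

```powershell
# Added example (not from the course page): consolidated onboarding health check
# for PT-WIN-ENDPOINT. Run as Administrator on the endpoint itself.
# Assumption: the outbound test host below is a generic reachability probe only.

function Test-MdeOnboarding {
    $Result = [ordered]@{}

    # 1. The Sense service is the Defender for Endpoint sensor; it must be running.
    $Sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $Result.SenseService = if ($Sense) { $Sense.Status.ToString() } else { "Not installed" }

    # 2. OnboardingState = 1 under the Status key means the onboarding script succeeded.
    $StatusKey = "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status"
    $State = (Get-ItemProperty -Path $StatusKey -ErrorAction SilentlyContinue).OnboardingState
    if ($null -eq $State)   { $Result.OnboardingState = "Unknown (Status key missing)" }
    elseif ($State -eq 1)   { $Result.OnboardingState = "Onboarded" }
    else                    { $Result.OnboardingState = "Not onboarded ($State)" }

    # 3. Outbound HTTPS through the NAT adapter (generic probe, not the MDE URL list).
    $Net = Test-NetConnection -ComputerName "login.microsoftonline.com" -Port 443 -WarningAction SilentlyContinue
    $Result.OutboundHttps = if ($Net.TcpTestSucceeded) { "OK" } else { "Blocked" }

    # 4. Recent sensor events explain a sensor that is running but not reporting.
    $Result.RecentSenseEvents = Get-WinEvent -LogName "Microsoft-Windows-SENSE/Operational" -MaxEvents 5 -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.TimeCreated) [Id $($_.Id)] $($_.LevelDisplayName)" }

    [pscustomobject]$Result
}

$Check = Test-MdeOnboarding
$Check | Format-List

# Overall verdict mirrors the page's three troubleshooting checks.
$Healthy = $Check.SenseService -eq "Running" -and
           $Check.OnboardingState -eq "Onboarded" -and
           $Check.OutboundHttps -eq "OK"
if ($Healthy) {
    Write-Host "Endpoint looks onboarded; allow 5-10 minutes for it to appear under Assets > Devices."
} else {
    Write-Warning "Onboarding incomplete. Fix the failed check, then re-run WindowsDefenderATPLocalOnboardingScript.cmd as Administrator."
}
```

A sensor that shows "Running" and "Onboarded" but still does not appear in the device inventory is almost always the connectivity case: the sensor queues telemetry locally until it can reach the cloud, so the device shows up once the NAT path is fixed, without re-running the onboarding script.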
Step 5: Enable unified audit logging
Unified audit logging captures M365 activity — sign-ins, file access, mailbox access, admin changes, consent grants. Many M365 detection rules depend on this.
Option 1 — via the admin portal:
Go to Microsoft Purview compliance portal → Audit → if you see a banner saying "Start recording user and admin activity", click it.
Option 2 — via PowerShell (more reliable):
# Install and connect to Exchange Online
Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force
Connect-ExchangeOnline -UserPrincipalName admin@yourname.onmicrosoft.com
# Enable unified audit logging
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
# Verify it's enabled
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

UnifiedAuditLogIngestionEnabled
-------------------------------
True

# Disconnect when done
Disconnect-ExchangeOnline -Confirm:$false

Note: it can take up to 24 hours for audit events to start appearing after initial enablement. If you query the Unified Audit Log and it's empty, wait and check again tomorrow.
Step 6: Generate and verify a sign-in event
Test that sign-in logs are being captured by logging in as one of your test users.
- Open an InPrivate / Incognito browser window
- Go to portal.office.com
- Sign in as t.ashworth@yourname.onmicrosoft.com with password PurpleLab2026!
- You may be prompted to set up MFA — for a lab tenant, you can skip or set up the Microsoft Authenticator app (some course techniques test MFA bypass, so having MFA enabled is actually useful)
- After signing in, wait 2–3 minutes
Check sign-in logs in Entra:
Go to the Entra admin centre → Identity → Monitoring & health → Sign-in logs.
You should see Tom Ashworth's sign-in event with:
User: Tom Ashworth
Application: Office 365 Portal
Status: Success
IP Address: (your public IP)
Location: (your location)

If sign-in logs are empty, wait 5 minutes and refresh. Sign-in logs typically appear within 1–5 minutes of the event.
Check sign-in logs in Advanced Hunting:
// Check if identity events are flowing
IdentityLogonEvents
| where Timestamp > ago(1h)
| where AccountUpn =~ "t.ashworth"
| where AccountUpn =~ "t.ashworth@yourname.onmicrosoft.com"
| project Timestamp, AccountUpn, ActionType, Application, IPAddress

This query may take 15–30 minutes to show results after the sign-in — Advanced Hunting has higher ingestion latency than the Entra portal for identity events.
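Because Steps 5 and 6 each describe a different log source with a different latency, it helps to query all three from one place and compare. The script below is an added example, not part of the course page: it pulls Tom's sign-in from the Entra sign-in logs through Get-MgAuditLogSignIn, from the Unified Audit Log through Search-UnifiedAuditLog, and from Advanced Hunting through the Graph security API's runHuntingQuery endpoint, which is the API behind the portal's query editor. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules from Steps 2 and 5 are installed, that the admin account consents to the scopes listed, and that the Defender XDR workspace from Step 3 exists.

```powershell
# Added example (not from the course page): verify the Step 6 test sign-in in all
# three log sources from one script. Assumptions: Microsoft.Graph and
# ExchangeOnlineManagement modules installed; admin consents to the scopes below;
# Defender XDR workspace already initialized (Step 3).

$TenantDomain = "yourname.onmicrosoft.com"   # replace with your tenant
$TestUser     = "t.ashworth@$TenantDomain"
$LookbackMin  = 60

Connect-MgGraph -TenantId $TenantDomain `
    -Scopes "AuditLog.Read.All", "Directory.Read.All", "ThreatHunting.Read.All"

# 1. Entra sign-in logs: the fastest source (typically 1-5 minutes).
#    Status.ErrorCode 0 is a successful sign-in; anything else is a failure code.
$Since = (Get-Date).ToUniversalTime().AddMinutes(-$LookbackMin).ToString("yyyy-MM-ddTHH:mm:ssZ")
$Entra = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$TestUser' and createdDateTime ge $Since" -Top 10
Write-Host "[Entra sign-in logs] $(@($Entra).Count) event(s) in the last $LookbackMin minutes"
$Entra | Select-Object CreatedDateTime, AppDisplayName, IpAddress,
    @{ n = "Result"; e = { if ($_.Status.ErrorCode -eq 0) { "Success" } else { "Failure ($($_.Status.ErrorCode))" } } } |
    Format-Table

# 2. Unified Audit Log (Step 5): UserLoggedIn records for the test user.
#    An empty result in the first 24 hours after enabling UAL is expected.
Connect-ExchangeOnline -UserPrincipalName "admin@$TenantDomain" -ShowBanner:$false
$Ual = Search-UnifiedAuditLog -StartDate (Get-Date).AddMinutes(-$LookbackMin) -EndDate (Get-Date) `
    -UserIds $TestUser -Operations UserLoggedIn -ResultSize 50
Write-Host "[Unified Audit Log] $(@($Ual).Count) UserLoggedIn record(s)"
$Ual | Select-Object CreationDate, Operations,
    @{ n = "ClientIP"; e = { ($_.AuditData | ConvertFrom-Json).ClientIP } } |
    Format-Table
Disconnect-ExchangeOnline -Confirm:$false

# 3. Advanced Hunting via the Graph security API: the slowest source (15-30 minutes).
#    Same KQL as the page, with the full UPN because AccountUpn holds the whole address.
$Kql = @"
IdentityLogonEvents
| where Timestamp > ago(${LookbackMin}m)
| where AccountUpn =~ "$TestUser"
| project Timestamp, AccountUpn, ActionType, Application, IPAddress
"@
$Hunt = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/security/runHuntingQuery" `
    -Body @{ Query = $Kql }
Write-Host "[Advanced Hunting] $(@($Hunt.results).Count) row(s)"
$Hunt.results | ForEach-Object { [pscustomobject]$_ } | Format-Table

Disconnect-MgGraph | Out-Null
```

Run it a few minutes after the browser sign-in and again half an hour later: the first run normally shows the Entra event alone, and the later run shows the same sign-in in Advanced Hunting. If the Unified Audit Log section is still empty the next day, check Get-AdminAuditLogConfig from Step 5 again before assuming an ingestion problem.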
Verification checklist
☐ Developer program account created
☐ Tenant provisioned (yourname.onmicrosoft.com)
☐ Admin can sign in to admin.microsoft.com
☐ Four test users created with E5 licences
☐ Defender portal accessible (security.microsoft.com)
☐ Advanced Hunting loads and test query runs
☐ Defender for Endpoint onboarding script run on Windows endpoint
☐ Endpoint appears in Defender device inventory
☐ Unified audit logging enabled
☐ Sign-in as t.ashworth generates a visible sign-in log in Entra
☐ (Optional) MFA configured on test users

You've built the lab and understand the validation gap.
Module 0 showed you why detection rules fail silently — vendor schema changes, attacker tool evolution, environment divergence, tuning drift. Module 1 gave you a working four-environment, three-SIEM purple-team lab. From here, you walk the kill chain technique by technique.
- 61 ATT&CK techniques across 12 tactic modules — Initial Access through Impact, each walked end-to-end with attack commands, annotated telemetry, and multi-SIEM detection rules
- Every detection in four formats — Sigma rule (canonical), Sentinel KQL, Defender XDR Advanced Hunting KQL, and Splunk SPL or Elastic. Tabbed side-by-side in every technique sub
- Module 14 Capstone — CHAIN-HARVEST — full purple-team exercise on an AiTM credential-phishing chain. Multi-stage attack, detection results across all three SIEMs, coverage gaps, tuning recommendations
- Programme template — coverage matrix, MTTD per technique, FP rates, detection quality scores, remediation backlog. Populated as you work, presentable to leadership by Module 14
- Public Sigma rule repo — every detection rule in a GitHub repository. Alumni contribute via PR. The artefacts outlive the course