This project documents a cloud identity management lab built to simulate a small business Microsoft Entra ID environment. The lab demonstrates modern identity and access management fundamentals relevant to entry-level helpdesk and MSP environments.
The goal of this lab is to gain hands-on experience with cloud-based user management, group structures, Role-Based Access Control, user lifecycle management, and Conditional Access policies in Microsoft Entra ID.
- Platform: Microsoft Azure / Microsoft Entra ID
- Organisation: KG Tech Solutions (mock business)
- Tenant: kaynegrahamdevicloud.onmicrosoft.com
- 9 mock users across departments
- Security groups: Finance, HumanResources, ITTeam, Staff
- Microsoft 365 groups: Operations, Sales
This lab was built to develop practical experience with:
- Cloud-based user provisioning and management
- Department-based security and Microsoft 365 group structure
- Role-Based Access Control (RBAC)
- Least privilege principles
- User onboarding and offboarding workflows
- Group membership audits
- Conditional Access policy design and implementation
- Created Microsoft Entra ID tenant
- Configured mock organisation — KG Tech Solutions
- Created 9 realistic user accounts across departments
- Created Security groups for Finance, HR, IT Team and Staff
- Created Microsoft 365 groups for Operations and Sales with shared mailboxes
- Assigned users to appropriate groups based on department
- Assigned roles based on least privilege principles
- Ensured users only had access to resources relevant to their role
- Reviewed and audited group memberships
- Practiced user onboarding — creating accounts, assigning groups and licenses
- Practiced user offboarding — disabling accounts, removing group memberships
- Practiced mid-lifecycle changes — department transfers, role changes, license updates
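The onboarding, transfer, offboarding and audit steps above can be expressed as one scripted workflow. The following is an added example, not code from the lab or from Microsoft: it uses an in-memory tenant model so it runs offline, and the department-to-group mapping, the "admin roles are held by IT only" rule, the sample users and the kgtech.example UPN domain are all constructed assumptions modelled on the KG Tech Solutions setup. It goes slightly beyond the write-up by also flagging disabled accounts that still hold access.

```python
"""Scripted user lifecycle plus a group-membership and role audit for a small tenant.

Added example, not code from the original lab: the tenant is an in-memory model
so it runs offline. The department-to-group mapping, the "roles only for IT"
rule and the users are assumptions modelled on the KG Tech Solutions lab, and
the UPN domain kgtech.example is constructed.
"""
from dataclasses import dataclass, field

# Assumed mapping from department to the groups a user in it should hold.
# Every active user also belongs to the all-company "Staff" security group.
DEPARTMENT_GROUPS = {
    "Finance": {"Finance", "Staff"},
    "HR": {"HumanResources", "Staff"},
    "IT": {"ITTeam", "Staff"},
    "Operations": {"Operations", "Staff"},
    "Sales": {"Sales", "Staff"},
}
# Assumed least-privilege rule: directory admin roles are held by IT staff only.
ROLE_DEPARTMENTS = {"IT"}


@dataclass
class User:
    upn: str
    department: str
    enabled: bool = True
    groups: set = field(default_factory=set)
    licenses: set = field(default_factory=set)
    roles: set = field(default_factory=set)  # directory roles, e.g. "Intune Administrator"


class Tenant:
    def __init__(self):
        self.users = {}

    def onboard(self, upn, department, license_sku="ENTERPRISEPACK"):
        """Create the account and grant only its department's groups and licence."""
        if department not in DEPARTMENT_GROUPS:
            raise ValueError(f"unknown department {department!r}")
        user = User(upn, department,
                    groups=set(DEPARTMENT_GROUPS[department]),
                    licenses={license_sku})
        self.users[upn] = user
        return user

    def transfer(self, upn, new_department):
        """Department change: drop the old department's groups before adding the
        new ones, otherwise access accumulates with every move."""
        user = self.users[upn]
        user.groups -= DEPARTMENT_GROUPS[user.department]
        user.groups |= DEPARTMENT_GROUPS[new_department]
        user.department = new_department
        return user

    def offboard(self, upn):
        """Disable first so no further sign-in succeeds, then strip roles, groups and licences."""
        user = self.users[upn]
        user.enabled = False
        user.roles.clear()
        user.groups.clear()
        user.licenses.clear()
        return user

    def audit(self):
        """Return (upn, finding) pairs for every deviation from the expected state."""
        findings = []
        for u in self.users.values():
            if not u.enabled:
                if u.groups or u.licenses or u.roles:
                    findings.append((u.upn, "disabled account still holds access"))
                continue
            expected = DEPARTMENT_GROUPS[u.department]
            extra = sorted(u.groups - expected)
            missing = sorted(expected - u.groups)
            if extra:
                findings.append((u.upn, f"unexpected groups: {extra}"))
            if missing:
                findings.append((u.upn, f"missing groups: {missing}"))
            if u.roles and u.department not in ROLE_DEPARTMENTS:
                findings.append((u.upn, f"admin roles outside IT: {sorted(u.roles)}"))
        return findings


def build_demo_tenant():
    """Constructed sample tenant with two deliberate drift conditions for the audit to catch."""
    t = Tenant()
    t.onboard("finance.user@kgtech.example", "Finance")
    t.onboard("hr.user@kgtech.example", "HR")
    t.onboard("it.user@kgtech.example", "IT").roles.add("Intune Administrator")
    # Drift 1: a Sales user was added to the Finance security group by hand.
    t.onboard("sales.user@kgtech.example", "Sales").groups.add("Finance")
    # Drift 2: an Operations user was given an admin role for a one-off task.
    t.onboard("ops.user@kgtech.example", "Operations").roles.add("User Administrator")
    return t


if __name__ == "__main__":
    tenant = build_demo_tenant()
    for upn, finding in tenant.audit():
        print(f"{upn}: {finding}")
```

Running the script reports the two drift conditions. The ordering inside `offboard` matters in a real tenant as well: disabling the account before removing memberships means there is no window in which a still-enabled account has partial access.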
Configured four Conditional Access policies in Report-only mode to simulate real-world MSP security baselines without disrupting the lab environment.
- Device must be in Australia
  - Restricts access to sign-ins originating from Australian locations only
  - Blocks overseas logins as a baseline security control
  - Commonly implemented for Australian businesses to reduce exposure to foreign threat actors
- Legacy Authentication Prevention
  - Blocks authentication requests using legacy protocols such as SMTP, IMAP, and POP3
  - Legacy protocols do not support MFA, making them a common attack vector
  - Critical policy implemented by MSPs during client onboarding
- MFA for Admins
  - Enforces Multi-Factor Authentication for all administrator accounts
  - Admin accounts are the highest value target for attackers
  - Aligns with least privilege and zero trust security principles
- Require MFA for high-risk logins
  - Uses Entra ID Protection risk signals to trigger MFA only when suspicious behaviour is detected
  - Balances security with user experience — low risk logins are not challenged
  - Demonstrates risk-based Conditional Access rather than blanket enforcement
The sign-in log above shows all four Conditional Access policies evaluated against a freshly created user with Intune Administrator permissions.
- MFA for Admins — triggered as expected, the account held an admin role so MFA would have been required
- Legacy Authentication Prevention — not applicable, the user signed in via a modern browser which is the correct and expected behaviour
- Require MFA for high-risk logins — not applicable, the sign-in was not flagged as high risk by Entra ID Protection
- Device must be in Australia — not applicable, named location condition was not met for this sign-in
All policies behaved as intended. Report-only mode confirmed the logic without enforcing controls or disrupting the user.
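The report-only result for each policy follows directly from whether the sign-in meets that policy's conditions. The following added example (not code from the lab, and not Entra ID's own evaluation engine) models the four policies described above and evaluates them against constructed sign-in records, the first of which mirrors the lab's test of a new Intune Administrator signing in from Australia through a browser. The admin-role list, the legacy client names, the sign-in records and the result strings are this example's own assumptions, not the exact wording of the Entra sign-in log.

```python
"""Report-only evaluation of four Conditional Access policies against constructed sign-ins.

Added example, not code from the original lab and not Entra ID's own evaluation
engine: it models the conditions the write-up describes so the outcome of each
policy can be reasoned about offline. The admin-role list, the legacy client
names and the sign-in records are assumptions; the result strings are this
example's own, not the exact wording of the Entra sign-in log.
"""
from dataclasses import dataclass

# Client app names that authenticate without MFA support (assumed subset).
LEGACY_CLIENT_APPS = {"SMTP", "IMAP4", "POP3", "Exchange ActiveSync"}
# Directory roles treated as administrator roles (assumed subset).
ADMIN_ROLES = {"Global Administrator", "Intune Administrator",
               "Security Administrator", "User Administrator"}


@dataclass(frozen=True)
class SignIn:
    user: str
    roles: frozenset        # directory roles held by the signing-in account
    client_app: str         # e.g. "Browser", "IMAP4"
    country: str            # ISO code from the sign-in IP's geolocation
    sign_in_risk: str       # "none" | "low" | "medium" | "high" from Entra ID Protection


@dataclass(frozen=True)
class Policy:
    name: str
    condition: object       # callable SignIn -> bool: True when the policy is in scope
    control: str            # "block" or "require MFA"


POLICIES = [
    # Named-location policy: in scope (and blocking) only for sign-ins outside Australia,
    # which is why an Australian sign-in shows the policy as not applicable.
    Policy("Device must be in Australia", lambda s: s.country != "AU", "block"),
    Policy("Legacy Authentication Prevention",
           lambda s: s.client_app in LEGACY_CLIENT_APPS, "block"),
    Policy("MFA for Admins", lambda s: bool(s.roles & ADMIN_ROLES), "require MFA"),
    Policy("Require MFA for high-risk logins",
           lambda s: s.sign_in_risk == "high", "require MFA"),
]


def evaluate(sign_in, policies=POLICIES):
    """Per-policy report-only result: 'not applicable' when conditions aren't met,
    otherwise the control the policy would have enforced."""
    return {p.name: (f"would {p.control}" if p.condition(sign_in) else "not applicable")
            for p in policies}


def enforced_outcome(results):
    """What the same sign-in would get with the policies switched on: any block
    wins over MFA prompts, and MFA is only demanded when some policy asks for it."""
    if any(r == "would block" for r in results.values()):
        return "blocked"
    if any(r == "would require MFA" for r in results.values()):
        return "MFA required"
    return "allowed"


# Constructed sign-ins. The first mirrors the lab's test: a new Intune Administrator
# signing in from Australia through a browser with no risk detected.
SAMPLE_SIGN_INS = {
    "new admin, AU browser": SignIn("it.user@kgtech.example", frozenset({"Intune Administrator"}),
                                    "Browser", "AU", "none"),
    "mailbox sync from overseas": SignIn("sales.user@kgtech.example", frozenset(),
                                         "IMAP4", "US", "none"),
    "risky but domestic": SignIn("hr.user@kgtech.example", frozenset(),
                                 "Browser", "AU", "high"),
}


if __name__ == "__main__":
    for label, s in SAMPLE_SIGN_INS.items():
        results = evaluate(s)
        print(f"{label}: {enforced_outcome(results)}")
        for name, result in results.items():
            print(f"  {name}: {result}")
```

For the first record the output matches the log described above: only "MFA for Admins" is in scope, and the other three report as not applicable. The second record shows why the legacy-authentication and named-location policies are paired in MSP baselines: either one alone would block that sign-in, and `enforced_outcome` shows that a block takes precedence over any MFA prompt once the policies are switched from report-only to on.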
- Microsoft Entra ID administration
- Cloud identity and access management
- Security and Microsoft 365 group management
- Role-Based Access Control (RBAC)
- Least privilege implementation
- User lifecycle management
- Conditional Access policy design
- MFA and risk-based authentication
- Technical documentation
Proper group structure and role separation are critical for scalable identity management. Designing identity correctly from the start makes onboarding, role changes, and terminations significantly more efficient and secure. This lab reinforced how important it is to apply least privilege consistently rather than granting broad access by default.
Implementing Conditional Access policies highlighted how organisations enforce security controls at the identity layer rather than relying solely on perimeter defences. Report-only mode is a valuable tool for testing policy impact before enforcement.
- Configure Azure AD Connect to sync on-premises Active Directory with Entra ID
- Build a hybrid identity environment bridging on-prem and cloud
- Explore Microsoft Intune for device management and policy enforcement