
Chart a Microsoft certifications path for a cybersecurity career, from the AZ-900 and SC-900 foundations to AZ-500, SC-200, SC-300 or SC-400, and finally SC-100.
Begin your journey in Microsoft identity and access administration with an introductory overview that outlines key concepts for managing identities and access.
Explore modules for the SC-300: implementing an identity management solution, authentication and access management, Azure Active Directory access for applications, and identity governance, with labs and exam tips.
Review key takeaways from SC-300: Microsoft identity and access administrator course reviews. Thank participants for their engagement and feedback.
Explore the 2024 cyber security forecast by identifying emerging threats, defenses, and policy implications for identity and access management within Microsoft environments.
Implement an identity management solution with Azure Active Directory, covering roles, custom domains, device registration, administrative units, and synchronization options like password hash sync and seamless single sign-on.
Trace the evolution of Active Directory from Windows 2000 to Azure Active Directory, emphasizing cloud identity, on-premises synchronization, and security features like conditional access and multifactor authentication.
Azure Active Directory is a cloud-based identity and access management solution that enables employees to sign in to Microsoft 365, the Azure portal, external SaaS apps, and internal resources.
Explore how Azure Active Directory empowers IT administrators to control access, enforce multi-factor authentication, automate provisioning, and manage roles and single sign-on for cloud and on-prem apps.
Apply the principle of least privilege with Azure Active Directory roles, such as global administrator, user administrator, and billing administrator, and learn how AD roles differ from Azure roles.
Explore the differences between Azure Active Directory roles and Azure resource roles, including group-based assignments, global admin, and application developer permissions.
Global administrators hold full access to Azure Active Directory and Microsoft 365, including Exchange and SharePoint, but require explicit permissions to manage Azure resources, with Privileged Identity Management options.
Explore Azure AD roles in the Azure portal, review app developer permissions, and understand how to create custom roles with a new custom role option.
Create custom roles in Azure Active Directory using the roles and administrators console with a Premium P2 license. Define a certificate role and assign permissions to manage certificates.
Add a custom domain, verify it by updating DNS TXT or MX records at your registrar, then create users with the verified domain suffix.
Delete a custom domain in Azure Active Directory, manage the primary domain, and understand the impact on users and resources when the domain is removed.
Learn how bring your own device policies empower productivity while safeguarding assets, using Azure Active Directory and Intune to manage device identities, with registered versus joined devices for single sign-on.
Learn the difference between Azure AD registered devices and Azure AD joined devices, and how Azure AD registered enables bring-your-own-device use with local authentication and MDM control.
Join Windows 10 devices to Azure AD, enabling cloud-first and hybrid organizations to provide single sign-on for cloud and on-prem apps, managed by Intune or Configuration Manager with policy enforcement.
Join a Windows 10 device to Azure Active Directory, configure who can join or register devices, apply multi-factor authentication, and manage the device from the Azure portal.
Learn how hybrid Azure AD joined devices combine on-premises Active Directory with cloud Azure AD, enabling single sign-on, conditional access, Intune management, and continued Group Policy support.
Explore how administrative units in Azure Active Directory segment users and groups to restrict permissions, assign targeted helpdesk roles, and manage IT admins across departments and geographies.
Explore administrative units in the Azure Active Directory portal by creating a manufacturing department, assigning branch and helpdesk admins, and enabling password reset within the unit.
Plan administrative units in Azure Active Directory to reflect dispersed IT departments and business units, assign permissions and custom roles, and evolve through adoption, pruning, and stabilization.
Define roles and delegate app administration in Azure Active Directory to manage enterprise applications and app registrations, with emergency accounts and just-in-time privileged access via privileged identity management.
Leverage Azure Active Directory security defaults to guard against password spray, replay, and phishing attacks by enforcing user registration, MFA, blocking legacy authentication, and protecting privileged access at no cost.
Create, configure, and manage user and group identities in Azure Active Directory. Enforce least privilege with single sign-on and multi-factor authentication to protect data and support license management.
Discover how Azure Active Directory manages user accounts—cloud identities, directory sync identities, and guest users—using access tokens and authentication to grant permissions, including inviting external vendors.
Organize users in Azure Active Directory with groups to simplify permissions. Use security groups for resource access or Microsoft 365 groups for collaboration.
Azure Active Directory enables group-based licensing, automatically assigning product licenses (for example, Dynamics 365) to group members and removing them when they depart, simplifying large-scale license management.
Meet licensing requirements by securing paid or trial subscriptions for Azure Active Directory and Office 365 enterprise licenses E3, GCC, or DOD variants, and ensure enough licenses for all members.
Learn how group-based licensing in Azure AD assigns licenses to security groups, allows disabling service plans, and updates automatically with membership changes across Microsoft 365 and Dynamics 365.
Enable secure B2B collaboration by inviting external users to your Azure Active Directory, and manage external identities and identity providers for seamless cross-organization access.
Discover how Azure AD external identities enable B2B collaboration by inviting guests, using their own credentials, and signing in with social or enterprise identity providers.
Invite external users to Azure AD B2B with a guest invitation, then assign roles in Azure Active Directory just like regular users, noting password resets are not available for guests.
Explore dynamic groups in Azure Active Directory that automatically add or remove members based on attributes such as country or region, and use them to grant access to apps; dynamic groups require P1 or P2 licenses.
Create a dynamic security group in the Azure portal with dynamic user membership. Build a query where usage location equals Germany and verify membership with dynamic rules.
Configure Google as an external identity provider for Azure AD B2B, enabling Google and Facebook users to sign in to apps via OAuth with client ID, client secret, and claims.
Plan, design, and implement hybrid identity across on-premises and cloud using Azure AD Connect, including password hash synchronization, pass-through authentication, AD FS, and Azure AD Connect Health for monitoring.
Plan, design, and implement Azure AD Connect to synchronize on-premises Active Directory with Azure Active Directory, enabling password hash synchronization, pass-through authentication, and seamless single sign-on for hybrid identities.
Explain why organizations need Azure AD Connect to synchronize on-premises Active Directory with Azure Active Directory: it provides a single identity for accessing cloud and on-premises resources and replaces older synchronization tools.
Treat identity as the new control plane and authentication as the gate to the cloud: an Azure AD hybrid identity solution can use either cloud authentication or federated authentication with on-premises AD FS.
Manage Azure AD external collaboration settings to control guest access and who can invite guests, with domain restrictions and B2B invitation policies.
Learn how pass-through authentication uses PTA agents on on-prem servers to validate against on-prem Active Directory, enabling policy enforcement, high availability with multiple servers, and failover to password hash synchronization.
Implement federated authentication by delegating to on-premises AD FS managed by your organization, enabling smart card and third-party MFA, with a load-balanced AD FS farm for high availability.
Explore three hybrid identity architectures for Azure Active Directory: password hash sync with Azure Active Directory Connect, pass-through authentication with on-premises agents, and federated authentication with AD FS and federation proxies.
Synchronize on-premises directories with Azure Active Directory by selecting the UPN attribute and ensuring the UPN suffix matches a verified domain, choosing express or custom Azure AD Connect settings.
Explore Azure AD Connect components, including the provisioning engine, connector space, metaverse, and sync rules, and how import, export, and run profiles enable synchronization across multiple forests with Azure AD.
Learn how password hash synchronization works with Azure AD Connect to sync password hashes from on-premises Active Directory to cloud Azure AD, including security processing and the two-minute update cycle.
Install and configure Azure AD Connect on a domain controller, choose customize or express settings, verify domain, and enable password and device writeback for on-premises to Azure AD synchronization.
Investigate common synchronization errors in Azure Active Directory, identify error types and causes, and apply practical fixes, with a focus on the export operation within import, synchronization, and export.
Identify and resolve object type mismatch errors during Azure AD Connect sync by correcting duplicated proxy addresses between on-premises and cloud objects, using Azure AD Connect Health.
Identify and fix duplicate attribute values in Azure Active Directory, such as proxy addresses and user principal name, to prevent errors from Azure AD Connect.
Identify data validation failures by verifying the user principal name's supported characters and required formats to ensure Azure Active Directory writes data and supports Azure AD Connect synchronization.
Identify and resolve large object errors by ensuring attributes stay within Azure Active Directory schema limits during synchronization, and locate the exceeding attribute in the health sync reports.
Azure AD Connect Health monitors on-premises identity infrastructure with alerts and analytics to troubleshoot sync, requiring Premium P1, a global admin, and the latest agent on each server.
Learn how to install the bundled Azure AD Connect, monitor sync health, and manage on-premises domain controller health and alerts in Azure AD Connect Health.
Leverage self-service remediation in Azure AD Connect Health to troubleshoot duplicate attributes, sync errors, and orphaned objects, including cloud-only users and the inability to remap on-premises users to Azure AD.
Assign and manage user roles in Azure Active Directory by adding a user to the application developer role, noting premium license requirements and how to remove assignments.
Explore Azure Active Directory tenant properties, including tenant ID, country, privacy contacts, and security defaults, and learn how MFA, privacy statements, and access management govern multi-tenant setups.
Create security groups in Azure Active Directory and assign licenses by group membership to manage access. Run reports to track license usage across Microsoft 365, SharePoint Online, and OneDrive.
Configure Azure Active Directory B2B external collaboration settings to manage guest access and who can invite guests. Enforce domain restrictions and invitation controls, including whitelisting and blacklisting domains.
Learn how to restore a deleted user in Microsoft identity and access administrator by locating the user in deleted users, restoring them, and confirming roles and group memberships are preserved.
Explore Azure Active Directory fundamentals, including roles, custom domains, device registration, external identities, B2B with Google, and seamless single sign-on, plus troubleshooting and Connect Health insights.
Introduce in-depth Azure multifactor authentication and identity protection, covering MFA Server, FIDO2 and passwordless options, Windows Hello for Business, conditional access, and Azure AD Identity Protection with risk insights.
Plan and implement Azure AD MFA to protect against unauthorized access that relies on only a username and password, and enable MFA for users and applications.
Explore how Azure Active Directory MFA strengthens identity security by requiring multiple factors—something you know, something you possess, and something you are—through flexible methods like passwords, mobile apps, or biometrics.
Discover how multi-factor authentication works with Azure Active Directory, including on-premises validation, MFA server verification challenges, phone calls, text messages, mobile app notifications or verification codes, and conditional access options.
Plan Azure Active Directory multi-factor authentication deployment in waves, starting with pilots to identify issues and gradually enroll the organization, supported by a comprehensive communication plan and user registration guidance.
Learn how to enforce multifactor authentication using Azure conditional access policies, applying if-then rules to require MFA for accessing specific apps, networks, or devices.
Explore Azure AD authentication methods, including SSPR (self-service password reset), Microsoft Authenticator, software tokens, OATH hardware tokens, SMS, voice calls, and application passwords.
Monitor authentication methods and MFA adoption in Azure Active Directory using the usage and insights view to track registrations, including SSPR adoption, successes, and failures over the last 30 days.
Explore how Azure Active Directory authenticates users with self-service password reset, multifactor and passwordless options, password protection policies, and password changes via hybrid on-prem integration.
Explore passwordless authentication with Windows Hello, FIDO2 keys, and the Microsoft Authenticator app for secure sign-ins, and learn how Azure AD MFA and combined security information registration support SSPR.
Evaluate authentication methods by security, usability, and availability, prioritizing passwordless options like Windows Hello for Business, the Authenticator app, and FIDO2 when deploying Azure AD MFA.
Configure a FIDO2 security key for a user in Azure by enabling the security key method, adding a YubiKey, and enabling passwordless sign-in through MFA.
Replace passwords with two-factor authentication via a device-bound credential unlocked with biometrics or a PIN to access Active Directory or Azure AD. Tackle password risks like forgetting, reuse, and phishing.
Windows Hello for Business uses certificates or asymmetrical key pairs bound to the device, with private keys stored in the TPM and never leaving the device. During registration, the identity provider maps the public key to the user account, and authentication signs data locally using PIN or biometrics, without roaming between devices.
Learn how Azure AD password protection blocks weak passwords with global and custom lists, while domain controllers validate changes offline, keeping cleartext passwords on-premises and avoiding schema changes.
Configure Azure AD password protection for on-premises Active Directory by deploying the DC agent and proxy agent, syncing global and custom banned passwords, and enforcing or auditing password safety.
Deploy Azure AD password protection independently per forest; each forest's proxy serves only the forest it is joined to. No agent is installed on read-only domain controllers (RODCs); password changes on an RODC are forwarded to writable domain controllers.
Plan, implement, and manage conditional access in Azure Active Directory, testing policies, applying application controls and session management, and configuring smart lockout thresholds.
Security defaults in Azure AD enforce MFA for all users, block legacy authentication, protect privileged activities, and are available at no extra cost in the Azure portal.
Enforce Azure AD MFA for all users with a 14-day registration period; after that, sign-in is blocked until MFA is completed, and legacy authentication is addressed for privileged admin protection.
Block legacy authentication to prevent MFA bypass by older protocols like IMAP, SMTP, and POP3. Enable security defaults to block legacy requests and promote modern protocols such as OAuth 2.0.
Plan conditional access deployment in Azure AD using signals like location, device, IP, and browser to automate access decisions and enforce multi-factor authentication.
Improve productivity and security with conditional access that prompts for multi-factor authentication, blocks risky sign-ins, and enforces trusted devices. Audit access and move toward zero trust in Azure Active Directory.
Define assignments and conditions to grant or block access to cloud apps, and apply access controls and session rules based on user, device, location, and browser.
Review and implement conditional access policies with best practices, including emergency access accounts, report-only mode, named locations to block sign-ins from certain countries, and exempt administrators to prevent lockouts.
Learn the most common conditional access policies, including mandatory multi-factor authentication, high-risk sign-in controls, managed devices, approved client applications, and access blocking strategies.
Roll out conditional access policies in production in phases, starting with a small user set, verify behavior, exclude administrators during expansion, and apply to all after testing.
Create test users and a test plan to validate conditional access policies, compare expected versus actual results, and explore MFA prompts from untrusted locations under Azure AD premium licensing.
Explore how sign-in risk and user risk drive conditional access policies with Azure AD Identity Protection, using Premium P2 licenses to require MFA or secure password changes.
Demonstrate creating conditional access policies to block sign-ins from specific locations using IP ranges and country blocks, test with a cloud user, and review sign-in details.
Explore sign-in logs in Azure Active Directory to trace user authentication, location, and application usage, enabling troubleshooting for helpdesk and security operations.
Explore how Microsoft Intune enforces device compliance through MDM policies—PIN, encryption, OS version, and jailbreak checks—and how compliance data feeds Azure Active Directory to drive conditional access.
Create a conditional access policy in the Azure portal that requires devices to be compliant with Intune policies, applying to all users and cloud apps, with a break-the-glass scenario.
Exclude certain accounts from conditional access policies, including emergency access (break the glass) and service accounts, and consider managed identities to address MFA limits and baseline policy exclusions.
Create a conditional access policy to block all apps except Office 365 from untrusted locations in report-only mode. Then require MFA or a compliant device for Office 365.
Test and troubleshoot conditional access policies, diagnose sign-in errors across Azure Active Directory, review policy details, and use support workflows to resolve access issues.
Implement conditional access to require approved client applications for Microsoft 365, Exchange Online, and SharePoint Online using SAML and OAuth; ensure iOS and Android devices are Azure AD registered.
Enforce approved mobile client apps for Microsoft 365 by configuring Android and iOS modern authentication policies, conditional access for Exchange Online, and Intune app protection.
Configure Azure AD conditional access to require approved client apps for Exchange Online and SharePoint Online on Android and iOS, using Intune app protection and Azure AD P1 or P2.
Apply app protection policies to enforce access and monitor or prohibit actions within managed apps, protecting organizational data across work, school, and personal devices via MDM solutions like Intune MAM.
Protect company data accessed from personal devices by implementing app protection policies with Microsoft Intune. Operate these policies independently of any MDM solution, restricting access and minimizing data loss.
Explore Azure Active Directory identity protection, including user and sign-in risk policies, and multifactor authentication and registration policies, while monitoring, investigating, and remediating risky users.
Learn how Azure identity protection automates detection and remediation of identity-based risks, analyzes portal data, exports risk detections to third-party tools, and uses 6.5 trillion signals to inform conditional access.
Identify sign-in risk signals in Azure Active Directory and SaaS apps, including anonymous IPs, atypical locations and times, malware-linked IPs, leaked credentials, and password spray, aided by MCAS and threat intelligence.
Identify who can view identity protection logs and reports, detailing role-based access for global admins, global readers, security readers, operators, and readers with full, view-only, or restricted capabilities.
Azure Active Directory Identity Protection requires a Premium P2 license. A chart compares the Free, P1, and P2 licenses, with P2 granting full access to risk policies, security reports, and notifications.
This lecture covers sign-in risk policy and user risk policy, where sign-in risk detects suspicious logins from atypical times or risky IPs, and user risk flags potentially compromised accounts.
Balance user experience and security by setting user risk high and sign-in risk medium or higher, with Microsoft guidance and exclusions like trusted network locations reviewed regularly.
Enable self-remediation by registering users for self-service password reset and Azure AD multifactor authentication, using the combined security information registration experience; admins can still see and investigate events.
Navigate Azure Active Directory identity risk reports, including risky users, risky sign-ins, and risk detections, and export data as CSV or JSON for analytics and admin actions.
Learn to remediate risks and unblock users by applying automated risk policies, performing manual resets, or dismissing risk, while monitoring the user risk level (low, medium, high) to protect accounts.
Explore user risk remediation options in Azure Active Directory, including self remediation with MFA and self-service password reset, manual password reset, dismissing risk, and closing detections.
Upgrade to Azure Active Directory Premium P2 and enable enterprise-wide multi-factor authentication, then create a conditional access policy to enforce MFA for guest users accessing Office 365.
Configure and deploy self-service password reset for a security group, create and add a user, enable MFA methods, and test the flow with Mary's SSPR registration and reset.
Explore security defaults in Azure Active Directory, how to enable or disable them via manage security defaults, and how they affect basic security mechanisms and conditional access policies.
Create a conditional access policy to control user sign-in frequency across all cloud apps, set to 30 days, enable it, and use reports-only mode to evaluate impact via sign-in logs.
Enable smart lockout in Azure AD to detect brute force attempts and protect accounts by enforcing temporary logouts; customize lockout threshold and duration in password protection settings.
Configure Azure AD identity protection sign-in and user risk policies to add risk-based access control; assign users or groups, exclude service accounts, set actions by risk level, and enforce policies.
Configure the Azure AD multi-factor authentication registration policy to require all users to register, with exceptions for service accounts, enforce the policy, and save the changes.
Conclude module two by summarizing how Azure Active Directory and on-premises Active Directory protect users and resources, manage authentication, and apply conditional access with identity protection.
Explore module three of the SC-300 certification to plan, implement, and monitor enterprise applications for single sign-on with Azure Active Directory, including MCAS, AD FS, and pre-integrated gallery registrations.
Discover Microsoft Cloud App Security, a CASB solution that provides visibility across cloud and on-premises resources with deployment modes such as log collection, API connectors, and reverse proxies.
Explore the cloud app security architecture, including cloud discovery from uploaded logs, snapshot reports, and application connectors that enable real-time visibility and conditional access.
Learn to migrate on-premises AD FS to Azure Active Directory for federation and single sign-on across on-premises and cloud apps. Use the AD FS application activity report to identify migration-ready applications.
Discover how to view AD FS application activity and migration status via the Azure AD Connect Health agent for AD FS, assessing readiness to migrate to Azure Active Directory.
Learn how to restrict who can register applications in Azure Active Directory by turning off user registration and granting the application developer role to selected users.
Configure pre-integrated apps in Azure Active Directory, manage user access, and set up single sign on for apps like Dropbox for business, including user assignment options.
Implement token customizations and consent settings for enterprise apps, use Azure AD application proxy for on-premises integrations, provision SaaS apps for SSO, and monitor and audit sign-ins to Azure AD.
Understand how consent allows a user or admin to authorize an application to access protected resources. Review the consent prompt components and permissions to assess data access and trust.
Explore user consent settings in Azure Active Directory, including app consent policies, when end users can grant permissions, admin review, and how to configure admin consent requests and expiry days.
Explore Azure AD Application Proxy to enable single sign-on for on-premises and cloud apps, using a connector on-premises and a service in Azure AD.
Learn how Azure AD Application Proxy lets you access on-premises apps from the internet by authenticating users through Azure AD and using a connector for single sign-on.
Explore Azure Active Directory as identity as a service, supporting OAuth 2.0 and OpenID Connect, tokens for Microsoft Graph, and compare OAuth, OpenID Connect, and SAML for authentication and authorization.
Discover automatic and manual provisioning in Azure Active Directory for SaaS apps, automating user and group provisioning, deprovisioning, attribute mappings, governance, alerts, and log analytics.
Compare manual and automatic provisioning in Azure Active Directory, noting manual requires app-side setup and automatic uses the provisioning connector for seamless user synchronization.
Adopt the SCIM standard to automate provisioning and deprovisioning of users and groups across SaaS apps, syncing across on-premises and Azure Active Directory alongside SAML or OpenID Connect single sign-on.
Demonstrate setting up automatic provisioning with Azure Active Directory using SCIM, enabling automatic provisioning of users and groups for Box and Dropbox.
Use the SCIM user management API to enable automatic provisioning of users and groups between your application and Azure Active Directory via a common REST-based schema.
Explore how to monitor enterprise applications with Azure Active Directory usage and insights reports, analyzing sign-ins, failures, and success rates, and access audit logs for compliance.
Explore how to plan and implement line-of-business application registrations and configure permissions within Azure Active Directory to support secure integration.
Explore how application objects in Azure Active Directory define apps for token issuance, including attributes such as name, redirect URLs, logos, secrets, API dependencies, OAuth, and RBAC.
Learn how service principals serve as identities for applications, services, and automation tools to access resources via API permissions, authenticating with a client secret or certificate-based authentication.
Explore how the application object relates to the service principal in Azure Active Directory, and how Microsoft and SaaS directories organize apps via the application gallery and application proxy.
Explore who can create app registrations in Azure AD, including global admins, default user settings for consenting to apps, and auditing, plus roles for application developers and administrators.
Learn how Azure Active Directory uses tenants to isolate users and applications, and configure who can sign in to your app—single-tenant, multi-tenant, or Microsoft accounts.
Identify permission types in Microsoft identity platform. Delegated permissions require a signed-in user and may need admin consent for privileges; application permissions run without a user and require admin consent.
Grant admin consent for the default directory to act on behalf of any user in the tenant, enabling organization-wide use of Graph API and application permissions such as calendars read/write.
Configure tokens and claims in Azure Active Directory by adding optional and group claims, selecting ID or access or SAML tokens, and managing the manifest for OpenID Connect single sign-on.
Deploy an Azure web app and integrate it with Azure Active Directory as the identity provider, configure app registrations, redirect URL, ID tokens, and token claims for seamless authentication.
Learn to use the SAML-tracer browser extension for troubleshooting SAML authentication between identity provider and relying party, decode ID tokens and claims, and follow security precautions to protect passwords captured in traces.
Summarize module three on planning and designing enterprise app integration for seamless single sign-on, covering MCAS and AD FS reports, access management, gallery SaaS apps, and app registrations with permissions.
Explore entitlement management within Azure identity governance and Azure Active Directory, including catalogs, access packages, entitlements, terms of use, and external user lifecycle; learn access reviews, privileged access, and auditing.
Plan and implement entitlement management in Azure Active Directory. Ensure appropriate access, establish access reviews, manage terms of use, and govern external user life cycle with access packages.
Explore how Azure Active Directory entitlement management addresses common access challenges by ensuring employees have the right access, streamlined approvals, and consistent management for internal and external users.
Explore entitlement management capabilities, including delegating access package creation to non-admins, defining request and approval policies, expiration rules, and inviting users from connected organizations with automatic B2B removal.
Explore entitlement management terminology by defining access packages, catalogs, and policies, and explain access requests, approvals, assignments, time limits, resource directory, and resource roles across a connected organization.
Discover how entitlement management uses access packages in Azure Active Directory to govern access to resources for internal and external users via apps, groups, SharePoint, licenses, and Azure resources.
Use access packages for time-limited, task-specific access and approvals, including cross-organization collaboration. Learn how access package manager and internal/external policies govern groups, applications, and SharePoint resources in Azure AD B2B.
Plan, implement, and manage access reviews for groups and applications, monitor findings, and govern licenses. Automate and configure recurring access reviews to strengthen governance in identity protection.
Plan access reviews with a deployment strategy and clear reviewer cycles. Engage IT administration, development teams, and governance to ensure policy and regulation-compliant reviews via Azure AD Identity Governance.
Azure AD identity governance balances security and productivity by protecting, monitoring, and auditing who has access to resources, across on-premises and cloud environments.
Demonstrate end-to-end access reviews by creating an access package to grant Mary role-based access control to groups and applications, with Avenger approving requests to authorize membership and app access.
Pilot initial access reviews with a small group targeting non-critical resources to refine processes and communications, verify Azure AD email addresses, document pilot removals, and audit events.
Plan and execute effective access reviews by defining what resources and access to review, who reviews, how often, and what automatic or manual actions and communications to trigger.
Proactively communicate changes in accountability and access reviews to users and resource owners, train them to use insights for decisions, and manage privileged role assignments via customized emails.
Create and manage access reviews for groups or applications in Azure Active Directory, including recurring reviews, reviewer roles, duration rules, and automatic actions on completion.
Explore the access review workflow, select primary and fallback reviewers, view access packages, and approve or deny user access with justification while leveraging recommendations and the option to revoke decisions.
Plan and implement privileged access with Azure AD PIM for admin roles and resources, covering role assignment, PIM requests, audit reports, and break-the-glass accounts.
Discover how Azure Active Directory privileged identity management provides just-in-time, time-based access with approval, justification, and multi-factor authentication to protect resources across Azure, Microsoft 365, and Intune.
Identify all stakeholders for privileged identity management, secure a premium P2 license, and define roles from identity architect to security owner to support a successful PIM rollout.
Enforce the principle of least privilege across Azure Active Directory and Azure roles, plan least-privilege delegation, and use Privileged Identity Management and access reviews to reduce global admins.
Prioritize protecting high-risk Azure AD roles with PIM, starting with global administrator and security administrator, then extend to guest and sensitive reader roles to reduce attack risk.
Identify critical subscriptions and resources to protect. Protect Azure Active Directory and Azure roles with PIM, prioritize by severity and apply PIM workflows to owner and user access administrator roles.
Assign Azure AD roles in privileged identity management via the Azure portal or PowerShell, with permanent or time-bound activations and eligible versus active assignment types.
Configure PIM in Azure Active Directory to tailor activation and assignment settings for privileged roles, including approval workflows, MFA, notifications, and compliance role customization.
Discover how to use Azure Active Directory and PIM to protect Azure resources by discovering and selecting subscriptions and resources to manage, and review audit history using reports.
Create emergency access accounts to prevent Azure Active Directory lockout, using two or more highly privileged, non-personal accounts for break-glass use during identity provider outages and last global admin deletion.
Create two or more cloud-only emergency accounts with the .onmicrosoft.com suffix, unassociated with individuals, stored securely, with a permanent global administrator role and distinct authentication from other admin accounts.
Explores exclusions in Azure Active Directory. Excludes emergency access accounts from per-user MFA policy and conditional access, including third-party MFA, to avoid blocking fixes.
Train staff to use emergency break-glass accounts and maintain updated procedures; verify no MFA or self-service reset is registered. Audit every 90 days or after IT or Azure AD changes.
Monitor and maintain Azure Active Directory to audit events, understand diagnostic logs, and troubleshoot access issues. Explore analyzing sign-in data, manage sign-in logs with a third-party SIEM tool, and learn reporting.
Analyze the Azure Active Directory reporting architecture with activity and security components, including sign-ins, audit and provisioning logs, and risky sign-ins or users flagged for risk.
Identify access to sign-in, activity, and security logs by role—security administrator, security reader, global reader, and global admin—while non-admins access only their own logs via Microsoft Graph API.
Explore the sign-in report in Azure Active Directory to analyze interactive sign-ins, view metadata and conditional access, apply filters, and export results as JSON or CSV.
Explore how Azure Active Directory captures sign-in data, tracks who signed in, the target application, status, MFA, and IP details, with weekly and daily views in the portal.
Explore how audit logs in Azure Active Directory track user and group changes, including creations, attribute modifications, password updates, and membership updates, with CSV or JSON export.
Export logs to third-party security solutions by routing Azure Monitor data to a single event hub and leveraging SIEM connectors, enabling diagnostic settings per resource and AzLog integration.
Explore integrating third-party SIEM solutions like Splunk, ArcSight, and QRadar with Microsoft Azure using official add-ons and step-by-step documentation for Azure Monitor and Event Hub.
Explore Azure Active Directory workbooks and reporting to analyze sign-in activity across enterprise applications, view top apps, failed sign-ins, and success rates with the usage and insights report.
Plan and implement entitlement management, implement and manage access reviews, plan and implement privileged access, and monitor and maintain Azure Active Directory.
Explore how a SIEM solution collects and analyzes logs from all systems, enabling alerting, anomaly detection, dashboards, and incident management through the Kusto query language.
Explore Microsoft Sentinel, a cloud-native SIEM that ingests data from across cloud and on-prem sources, enabling threat detection, investigation, and automated responses with ML, threat intelligence, and playbooks.
Explore the key components of Microsoft Sentinel, including data connectors, log retention, workbooks, analytics-generated alerts, threat hunting, incidents and investigations, and automation playbooks.
Ingest data into Microsoft Sentinel using data connectors for syslog and Common Event Format (CEF) sources, and import TAXII threat intelligence across Azure, AWS, Google Cloud, Oracle, and on-premises sources.
Set up and manage log retention for Azure Sentinel by understanding how ingested data is stored in Log Analytics and using its rich query capabilities to gain insights.
Visualize data with workbooks in Microsoft Sentinel and Azure Monitor, using built-in and custom dashboards powered by queries, and edit them or create from scratch.
Set up proactive analytics alerts across your data to be notified when something suspicious happens, using built-in Sentinel alerts plus custom and scheduled options powered by Microsoft machine learning.
Explore threat hunting with Azure Sentinel, using built-in and custom hunting queries, and leverage Azure Notebooks for advanced hunting with programming to hunt through data.
Learn how alerts in Microsoft Sentinel trigger incidents, manage them with status changes and assignments, and use investigation visuals that map entities across log data with a timeline.
Explore how Microsoft Sentinel automates incident response with Azure Logic Apps, runbooks, and playbooks, ingesting cloud and on-prem data for analysis, remediation, and SOC automation.
Create a log analytics workspace, attach Microsoft Sentinel to it, and review provisioning steps, workspace navigation, and basic permissions and roles in Azure Sentinel.
Assign Azure Sentinel RBAC roles by mapping Log Analytics and Sentinel permissions, from reader to responder to contributor, while considering prior Azure roles; note that playbooks require Logic Apps.
Onboard devices to Microsoft Sentinel by configuring data connectors across Microsoft 365, Azure, and third-party sources, learn to use CEF or syslog formats and follow setup steps.
Onboard a Windows host to Microsoft Sentinel by using the security events connector or the legacy log analytics agent, streaming all security events to a Microsoft Sentinel workspace.
Onboard a Windows host to Sentinel and stream security and AppLocker events with the legacy agent connector. Configure Log Analytics to collect Windows events and performance counters for Kusto queries.
Discover how Microsoft Sentinel watchlists collect external data (IP addresses, file hashes, business lists) to fuel search, detection rules, threat hunting, and playbooks, stored in the workspace for low latency.
Create a watchlist in the Microsoft Sentinel portal by importing a CSV of Tor exit nodes and mapping the header, then start a hunting query to monitor Tor IPs.
Create a custom hunting query in Azure Sentinel using a watchlist and Log Analytics to monitor Azure activity through Tor exit nodes in real time.
Explore Microsoft Sentinel's livestream feature for real-time query results during investigations, add queries to livestream, and simulate alerts using Tor browser and Azure Portal.
Learn to simulate alerts by capturing traffic from Tor exit nodes using Azure Sentinel, watchlists, livestreams, and Log Analytics to support threat hunting and investigation.
Create analytical rules in Sentinel to generate real-time alerts from indicators of attack, covering initial access, compromised accounts, behavior analysis, and incident response with scheduling, thresholds, and automated playbooks.
Explore fusion analytics and analytical rule types in Microsoft Sentinel to detect anomalous activities and multi-stage attacks, including data exfiltration and compromised identities.
Configure security solutions to feed alerts into Microsoft Sentinel, unifying logs from Defender, Cloud App Security, and Identity Protection, then apply SIEM and XDR concepts with machine learning.
Discover built-in machine learning behavioral analytics in Microsoft identity and access; analytical rules detect suspicious activities by correlating signals to reduce noise and generate near real time alerts.
Examine anomaly-based rules using machine learning to detect unusual behaviors, scheduled alerts for flexible customization and filtering via the Kusto Query Language, and near real-time rules that run every minute.
Create analytics rules from templates in the Azure portal. Enable or disable rules with pre-filled tactics and techniques, select the template source, and configure alerts and automated actions.
Create analytic rules using the wizard and custom scheduled queries in Microsoft Sentinel; define KQL logic, entity mappings, timing, thresholds, and automated responses with playbooks.
Manage analytical rules through four actions: edit, disable, duplicate, and delete, where editing preserves inputs and can attach automated playbooks; disable retains configuration and re-enables later; delete is permanent.
Outline cyber threat intelligence (CTI) and indicators of compromise (IOC) used to detect threats. Learn to import threat indicators into Microsoft Sentinel, view logs, and enable threat hunting.
Create threat indicators in Azure Sentinel by adding domain indicators, tagging as malicious, and setting revoke and confidence levels; query the threat intelligence indicator table in Log Analytics to verify.
Learn to connect logs to Microsoft Sentinel using the Office 365 connector and CEF format logs, and link threat indicators and third-party services.
Explore Microsoft 365 Defender. Learn how alerts from Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for IoT, Defender for Cloud Apps, and Microsoft 365 Insider Risk feed Microsoft Sentinel.
Configure the Office 365 data connector in Azure Sentinel to ingest Office activity logs from Exchange, SharePoint, and Teams, revealing ongoing user actions like downloads, access requests, and PowerShell activity.
Explore the Azure Active Directory connector for Azure Sentinel, ingesting audit and sign-in data, and the onboarding steps to map logs such as audit logs and sign-in logs.
Connect the Azure Active Directory Identity Protection connector to Sentinel, enabling incident creation from Identity Protection alerts, auto remediation policies, and a security alert table for consolidated risk data.
Connect Microsoft Defender for Office 365 to Sentinel to ingest email-based alerts and protect your organization from malicious emails, URLs, and phishing threats.
Integrate Defender for Endpoint with Microsoft 365 Defender to stream hunting events into Azure Sentinel via Defender for Endpoint connector, using tables built on Defender portal schema for retention.
Connect threat indicators to Microsoft Sentinel using TAXII or threat intelligence platform connectors, configure them in the Azure portal, and query the threat intelligence indicator table in Log Analytics.
Explore security incidents and the threat response system using playbooks in Microsoft Sentinel. Learn to analyze user entity behaviors, and query, visualize, and monitor data in Microsoft Sentinel.
Explore how Microsoft Sentinel organizes technology threats into incidents and teaches key concepts like data connectors, events, analytical rules, alerts, and incident tracking.
Explain how data connectors feed events into the log analytics workspace for Microsoft Sentinel, with Windows and Linux sources, and show how analytics rules produce alerts and incidents.
Explore incident management in Microsoft Sentinel, from the overview and incident details to ownership, status, and severity; track metadata, assign owners, and review the evidence and entities involved.
Learn incident management in Microsoft Sentinel, from overview to details, including evidence, entities, and tactics, then assign ownership, status, and classify outcomes as true positive, false positive, or undetermined.
Simulate a brute force attack on the Azure portal by creating an analytics rule from templates, testing incognito logins, and reviewing the Sentinel incident; also log API token workflow.
Learn to monitor Azure Active Directory changes and alert on global administrator role modifications using Log Analytics, Microsoft Sentinel playbooks, and a logic app that notifies teams.
Create a Sentinel analytical rule to monitor Azure Log Analytics audit logs for role membership changes, trigger alerts and incidents, and run a logic apps playbook to notify teams.
Create and manage Azure Active Directory users, assign roles like billing administrator, and verify audit log updates; then export audit logs to Log Analytics via diagnostic settings linked to Sentinel.
Verify that Azure Active Directory audit logs export to Log Analytics and reflect the added user as global administrator, then check the Sentinel workspace for a related incident.
Microsoft Sentinel surfaces incidents from analytical rules and log analytics, linking audit logs to SIEM and SOAR workflows, and enables automated responses via logic apps.
Create and deploy a logic app in the Azure portal, configure triggers and actions, and post Azure Sentinel alerts to a Microsoft Teams channel.
Edit the analytics rule to add the logic apps playbook. Prepare Azure Active Directory changes so membership audits feed log analytics and trigger Sentinel incidents and SOC messages.
Demonstrates end-to-end integration of audit logs with Log Analytics and Sentinel, triggering Logic Apps to post incident alerts to Teams for Azure AD changes.
Explore how UEBA analyzes user and entity behavior with AI and ML to detect anomalies, establish baselines, and identify threats across devices and IoT.
Explore entity behavior analytics in a Microsoft Sentinel workspace by examining alerts over the last 30 days and how identifiers from user accounts, IP addresses, and hostnames are unified.
Navigate entity pages, view left panel details from Azure Active Directory, Azure Monitor, Defender for Cloud, and Microsoft 365 Defender, and analyze the center timeline with behavioral insights for investigations.
Learn to navigate entity pages in Microsoft Sentinel, examining user and IP address entities through left panel details, center event timeline, and right panel behavioral insights to spot anomalies.
Create and customize workbooks in the Microsoft Sentinel portal using templates or from scratch, including Azure Active Directory sign-in logs and troubleshooting insights.
Create and edit a Microsoft Sentinel workbook from scratch, add tiles and visualizations, and configure time ranges and styles, then save within a subscription and resource group.
There are no shortcuts to learning Azure Security — and this course is designed to teach it the right way. Through in-depth lab exercises and a carefully structured curriculum, you'll build practical, real-world skills that prepare you for enterprise environments and certification success.
Whether you're aiming to deepen your expertise in cloud security or pass a Microsoft Azure security certification, this course will guide you step by step.
Course Update Notes
Note 1: Course update in progress – Modules 3 and 4 will be updated by October 20th.
Note 2: All modules updated – as of October 28th, 2021.
Note 3: New lab activities uploaded – November 29th, 2021.
Note 4: Azure Sentinel (final module) updated – March 16th, 2022.
What You Will Learn
Initial Configuration of Azure Active Directory (Azure AD)
Configure and manage directory roles and custom domains
Set up device registration options
Configure administrative units and tenant-wide settings
Identity Management
Create, configure, and manage users and groups
Manage licenses
Configure external collaboration and identity providers (social, SAML, WS-Fed)
Hybrid Identity and Synchronization
Set up and manage Azure AD Connect (AADC)
Implement Password Hash Sync (PHS), Pass-Through Authentication (PTA), and Seamless SSO
Integrate and manage Azure AD Connect Health
Troubleshoot synchronization issues
Multifactor Authentication (MFA)
Plan and implement Azure MFA (excluding legacy MFA Server)
Manage MFA settings for users
Configure password protection and self-service password reset
Authentication and Access Controls
Configure FIDO2, passwordless, and Windows Hello for Business
Set tenant restrictions and smart lockout
Plan and implement Conditional Access policies and session controls
Identity Protection
Configure and manage user and sign-in risk policies
Investigate and remediate risky user activities
Enforce MFA registration policies
Enterprise Application Integration and SSO
Discover and manage enterprise apps
Integrate on-premises applications using Azure AD Application Proxy
Configure SSO for SaaS applications
Customize tokens and manage app provisioning
Application Registration and Authorization
Develop a line-of-business app registration strategy
Configure application permissions and authorization
Entitlement Management and Access Reviews
Define catalogs and access packages
Manage lifecycle of external users
Create and automate recurring access reviews
Monitor review findings and license usage
Privileged Access Management
Define strategies for managing administrative users
Configure and manage Azure AD Privileged Identity Management (PIM)
Assign roles, manage PIM requests, and review audit logs
Set up and maintain break-glass accounts
Monitoring and Integration
Analyze and troubleshoot using sign-in and audit logs
Enable diagnostics with Log Analytics and Azure Sentinel
Export logs to third-party SIEMs
Use Azure AD Workbooks and alerts for analysis (excluding KQL)