After this lesson, you will be able to: Use the Microsoft Entra ID free tier to create users, assign roles, configure MFA, and write a basic conditional-access rule.
Microsoft Entra ID (formerly Azure AD) is the identity directory behind Microsoft 365, Azure, and tens of thousands of enterprise apps. The free tier is enough to learn the entire workflow that real IT and security teams use day to day. This lesson walks through provisioning users, assigning role-based access, turning on MFA, and authoring a conditional-access policy from scratch.
Entra ID is the identity layer for the majority of Fortune 500 companies. Even pure-AWS shops often use Entra as their workforce IdP and federate into AWS. Learning Entra unlocks two real career paths: traditional enterprise IAM and modern SaaS identity. Knowing how to navigate the admin centre is a baseline skill on most IAM job descriptions.
The Microsoft 365 Developer Program gives you a sandbox tenant free for personal learning. Treat it as a lab, never use real personal data.
Sign up at developer.microsoft.com/microsoft-365/dev-program with a personal Microsoft account
Provision an Instant Sandbox subscription (this creates a sandbox tenant with sample users and a default domain like yourname.onmicrosoft.com)
Open entra.microsoft.com and sign in as the global admin you just created
In the Overview blade, note your tenant ID and the default domain, you'll need both later
Provisioning a user with least-privilege role assignment is the single most common IAM admin task.
Identity > Users > New user > Create new user (set a display name, principal name, and temp password)
Review the Roles tab and assign the User Administrator role (NOT Global Admin, demonstrate least privilege)
Save, then open an InPrivate browser and sign in as the new user to verify they can create other users but cannot, for example, modify billing
Audit who has Global Admin in your tenant under Identity > Roles & admins > Global Administrator; in a real tenant this list should be tiny (2-4 people)
Conditional Access is the policy engine that decides who can sign in from where with what factor. Spend time here.
Identity > Protection > Security Defaults: confirm they're enabled (this enforces MFA for admins out of the box)
Protection > Conditional Access > New policy
Assign to a specific test user group (NOT All users while you experiment)
Grant control: Require multifactor authentication
Under Conditions, add: Locations > exclude trusted IPs (your home IP)
Set the policy to Report-only first, watch sign-in logs for a day, then flip to On
Verify the policy fires by signing in from a new device or VPN and seeing the MFA prompt
Assigning Global Admin instead of a scoped role (the #1 audit finding in enterprise tenants). Leaving Conditional Access policies in Report-only forever (always plan a flip-to-On date). Forgetting to exclude break-glass accounts from every conditional-access policy (lock yourself out exactly once and you'll remember forever). Not enabling sign-in risk policies (Identity Protection catches token theft and impossible-travel automatically).
Pick the role that follows least privilege.
Sign in and purchase access to unlock this lesson.