█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Identity and Access Management/Hands-on: Microsoft Entra ID
50 minIntermediate

Hands-on: Microsoft Entra ID

After this lesson, you will be able to: Use the Microsoft Entra ID free tier to create users, assign roles, configure MFA, and write a basic conditional-access rule.

Microsoft Entra ID (formerly Azure AD) is the identity directory behind Microsoft 365, Azure, and tens of thousands of enterprise apps. The free tier is enough to learn the entire workflow that real IT and security teams use day to day. This lesson walks through provisioning users, assigning role-based access, turning on MFA, and authoring a conditional-access policy from scratch.

Prerequisites:Privileged Access Management

Why Entra matters even if you never touch Microsoft cloud

Entra ID is the identity layer for the majority of Fortune 500 companies. Even pure-AWS shops often use Entra as their workforce IdP and federate into AWS. Learning Entra unlocks two real career paths: traditional enterprise IAM and modern SaaS identity. Knowing how to navigate the admin centre is a baseline skill on most IAM job descriptions.

Spin up a free Entra tenant

The Microsoft 365 Developer Program gives you a sandbox tenant free for personal learning. Treat it as a lab, never use real personal data.

  1. 1

    Sign up at developer.microsoft.com/microsoft-365/dev-program with a personal Microsoft account

  2. 2

    Provision an Instant Sandbox subscription (this creates a sandbox tenant with sample users and a default domain like yourname.onmicrosoft.com)

  3. 3

    Open entra.microsoft.com and sign in as the global admin you just created

  4. 4

    In the Overview blade, note your tenant ID and the default domain, you'll need both later

Create a user and assign a role

Provisioning a user with least-privilege role assignment is the single most common IAM admin task.

  1. 1

    Identity > Users > New user > Create new user (set a display name, principal name, and temp password)

  2. 2

    Review the Roles tab and assign the User Administrator role (NOT Global Admin, demonstrate least privilege)

  3. 3

    Save, then open an InPrivate browser and sign in as the new user to verify they can create other users but cannot, for example, modify billing

  4. 4

    Audit who has Global Admin in your tenant under Identity > Roles & admins > Global Administrator; in a real tenant this list should be tiny (2-4 people)

Turn on MFA and authoring conditional access

Conditional Access is the policy engine that decides who can sign in from where with what factor. Spend time here.

  1. 1

    Identity > Protection > Security Defaults: confirm they're enabled (this enforces MFA for admins out of the box)

  2. 2

    Protection > Conditional Access > New policy

  3. 3

    Assign to a specific test user group (NOT All users while you experiment)

  4. 4

    Grant control: Require multifactor authentication

  5. 5

    Under Conditions, add: Locations > exclude trusted IPs (your home IP)

  6. 6

    Set the policy to Report-only first, watch sign-in logs for a day, then flip to On

  7. 7

    Verify the policy fires by signing in from a new device or VPN and seeing the MFA prompt

💡 What this looks like on a resume

'Configured Microsoft Entra ID conditional access policies enforcing MFA for privileged accounts and trusted-location bypass for service desk, reducing helpdesk MFA tickets by 30%.' Hiring managers care about Entra hands-on far more than theory. Even a sandbox-tenant project counts when you write up what you did.

Common mistakes only experienced admins catch

Assigning Global Admin instead of a scoped role (the #1 audit finding in enterprise tenants). Leaving Conditional Access policies in Report-only forever (always plan a flip-to-On date). Forgetting to exclude break-glass accounts from every conditional-access policy (lock yourself out exactly once and you'll remember forever). Not enabling sign-in risk policies (Identity Protection catches token theft and impossible-travel automatically).

Quick Check

Which Entra role grants the LEAST privilege for someone who only needs to reset user passwords?

Pick the role that follows least privilege.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Privileged Access Management
Back to Identity and Access Management
Hands-on: AWS IAM Policies→