Microsoft Identity & Endpoint Lab

Hands-on Microsoft cloud administration lab focused on identity, endpoint management, access control, and automation.

---

Overview

This project documents a practical Microsoft cloud administration lab built to strengthen core skills across:

• Microsoft Entra ID user and group administration
• Role-based access control
• Multi-factor authentication
• Conditional Access
• Microsoft Intune compliance and configuration management
• Microsoft Graph PowerShell automation

The lab was built in a separate Microsoft 365 Business Premium tenant and used dedicated lab accounts, security groups, Intune policies, and PowerShell-based exports to simulate common real-world administration tasks.

---

Lab Objectives

• Create and manage users in Microsoft Entra ID
• Build security groups for Intune and Conditional Access targeting
• Assign administrative roles to dedicated lab accounts
• Validate MFA prompting through Conditional Access
• Create Windows compliance and configuration policies in Intune
• Use Microsoft Graph PowerShell to query and export tenant objects
• Document the environment with screenshots and exported outputs

---

Technologies Used

• Microsoft Entra ID
• Microsoft Intune
• Microsoft 365 Business Premium
• Conditional Access
• Multi-Factor Authentication
• Microsoft Graph PowerShell
• PowerShell 7
• Windows 10/11 policy templates
• macOS Terminal

---

Environment Design

Lab Accounts

The lab used dedicated administrative and test accounts:

• Lab Admin
• Breakglass Admin
• Test User 1
• Test User 2

Security Groups

The following security groups were created for policy targeting and access control:

• GRP-Intune-Users
• GRP-CA-All-Users
• GRP-CA-Exclude

Group Purpose

• GRP-Intune-Users
  Used to assign Intune compliance and configuration policies.

• GRP-CA-All-Users
  Used to target Conditional Access policy scope.

• GRP-CA-Exclude
  Used to exclude emergency or recovery accounts from Conditional Access.

---

Completed Lab Work

1. Entra ID User and Group Administration

Completed tasks:

• Created multiple Entra ID lab users
• Assigned Microsoft 365 Business Premium licences
• Created security groups for Intune and Conditional Access
• Verified group membership through both portal and Microsoft Graph

2. Administrative Role Assignment

Completed tasks:

• Assigned administrative access to the dedicated lab admin account
• Configured a separate break-glass account for recovery and exclusion scenarios

3. MFA and Conditional Access

Completed tasks:

• Created a Conditional Access policy for administrative access
• Scoped policy to a defined user target with exclusion handling
• Validated MFA prompt and registration flow for the lab admin account

4. Intune Device Management Foundation

Completed tasks:

• Created a Windows 10/11 compliance policy
  CP01 - Windows Baseline Compliance
• Created a Windows settings catalog configuration profile
  CFG01 - Windows Baseline Settings
• Assigned both policies to GRP-Intune-Users

5. Microsoft Graph PowerShell Automation

Completed tasks:

• Installed PowerShell 7 on macOS
• Installed and imported Microsoft Graph PowerShell
• Connected to Microsoft Graph with delegated permissions
• Queried users and groups from the tenant
• Exported users, groups, and group membership data to CSV

---

PowerShell Automation

Scripts created in this project include:

scripts/powershell/
├── export-users.ps1
├── export-groups.ps1
└── export-group-members.ps1

These scripts were used to:

• export Entra ID users
• export groups
• export group membership relationships

---

Repository Structure

Microsoft-Identity-Endpoint-Lab/
├── README.md
├── docs/
│   ├── build-notes.md
│   ├── users-export.csv
│   ├── groups-export.csv
│   ├── group-members-export.csv
│   └── screenshots/
│       ├── active-users-overview.png
│       ├── lab01-security-groups.png
│       ├── lab02-ca-policy-report-only.png
│       ├── lab02-mfa-prompt.png
│       ├── lab03-windows-compliance-policy.png
│       ├── lab03-windows-config-profile.png
│       └── lab04-group-members-export.png
├── scripts/
│   └── powershell/
└── .gitignore

---

Screenshots

Active Users Overview

Security Groups

Conditional Access Policy

MFA Prompt

Windows Compliance Policy

Windows Configuration Profile

Group Membership Export

---

Key Outcomes

This lab demonstrated practical Microsoft cloud administration capability across identity, security, endpoint management, and automation.

Key outcomes included:

• building a separate Microsoft cloud lab environment
• administering users and groups in Entra ID
• implementing Conditional Access with MFA prompting
• creating Intune compliance and configuration policies
• using Microsoft Graph PowerShell for administrative queries and exports
• documenting the lab with screenshots and scripted outputs

---

Future Improvements

Potential next steps for expanding this lab include:

• device enrollment testing with a Windows endpoint
• Intune application deployment
• additional Conditional Access policies
• Microsoft Graph user lifecycle automation
• licence assignment automation
• reporting and sanitized export workflows for public portfolio use

---

Purpose

This repository forms part of a hands-on cloud administration portfolio focused on practical Microsoft identity, endpoint, and security operations.

It is intended to demonstrate both technical capability and structured documentation across common real-world Microsoft administration tasks.