Hey folks, I have to start with a massive shout-out to Morten Knudsen and his entire team at Experts Live Denmark where I’m just returning from.
Organizing an event for over 1,200 attendees is no small feat, and they pulled it off with incredible energy and precision. It was easily one of the most impressive community gatherings I’ve been a part of.
Amidst that massive crowd, I had the privilege of co-leading a deep-dive Identity Masterclass alongside four exceptional Microsoft MVPs: Jan Vidar Elven, Pim Jacobs, Thomas Naunheim, and Klaus Bierschenk.
We weren’t sure what to expect, but the response was overwhelming. We had over 120 dedicated attendees who stayed with us for the full 7-hour session - diving deep into the weeds of Entra ID, governance, privileged access, Agent ID and more. Instead of theory-heavy slides, we built a practical, end-to-end governance story.
Because we believe this knowledge should be accessible, we are now giving away the labs for free so everyone can skill up, learn, and implement these patterns in their own environments.
Here’s the core of what we covered, what you will learn in this podcast walkthrough of the labs, and what you can try out yourself today!
Links to GitHub repo and YouTube video below.
Sponsored by:
If you’re a systems administrator, you already know – patching is painful. It’s time-consuming, risky, and one small mistake can mean downtime. So, it gets postponed. Again. And again. What if patching was just… Easy?
Introducing Action1, a cloud-native patch management platform for Windows, macOS, Linux, and third-party apps. You’ll be up and running in five minutes. No infrastructure to maintain. No complexity.
And here’s the best part: you can use Action1 on your first 200 endpoints for free. Forever. No feature limits. No credit card. No hidden tricks. Seriously, it’s NOT a disguised free trial. Too good to be true? Too good and actually true! Check for yourself, go to: on.action1.com/entrachat
So, if you’re looking for an easy-to-use patching tool that would help you save weeks, if not months of your time, go to on.action1.com/entrachat and sign up for “Patching That Just Works”.
1️⃣ Inbound Provisioning: Start with a Source of Truth
Most identity problems start with one issue:
There is no clean, authoritative identity source.
We demonstrated how to use Inbound Provisioning in Entra to:
Accept identity payloads via Microsoft Graph
Create users in a disabled state
Capture attributes like hire date, leave date, department
Treat HR (or another system) as the lifecycle authority
Why this matters
If identities are manually created:
Joiners are inconsistent
Leavers are missed
Privileged accounts become orphaned
Inbound provisioning allows you to:
Standardize creation
Attach lifecycle automation immediately
Reduce manual admin overhead
Key concept:
Provision first. Enable later. Automate everything in between.
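As an added illustration (not code from the masterclass labs), here is a Python builder for the SCIM BulkRequest that API-driven inbound provisioning accepts, creating each user disabled and carrying the lifecycle attributes, plus a pre-upload check. The HR date extension URN, the contoso.example users and the upload path in the comment are assumptions; map them to your own provisioning schema.

```python
import json

# Schema URNs used by Entra API-driven inbound provisioning (SCIM 2.0 bulk request).
BULK_REQUEST = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Assumed custom extension for the HR dates; the URN must match your attribute mapping.
HR_EXT = "urn:ietf:params:scim:schemas:extension:contoso:1.0:User"

def user_create_op(bulk_id, external_id, upn, given, family, department, hire_date, leave_date=None):
    """One POST operation in the bulk request; active=False creates the user disabled."""
    data = {
        "schemas": [CORE_USER, ENTERPRISE_USER, HR_EXT],
        "externalId": external_id,  # HR employee id: the join key back to the source of truth
        "userName": upn,
        "name": {"givenName": given, "familyName": family},
        "active": False,  # provision first; the lifecycle workflow enables the account later
        ENTERPRISE_USER: {"department": department},
        HR_EXT: {"hireDate": hire_date, "leaveDate": leave_date},
    }
    return {"method": "POST", "bulkId": bulk_id, "path": "/Users", "data": data}

def bulk_request(operations):
    return {"schemas": [BULK_REQUEST], "Operations": operations, "failOnErrors": None}

def validate_bulk_request(req):
    """Return the problems found; empty means every user is created disabled with lifecycle attributes."""
    problems = []
    if req.get("schemas") != [BULK_REQUEST]:
        problems.append("missing BulkRequest schema")
    for op in req.get("Operations", []):
        tag, data = op.get("bulkId", "?"), op.get("data", {})
        if data.get("active") is not False:
            problems.append(f"{tag}: must be created disabled (active=false)")
        if not data.get("externalId"):
            problems.append(f"{tag}: externalId missing, cannot be matched to the HR record")
        if not data.get(ENTERPRISE_USER, {}).get("department"):
            problems.append(f"{tag}: department missing")
        if not data.get(HR_EXT, {}).get("hireDate"):
            problems.append(f"{tag}: hireDate missing, pre-hire workflow cannot trigger")
    return problems

if __name__ == "__main__":
    # Constructed sample; upload it with POST .../synchronization/jobs/{jobId}/bulkUpload (application/scim+json)
    req = bulk_request([
        user_create_op("701984", "701984", "alice@contoso.example", "Alice", "Smith", "Finance", "2026-03-02"),
        user_create_op("701985", "701985", "bob@contoso.example", "Bob", "Jones", "IT", "2026-03-09", "2026-12-31"),
    ])
    print(json.dumps(req, indent=2), validate_bulk_request(req))
```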
2️⃣ Lifecycle Workflows: Automate Joiner / Mover / Leaver
Once a user is provisioned, lifecycle workflows take over.
We implemented:
Pre-hire workflow
Day-one onboarding workflow
Post-onboarding actions
Triggers included:
Employee hire date
Creation time
Group membership
Attribute changes
Real-world onboarding pattern
Account is created disabled
Workflow enables the account at the correct time
Temporary Access Pass (TAP) is generated
TAP is sent securely
Access is assigned automatically
This reduces:
Manual enablement
Helpdesk load
Security gaps
Design principle:
Automation should enforce timing — not people.
3️⃣ Privileged Account Design: Separate the Identities
We had a strong opinion in the session:
Admin accounts should be separate and cloud-only.
Why?
Syncing privileged accounts from on-prem introduces risk
HR systems should not directly control privileged identities
Governance features work best with cloud-native identities
We explored three creation patterns:
Inbound provisioning for privileged accounts
Access Packages (with auto-assignment or request model)
Lifecycle workflows + custom Logic Apps
Each has trade-offs.
What matters most:
Privileged identities must be:
Separately authenticated
Phishing-resistant (FIDO2 or passkeys)
Independently governed
Linked for offboarding
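An added check in Python, not part of the labs, that audits an exported list of privileged-role members against these requirements. The onPremisesSyncEnabled property and the method @odata.type values are real Microsoft Graph names; the owner attribute that records the linked everyday account, and the sample accounts, are assumptions.

```python
# Graph @odata.type values for phishing-resistant authentication methods.
PHISHING_RESISTANT = {
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
    "#microsoft.graph.x509CertificateAuthenticationMethod",
}

# Constructed sample: privileged-role members exported from the tenant, each joined with the
# @odata.type of its registered methods and an assumed "owner" attribute holding the linked
# everyday account (the session describes the link; where you store it is your choice).
SAMPLE_ADMINS = [
    {"userPrincipalName": "adm-alice@contoso.example", "onPremisesSyncEnabled": None,
     "methods": ["#microsoft.graph.fido2AuthenticationMethod"], "owner": "alice@contoso.example"},
    {"userPrincipalName": "bob@contoso.example", "onPremisesSyncEnabled": True,
     "methods": ["#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"], "owner": None},
    {"userPrincipalName": "adm-carol@contoso.example", "onPremisesSyncEnabled": None,
     "methods": ["#microsoft.graph.passwordAuthenticationMethod"], "owner": "carol@contoso.example"},
]

def audit_privileged_account(acct):
    """Return the findings for one account against the session's requirements."""
    findings = []
    upn = acct["userPrincipalName"]
    if acct.get("onPremisesSyncEnabled"):
        findings.append("synced from on-prem: admin identities should be cloud-only")
    if not acct.get("owner"):
        findings.append("no linked owner identity: cannot be offboarded with the person")
    elif acct["owner"].lower() == upn.lower():
        findings.append("admin and everyday identity are the same account: not separately authenticated")
    if not PHISHING_RESISTANT.intersection(acct.get("methods", [])):
        findings.append("no phishing-resistant method (FIDO2/passkey/WHfB/certificate) registered")
    return findings

def audit_all(accounts):
    """Map UPN -> findings, listing only the accounts that fail at least one check."""
    report = {}
    for acct in accounts:
        findings = audit_privileged_account(acct)
        if findings:
            report[acct["userPrincipalName"]] = findings
    return report

if __name__ == "__main__":
    for upn, findings in audit_all(SAMPLE_ADMINS).items():
        print(upn)
        for f in findings:
            print("  -", f)
```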
4️⃣ Linking Identities for Investigation
One challenge in Entra:
There’s no native “this person owns these 3 accounts” view.
We explored identity linking in Microsoft Defender XDR, where:
Multiple accounts can be associated to one identity
Incident investigations become clearer
Privileged activity can be correlated with user context
This becomes critical during:
Compromise investigations
Insider threat analysis
Lateral movement tracking
Security takeaway:
If you can’t correlate identities, you can’t fully investigate them.
5️⃣ Backup & Restore: The Truth About Entra
There is no traditional backup system in Entra.
Instead, you have:
Soft-delete (with recycle bin)
Hard-delete (irreversible)
API-based recovery
Configuration export strategies
We discussed:
Protecting deleted items with Protected Actions
Using Conditional Access to restrict destructive operations
Exporting configuration JSON regularly
Monitoring configuration drift
Reality:
If you aren’t exporting your tenant configuration, recovery becomes manual and painful.
Governance is not just about creation — it’s about resilience.
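An added example in Python (not from the labs) of the drift-monitoring step: diff two JSON exports of a Conditional Access policy set and name every attribute that changed. The snapshots and their ids are constructed placeholders, not real tenant values.

```python
import json

# Constructed snapshots of an exported Conditional Access policy set, trimmed to a few
# fields and keyed by policy id; the ids are placeholders, not real tenant values.
SNAPSHOT_BASELINE = {
    "ca-policy-0001": {"displayName": "Admins: require phishing-resistant MFA", "state": "enabled",
                       "conditions": {"users": {"includeRoles": ["<global-admin-role-id>"]}},
                       "grantControls": {"authenticationStrength": {"displayName": "Phishing-resistant MFA"}}},
    "ca-policy-0002": {"displayName": "Block legacy authentication", "state": "enabled",
                       "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
                       "grantControls": {"builtInControls": ["block"]}},
}
# The later export: policy 1 quietly moved to report-only, policy 2 was deleted, policy 3 appeared.
SNAPSHOT_CURRENT = {
    "ca-policy-0001": {"displayName": "Admins: require phishing-resistant MFA",
                       "state": "enabledForReportingButNotEnforced",
                       "conditions": {"users": {"includeRoles": ["<global-admin-role-id>"]}},
                       "grantControls": {"authenticationStrength": {"displayName": "Phishing-resistant MFA"}}},
    "ca-policy-0003": {"displayName": "Temp: contractors bypass", "state": "enabled",
                       "conditions": {"users": {"includeGroups": ["<contractors-group-id>"]}},
                       "grantControls": {"builtInControls": ["mfa"]}},
}

def flatten(obj, prefix=""):
    """Flatten nested dicts/lists into {dotted.path: leaf} so each changed attribute is named."""
    if isinstance(obj, dict):
        items = obj.items()
    elif isinstance(obj, list):
        items = ((str(i), v) for i, v in enumerate(obj))
    else:
        return {prefix: obj}
    out = {}
    for k, v in items:
        out.update(flatten(v, f"{prefix}.{k}" if prefix else str(k)))
    return out

def diff_config(baseline, current):
    """Drift between two exports: ids added, ids removed, and per-id {path: (old, new)} changes."""
    drift = {"added": sorted(set(current) - set(baseline)),
             "removed": sorted(set(baseline) - set(current)), "changed": {}}
    for oid in set(baseline) & set(current):
        old, new = flatten(baseline[oid]), flatten(current[oid])
        changes = {p: (old.get(p), new.get(p)) for p in sorted(set(old) | set(new)) if old.get(p) != new.get(p)}
        if changes:
            drift["changed"][oid] = changes
    return drift

if __name__ == "__main__":
    print(json.dumps(diff_config(SNAPSHOT_BASELINE, SNAPSHOT_CURRENT), indent=2))
```

Run it from a scheduled job against yesterday's and today's export and alert on any non-empty result; a policy that silently drops to report-only is exactly the change that would otherwise go unnoticed.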
6️⃣ Protected Actions + Conditional Access
A powerful but underused feature:
Protected Actions.
You can require Conditional Access enforcement before allowing:
Hard deletes
Sensitive configuration changes
Example:
Only allow permanent deletion from a compliant device
Only allow from a trusted location
Require phishing-resistant authentication
Even Global Admins must pass policy.
Security mindset shift:
Admin role ≠ unlimited ability.
7️⃣ Agent ID & Blueprints: The Future of Identity for AI
We also explored Agent ID — one of the newer capabilities in Entra.
Why not just use a service principal?
Because agents:
Need stronger guardrails
Must support per-user instances
Require conditional access enforcement
Must be auditable at scale
Blueprints allow:
A parent definition of permissions
Individual agent instances per user
Centralized governance over many agents
As AI agents scale, identity must scale securely with them.
Forward-looking insight:
Agent governance will soon be as important as user governance.
8️⃣ Design Philosophy Behind the Lab
The entire masterclass was built around one principle:
Identity is a lifecycle, not a login.
We covered:
Provision → Enable → Assign → Elevate → Monitor → Protect → Offboard → Recover
If any step is manual, inconsistent, or undocumented — risk increases.
The labs give you a complete pattern you can implement in your own tenant.
🎯 What You Should Do Next
Watch/listen to the full podcast where we walk you through the labs.
Go try out the labs at github.com/IdentityMan/MasterclassELDK26 in your own tenant.
Subscribe with your favorite podcast player or watch on YouTube 👇
About us
Jan Vidar Elven, Security MVP - https://www.linkedin.com/in/janvidarelven
Pim Jacobs, Security MVP - https://www.linkedin.com/in/pimjacobs89
Thomas Naunheim, Security MVP - https://www.linkedin.com/in/thomasnaunheim
Klaus Bierschenk, Security MVP - https://www.linkedin.com/in/klabier
📗 Chapters
00:00 Intro
00:50 Open Sourcing the Entra Lab
03:42 Entra ID Inbound Provisioning
08:05 Lifecycle Workflows and Governance
10:57 Securing Privileged Admin Accounts
16:21 Offboarding and Linked Identities
19:51 Sponsor: Action1
21:02 Entra ID Backup, Restore & Protected Actions
26:08 Exploring Agent ID and Blueprints
30:28 How to Access the Open Source Lab
Podcast Apps
🎙️ Entra.Chat - https://entra.chat
🎧 Apple Podcast → https://entra.chat/apple
📺 YouTube → https://entra.chat/youtube
📺 Spotify → https://entra.chat/spotify
🎧 Overcast → https://entra.chat/overcast
🎧 Pocketcast → https://entra.chat/pocketcast
🎧 Others → https://entra.chat/rss
Merill’s socials
📺 YouTube → youtube.com/@merillx
👔 LinkedIn → linkedin.com/in/merill
🐤 Twitter → twitter.com/merill
🕺 TikTok → tiktok.com/@merillf
🦋 Bluesky → bsky.app/profile/merill.net
🐘 Mastodon → infosec.exchange/@merill
🧵 Threads → threads.net/@merillf
🤖 GitHub → github.com/merill