Courses and Conferences

Contact
  1. Danish Technological Institute
  2. Courses
  3. Business areas
  4. IT Courses
  5. Cloud
  6. Microsoft Identity Master
DTI Main Reception

Do you need help?

  • Gregersensvej 8
  • 2630 Taastrup
Google MapsApple MapsRejseplanen
  • Forskerparken Fyn, Forskerparken 10F
  • 5230 Odense M
Google MapsApple MapsRejseplanen
  • Teknologiparken Kongsvang Allé 29
  • 8000 Aarhus C
Google MapsApple MapsRejseplanen
  • NordsøcentretPostboks 104
  • 9850Hirtshals
Google MapsApple MapsRejseplanen
  • Gammel Ålbovej 1
  • 6092Sønder Stenderup
Google MapsApple MapsRejseplanen
5 days course

Microsoft Identity Master

This intensive 5-day master class delivers Level 400 training on Microsoft Entra ID, hybrid identity, and cloud-native migration. Designed for experienced identity architects, IAM engineers, and security practitioners, this course goes significantly beyond Microsoft's standard curriculum with real-world deployment scenarios, advanced troubleshooting, and production operations expertise.

>> Available in Danish <<

Mastering Identity and Security in the Cloud – For Those Who Aim to Excel

This course spans five intensive days at an advanced level (Level 400), equipping you for the role of Microsoft Identity Master through a blend of lessons (60%) and practical exercises (40%).

A key theme of the course is granting the right people access at the right time – and only then. You’ll gain tools to control who can do what, as well as how to automate and monitor access to avoid errors and misuse. We focus on connecting systems so they can communicate securely, ensuring devices like computers and phones can log in without old-fashioned passwords. The course days are packed with hands-on exercises, allowing you to tackle real-world scenarios and manage both daily operations and the unusual challenges that arise when things don’t work as expected.

You will learn how to integrate identity protection with systems that monitor threats, enabling you to respond swiftly if someone attempts to breach security. We also cover how to grant machines and automated processes secure access without storing secret codes, and how to plan for system continuity should faults or disasters occur.

Prerequisites:

You should hold a SC-300 certification or 3 years or more of equivalent experience, Active Directory administration, PowerShell scripting, authentication protocols (SAML, OAuth, OIDC)

Targit Audience:

Senior Identity Architects, IAM Engineers, Security Operations Engineers, Microsoft 365 platform leads, Infrastructure architects planning AD modernization, independent consultants and Microsoft partners

What you will learn:

  • Design and deploy enterprise-scale Entra ID architectures for 50k+ users
  • Engineer advanced Conditional Access policies with custom authentication strengths
  • Implement passwordless authentication using FIDO2 and Windows Hello for Business
  • Configure PIM and Identity Governance for least-privilege access
  • Deploy Cloud PKI for certificate-based device authentication
  • Troubleshoot complex hybrid identity sync failures in production
  • Integrate Identity Protection with SIEM for automated threat response
  • Build AI agent identity governance using Entra Agent ID
  • Implement workload identity federation for secretless CI/CD pipelines
  • Design disaster recovery strategies for identity infrastructure

Content:

Day 1 — Architecture and Conditional Access

Module 1: Entra ID Architectural Engineering
  • Entra ID architectural layers: directory, authentication, authorization
  • Token flow mechanics: OAuth 2.0, OIDC, SAML deep dive, Continuous Access Evaluation
  • Multi-tenant architecture and cross-tenant synchronization
  • Entra Connect sync engine internals, performance tuning for 100k+ objects
  • Lab 1: Decode a Live Access Token with PowerShell
Module 2: Conditional Access Engineering
  • CA policy evaluation flow, precedence, Named Locations (IP, GPS)
  • Authentication context and custom authentication strengths
  • CA for workloads: service principals, managed identities, GitHub Actions
  • Policy testing: What-If tool, report-only mode, CA Insights
  • Lab 2: Conditional Access Engineering Workshop

Module 3: AI Agent Identity Deep Dive
  • Entra Agent ID architecture, agent blueprints, and Microsoft Agent 365
  • Semantic Kernel and LangChain identity integration
  • Multi-agent systems: delegation chains and token flow
  • CA policies and risk detection for AI agents, Prompt Shield integration
  • Lab 3: AI Agent Identity — Registration and Governance

Day 2 — Non-Human Identity and Governance

Module 4: Workload & Non-Human Identities
  • Managed identities: system vs user-assigned, token acquisition internals
  • Federated credentials: GitHub OIDC, Kubernetes, cross-cloud patterns
  • Service principal governance: audit, secret rotation, certificate migration
  • SyncJacking attack pattern and Entra Connect hardening
  • Lab 4: Secretless Workload Identity Federation
Module 5: Passwordless & Passkey Engineering
  • FIDO2 and WebAuthn architecture, attestation, passkey sync
  • Windows Hello for Business: trust models, deployment patterns
  • macOS Platform SSO, cross-device authentication flows
  • Enterprise rollout strategy: phased deployment, exception management
  • Lab 5: Passwordless Authentication — WHfB and Passkeys

Module 6: Privileged Identity Management
  • PIM architecture: eligible vs active roles, activation workflows
  • PIM for Groups and Azure Resources, approval chains
  • Access reviews: quarterly attestation, automatic remediation
  • Break-glass account strategy and emergency access procedures
  • Lab 6: Privileged Identity Management — Configuration and Activation

Day 3 — Identity Protection and Hybrid Cloud Engineering

Module 7: Identity Governance Architectural Engineering
  • Lifecycle Workflows: joiner/mover/leaver automation, Logic Apps integration
  • Entitlement Management: access packages, multi-stage approval, SoD
  • Terms of Use enforcement, access review campaigns, SIEM integration
  • Lab 7: Identity Governance — Access Packages and Lifecycle Workflows

Module 8: Identity Protection & Security Copilot
  • User risk vs sign-in risk: detection types, high-confidence signals
  • Adversary-in-the-Middle attacks, token theft, leaked credentials
  • Risk-based CA policies, self-service vs admin remediation
  • Security Copilot in Entra: AI-assisted investigation, Sentinel integration
  • Lab 8: Identity Protection — Risk Policies and Investigation

Module 9: Cloud PKI Deep Dive and EntraID Backup/Restore
  • Cloud PKI: CA hierarchy, certificate lifecycle, SCEP/PFX deployment
  • Certificate-based auth: WiFi 802.1X (EAP-TLS), VPN, S/MIME
  • Entra ID Backup: scope, retention, restore scenarios
  • Disaster recovery: RTO/RPO targets, quarterly testing, DR best practices
  • Lab 9: Cloud PKI and Backup/Restore — Hands-On Deployment

Day 4 — Hybrid Identity, Migration

Module 10: Hybrid Identity — Advanced Engineering
  • Entra Connect sync engine: connector spaces, metaverse, watermarks
  • Sync cycle timing: delta vs full sync, export batching, performance tuning
  • Authentication: PHS vs PTA vs Federation — real-world trade-offs
  • PHS cryptographic security: MD4 ? SHA256 ? PBKDF2 (compliance myths)
  • Seamless SSO: Kerberos mechanics, AENTRA ID SSOACC troubleshooting
  • Custom sync rules: attribute transformations, scoping filters, precedence
  • Staging mode DR: primary + staging server, failover <30min
  • Advanced troubleshooting: duplicate proxy Addresses, soft-match, SQL LocalDB corruption
  • Lab 10 Hybrid Identity — Advanced Engineering Lab

Module 11: Migrating Hybrid Active directory to Cloud Native Lab
  • Migration strategy and readiness assessment, discovery and dependency mapping
  • Source of Authority (SOA) transfer: isCloudManaged API, converting hybrid to cloud-native
  • Application migration: modern (SAML/OIDC), legacy wrapping, Kerberos/LDAP replacement
  • Device modernization: Hybrid Join ? Entra Join, Cloud Kerberos Trust, in-place migration
  • GPO to Intune migration: Group Policy Analytics, Settings Catalog, Security Baselines
  • AD FS retirement: Application Activity Report, app migration, decommissioning sequence
  • AD DS retirement: prerequisites, DC demotion, post-retirement validation
 
 

Day 5 — Zero Trust Engineering & Architecture Design Challenge and Capstone

Module 12: Zero Trust Network Access (Global Secure Access)
  • Global Secure Access architecture: Internet Access and Private Access
  • Compliant network check in CA policies, Universal Tenant Restrictions
  • AI Prompt Shield, BYOD for Windows (Entra-registered devices)
  • Traffic correlation with Entra sign-in logs, DLP integration
  • Lab 12 Global Secure Access — Hands-On Deployment

Module 13: Architecture Design Challenge and Capstone
  • Team-based enterprise scenario: 15,000-user global organization with legacy AD, AD FS, SAP/Oracle ERP
  • Design challenge: authentication strategy, CA stack, governance model, AI agent identity, 12-month migration roadmap
  • Deliverable: Architecture Decision Record (ADR) + 10-slide visual architecture presentation
  • Team presentations, expert debrief, individual ADR submission, competency-based assessment

Instructor

With 30 years of professional experience, Andy Malone is not only a world class conference speaker but is also an award-winning author, and one of the most electrifying voices in the world of cloud and cybersecurity. His passionate style of delivery combined with a sense of fun has become his trademark and has won him multiple awards and global acclaim at events including, Microsoft Ignite, NIC, LIVE 360, Spiceworld, ESPC, and many more. Although teaching and consulting remain his primary focus. Andy also loves to inspire, and there's often an interesting story to be told.

Do you have any course related questions, please contact