SC-300 - Lab 11 - 15

Security-focused Cloud & Automation Engineer with a Master’s in Computer Science and 6+ years of experience automating and supporting enterprise IT environments across multi-site corporate and operational infrastructures. Proficient in Python scripting, Azure infrastructure, Windows Server, and identity management. Skilled in integrating third-party platforms, securing configurations, and streamlining operations. Currently pursuing the Cybersecurity Architect Expert certification with a strong focus on cloud security and automation.
I’m Amir Rouhanipoor, an IT Consultant specializing in Azure and cloud solutions. I help organizations streamline their IT and drive growth through secure, efficient cloud technologies.
Visit the Microsoft Learn GitHub repository for the complete lab instructions.
Lab 11 - Assign Azure resource roles in Privileged Identity Management
Login type = Azure Resource login
Microsoft Entra Privileged Identity Management (PIM) can manage the built-in Azure resource roles, as well as custom roles, including (but not limited to):
Owner
User Access Administrator
Contributor
Security Admin
Security Manager
You need to make a user eligible for an Azure resource role.
- Sign in to Microsoft Entra, search for and select Privileged Identity Management (PIM), then on the left pane select Azure resources. After selecting your subscription, click Manage resources and then Overview.

- Click Assignments on the left and assign a role to a user. On the assignment page, under Settings, set Assignment type to Eligible and specify the start and end time.



Alternatively, select Active:

Assignment types:
Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing an MFA check, providing a business justification, or requesting approval from designated approvers.
Active assignments do not require the member to perform any action to use the role. Members assigned as active have the privileges always assigned to the role.
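The difference between the two assignment types shows up directly in the request that PIM sends to Azure Resource Manager: an Eligible assignment is a role *eligibility* schedule request, an Active one is a role *assignment* schedule request, and both carry a schedule with a start and an expiration. The following Python helper is an added example, not Microsoft's tooling or the lab's own code; it assumes the request shape of the Microsoft.Authorization roleEligibilityScheduleRequests / roleAssignmentScheduleRequests resources at api-version 2020-10-01, and every subscription, principal and role-definition ID in it is a placeholder.

```python
"""Build the ARM request for a PIM Azure-resource role assignment.

Constructed example (not Microsoft's tooling).  Assumptions: request shape of
Microsoft.Authorization roleEligibilityScheduleRequests / roleAssignmentScheduleRequests,
api-version 2020-10-01; all IDs are placeholders.
"""
import uuid
from datetime import datetime, timezone, timedelta

API_VERSION = "2020-10-01"
RESOURCE_TYPES = {
    "Eligible": "roleEligibilityScheduleRequests",  # member must activate before use
    "Active": "roleAssignmentScheduleRequests",     # privileges held for the whole window
}


def _iso_duration(td: timedelta) -> str:
    """ISO 8601 duration in whole days/hours/minutes, e.g. P30D or PT8H."""
    days, rem = divmod(int(td.total_seconds()), 86400)
    hours, rem = divmod(rem, 3600)
    minutes = rem // 60
    out = "P" + (f"{days}D" if days else "")
    if hours or minutes:
        out += "T" + (f"{hours}H" if hours else "") + (f"{minutes}M" if minutes else "")
    return out if out != "P" else "PT0M"


def build_pim_request(assignment_type, scope, principal_id, role_definition_id,
                      start, end=None, duration=None, justification="", request_name=None):
    """Return (url, body) for an AdminAssign request.

    Exactly one of end/duration may be given; neither means NoExpiration
    (a permanent assignment, which for Active assignments deserves a second look).
    """
    if assignment_type not in RESOURCE_TYPES:
        raise ValueError(f"assignment type must be one of {list(RESOURCE_TYPES)}")
    if end is not None and duration is not None:
        raise ValueError("give either an end time or a duration, not both")
    if end is not None and end <= start:
        raise ValueError("end time must be after start time")
    if duration is not None and duration <= timedelta(0):
        raise ValueError("duration must be positive")

    if end is not None:
        expiration = {"type": "AfterDateTime", "endDateTime": end.isoformat()}
    elif duration is not None:
        expiration = {"type": "AfterDuration", "duration": _iso_duration(duration)}
    else:
        expiration = {"type": "NoExpiration"}

    name = request_name or str(uuid.uuid4())  # request names are GUIDs
    url = (f"https://management.azure.com{scope}/providers/Microsoft.Authorization/"
           f"{RESOURCE_TYPES[assignment_type]}/{name}?api-version={API_VERSION}")
    body = {"properties": {
        "principalId": principal_id,
        "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
        "requestType": "AdminAssign",
        "justification": justification,
        "scheduleInfo": {"startDateTime": start.isoformat(), "expiration": expiration},
    }}
    return url, body


if __name__ == "__main__":
    # Placeholder IDs (constructed): make DebraB eligible for a role for 30 days.
    scope = "/subscriptions/00000000-0000-0000-0000-000000000000"
    url, body = build_pim_request(
        "Eligible", scope, "PLACEHOLDER-PRINCIPAL-ID", "PLACEHOLDER-ROLE-DEFINITION-ID",
        start=datetime.now(timezone.utc), duration=timedelta(days=30),
        justification="Lab 11 eligible assignment")
    print(url)
    print(body)
```

Sending the request (a PUT with a bearer token for the ARM audience) is deliberately left out; the point of the helper is that the assignment type, scope and schedule are validated before anything reaches the tenant.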
Lab 12 - Manage Microsoft Entra smart lockout values
You’re learning to customize Smart Lockout settings in Microsoft Entra ID to enhance password protection and prevent unauthorized access by blocking repeated failed sign-in attempts (e.g., brute-force attacks).
What Smart Lockout Does
If a user types the wrong password too many times:
Their account will be temporarily locked (for the duration you set).
Failed attempts are counted whether they come from the real user or from an attacker; smart lockout logic is what tells familiar sign-in locations apart from unfamiliar ones.
Users will see:
“Your account is temporarily locked to prevent unauthorized use…”

Sign in to Microsoft Entra
Go to https://entra.microsoft.com using a Global Admin account.
Navigate to:
Identity → Protection → Authentication methods → Password protection
Configure settings:
Lockout duration: 120 seconds
Mode: Enforced
Save changes
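To see what the two settings actually do, the following Python simulation is an added example (not Microsoft's implementation and not part of the lab). It assumes Entra's documented default threshold of 10 failed attempts, the 120-second duration set in this lab, the documented behaviour that re-entering the same wrong password does not advance the counter (recent bad-password hashes are remembered), that a locked account refuses even the correct password until the window ends, and that the first failure after a window expires locks the account again. The user name and passwords are constructed.

```python
"""Simulation of Microsoft Entra smart lockout counting.

Constructed example (not Microsoft's implementation).  Assumptions: default
threshold of 10 failed attempts; 120-second duration from Lab 12; repeated
identical wrong passwords do not advance the counter; a locked account refuses
the correct password; the first failure after the window expires re-locks.
"""
import hashlib
import time
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 10      # Entra default (assumption; the lab does not change it)
LOCKOUT_DURATION_S = 120    # value configured in Lab 12
LOCKED_MESSAGE = "Your account is temporarily locked to prevent unauthorized use..."


@dataclass
class AccountState:
    failed_count: int = 0
    locked_until: float = 0.0
    recent_bad_hashes: list = field(default_factory=list)  # last three bad-password hashes


class SmartLockout:
    def __init__(self, threshold=LOCKOUT_THRESHOLD, duration_s=LOCKOUT_DURATION_S, clock=time.time):
        self.threshold = threshold
        self.duration_s = duration_s
        self.clock = clock                       # injectable so tests can advance time
        self.accounts: dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, correct_password: str) -> tuple[bool, str]:
        """Process one sign-in attempt and return (success, message shown to the user)."""
        st = self.accounts.setdefault(user, AccountState())
        now = self.clock()
        if now < st.locked_until:
            return False, LOCKED_MESSAGE         # locked: refused even with the right password
        if password == correct_password:
            st.failed_count = 0                  # success resets the counter and the window
            st.locked_until = 0.0
            st.recent_bad_hashes.clear()
            return True, "signed in"
        digest = hashlib.sha256(password.encode()).hexdigest()
        if digest in st.recent_bad_hashes:
            return False, "invalid password (repeat, counter not incremented)"
        st.recent_bad_hashes = (st.recent_bad_hashes + [digest])[-3:]
        st.failed_count += 1
        if st.failed_count >= self.threshold:
            # Counter is not reset when the window expires, so the next failure re-locks.
            st.locked_until = now + self.duration_s
            return False, LOCKED_MESSAGE
        return False, f"invalid password ({st.failed_count}/{self.threshold})"

    def is_locked(self, user: str) -> bool:
        st = self.accounts.get(user)
        return bool(st) and self.clock() < st.locked_until


if __name__ == "__main__":
    # Constructed scenario: a run of distinct wrong passwords against one account.
    sl = SmartLockout()
    for i in range(LOCKOUT_THRESHOLD):
        print(sl.attempt("debrab", f"guess{i}", "CorrectPassword!"))
    print("locked:", sl.is_locked("debrab"))
```

Reading the output alongside the sign-in logs is the useful part: repeated submissions of one wrong password by a confused user do not lock the account, while a spread of distinct guesses does, and the lock holds for the configured 120 seconds regardless of which password arrives next.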
Lab 13 - Implement and test a conditional access policy
Exercise 1 - Set a conditional access policy to block DebraB from accessing Sway
- Sign in to office.com with DebraB’s account and confirm she has access to Sway.


- Create a Conditional Access policy: Entra ID > Identity > Protection > Conditional Access > Overview > Create new policy

Now when she signs in she gets this error:

- Under Enable policy, select Off and try again: after signing out and back in, she can use Sway again.
Exercise 2 - Test conditional access policies with "What if"
- Test Conditional Access with the What If tool: Entra ID > Identity > Protection > Conditional Access > Policies > What If. Under User or workload identity select Debra, under Cloud apps select Sway, and then select What If.


Exercise 3 - Configure sign-in frequency controls using a conditional access policy
Sign in with Global Administrator credentials and go to Entra ID > Identity > Protection > Conditional Access > Overview > Create new policy.
Name the policy “sign in frequency”, add Office 365 under Target resources, and then configure these settings under Session:

Note: Report-only mode is a new Conditional Access policy state that enables administrators to assess the impact of policies before enforcing them in their environment. With this feature:
Conditional Access policies can be configured in report-only mode.
During user sign-in, policies in report-only mode are evaluated but not enforced.
Evaluation results are recorded in the Conditional Access and Report-only tabs within the sign-in log details.
Customers with an Azure Monitor subscription can further analyze policy impact using the Conditional Access insights workbook.
Lab 14 - Enable sign in and user risk policies
Login type = Microsoft 365 admin
To enhance security, it’s recommended to enable and configure your Microsoft Entra organization’s sign-in risk and user risk policies.
- To enable the user risk policy, go to Entra ID > Identity > Protection > Identity Protection > User risk policy > Assignments > select All users > under User risk select High > under Controls select Block access > leave the policy enabled:

- To enable the sign-in risk policy, go to Entra ID > Identity > Protection > Identity Protection > Sign-in risk policy > Assignments > select All users > under Sign-in risk select High > under Controls select Require multifactor authentication > leave the policy enabled and then select Save

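The What If tool in Lab 13, the report-only note, and the risk policies in Lab 14 all come down to the same evaluation: which policies match a sign-in (user, app, risk level), which of those are enforced rather than merely reported, and what the combined result is. The following Python evaluator is an added example, not the Entra evaluation engine or the lab's code. It assumes the shape of the Microsoft Graph conditionalAccessPolicy resource (displayName, state, conditions.users, conditions.applications, userRiskLevels, signInRiskLevels, grantControls.builtInControls, sessionControls.signInFrequency); the Lab 14 risk policies, which the lab configures in Identity Protection, are expressed here as the equivalent Conditional Access risk conditions. The user and app identifiers are constructed placeholders, and the lab's "sign in frequency" policy is given the report-only state to show what that state does.

```python
"""Local 'What If'-style evaluation of Conditional Access policies.

Constructed example (not the Entra engine).  Policy shape follows the Graph
conditionalAccessPolicy resource; user/app identifiers are placeholders.
"""
from dataclasses import dataclass


@dataclass
class SignIn:
    user_id: str
    app_id: str
    user_risk: str = "none"       # none | low | medium | high
    sign_in_risk: str = "none"


def _matches(include, exclude, value, all_keyword="All") -> bool:
    """Exclusions always win over inclusions, as in Conditional Access."""
    if value in exclude:
        return False
    return all_keyword in include or value in include


def _risk_matches(levels, level) -> bool:
    """A policy with no risk condition matches any risk; otherwise the level must be listed."""
    return not levels or level in levels


def policy_applies(policy: dict, s: SignIn) -> bool:
    c = policy["conditions"]
    users, apps = c["users"], c["applications"]
    return (_matches(users.get("includeUsers", []), users.get("excludeUsers", []), s.user_id)
            and _matches(apps.get("includeApplications", []), apps.get("excludeApplications", []), s.app_id)
            and _risk_matches(c.get("userRiskLevels", []), s.user_risk)
            and _risk_matches(c.get("signInRiskLevels", []), s.sign_in_risk))


def evaluate(policies, s: SignIn) -> dict:
    """Combine all policies: 'block' beats 'mfa' beats 'allow'.

    Report-only policies are evaluated and listed but never enforced, and their
    session controls are not applied; disabled policies are skipped entirely.
    """
    result = {"decision": "allow", "enforced": [], "report_only": [], "session": {}}
    for p in policies:
        if p["state"] == "disabled" or not policy_applies(p, s):
            continue
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        outcome = "block" if "block" in controls else ("mfa" if "mfa" in controls else "allow")
        if p["state"] == "enabledForReportingButNotEnforced":
            result["report_only"].append((p["displayName"], outcome))
            continue
        result["enforced"].append((p["displayName"], outcome))
        if outcome == "block":
            result["decision"] = "block"
        elif outcome == "mfa" and result["decision"] != "block":
            result["decision"] = "mfa"
        sif = (p.get("sessionControls") or {}).get("signInFrequency")
        if sif and sif.get("isEnabled"):
            result["session"]["signInFrequency"] = f"{sif['value']} {sif['type']}"
    return result


# Constructed identifiers (not real tenant or application IDs).
DEBRA = "user-debrab"
SWAY = "app-sway"
O365 = "Office365"   # keyword for the Office 365 app group in Graph policies

LAB_POLICIES = [
    {"displayName": "Block DebraB from Sway", "state": "enabled",
     "conditions": {"users": {"includeUsers": [DEBRA]},
                    "applications": {"includeApplications": [SWAY]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "sign in frequency", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": [O365]}},
     "sessionControls": {"signInFrequency": {"value": 1, "type": "hours", "isEnabled": True}}},
    {"displayName": "User risk high - block", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "userRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Sign-in risk high - MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "signInRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    print(evaluate(LAB_POLICIES, SignIn(DEBRA, SWAY)))
    print(evaluate(LAB_POLICIES, SignIn("user-other", O365, sign_in_risk="high")))
```

Two details of the real service are worth keeping in mind when reading the result: an excluded user never matches even if also included, which is why exclusions are checked first, and a report-only policy contributes to the "report_only" list (what the sign-in log's Report-only tab would show) without changing the decision.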
Lab 15 - Configure an MFA registration policy
Login type = Microsoft 365 admin
To enable users to respond to MFA prompts, they must first register for Microsoft Entra multifactor authentication. Ensure that your organization’s MFA registration policy is configured and assigned to all users.
- To set up the MFA registration policy, sign in to entra.microsoft.com as a Global Administrator > Identity > Protection > Identity Protection > MFA registration policy.
You can change the assignment from All users to selected individuals and groups, or exclude users from the policy, but note that Require Azure AD MFA registration cannot be changed.

The Require Azure AD MFA registration checkbox is shown, even though it cannot be changed, to make the policy’s purpose clear, keep the UI consistent, and support auditing.
- To configure the Microsoft Entra Identity Protection policy for MFA registration, set the Enforce policy toggle shown above to On. (This requires MFA registration at the user’s next sign-in.)
Note: Microsoft Entra Identity Protection requires Microsoft Entra ID Premium P2 to be activated.