**Project 1 – Add a New Guest User**

**Scenario**

As part of a business partnership, we need to invite an external contractor into our Microsoft Entra tenant. This user will require limited access to Microsoft Teams and SharePoint resources. We will perform this action in the Azure portal and validate it against the Entra Control Stack, ensuring governance hygiene, proper auditability, and minimal exposure.

**Step-by-Step Action Flow (Simulated)**

Navigate to Microsoft Entra Admin Center → Identity → Users → New guest user

Choose Invite user

Input guest email: contractor@partnerorg.com

Set display name: Partner Contractor – Marketing

Optional message: “Welcome to our tenant. Access is currently limited to Teams and SharePoint.”

Click Invite

User appears in directory as Guest type (source: External Azure AD)

**Entra Control Stack Mapping**

**Layer 1 – Authority Definition**

✅ Touched
We confirm that the signed-in admin performing the invite has delegated permission (User Administrator or higher). No changes to Global Admin roles are made.

**Layer 2 – Scope Boundaries**

❌ Not affected
No scoped roles, Administrative Units, or exclusions are configured for this guest. Default tenant-wide access boundaries apply.

**Layer 3 – Test Identity Validation**

✅ Light touch
After invite acceptance, the guest account is verified in the user directory. Optional: sign-in simulation can be used to confirm the user appears as "Guest" and logs are created.

**Layer 4 – External Entry Controls**

**✅ Primary control layer**

External collaboration policies govern this flow.

Tenant settings under External Identities > External collaboration settings define default restrictions.

Guest receives access based on these policies unless Conditional Access applies.

**Layer 5 – Privilege Channels**

❌ Not affected
No directory roles or privileged access paths are assigned. Guest is a standard unprivileged identity.

**Layer 6 – Device Trust Enforcement**

❌ Not affected
This guest user is not subject to any device compliance policy unless one is enforced via Conditional Access.

**Layer 7 – Continuous Verification**

✅ Optional post-action control

Guest access should be added to an access review cycle if long-term.

Monitoring of guest sign-ins is possible via Sign-in logs and Microsoft Defender for Identity analytics (if enabled).

Guest users should be periodically reviewed for necessity and scope.

**Observations and Follow-Up**

Guest appeared successfully in directory with UserType: Guest and Source: External Azure AD

No access was granted beyond directory presence (RBAC and resource-level permissions remain unassigned)

Governance alert: recommend that all guest accounts be reviewed periodically using automated Access Reviews (Layer 7)

**No Conditional Access applied during this exercise, though best practice would include requiring MFA for all guests**

**Entra Control Stack: Micro-Project Series**

This series simulates small but common identity tasks in Microsoft Entra ID, each mapped directly to the Entra Control Stack, a seven-layer operational governance model. The projects are intentionally narrow in scope to build muscle memory in tenant navigation, access governance, and control layer mapping.

Each facsimile project follows the principle of real-world simulation—steps are written as if executed live in the Azure portal, and each task is evaluated across the seven layers of the Entra Control Stack. Unaffected layers are explicitly noted to reinforce boundary understanding.

**Selected Micro-Projects**

• Project 1 – Add a New Guest User
Action: Invite an external B2B user to the tenant
Why: Exercises external collaboration policy, guest access review, and audit confirmation

• Project 2 – Change a Global Administrator to a Privileged Role Administrator
Action: Replace Global Admin role with delegated Privileged Role Admin
Why: Promotes least-privilege governance and delegation of sensitive permissions

• Project 3 – Assign User Administrator Role at AU Scope
Action: Assign User Administrator role scoped to a specific Administrative Unit
Why: Demonstrates role scoping and delegated control enforcement

• Project 4 – Remove a Stale User Account
Action: Disable and delete a user account no longer in use
Why: Models deprovisioning, identity hygiene, and audit compliance

• Project 5 – Create a Group and Assign Role
Action: Create a security group and assign a directory role to it
Why: Reinforces group-based RBAC and scalable access control strategies