**Project Introduction – Entra Control Stack Layer Reference**

This document is a structured, layer-by-layer reference for implementing Microsoft Entra ID governance and security controls in alignment with the Entra Control Stack and SC-300 exam objectives.

 This project serves as a comprehensive technical guide that restates and expands the seven-layer framework in full operational detail. Each layer contains:

**Purpose** – The security and operational rationale for the layer.

**Core Entra Elements** – The Microsoft Entra ID features and configurations that define the control.

**Key Actions** – Implementation or validation steps written in real-tenant style with explicit navigation paths and verification methods.

**Operational Notes** – Why the control matters, common pitfalls, and study tips for SC-300 readiness.

**Audit Frequency & Mnemonics** – Maintenance guidance and memory aids for retention.

The focus is on clarity, explainability, and reusability — making it equally valuable for:

Studying for SC-300

Designing an Entra ID governance model from scratch

Auditing or remediating an existing tenant

Training junior administrators on operational security best practices

**Seven Layers of the Entra Control Stack:**

**Authority Definition** – Establish the **root of trust** by defining and securing Global Administrator and Privileged Role Administrator roles, enforcing separation of duties, and maintaining governance documentation.

**Scope Boundaries** – Contain administrative authority through Administrative Units, scoped role assignments, and exclusion lists for sensitive accounts.

**Test Identity Validation** – Prove scope boundaries work in practice by using dedicated test accounts, simulation tools, and log verification.

**External Entry Controls** – Govern and monitor guest access, cross-tenant collaboration, and Conditional Access for external identities.

**Privilege Channels** – Restrict privilege granting and elevation to Role-Assignable Groups, Privileged Identity Management, and governed Access Packages.

**Device Trust Enforcement** – Require compliant, managed devices for privileged actions and sensitive access, validated through Conditional Access and attestation logs.

**Continuous Verification** – Maintain ongoing assurance with risk-based Conditional Access, Defender/Sentinel analytics, and automated access reviews.

This document is intended as both an SC-300-aligned learning resource and a field-ready procedural reference for Entra ID governance teams. Each layer can be applied independently or as part of a complete tenant hardening effort, ensuring role clarity, privilege containment, and continuous operational assurance.

**Layer 1 – Authority Definition**

**Purpose:**
The first layer in BrightWave Analytics’ Microsoft Entra ID deployment establishes the root of trust for identity management. Without a clearly defined chain of authority—both in terms of who can make administrative changes and how those individuals are protected—every subsequent security layer is weakened. Our goal in this phase is to confirm that administrative control is assigned only to the right people, that their permissions are appropriate, and that emergency recovery pathways are documented and secure.

**A secure authority definition ensures:**
Clarity — No ambiguity about who holds the keys to the tenant.
Control — Administrative power is intentionally delegated and monitored.
Continuity — Recovery is possible if a primary administrator is unavailable or compromised.

**Core Entra Elements**
**1. Global Administrator (GA) Assignment & Verification**
Role Scope — The GA role has unrestricted control over all Microsoft Entra ID and Azure resources.
Minimization Principle — The GA list must be kept as small as possible to reduce the attack surface.
Verification Process — We check each GA account to confirm it belongs to an authorized, active individual who needs this level of access. Any accounts not meeting this standard are removed or downgraded.
Security Controls — All GA accounts must use strong MFA, preferably FIDO2 hardware keys, and be backed by break-glass accounts for emergencies.

**2. Privileged Role Administrator (PRA)**
Purpose — This role can assign and revoke other administrative roles, including GA.
Gatekeeper Function — By separating the PRA role from GA holders, we ensure no single account can unilaterally escalate its own privileges.
Assignment Validation — PRA holders are reviewed to ensure they are trusted personnel with a clear operational need for this capability.

**3. Documentation of Identity Governance Ownership**
Accountability — BrightWave Analytics designates an **Identity Governance Owner**—a specific person or team responsible for managing administrative assignments.
Contents of Documentation — Records include who has decision authority, how escalation requests are handled, and the frequency of administrative audits.
Continuity Planning — These records are stored in a secure, shared repository to ensure governance survives staff turnover or absence.

**Key Actions in the Microsoft Entra Admin Center**

**Audit Global Administrators:**
Navigate to Microsoft Entra admin center → Roles & administrators → Global Administrator.
Review each account listed. Confirm each GA is authorized, active, and protected with MFA. Remove or downgrade any unnecessary accounts.

**Audit Privileged Role Administrators:**
Navigate to Roles & administrators → Privileged Role Administrator.
Validate each PRA holder’s business need and confirm separation of duties from GA holders.

**Establish and Store Governance Documentation**
Create a governance record in the company’s secure documentation platform (e.g., SharePoint or OneDrive with restricted access).
Include the current GA and PRA list, decision authority assignments, and the next scheduled audit date.

**Operational Notes**
This layer is equivalent to securing the “root account” in other platforms—if compromised, the attacker can bypass or disable all other controls.
GA and PRA holders should be continuously monitored for unusual sign-ins or changes to role assignments. Microsoft Entra’s Access Reviews and PIM (Privileged Identity Management) features can automate periodic revalidation.
At least one break-glass account should exist outside of MFA enforcement to be used only in emergency recovery situations, and it must be heavily monitored.

**Common Failure Points**
Retaining legacy GA accounts after employee departures or mergers.
Overlapping GA and PRA assignments for the same individual.
Incomplete governance documentation leading to unclear recovery procedures.

**Audit Frequency**
Quarterly review of all GA and PRA assignments.
Immediate review after any major staffing change, acquisition, or merger.

**Mnemonic for Memory**
“Guard the Gate” — The Global Administrator and Privileged Role Administrator form the first wall of defense. Protect them, monitor them, and verify them regularly.

**Layer 2 – Scope Boundaries**

**Purpose**
In Microsoft Entra ID, scope boundaries define where administrative authority applies and ensure that privilege is contained within intended organizational, departmental, or service-specific limits. If these boundaries are not enforced, delegated admins can inadvertently (or deliberately) make changes to resources far beyond their intended area, risking both security and operational stability. A well-implemented boundary model prevents privilege “spillover” and narrows the attack surface.

**Core Entra Elements**

**1. Administrative Units (AUs) for Delegated Management**
Administrative Units act as logical containers for users, groups, and devices. They let you assign roles in a way that limits administrative impact to only that container.
**Example:** A “West Coast Sales” AU might contain only the sales staff in that region. A delegated admin for that AU cannot reset passwords or modify accounts outside the West Coast Sales group.
This prevents overreach and enforces a principle of least privilege at the directory level.

**2. Role Scoping to Specific Users, Groups, or Devices**
When assigning roles, the scope should match only the objects the administrator truly needs to manage.
Narrow scoping prevents accidental or malicious changes to global settings or unrelated accounts.
Roles applied at the tenant-wide level should be the exception, not the default.

**3. Exclusion Lists for Sensitive Objects**
Some accounts—such as executives, finance team members, and high-value service accounts—should never fall under the control of standard delegated admins.
**Maintaining a permanent exclusion list** ensures these accounts remain outside AU scope and receive a higher level of scrutiny.
This is critical for avoiding lateral privilege escalation from a lower-tier admin.

**Key Actions**

**Step 1: Establish or Adjust Administrative Units to Match Organizational Structure**
New tenant: Create AUs before assigning roles. Model them around business units, geographic regions, or functional divisions.
Existing tenant: Audit all current AUs. Remove unused or overlapping units, and realign boundaries with the current organizational chart.

**Step 2: Implement or Confirm Scoped Role Assignments**
Assign roles at the narrowest practical scope.
**Example:** If a helpdesk administrator is responsible only for the marketing department, assign their Helpdesk Administrator role only to the “Marketing” AU, not the entire directory.
Verify that no role exceeds its intended boundary.

**Step 3: Configure and Maintain Exclusion Lists for Sensitive Objects**
Identify high-value accounts and service identities.
Confirm they are explicitly excluded from all AUs under delegated control.
Review AU membership and scope after mergers, restructures, or admin role changes to ensure exclusions remain intact.

**Operational Notes & Study Tips**
Why this layer matters: Proper scoping prevents “accidental global admins” and limits the blast radius if a delegated admin account is compromised.
Common failure point: Assigning roles directory-wide for convenience instead of implementing AU segmentation.
Audit frequency: Every six months, or immediately after major org changes.
Mnemonic: A-R-E — Administrative Units, Role Scoping, Exclusion Lists. If these three are in place, your scope boundaries hold.

**Layer 3 – Test Identity Validation**

**Purpose**
Even perfectly documented scope boundaries mean little if they don’t work under real-world conditions. This layer verifies that Administrative Units (AUs), scoped role assignments, and exclusion lists function as intended by actively testing them. The goal is to prove that governance controls prevent unauthorized actions in practice, not just on paper. A successful validation confirms that your identity security model can withstand both accidental overreach and deliberate misuse.

**Core Entra Elements**

**1. Test Accounts (Standard and Elevated)**
Maintain at least two dedicated test accounts:
**One standard user with no elevated privileges.**
**One delegated admin scoped to a specific AU.**
These accounts must not belong to real staff members and should be clearly labeled as test objects to avoid confusion.
By separating the test identities from production accounts, you can simulate access attempts safely without impacting business operations.

**2. Access Simulation Tools in Microsoft Entra Admin Center**
Use native Entra features like the **Check Access blade** or the **What If tool** for Conditional Access.
These tools simulate sign-ins and resource access for different identities and conditions, allowing you to test permissions without creating disruption.
They’re ideal for quickly verifying whether a given account can access a resource before trying it in a live environment.

**3. Azure AD Sign-in Logs for Scope Testing**
**Sign-in and audit logs** are the authoritative record of what was allowed or blocked.
They confirm whether scope boundaries are enforced by Microsoft Entra ID itself, rather than relying on assumptions.
Reviewing these logs ensures there’s tangible evidence of correct enforcement.

**Key Actions**

**Step 1: Establish or Maintain Test Accounts for Scope Verification**
**New tenant:** Create one test account inside an AU and one outside any AU.
**Existing tenant:** Verify that test accounts still exist, are functional, and have no extra privileges beyond their intended role.
Store test account credentials securely and restrict access to authorized auditors.

**Step 2: Implement Scoped Action Tests**
From the delegated admin account, attempt actions within the assigned AU (e.g., reset a password or modify a group) — these should succeed if permissions are correct.
Repeat the same actions outside the AU — these should fail, demonstrating that boundaries hold.
For standard user accounts, attempt admin-level actions anywhere — all should fail.

**Step 3: Configure or Review Logging and Evidence Capture**
Enable sign-in and audit logging before running tests to ensure all attempts are recorded.
After each test run, review the logs to confirm outcomes match expectations (e.g., “Access Denied” where applicable).
Archive these logs with test documentation for governance and audit readiness.

**Operational Notes & Study Tips**
Why this layer matters: Without active testing, boundary misconfigurations can persist undetected, only surfacing after an incident.
Common failure point: Temporary privilege elevation on test accounts that is never revoked, allowing scope bypass.
Audit frequency: After any major change to AU structure, role assignments, or Conditional Access policies.
Mnemonic: TAL — Test Accounts, Access Simulation, Log Verification. If all three are validated, your scope boundaries are proven in practice.

**Layer 4 – External Entry Controls**

**Purpose**
This layer secures all inbound access points into the Microsoft Entra tenant, ensuring that only authorized, verified, and properly restricted external identities can connect. External access — whether via partners, contractors, or other organizations — introduces elevated risk because these accounts are not under your direct lifecycle management. Poorly governed guest accounts or overly permissive cross-tenant relationships can act as silent backdoors for attackers. Layer 4 enforces tight controls, clear scoping, and continuous monitoring to keep these entry points secure.

**Core Entra Elements**

**1. B2B Guest Access Policies**
Defines how external users are invited and what resources they can access.
Should use just-in-time invitations, grant the minimum necessary permissions, and apply automatic expiration where possible.
Prevents non-admin staff from freely inviting guests without oversight.

**2. Cross-Tenant Access Settings**
Governs how your tenant communicates and collaborates with other Microsoft Entra tenants.
Includes inbound trust (what others can access in your tenant) and outbound trust (what your users can access in other tenants).
Allows you to restrict trust by specific organizations, apps, or groups, reducing exposure.

**3. Conditional Access for Guest Users**
Applies adaptive, risk-based policies tailored to guest accounts.
Can enforce MFA, block sign-ins from risky locations, restrict access to compliant devices, and require Terms of Use acceptance before entry.
Ensures external accounts face the same — or greater — security hurdles as internal accounts.

**Key Actions**

**Step 1: Establish or Review B2B Guest Access Configuration**
**New tenant:** Set defaults to least privilege — disable guest invitations from non-admins, require admin approval for all guest onboarding.
**Existing tenant:** Audit the guest directory, remove inactive accounts, and enable expiration policies to automatically remove unused guest access.

**Step 2: Implement or Confirm Cross-Tenant Access Restrictions**
Identify all active cross-tenant trust relationships and validate that each has a documented business case.
Limit inbound trust to only the apps and user groups that are essential.
Block or remove outbound trust that isn’t strictly required.

**Step 3: Configure or Validate Conditional Access for Guest Accounts**
Require phishing-resistant MFA (e.g., FIDO2, Certificate-based) for all guest logins.
Apply device compliance and geographic restrictions to block risky sign-ins.
Enforce Terms of Use acceptance at onboarding and renewal.

**Operational Notes & Study Tips**
Why this layer matters: Many real-world breaches stem from neglected guest accounts or unmonitored cross-tenant relationships. Strong controls here prevent attackers from exploiting the “friend at the door” loophole.
Common failure point: Old guest accounts from past projects that still have access to sensitive resources long after the project ended.
Audit frequency: Quarterly guest directory reviews; immediate review after establishing a new cross-tenant connection.
Mnemonic: GCC — Guests, Cross-Tenant, Conditional Access. Secure all three gates to prevent unauthorized external entry.

**Layer 5 – Privilege Channels**

**Purpose**

This layer ensures that all administrative privilege — whether permanent or temporary — is granted, elevated, and used only through controlled, auditable mechanisms. By funneling all privilege through secure channels, you enforce least privilege, prevent privilege creep, and eliminate risky “side doors” into administrative power. The goal is to ensure that every path to elevated rights is intentional, approved, and time-bound.

**Core Entra Elements**

**1. Role-Assignable Groups (RAGs)**
Secure containers for directory roles, allowing role assignment only through group membership.
Centralizes control, simplifies audits, and eliminates direct user-to-role assignments that bypass governance.
Group ownership must be documented and reviewed regularly to maintain integrity.

**2. Privileged Identity Management (PIM) for Just-in-Time (JIT) Elevation**
Allows eligible users to activate privileged roles only when required.
Integrates approval workflows, MFA, and time-bound activation windows to minimize standing privilege.
All elevation events are logged, creating a verifiable audit trail for compliance and investigations.

**3. Access Packages for Controlled Role Grants**
Bundles administrative role assignments with resource or application access into a single governed request process.
Requires documented approval, applies defined expiration dates, and supports coordinated access across multiple resources.
Prevents overprovisioning by ensuring role grants align directly with business policies.

**Key Actions**

**Step 1: Establish or Confirm Role-Assignable Group Usage**
**New tenant:** Place all high-impact roles (Global Admin, Privileged Role Admin, Security Admin) into RAGs before any user assignment.
**Existing tenant:** Audit for direct role assignments and migrate eligible ones into RAGs for centralized governance.

**Step 2: Implement or Verify PIM Workflows**
Require MFA and approver validation for all JIT activations.
Limit activation durations to operational necessity (e.g., 1–4 hours).
Review PIM logs monthly for unusual elevation patterns or unapproved activations.

**Step 3: Configure or Validate Access Packages**
Deliver administrative roles only through Access Packages with explicit approval and expiration.
Conduct quarterly package audits to ensure relevance and minimal access footprint.
Retire packages that grant excess rights or bypass Conditional Access.

**Step 4: Review and Reduce Standing Privileges**
Identify all accounts with permanent administrative roles.
Remove standing assignments unless explicitly justified for break-glass or critical continuity.
Transition eligible assignments to PIM or Access Packages for controlled access.

**Operational Notes & Study Tips**
Why this layer matters: The majority of privilege misuse comes from internal over-assignment or dormant admin accounts, not outside attackers. Eliminating uncontrolled privilege channels reduces the impact of both insider threats and compromised accounts.
Common failure point: Direct role assignments that bypass RAGs or “temporary” assignments that never expire.
Audit frequency: Monthly review of PIM activations; quarterly review of all active role assignments.
Mnemonic: RPA — Role-Assignable Groups, PIM, Access Packages. All privilege flows through RPA to keep administrative control paths secure.*

**Layer 6 – Device Trust Enforcement**

**Purpose**

Ensure that only secure, compliant endpoints can access sensitive resources or perform administrative actions. Device trust enforcement integrates endpoint health into authentication decisions, preventing compromised or unmanaged devices from serving as backdoors into the tenant. This layer ties user identity assurance directly to device assurance, closing one of the most overlooked attack surfaces.

**Core Entra Elements (What must exist at all times in this layer)**

**Microsoft Intune Device Compliance Policies**
• Define minimum device standards such as OS version, encryption status, antivirus presence, and patch currency.
• Tier policies by sensitivity — for example, apply stricter baselines to admin workstations than to standard user devices.
• Flag non-compliant devices for remediation and block privileged access until compliance is restored.

**Conditional Access Requiring Compliant or Hybrid-Joined Devices**
• Enforce Conditional Access rules that require devices to be compliant or hybrid Azure AD–joined before accessing sensitive resources.
• Apply additional conditions for administrative roles, such as platform-specific restrictions and geographic access rules.
• Ensure device posture is evaluated alongside user identity before granting access.

**Device ID Attestation in Sign-In Logs**
• Capture and review Device IDs in sign-in logs to confirm that the authenticating device is recognized, enrolled, and compliant.
• Use attestation data to validate device ownership and status during investigations.
• Detect anomalous device usage patterns, such as sign-ins from devices outside the managed inventory.

**Key Actions (How to implement or validate each core element)**

**Configure or verify Intune compliance policies**
• **In a new tenant**, deploy baseline compliance policies immediately, enforcing encryption, secure boot, and endpoint protection.
• **In an existing tenant**, audit current policies to ensure they meet current security standards.
• Monitor compliance dashboards in Intune and remediate persistent non-compliance promptly.

**Implement or confirm Conditional Access enforcement for device compliance**
• Require device compliance or hybrid join status for all privileged role activations (via PIM or Access Packages).
• Add session controls to restrict downloads or enforce app restrictions when using unmanaged devices.
• Test CA enforcement with both compliant and non-compliant devices to ensure policies trigger correctly.

**Validate device identity in sign-in and audit logs**
• Cross-check Device ID values in Azure AD sign-in logs against the known inventory.
• Investigate sign-ins from unknown or non-compliant devices, paying close attention to privileged activity.
• Maintain a monthly governance report that documents device compliance and anomalies.

**Operational Notes & Study Tips**
Why this layer matters: A compromised admin account on a secure device is dangerous — but on an unmanaged or infected device, it’s catastrophic. Device trust ensures endpoint posture is part of the security equation.
Common failure point: Allowing privileged actions from unmanaged personal devices or from browser-only sessions that bypass Conditional Access controls.
Audit frequency: Monthly review of compliance and CA enforcement; quarterly full-scope testing with varied device states.
Mnemonic for memory: CCD — Compliance, Conditional Access, Device Attestation. If all three are enforced and monitored, your endpoints become a trusted extension of your identity governance.

**Layer 7 – Continuous Verification**

**Purpose**
Maintain ongoing assurance that identities, devices, and access patterns remain within acceptable security risk thresholds. Continuous verification shifts the mindset from one-time authentication to an always-on evaluation, where every sign-in, privilege elevation, and resource request is dynamically analyzed against current risk signals. This ensures that changes in user behavior, device health, or network conditions trigger immediate protective responses.

**Core Entra Elements (What must exist at all times in this layer)**

**Microsoft Defender for Identity / Microsoft Sentinel Analytics**
• Defender for Identity monitors on-premises AD and hybrid environments for identity-based threats such as pass-the-hash, Kerberos anomalies, and lateral movement.
• Microsoft Sentinel ingests Defender signals and correlates them with other identity, device, and network telemetry.
• Together, they enable behavioral baselining, anomaly detection, and advanced threat correlation at scale.

**Sign-In Risk Policies in Microsoft Entra ID Protection**
• Entra ID Protection assigns a sign-in risk level (low, medium, high) based on factors such as unusual IP addresses, impossible travel patterns, and token anomalies.
• Risk-based Conditional Access can automatically require MFA, block access, or trigger password resets.
• Policies must be tuned to align with operational risk tolerance, avoiding excessive false positives.

**Automated Access Reviews**
• Access reviews validate that users retain only the roles, groups, and application permissions they still require.
• Microsoft Entra supports automated recurring reviews with results routed to managers, role owners, or security teams for approval.
• Regular reviews prevent privilege creep and ensure stale access is removed promptly.

**Key Actions (How to implement or validate each core element)**

Configure or verify risk-based Conditional Access policies
• **In a new tenant**, enable sign-in risk detection in **Entra ID Protection** and configure automated enforcement (MFA challenge or block) for medium/high-risk sign-ins.
• **In an existing tenant,** review policy accuracy and adjust thresholds to avoid user lockouts while still containing high-risk activity.
• Test policy triggers under controlled conditions to validate detection logic before enabling enforcement.

**Integrate Microsoft Defender for Identity and Sentinel analytics**
• Connect Defender for Identity to Sentinel using native **data connectors**.
• Build custom Sentinel analytics rules for events such as privilege escalation attempts or repeated failed sign-ins from unusual sources.
• Configure alerts to flow into SOC workflows with defined response playbooks.

**Implement and maintain automated access reviews**
• Schedule quarterly reviews for high-impact administrative roles, monthly reviews for sensitive groups, and annual reviews for general applications.
• Assign the most knowledgeable business or IT owner for each resource to validate necessity of access.
• Track review completion and remediate unapproved access immediately.

**Operational Notes & Study Tips**
Why this layer matters: Identity risk fluctuates constantly. Without ongoing validation, security controls grow stale and attackers can remain undetected for months. Continuous verification enforces an active defense posture that adapts in real time.
Common failure point: Enabling identity risk detection but failing to link it to enforcement actions, resulting in a flood of unused alerts.
Audit frequency: Quarterly review of Conditional Access risk policies; monthly Sentinel/Defender correlation tuning; continuous adherence tracking for scheduled access reviews.
Mnemonic for memory: RDA — Risk-based CA, Defender/Sentinel Analytics, Automated Reviews. Keep all three in motion and your verification process becomes a living control, not a static checklist.