1. Objective
This lab demonstrates an end-to-end identity lifecycle within Microsoft Entra ID, focusing on identity provisioning, group-based access control (RBAC), and authentication validation using exported audit and sign-in telemetry.
The objective is to analyse identity behaviour using structured, evidence-based interpretation of Entra ID logs, focusing on how identity creation, access modification, and authentication events are represented within an IAM system.
2. Evidence Sources and Analysis Method
This analysis is based exclusively on exported Microsoft Entra ID audit and sign-in logs in CSV format. No live portal interaction or SIEM integration was used.
The analysis was performed by systematically reviewing log data and filtering identity events by event type, user principal identity, timestamp, and authentication outcome. This enabled reconstruction of identity lifecycle behaviour across provisioning, authentication, and access control modification events.
Entra ID Audit Logs represent directory-level identity operations such as user-related changes, group membership updates, and administrative actions. Entra ID Sign-In Logs represent authentication-layer events including login attempts, session behaviour, token issuance, and contextual metadata such as IP address and application target.
3. Evidence Storage Structure
All supporting datasets are stored in a structured repository to ensure traceability and reproducibility of analysis.
The audit and sign-in datasets are stored as CSV exports under the Evidence directory. This ensures that all conclusions can be independently verified from raw identity telemetry.
No external monitoring tools, endpoint telemetry, or SIEM correlation systems were used in this exercise.
4. Identity Environment
The lab was conducted within a Microsoft Entra ID tenant acting as the identity authority for authentication and access control operations.
Two identity contexts appear in the dataset:
- A lab identity: IAM Lab User 01
- An external/B2B-linked identity context associated with the same tenant environment
A test identity was assigned to a security group to simulate role-based access control. Access control was implemented using group-based assignment aligned with Azure RBAC principles.
5. Identity Lifecycle Evidence
Audit logs confirm provisioning-related and identity management activity within the Entra ID directory, establishing the identity lifecycle baseline.
Security group management events confirm the existence of an access control boundary used for RBAC-style assignment.
Group membership activity shows a dynamic modification pattern:
- A removal of a user from a group
- Followed shortly by re-addition of the same user to the group
This indicates non-linear identity state changes, likely reflecting corrective administrative action or iterative configuration during the lab environment.
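The removal and re-addition pattern described above can be located in an exported audit CSV with a short script. This is an added example, not part of the lab's own tooling. The column names, UPNs, group name and timestamps are constructed and simplified assumptions, and must be adjusted to match the header row of the real export.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows; column names are assumed and simplified.
SAMPLE_AUDIT_CSV = """Date (UTC),Activity,Result,ActorUPN,TargetUPN,GroupName
2024-01-10T09:23:47Z,Add member to group,success,admin@lab.example,iamlabuser01@lab.example,SG-Lab-Readers
2024-01-10T09:21:03Z,Remove member from group,success,admin@lab.example,iamlabuser01@lab.example,SG-Lab-Readers
2024-01-10T09:05:40Z,Add member to group,success,admin@lab.example,iamlabuser01@lab.example,SG-Lab-Readers
2024-01-10T09:00:12Z,Add user,success,admin@lab.example,iamlabuser01@lab.example,
"""

ADD, REMOVE = "Add member to group", "Remove member from group"


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_membership_churn(csv_text, window=timedelta(minutes=15)):
    """Return remove -> re-add pairs for the same user and group within `window`."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["Activity"] in (ADD, REMOVE) and r["Result"].lower() == "success"]
    # The sample is newest-first, so sort into chronological order before pairing.
    rows.sort(key=lambda r: parse_ts(r["Date (UTC)"]))

    pending_removals = {}  # (user, group) -> most recent removal row
    findings = []
    for row in rows:
        key = (row["TargetUPN"].lower(), row["GroupName"])
        if row["Activity"] == REMOVE:
            pending_removals[key] = row
        elif key in pending_removals:
            removed = pending_removals.pop(key)
            gap = parse_ts(row["Date (UTC)"]) - parse_ts(removed["Date (UTC)"])
            if gap <= window:
                findings.append({
                    "user": key[0],
                    "group": key[1],
                    "gap_seconds": int(gap.total_seconds()),
                    # A different actor re-adding the user deserves a closer look.
                    "same_actor": removed["ActorUPN"] == row["ActorUPN"],
                })
    return findings
```

On the constructed sample this reports one removal and re-addition pair with a gap of 164 seconds performed by the same actor, which is consistent with corrective administrative action.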
6. Authentication Evidence
Sign-in telemetry shows a multi-event authentication lifecycle associated with the identity context.
Events include:
- A failed authentication attempt due to invalid credentials
- A session interruption related to “Keep me signed in” behaviour
- Multiple successful authentication events across later sessions
Successful authentication events are confirmed in Entra ID sign-in logs, indicating valid identity verification and token issuance.
Authentication success is also associated with MFA state satisfaction via token-based claims, indicating that MFA requirements were already fulfilled within the session context rather than necessarily triggered as a fresh interactive prompt for each sign-in.
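The sign-in event types listed in this section can be tallied from an exported sign-in CSV as shown below. This is an added example, not the lab's own code. The column names and sample rows are constructed assumptions; error codes 50126 (invalid username or password) and 50140 ("Keep me signed in" interrupt) are the AADSTS codes that correspond to the failure and interruption described above.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows; column names are assumed and simplified.
SAMPLE_SIGNIN_CSV = """Date (UTC),Username,Status,Sign-in error code,IP address,MFA result
2024-01-10T09:30:02Z,iamlabuser01@lab.example,Failure,50126,203.0.113.10,
2024-01-10T09:31:15Z,iamlabuser01@lab.example,Interrupted,50140,203.0.113.10,
2024-01-10T09:31:40Z,iamlabuser01@lab.example,Success,0,203.0.113.10,
2024-01-10T10:05:09Z,iamlabuser01@lab.example,Success,0,203.0.113.10,MFA requirement satisfied by claim in the token
2024-01-10T11:12:51Z,iamlabuser01@lab.example,Success,0,203.0.113.10,MFA requirement satisfied by claim in the token
"""

ERROR_CATEGORIES = {
    "50126": "credential_failure",  # invalid username or password
    "50140": "session_interrupt",   # "Keep me signed in" interrupt
}


def classify(row):
    """Map one sign-in row to the event categories used in this report."""
    status = row["Status"].strip().lower()
    if status == "success":
        if "claim in the token" in row["MFA result"].lower():
            return "success_mfa_by_claim"
        return "success_other"
    code = row["Sign-in error code"].strip()
    # Unknown codes are surfaced by name rather than silently folded into a bucket.
    return ERROR_CATEGORIES.get(code, f"unclassified_{status}_{code}")


def summarise_signins(csv_text):
    """Count event categories per user."""
    per_user = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        per_user[row["Username"].lower()][classify(row)] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


def failures_before_first_success(csv_text, username):
    """Count credential failures for `username` that precede the first success."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["Username"].lower() == username.lower()]
    count = 0
    for row in sorted(rows, key=lambda r: r["Date (UTC)"]):  # ISO 8601 sorts as text
        category = classify(row)
        if category.startswith("success"):
            break
        count += category == "credential_failure"
    return count
```

A single credential failure before the first success, with later successes satisfied by a token claim, matches the pattern this report describes; a high count from `failures_before_first_success` would be the signal to investigate further.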
7. IAM Interpretation
Authentication behaviour reflects a mixed identity lifecycle consisting of credential validation, session continuity handling, and token-based authentication reuse.
The presence of:
- One explicit credential failure
- One session interruption event
- Multiple successful authentication events
indicates normal authentication system behaviour rather than a linear failure-to-success chain.
No evidence of compromised authentication, token abuse, or anomalous identity takeover behaviour is present in the dataset.
Group membership changes demonstrate that identity access state is dynamic and can be modified within short time windows, reflecting real-world administrative and operational IAM behaviour.
8. Identity Governance Considerations
At enterprise scale, similar telemetry would be used to evaluate:
- Authentication failure distribution across users
- Session persistence and token lifecycle behaviour
- MFA satisfaction mechanisms (interactive vs token-based)
- Group membership change patterns and access drift
- B2B identity interactions within tenant boundaries
These factors contribute to identity governance maturity and access control reliability in Azure environments.
9. Evidence Classification
Identity provisioning and group-related changes are classified as direct evidence with high confidence.
Authentication events (successful and failed sign-ins) are also classified as direct evidence based on Entra ID sign-in telemetry.
Interpretation of authentication flow behaviour, session continuity, and identity state transitions is classified as inference with medium confidence.
No indicators of malicious identity activity or compromise are present in this dataset.
10. Outcome
This lab demonstrates structured identity lifecycle analysis within Microsoft Entra ID, including:
- Identity and access control activity via group-based RBAC
- Authentication validation using sign-in telemetry
- Session and token lifecycle interpretation
- Non-linear identity state transitions within directory services
All analysis is based on raw log evidence, ensuring reproducible and verifiable IAM investigation methodology.
11. Portfolio Value Statement
This project demonstrates practical capability in Microsoft Entra ID identity lifecycle analysis, authentication log interpretation, RBAC implementation, and structured IAM reasoning.
It reflects foundational Identity and Access Management (IAM) competency aligned with Azure identity administration and cloud security operations roles.
This work is directly relevant to entry-level IAM and Azure identity roles where structured analysis of authentication and directory telemetry is required.
Evidence Files
All evidence used in this lab is stored in the repository under the Evidence directory: