Microsoft Entra ID Identity Lifecycle & Authentication Validation (Evidence-Based IAM Lab)

1. Objective

This lab demonstrates an end-to-end identity lifecycle within Microsoft Entra ID, focusing on identity provisioning, group-based access control (RBAC), and authentication validation using exported audit and sign-in telemetry.

The objective is to analyse identity behaviour using structured, evidence-based interpretation of Entra ID logs, focusing on how identity creation, access modification, authentication events, and session behaviour are represented within an IAM system.


2. Evidence Sources and Analysis Method

This analysis is based exclusively on exported Microsoft Entra ID audit and sign-in logs in CSV format. No live portal interaction or SIEM integration was used.

The analysis was performed by systematically reviewing CSV log data and filtering identity events by timestamp, event type, user principal identity, and authentication outcome. This enabled reconstruction of identity lifecycle activity across provisioning, authentication, and access control modification events.

Entra ID Audit Logs represent directory-level identity operations such as group membership changes, administrative actions, and identity-related modifications. Entra ID Sign-In Logs represent authentication-layer events including login attempts, authentication outcomes, token handling, session behaviour, and contextual metadata such as IP address and application target.

This separation is fundamental to IAM analysis because directory operations and authentication events operate at different layers of the identity system.


3. Evidence Storage Structure

All supporting datasets are stored in a structured repository to ensure traceability and reproducibility of analysis.

The audit and sign-in datasets are stored as CSV exports under the Evidence directory. This ensures that all conclusions can be independently verified from raw identity telemetry.

No external monitoring tools, endpoint telemetry, or SIEM correlation systems were used in this exercise.


4. Identity Environment

The lab was conducted within a Microsoft Entra ID tenant acting as the identity authority for authentication and access control operations.

The dataset contains both:

  • a dedicated lab identity used for RBAC and authentication testing
  • an external/B2B-linked identity context associated with tenant administration activity

A test identity was assigned to a security group to simulate role-based access control. Access was controlled through group-based assignment aligned with Azure RBAC principles.


5. Identity Lifecycle Evidence

Audit logs confirm identity management activity within the Entra ID directory, establishing the identity lifecycle baseline.

Audit evidence confirms security group management activity used as an access control boundary for RBAC-style assignment.

Group membership activity demonstrates dynamic identity state modification:

  • a user removal event from a security group
  • followed shortly by re-addition of the same user to the group

This demonstrates that identity access state within Entra ID is mutable and can be modified during administrative or testing workflows.
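The removal and re-addition pattern described above can be recovered from an audit export by pairing events per user and group. The following is an added example, not code from this lab's repository. The sample rows are constructed, and the column names (`Date (UTC)`, `Activity`, `Result`, `Target1UserPrincipalName`, `Target2ObjectId`), the group identifier and the 15-minute window are assumptions to adjust to the actual export.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows (not from the lab's Evidence directory).
# Column names are assumptions; adjust them to the headers in your export.
AUDIT_CSV = """Date (UTC),Activity,Result,Target1UserPrincipalName,Target2ObjectId
2024-01-10T09:00:05Z,Add member to group,success,labuser@example.test,grp-0001
2024-01-10T10:12:30Z,Remove member from group,success,labuser@example.test,grp-0001
2024-01-10T10:13:10Z,Add member to group,failure,labuser@example.test,grp-0001
2024-01-10T10:14:45Z,Add member to group,success,labuser@example.test,grp-0001
2024-01-10T11:00:00Z,Remove member from group,success,other@example.test,grp-0001
"""

def parse_ts(value):
    # Accept ISO 8601 timestamps with a trailing Z (UTC).
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def membership_changes(csv_text, window=timedelta(minutes=15)):
    """Pair each successful removal with the next successful re-add of the
    same user to the same group. Returns (flaps, still_removed)."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: parse_ts(r["Date (UTC)"]))
    pending, flaps = {}, []
    for row in rows:
        if row["Result"].strip().lower() != "success":
            continue  # a failed operation did not change membership
        key = (row["Target1UserPrincipalName"].lower(), row["Target2ObjectId"])
        when = parse_ts(row["Date (UTC)"])
        if row["Activity"] == "Remove member from group":
            pending[key] = when
        elif row["Activity"] == "Add member to group" and key in pending:
            removed = pending.pop(key)
            if when - removed <= window:
                flaps.append({"user": key[0], "group": key[1],
                              "removed": removed, "readded": when,
                              "gap_seconds": (when - removed).total_seconds()})
    return flaps, pending

if __name__ == "__main__":
    flaps, still_removed = membership_changes(AUDIT_CSV)
    for f in flaps:
        print(f"{f['user']} left and rejoined {f['group']} within {f['gap_seconds']:.0f}s")
    for (user, group), when in still_removed.items():
        print(f"{user} removed from {group} at {when.isoformat()} with no re-add")
```

Removals left in `still_removed` are the ones worth checking against the intended access state, since no matching re-add exists in the export.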

Additional audit telemetry also confirms MFA-related identity state activity associated with Microsoft Entra authentication services.


6. Authentication Evidence

Sign-in log analysis confirms multiple authentication events associated with the identity environment, including failed, interrupted, and successful authentication states.

Observed authentication activity includes:

  • a credential validation failure due to invalid username or password
  • a session interruption event related to “Keep me signed in” behaviour
  • multiple successful authentication events across later sessions

Successful authentication events confirm valid identity verification and token issuance within Microsoft Entra ID.

MFA-related telemetry indicates that authentication requirements were satisfied through token-based MFA claims within the session context rather than necessarily requiring a fresh interactive MFA challenge during each authentication event.

Conditional Access telemetry within the observed sign-ins was recorded as “Not Applied”.
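The sign-in states listed in this section can be summarised per user directly from the CSV export. The following is an added example, not code from this lab's repository. The sample rows are constructed, the column names are assumptions to adjust to the actual export, and the error codes 50126 (invalid username or password) and 50140 ("Keep me signed in" interrupt) are the publicly documented AADSTS codes for the two non-success states described here.

```python
import csv
import io

# Constructed sample rows (not from the lab's Evidence directory).
# Column names are assumptions; adjust them to the headers in your export.
SIGNIN_CSV = """Date (UTC),Username,Status,Sign-in error code,Conditional Access,Multifactor authentication result
2024-01-10T10:20:01Z,labuser@example.test,Failure,50126,Not Applied,
2024-01-10T10:20:40Z,labuser@example.test,Interrupted,50140,Not Applied,
2024-01-10T10:21:15Z,labuser@example.test,Success,0,Not Applied,MFA requirement satisfied by claim in the token
2024-01-10T14:02:00Z,labuser@example.test,Success,0,Not Applied,MFA requirement satisfied by claim in the token
"""

# AADSTS codes for the two non-success states discussed in this section.
REASONS = {"50126": "invalid username or password",
           "50140": "keep me signed in interrupt"}

def summarise_signins(csv_text):
    """Build, per user, the ordered state sequence plus counters for
    pre-success failures, successes with no Conditional Access policy
    applied, and successes where MFA came from an existing token claim."""
    # ISO 8601 UTC strings in one format sort correctly as plain text.
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: r["Date (UTC)"])
    summary = {}
    for row in rows:
        s = summary.setdefault(row["Username"].lower(), {
            "sequence": [], "failures_before_success": 0,
            "success_no_ca": 0, "mfa_by_claim": 0, "seen_success": False})
        status = row["Status"].strip()
        reason = REASONS.get(row["Sign-in error code"].strip(), "")
        s["sequence"].append((status, reason))
        if status == "Failure" and not s["seen_success"]:
            s["failures_before_success"] += 1
        elif status == "Success":
            s["seen_success"] = True
            if row["Conditional Access"].strip().lower() == "not applied":
                s["success_no_ca"] += 1
            mfa = row["Multifactor authentication result"].lower()
            if "claim in the token" in mfa:
                s["mfa_by_claim"] += 1
    return summary

if __name__ == "__main__":
    for user, s in summarise_signins(SIGNIN_CSV).items():
        print(user, [state for state, _ in s["sequence"]],
              f"no-CA successes={s['success_no_ca']}",
              f"MFA-by-claim={s['mfa_by_claim']}")
```

At larger scale the `success_no_ca` and `mfa_by_claim` counters are the two to review first, because they show how many sign-ins succeeded without a policy evaluation or a fresh MFA challenge.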


7. IAM Interpretation

Authentication behaviour reflects a mixed identity lifecycle involving credential validation, session continuity handling, and token-based authentication reuse.

The authentication sequence does not represent a simple linear failure-to-success pattern. Instead, the dataset reflects distinct authentication states across the login lifecycle, including:

  • credential failure
  • session interruption
  • successful token-backed authentication

Entra ID audit logs represent directory-layer identity operations, while sign-in logs represent authentication-layer validation events within the IAM authentication pipeline. Understanding this separation is essential for accurate identity analysis in cloud environments.

No evidence of compromised authentication, token abuse, anomalous sign-in geography, or malicious identity activity was identified within the dataset.


8. Identity Governance Considerations

At enterprise scale, similar identity telemetry would be used to evaluate:

  • authentication failure distribution patterns
  • MFA satisfaction mechanisms
  • session persistence and token lifecycle behaviour
  • Conditional Access policy enforcement
  • group membership change frequency and access drift
  • B2B identity interactions across tenant boundaries

This type of analysis supports identity governance decisions, access control optimisation, and security posture management within Azure identity environments.


9. Evidence Classification

Identity management and group membership modification events are classified as direct evidence with high confidence.

Successful and failed authentication events are also classified as direct evidence based on Entra ID sign-in telemetry.

Interpretation of authentication flow behaviour, session continuity, and identity state transitions is classified as inference with medium confidence.

No indicators of malicious identity activity or account compromise are present in this dataset.


10. Outcome

This lab demonstrates structured identity lifecycle analysis within Microsoft Entra ID, including:

  • group-based RBAC activity
  • authentication validation using sign-in telemetry
  • session and token lifecycle interpretation
  • dynamic identity state modification within directory services

All identity events were validated at log-level granularity without reliance on UI interpretation, ensuring evidence-based analysis of IAM behaviour.


11. Portfolio Value Statement

This project demonstrates practical capability in Microsoft Entra ID identity lifecycle analysis, authentication log interpretation, RBAC implementation, and structured IAM reasoning.

It reflects foundational Identity and Access Management (IAM) competency aligned with Azure identity administration and cloud identity operations roles.

This work is directly relevant to entry-level IAM and Azure identity roles where structured analysis of authentication and directory telemetry is required.


Evidence Files

All evidence used in this lab is stored in the repository under the Evidence directory: