Agent Foskett Academy • Microsoft Entra Security

Microsoft Entra Security Academy.

Modern attacks rarely begin with malware.

They begin with identity: a risky sign-in, a stolen token, a weak policy, an over-privileged role or a user granting trust to something they should not.

Microsoft Entra sits at the centre of Microsoft security. It protects authentication, access, privilege, governance and the Zero Trust controls that decide who can access what.

The Agent Foskett Microsoft Entra Security Academy will teach identity security the practical way: one sign-in, one policy, one role and one investigation at a time.

Agent Foskett Microsoft Entra Security Academy learning path
Academy overview

Learn Microsoft Entra security from the ground up, covering identity protection, Conditional Access, authentication methods, privileged access, governance and real-world identity investigations.

Understand Microsoft Entra identity security
Design Conditional Access policies
Investigate risky users and sign-ins
Protect privileged access with PIM

Microsoft Entra Security Academy roadmap

This new Academy series will build identity security knowledge progressively, from core Entra concepts through to Conditional Access, identity governance, privileged access and advanced identity investigations.
Module 1 — Entra FoundationsWhat Microsoft Entra is, how identity works, how tenants are structured and why identity is now the control plane for Microsoft security.
Module 2 — Authentication SecurityMFA, authentication methods, passwordless sign-in, FIDO2, Windows Hello for Business, Temporary Access Pass and authentication strengths.
Module 3 — Conditional AccessPolicy design, named locations, device compliance, session controls, report-only mode, exclusions and safe rollout strategy.
Module 4 — Identity ProtectionRisky users, risky sign-ins, user risk, sign-in risk, risk policies and investigation workflows for compromised identities.
Module 5 — Privileged AccessPrivileged Identity Management, eligible roles, active assignments, approval workflows, just-in-time administration and role activation evidence.
Module 6 — Identity GovernanceAccess reviews, entitlement management, lifecycle workflows, guest access governance and identity lifecycle controls.

First Entra lessons to build

These are the first practical pages I recommend publishing under the new Entra folder.
Lesson 1 — What is Microsoft Entra?Explain Microsoft Entra ID, identity security, tenants, users, groups, applications, roles and how Entra fits into Microsoft 365 and Azure.
Lesson 2 — Understanding Sign-in LogsTeach how security analysts read sign-in activity, authentication requirements, status codes, IP addresses, locations and device context.
Lesson 3 — Conditional Access FundamentalsExplain how Conditional Access policies evaluate users, apps, devices, locations, risk and controls before granting access.
Lesson 4 — MFA and Authentication MethodsCover MFA registration, authentication methods, passwordless options, FIDO2, Temporary Access Pass and common MFA investigation pivots.
Lesson 5 — Risky Users and Risky Sign-insExplain Entra ID Protection risk signals and how analysts triage suspected compromised identities.
Lesson 6 — Privileged Identity Management BasicsIntroduce PIM, eligible assignments, role activation, approval, justification and audit evidence for privileged access.

How Entra connects to the existing Academy

The KQL and Defender XDR Academy pages already teach how to investigate telemetry. Entra adds the identity control plane that explains who accessed what, from where, and under which policy decision.
IdentityLogonEventsUse Defender XDR identity telemetry to investigate logons, failures, locations, IP addresses and suspicious authentication patterns.
IdentityDirectoryEventsTrack directory changes, group membership, role activity and identity changes that may indicate privilege abuse.
Impossible TravelConnect Entra risk signals and Defender identity telemetry to investigate suspicious sign-in location changes.
OAuth AbuseUnderstand how malicious consent, service principals and delegated permissions can create persistent access.
Cloud Identity Attack WorkflowUse the existing incident response workflow as the bridge between Defender XDR, Entra ID and identity-led investigations.
Zero Trust ServicesConnect Entra learning back to GEMXIT Microsoft security services and identity architecture guidance.

Entra skills this Academy will teach

The goal is not just to explain the portal. The goal is to teach identity security thinking.
Identity architectureUnderstand tenants, users, groups, enterprise applications, app registrations, roles and identity security boundaries.
Conditional Access designDesign policies that protect access without locking out administrators, service accounts or business-critical workflows.
Risk investigationInvestigate risky users, risky sign-ins, impossible travel, unfamiliar sign-in properties and suspicious authentication activity.
Privileged access controlUse PIM and role governance to reduce standing privilege and create traceable administrative activity.
Authentication hardeningImprove MFA, passwordless authentication, authentication strengths and secure registration processes.
Identity governanceManage access reviews, entitlement management, guest access and lifecycle workflows for joiners, movers and leavers.

Coming first

The next page should be the first proper Entra lesson.
Lesson 1 — What is Microsoft Entra?Agent Foskett will explain Microsoft Entra as the identity platform behind Microsoft 365 and Azure, showing how users, groups, roles, applications, authentication and Conditional Access all fit together.
Why this mattersThe KQL Academy taught students how to query security data. The Entra Academy will teach them how identity decisions are made, protected, investigated and governed.

Final thought

If attackers can control identity, they may not need malware at all.
Agent Foskett mindsetDo not treat identity as an admin task only. Identity is evidence, control, privilege, risk and access all in one place.
New Academy SeriesThe Microsoft Entra Security Academy expands Agent Foskett from KQL and XDR investigations into identity protection, Zero Trust and privileged access security.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Microsoft Entra Security Academy by Agent Foskett

The Agent Foskett Microsoft Entra Security Academy teaches identity security, Conditional Access, Identity Protection, authentication methods, privileged access, governance and real-world Microsoft identity investigations.

Learn Microsoft Entra security for Microsoft 365 and Azure

This Entra learning path explains risky users, risky sign-ins, Conditional Access policies, MFA, passwordless authentication, PIM, access reviews, entitlement management and Zero Trust identity controls.

Microsoft Entra training for Defender XDR and Sentinel analysts

The Microsoft Entra Security Academy builds on the Agent Foskett KQL Academy by showing defenders how to investigate identity signals, authentication behaviour, privileged access and suspicious cloud identity activity.