001: Design Conditional Access posture
002: Stop buying or building Active Directory dependent apps
003: Discover and triage modern apps
004: Discover and triage legacy apps
005: Rollout CA with MFA controls
006: Rollout CA with device controls
007: Rollout CA with risk controls
008: Rollout CA for External Identities
009: Migrate VPN auth to Entra
010: Enable on-prem remote access for web apps without VPN
011: Rollout governance for app assignments
012: Define app infra server management strategy
013: Deploy Entra Domain Services
014: Remove app infra servers from AD
015: Define and rollout VDI strategy
016: Migrate print servers to cloud
017: Migrate SSO for employee federated apps
018: Migrate SSO for employee WAM apps
019: Decommission WAM servers
020: Migrate SSO for External Identities federated apps
021: Migrate SSO for external ids (WAM & others)
022: Stop issuing on-prem accounts for new external users
023: Start provisioning cloud apps via Entra app provisioning
024: Migrate on-prem external ids & workflows to Entra External ID
025: Decommission on-prem external user systems
026: Rollout governance for External IDs
027: Migrate existing SaaS app provisioning to Entra
028: Migrate HR provisioning flow to Entra
029: Migrate joiner/mover/leaver workflows to Entra
030: Migrate existing on-prem app provisioning to Entra
031: Rollout Authenticator App (MFA, SSPR, Passwordless)
032: Migrate on-prem MFA systems
033: Migrate self-service password reset
034: Develop credential (incl. Passwordless) strategy
035: Deploy Password Protection
036: Turn on Password Hash Sync
037: Migrate to Password Hash Sync authentication
038: Decommission on-prem federation servers
039: Rollout Windows Hello for Business
040: Rollout FIDO2
041: Rollout Authenticator Passwordless
042: Drive passwordless usage
043: Migrate to modern tools for collab (OneDrive, Teams, SharePoint)
044: Migrate distribution lists to Microsoft 365 Teams & Groups
045: Use cloud groups for new cloud app authorization
046: Enable group writeback
047: Rollout governance for groups
048: Migrate group management workflows
049: Enable user writeback
050: Change provisioning flow of existing users to AAD
051: Decommission on-prem IDM system
052: Remove password as credential
053: Change provisioning flow of existing groups to Entra
054: Deploy Entra hybrid join
055: Define Entra join strategy
056: Rollout Entra join for new workstations
057: Rollout AutoPilot
058: Remove DJ Windows clients from Active Directory
059: Deploy macOS Identity management
060: Deploy macOS SSO Extension
061: Define policy & use least privileged roles
062: Use cloud-only privileged accounts
063: Rollout PIM for Tier-Zero roles
064: Discover & remediate existing over-privileged Workload Identities
065: Lock down Entra tenant config
066: Rollout Access Reviews for cloud privileged accounts & groups
067: Plan privileged accounts lifecycle (JML)
068: Rollout PIM for remaining roles
069: Discover & analyze privileged usage for Workload Identities (e.g. scripts)
070: Rollout strong auth credentials for Workload Identities
071: Rollout Conditional Access for Workload Identities
072: Enforce authentication with strong creds for all privileged accounts
073: Deploy Cloud Privileged Access Workstations
074: Integrate all Entra logs into SIEM
075: Develop security playbooks based on Entra logs
076: Remediate risk signals from Identity Protection & MDI
077: Implement monitoring for Entra Connect Sync
078: Remediate Entra Connect Health alerts
079: Implement monitoring for hybrid connectors
080: Discover existing privileged roles
081: Discover & remediate existing over-privileged accounts
082: Design and Plan MDI Deployment
083: Create Inventory of On-Prem AD Infrastructure
084: Test Internet Access from AD Infra to MDI
085: Deploy MDI on DCs, ADFS, AD CS, Entra Connect Servers
086: Run Post Deployment Tests and Configurations
087: Review Initial Health Alerts
088: Configure Identity Entity Tags
089: Review Identity Inventory
090: Review / Tune Security Alerts
091: Confirm Internet Access
092: Identify Data Sources for Workforce Data
093: Deploy provisioning connectors for data sources
094: Review and assess resulting data updates
095: Rollout data flows
096: Implement monitoring
097: Define Attribute Schema, Semantics, and Data Flows
098: Identify tasks to automate issuance of authentication credentials for joiners
099: Deploy custom logic runtime environment (optional)
100: Configure workflows for workforce
101: Validate workflows with manual triggering
102: Rollout automated scheduling
103: Implement monitoring
104: Identify additional tasks to automate for lifecycle events (J/M/L)
105: Identify custom logic requirements
106: Stop using on-premises groups to assign access to new applications / resources
107: Identify custom logic requirements
108: Map organizational role model to platform capabilities
109: Design policies to assign access per job function
110: Define Access Packages per job function
111: Roll out access packages / initial assignment
112: Define and rollout reconciliation processes for access assignment
113: Implement Monitoring
114: Inventory applications and resources, attributes needed from users, and owners
115: Deploy custom logic runtime environment (if needed)
116: Define the organization's policy with user prerequisites and other constraints for access to an application
117: Define approach for stand-alone groups
118: Determine sequence of application onboarding and Entra Integration
119: Deploy connectors
120: Configure attribute flows
121: Enable automated provisioning
122: Define and rollout reconciliation processes for access provisioning
123: Implement Monitoring
124: Deploy ECMA connector host (if needed)
125: Identify groups needed per resource inventory
126: Configure group provisioning to AD (if needed)
127: Transfer SOA of existing groups
128: Deploy group provisioning to AD (if needed)
129: Prioritize remediation per inventory
130: Conduct access reviews of existing resources
131: Clean up unused groups (cloud and on-prem) based on inventory
132: Review and triage all existing identities
133: Define patterns of initial access for guests
134: Assign sponsors to existing guests
135: Convert existing guests to governed
136: Configure onboarding access packages for guests
137: Implement guest cleanup
138: Define guest cleanup criteria
139: Implement monitoring
140: Define requirements to onboard new partner organizations