Microsoft 365 E5 provides the full security stack used by enterprise organizations. This lab simulates real IT admin work: standing up a tenant, enforcing identity-based access controls, hardening email infrastructure, and validating configurations via PowerShell and the admin portal. These are direct MS-900 and SC-900 exam skills applied in a live environment.
Registered for the Microsoft 365 Developer Program at developer.microsoft.com/microsoft-365/dev-program. Selected the E5 sandbox option, which provisions a 25-user tenant with all premium licenses including Entra ID P2, Defender for Office 365 Plan 2, and Purview compliance tools.
Verified tenant provisioning via the Microsoft 365 Admin Center and confirmed all 25 E5 licenses were active and assignable. Set up the Global Admin account and documented the tenant domain (devtenant.onmicrosoft.com).
# Connect-MgGraph banner, then the licence inventory of the new tenant
Welcome To Microsoft Graph!
PS> Get-MgSubscribedSku | Select SkuPartNumber,ConsumedUnits,PrepaidUnits

SkuPartNumber    ConsumedUnits PrepaidUnits
-------------    ------------- ------------
DEVELOPERPACK_E5             3 @{Enabled=25}
AAD_PREMIUM_P2               3 @{Enabled=25}
FLOW_FREE                    0 @{Enabled=10000}
Navigated to Entra ID → Security → Conditional Access. Built policies to enforce MFA for all users, block legacy authentication protocols (IMAP, POP3, SMTP AUTH, which Conditional Access matches through the "Exchange ActiveSync clients" and "Other clients" client app types), and restrict sign-ins from high-risk locations using named locations.
Created three policies: Require MFA - All Users, Block Legacy Auth, and High-Risk Sign-In Block. Placed the admin and test accounts used for setup in a dedicated CA exclusion group so that a misfiring policy could not lock out admin access during testing. The caveat: an excluded account is never evaluated by the policy, so every validation sign-in has to come from an in-scope account, and the exclusion group should shrink to one or two break-glass accounts once the policies are proven.
PS> Get-MgIdentityConditionalAccessPolicy | Select DisplayName, State
DisplayName State
----------- -----
Require MFA - All Users enabled
Block Legacy Auth enabled
High-Risk Sign-In Block enabledForReportingButNotEnforced
# Verified policy targeting via sign-in logs: legacy auth attempts from in-scope accounts were blocked.
# High-Risk Sign-In Block is in report-only mode (enabledForReportingButNotEnforced): it records what it
# would have done but enforces nothing until its state is switched to enabled.
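The two enforced policies above, created through Microsoft Graph PowerShell instead of the portal and then checked against the sign-in log. This is an added example, not code from the original lab notes; the exclusion group ID is a placeholder, the policies are created in report-only mode so they can be reviewed before enforcement, and the sign-in filtering is done client-side because the sign-ins endpoint does not accept every OData operator.

```powershell
# Added example (not from the original lab notes): create "Block Legacy Auth" and
# "Require MFA - All Users" with Microsoft Graph PowerShell, then find legacy-auth sign-ins
# and the policy result that applied to them.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All", "Directory.Read.All"

$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: object ID of the CA exclusion group

# Legacy protocols (IMAP4, POP3, SMTP AUTH, older Office clients) are matched by the
# client app types "exchangeActiveSync" and "other".
$blockLegacy = @{
    displayName   = "Block Legacy Auth"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing report-only results
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$requireMfa = @{
    displayName   = "Require MFA - All Users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

$created = foreach ($p in $blockLegacy, $requireMfa) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p
}
$created | Select-Object DisplayName, State, Id

# Verification: last 24 h of sign-ins, keeping only legacy-protocol clients and showing which
# policy blocked (or, in report-only mode, would have blocked) each one.
$since         = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacyClients = @("Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients")

Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -in $legacyClients } |
    Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed, ConditionalAccessStatus,
        @{ n = "PoliciesApplied"; e = { ($_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Result -in @("failure", "reportOnlyFailure") } |
            ForEach-Object DisplayName) -join "; " } }
```

A legacy-auth sign-in that shows ConditionalAccessStatus of notApplied with an empty PoliciesApplied column is the signature of an account sitting in the exclusion group: the test never exercised the policy.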
Configured email authentication records in the DNS zone for the custom domain. SPF record was set to authorize Microsoft 365 mail servers only, with a hard fail (-all) for everything else. Enabled DKIM signing for the domain in the Exchange Online Admin Center and rotated DKIM keys; the two CNAME records must point at the selector targets Exchange Online generated for the domain (shown by Get-DkimSigningConfig as Selector1CNAME and Selector2CNAME), and signing only reports Valid once both CNAMEs resolve. Published a DMARC TXT record with a quarantine policy and reporting URIs. Two caveats a receiving server will enforce: a receiver only sends aggregate (rua) reports to an address on a domain other than the one the policy covers if that domain publishes an authorization record named <custom-domain>._report._dmarc.<report-domain>, which cannot be added to a *.onmicrosoft.com zone because Microsoft manages its DNS, so the reporting mailbox should live on the custom domain; and most receivers do not send forensic (ruf) reports at all, so their absence is not a misconfiguration.
v=spf1 include:spf.protection.outlook.com -all
# DKIM CNAME records for the custom domain (<custom-domain-with-dashes> is the custom domain with its dots replaced by dashes)
selector1._domainkey.<custom-domain> → selector1-<custom-domain-with-dashes>._domainkey.devtenant.onmicrosoft.com
selector2._domainkey.<custom-domain> → selector2-<custom-domain-with-dashes>._domainkey.devtenant.onmicrosoft.com
# DMARC TXT record at _dmarc.<custom-domain> (a single string)
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@devtenant.onmicrosoft.com; ruf=mailto:dmarc-forensics@devtenant.onmicrosoft.com; fo=1
PS> Get-DkimSigningConfig -Identity devtenant.onmicrosoft.com | Select Enabled,Status

Enabled Status
------- ------
   True Valid
# The initial onmicrosoft.com domain is DKIM-signed by Microsoft by default; repeat the check with -Identity <custom-domain> to confirm the rotated keys for the custom domain.
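A validation pass over the three records, written as an added example rather than taken from the lab notes: it pulls the expected DKIM CNAME targets from Exchange Online, resolves what DNS actually publishes, and flags the usual mistakes (more than one SPF record, a soft fail, a mismatched CNAME, p=none, and a report address on a domain that cannot authorize external reports). $Domain is a placeholder because the original notes do not name the custom domain, and Resolve-DnsName comes from the Windows DnsClient module.

```powershell
# Added example (not from the original lab notes): check the published SPF, DKIM and DMARC
# records for a custom domain against what Exchange Online expects.
Connect-ExchangeOnline

$Domain   = "example.com"   # placeholder: the tenant's custom domain
$problems = [System.Collections.Generic.List[string]]::new()

# --- SPF: exactly one v=spf1 record, including Microsoft's servers, hard fail ---
$spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Strings -join "" } | Where-Object { $_ -like "v=spf1*" }
if (@($spf).Count -ne 1) { $problems.Add("SPF: expected exactly 1 record, found $(@($spf).Count)") }
elseif ($spf -notmatch "include:spf\.protection\.outlook\.com") { $problems.Add("SPF: Microsoft 365 is not authorised") }
elseif ($spf -notmatch "\s-all$") { $problems.Add("SPF: not a hard fail (-all): '$spf'") }

# --- DKIM: the CNAMEs in DNS must match the targets Exchange Online generated ---
$dkim = Get-DkimSigningConfig -Identity $Domain
foreach ($sel in "Selector1", "Selector2") {
    $expected  = $dkim."${sel}CNAME"      # e.g. selector1-example-com._domainkey.<tenant>.onmicrosoft.com
    $name      = "$($sel.ToLower())._domainkey.$Domain"
    $published = (Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue).NameHost
    if ($published -ne $expected) { $problems.Add("DKIM: $name -> '$published', expected '$expected'") }
}
if (-not $dkim.Enabled) { $problems.Add("DKIM: signing is not enabled for $Domain") }

# --- DMARC: policy present, and report destinations on a domain that can authorise them ---
$dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Strings -join "" } | Where-Object { $_ -like "v=DMARC1*" }
if (-not $dmarc) { $problems.Add("DMARC: no record at _dmarc.$Domain") }
else {
    $tags = @{}
    foreach ($kv in ($dmarc -split ";")) {
        if ($kv -match "^\s*(\w+)\s*=\s*(.+?)\s*$") { $tags[$matches[1]] = $matches[2] }
    }
    if ($tags.p -eq "none") { $problems.Add("DMARC: p=none is monitoring only, nothing is quarantined or rejected") }
    foreach ($uri in ($tags.rua -split ",")) {
        $ruaDomain = ($uri -replace "^\s*mailto:", "") -replace "^.*@", ""
        # RFC 7489 s7.1: a receiver only sends reports to another domain if
        # <Domain>._report._dmarc.<ruaDomain> exists. That record cannot be published
        # under *.onmicrosoft.com, because Microsoft controls that zone.
        if ($ruaDomain -and $ruaDomain -ne $Domain) {
            $auth = Resolve-DnsName -Name "$Domain._report._dmarc.$ruaDomain" -Type TXT -ErrorAction SilentlyContinue
            if (-not $auth) { $problems.Add("DMARC: rua domain $ruaDomain has no external-destination record for $Domain") }
        }
    }
}

if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ } }
else { "SPF, DKIM and DMARC for $Domain are consistent with Exchange Online" }
```

Run it once right after publishing the records and again after each DKIM key rotation; a rotation that changes the selector targets will show up here as a CNAME mismatch before it shows up as DKIM failures in recipients' DMARC reports.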
Created mail flow rules in the Exchange Admin Center to tag external emails with a warning banner and to block outbound emails with attachments over 25 MB. Used Message Trace to follow a test email end-to-end from submission through delivery and to confirm which transport rules fired on it. Message Trace itself does not show authentication results; the DKIM verdict and the spam-filtering decision are in the Authentication-Results and X-Forefront-Antispam-Report headers of the delivered copy.
# Connected to Exchange Online (Connect-ExchangeOnline)
PS> Get-TransportRule | Select Name, State, Priority
Name State Priority
---- ----- --------
External Email Warning Banner Enabled 0
Block Large Attachments Enabled 1
PS> Get-MessageTrace -SenderAddress "test@devtenant.onmicrosoft.com" -StartDate (Get-Date).AddHours(-1) | Select Received, Status, FromIP
Received Status FromIP
-------- ------ ------
3/10/2026 2:31:44 PM Delivered 40.107.94.58
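The same two rules and the trace, as an added example built with New-TransportRule, Get-MessageTraceDetail and a Graph lookup of the delivered message's headers. This is not code from the original lab notes: the sender address is the one in the trace above, the disclaimer text is a placeholder, and reading the recipient mailbox through Graph assumes the signed-in account is that recipient (or otherwise has Mail.Read on the mailbox).

```powershell
# Added example (not from the original lab notes): create the two mail flow rules, trace a
# test message hop by hop, then read the authentication headers of the delivered copy.
Connect-ExchangeOnline

# Rule 0: banner on mail entering from outside the organisation.
New-TransportRule -Name "External Email Warning Banner" -Priority 0 `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -PrependSubject "[EXTERNAL] " `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText "<p style='color:#9F3A38'>CAUTION: This email originated outside the organisation.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap     # still tag the message if the body cannot be modified

# Rule 1: reject outbound mail carrying any attachment over 25 MB, with a readable NDR.
New-TransportRule -Name "Block Large Attachments" -Priority 1 `
    -SentToScope NotInOrganization -AttachmentSizeOver 25MB `
    -RejectMessageReasonText "Attachments over 25 MB are not permitted; share a link instead." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Trace the test message: summary first, then per-event detail (Receive, Transport rule, Deliver).
$sender = "test@devtenant.onmicrosoft.com"
$trace  = Get-MessageTrace -SenderAddress $sender -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date)
$trace | Select-Object Received, SenderAddress, RecipientAddress, Status, FromIP, Size

foreach ($m in $trace) {
    Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId -RecipientAddress $m.RecipientAddress |
        Sort-Object Date | Select-Object Date, Event, Action, Detail
}

# Authentication results live in the delivered copy's headers, not in the trace.
Connect-MgGraph -Scopes "Mail.Read"
foreach ($m in $trace) {
    $msg = Get-MgUserMessage -UserId $m.RecipientAddress `
        -Filter "internetMessageId eq '$($m.MessageId)'" -Property internetMessageHeaders, subject
    $msg.InternetMessageHeaders |
        Where-Object { $_.Name -in @("Authentication-Results", "X-Forefront-Antispam-Report") } |
        Select-Object Name, Value
}
```

In the detail output, a "Transport rule" event whose Detail names "External Email Warning Banner" is the proof that the banner rule matched; in the header output, "dkim=pass" under Authentication-Results confirms the outbound signature verified, and the SCL value inside X-Forefront-Antispam-Report is the spam verdict.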
Enabled Self-Service Password Reset (SSPR) in Entra ID for a pilot group, requiring two authentication methods (email + phone). Configured the SSPR registration campaign and verified password writeback to an on-prem AD lab through Azure AD Connect (now Microsoft Entra Connect) configured for pass-through authentication with password writeback enabled. Writeback only works if the Connect service account holds Reset password and Change password rights plus write access to lockoutTime and pwdLastSet on the target OUs, so the test user has to be one that is actually synced from such an OU.
Created dynamic security groups based on department attributes and tested group-based license assignment for E5 and F3 license types. Verified license inheritance and propagation delay via the Entra ID portal and PowerShell; both dynamic membership evaluation and group-based licensing run asynchronously, so a newly qualifying user can take several minutes to appear in the group and then in its license state.
# Authentication methods policy (SSPR methods are managed here once migrated to the converged policy)
PS> Get-MgPolicyAuthenticationMethodPolicy | Select AdditionalProperties
# Check group-based license errors (no output means no members with license errors)
PS> Get-MgGroupMemberWithLicenseError -GroupId "a1b2c3d4-..." | Select DisplayName, LicenseAssignmentStates
# Confirm dynamic group membership rule
PS> Get-MgGroup -GroupId "a1b2c3d4-..." | Select DisplayName, MembershipRule

DisplayName    : IT Department Pilot
MembershipRule : (user.department -eq "Information Technology")
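The dynamic group and its license assignment end to end, as an added example (not the lab's own code): create the group with the membership rule shown above, attach the E5 SKU by part number rather than by a hard-coded GUID, wait for the asynchronous membership evaluation, then surface per-user license errors together with the usage location, which is the most common reason an assignment fails. The mail nickname is a placeholder; the SKU part number DEVELOPERPACK_E5 is the one listed in this tenant's inventory.

```powershell
# Added example (not from the original lab notes): dynamic security group plus group-based
# licensing via Microsoft Graph PowerShell, with polling and error reporting.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Organization.Read.All", "Directory.ReadWrite.All"

$group = New-MgGroup -BodyParameter @{
    displayName                   = "IT Department Pilot"
    mailEnabled                   = $false
    mailNickname                  = "it-dept-pilot"          # placeholder
    securityEnabled               = $true
    groupTypes                    = @("DynamicMembership")
    membershipRule                = '(user.department -eq "Information Technology")'
    membershipRuleProcessingState = "On"
}

# Resolve the SKU ID by part number so the script survives a tenant change.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "DEVELOPERPACK_E5"
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = @() }) `
    -RemoveLicenses @()

# Dynamic membership is evaluated asynchronously; poll instead of assuming it is done.
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $members = Get-MgGroupMember -GroupId $group.Id -All
} until ($members.Count -gt 0 -or (Get-Date) -gt $deadline)
"Members after processing: $($members.Count)"

# Group-based licensing fails per user without blocking the others; the failures are only visible here.
$errors = Get-MgGroupMemberWithLicenseError -GroupId $group.Id -All
if ($errors) {
    $errors | ForEach-Object {
        $u = Get-MgUser -UserId $_.Id -Property displayName, usageLocation, licenseAssignmentStates
        [pscustomobject]@{
            User          = $u.DisplayName
            UsageLocation = $u.UsageLocation     # empty usage location is the classic cause
            Error         = ($u.LicenseAssignmentStates | Where-Object { $_.Error } | ForEach-Object Error) -join "; "
        }
    }
} else { "No members with license errors" }
```

An Error column reading ProhibitedInUsageLocationViolation or an empty UsageLocation is fixed by setting the user's usage location, after which the next licensing pass retries the assignment on its own.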
- Activated and fully configured a 25-seat M365 E5 developer tenant from scratch
- Enforced MFA via Conditional Access for all users outside a small CA exclusion group; blocked all legacy authentication protocols (High-Risk Sign-In Block left in report-only mode)
- Published SPF, DKIM, and DMARC records; validated DKIM signing active in Exchange Online
- Built mail flow rules and traced end-to-end email delivery through Message Trace
- Deployed SSPR with two auth methods; configured group-based license assignment with zero errors
- Managed tenant entirely via both the admin portal and Microsoft Graph PowerShell module