This project demonstrates the ability to build and manage an enterprise Microsoft 365 environment from scratch — the same stack used by mid-to-large companies globally. It covers user identity management, device enrollment, security policy enforcement, and hybrid infrastructure simulation. These are core L1/L2 and junior sysadmin skills that directly translate to day-one productivity in an IT support role.
Using Microsoft's free M365 E5 developer tenant program, I built a production-grade enterprise environment from scratch. The goal was to simulate the full identity, endpoint, and security stack that a corporate IT team manages daily — going beyond just reading documentation by actually deploying and configuring each component.
The project covers three interconnected areas: Identity & Access Management (Entra ID, RBAC, MFA), Endpoint Management (Intune, Autopilot, compliance policies), and Hybrid Infrastructure (virtualised Windows Server 2022 with GPO and network segmentation via Hyper-V).
Enrolled in the Microsoft 365 Developer Program to obtain a free E5 tenant with the full enterprise tool suite — Entra ID P2, Intune, Defender, and all M365 apps.
- Created a dedicated tenant domain (aayushacharya.onmicrosoft.com)
- Assigned global admin credentials and secured with MFA immediately
- Verified E5 licenses were active across all services in M365 Admin Centre
Built out a realistic user and group structure simulating a company with multiple departments.
- Created users across departments (IT, Finance, HR, Management) with consistent naming conventions
- Built Security Groups and Microsoft 365 Groups for each department
- Assigned Role-Based Access Control (RBAC) — helpdesk staff as Helpdesk Administrator, not Global Admin
- Configured Dynamic Groups using attributes so users auto-join the correct group on creation
- Set password policies, account lockout thresholds, and self-service password reset (SSPR)
Implemented a Zero Trust posture — no user or device is trusted by default, access granted only when identity and compliance conditions are met.
- Conditional Access policies: require MFA for all users, block legacy auth, restrict to compliant devices only
- Enforced phishing-resistant MFA (Authenticator number matching + FIDO2 for admins)
- Configured Named Locations to allow/block by country or IP range
- Set up Sign-in Risk policies via Entra ID Protection — auto-blocking high-risk sign-ins
- Tested policies by attempting blocked sign-ins and verifying Entra ID logs showed correct deny reason
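As an added example (not part of the original project write-up), the two Conditional Access policies listed above expressed in Microsoft Graph PowerShell, created in report-only mode first so the log check in the last bullet can be done before enforcement. The break-glass account and the test user are assumed placeholders; the tenant domain is the one named in this write-up.

```powershell
# Added example: Conditional Access policies from this write-up, created with the
# Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns / Microsoft.Graph.Reports).
# Assumed placeholder values: the break-glass account and the test user below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "User.Read.All"

# Never lock yourself out: exclude one emergency-access account from every policy.
$breakGlass = (Get-MgUser -UserId "breakglass@aayushacharya.onmicrosoft.com").Id  # assumed account

$policies = @(
    @{
        displayName   = "CA01 - Require MFA for all users"
        state         = "enabledForReportingButNotEnforced"   # report-only first, enforce after review
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{
        displayName   = "CA02 - Block legacy authentication"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
            applications   = @{ includeApplications = @("All") }
            # Legacy protocols (POP/IMAP/SMTP AUTH, basic-auth EAS) cannot satisfy MFA, so block them.
            clientAppTypes = @("exchangeActiveSync", "other")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created $($created.DisplayName) [$($created.State)] id=$($created.Id)"
}

# Verification step: after a test sign-in, read the sign-in log and show how each policy
# evaluated. In report-only mode the result is reportOnlySuccess / reportOnlyFailure;
# once enforced you expect success / failure and a matching error code on blocked attempts.
$testUpn = "test.user@aayushacharya.onmicrosoft.com"   # assumed test account
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$testUpn'" -Top 5 |
    ForEach-Object {
        "{0} app={1} error={2} ca={3}" -f $_.CreatedDateTime, $_.AppDisplayName,
            $_.Status.ErrorCode, $_.ConditionalAccessStatus
        $_.AppliedConditionalAccessPolicies |
            ForEach-Object { "   {0}: {1}" -f $_.DisplayName, $_.Result }
    }
```

Switch `state` to `enabled` only after the report-only results show the break-glass account is excluded and no business-critical legacy clients remain.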
- Configured MDM and MAM policies for both corporate and BYOD devices
- Created Compliance Policies — required BitLocker, minimum OS version, Defender enabled, screen lock timeout
- Built Configuration Profiles to push Wi-Fi profiles, VPN configs, browser settings, and restrictions
- Tested Remote Wipe, Remote Lock, and BitLocker key recovery via Intune portal
- Created an Autopilot Deployment Profile — User-Driven mode, Azure AD joined, OOBE screens hidden
- Built an Enrollment Status Page (ESP) to ensure apps and policies install before the user reaches the desktop
- Configured required apps to install automatically on enrollment (M365 Apps, Defender, Chrome)
- Registered a test device hardware hash and validated the full zero-touch flow
- Installed Hyper-V on a physical machine to host virtual servers
- Deployed Windows Server 2022 VM and promoted to Domain Controller with AD DS role
- Created AD domain with OUs mirroring the Entra ID structure
- Built GPOs: password complexity, mapped drives, desktop lockdown, software restriction policies
- Configured network segmentation using Hyper-V virtual switches
- Set up Entra Connect to sync on-premises AD users to the cloud tenant (hybrid identity)
[Screenshots: Intune — Windows Apps Deployed; Intune — Devices Overview (Windows + iOS enrolled); Intune — Device Configuration Policies; Conditional Access — Aus Only Policy; M365 Admin — Teams & Microsoft 365 Groups]