Microsoft 365 & Entra Basics
The modern identity and productivity stack
Real-world analogy
M365 + Entra is the digital office building for most companies. Mail, chat, documents, meetings, identity, device posture — one tenant. If you keep this clean, the whole company works. If you don’t, every user feels it.
What is it?
M365/Entra administration is the modern productivity stack. Most corporate IT work happens here. Juniors who can create users, assign licenses, configure MFA and Conditional Access (CA), manage distribution groups, and pull audit logs are instantly useful.
Real-world relevance
HR onboards 5 new hires. You create accounts from an existing template, assign correct groups (which drives licensing and Teams/SharePoint access), enforce MFA registration, enroll devices in Intune, and share a welcome checklist. No tickets for 30 days afterward.
Key points
- Tenant — the building itself — An M365/Entra tenant is a dedicated instance with its own users, domains, licenses, and policies. A company is typically one tenant. Mergers create multi-tenant pain.
- Licensing basics — Each user gets licenses (E3, E5, Business Basic/Standard/Premium, Teams, Intune, Defender, etc.). Missing license = disabled service for that user. Know the common SKUs by name.
- Users, guests, and groups — Members are internal users. Guests are external collaborators. Groups can be security (permissioning) or M365 groups (Exchange + Teams + SharePoint + Planner). Don’t mix them randomly.
- Admin roles — least privilege — Entra and M365 have many role names (Global Admin, User Admin, Helpdesk Admin, Authentication Admin, Exchange Admin, Security Reader, etc.). Assign the smallest role that does the job. Break-glass global admin is tightly controlled.
- MFA, Conditional Access, risky sign-ins — MFA is table stakes. Conditional Access enforces policies (compliant device, trusted locations, risk-based). Identity Protection flags risky sign-ins. Together they’re the modern ‘perimeter’.
- Exchange Online, Teams, SharePoint, OneDrive — Exchange: mail. Teams: chat + meetings + collaboration. SharePoint: sites + document libraries. OneDrive: personal cloud files. Know which owns which data.
- Audit logs and message trace — Unified audit log (compliance portal) + Exchange message trace + Entra sign-in logs — three knobs that answer most ‘what happened?’ tickets in minutes.
- Retention, DLP, and eDiscovery — Retention policies keep or delete content per rules. DLP prevents leaks (e.g., credit card numbers in email). eDiscovery supports legal investigations. Regulated shops configure all three.
Code example
# M365 / Entra — daily ops snippets (PowerShell + admin UI)
# Connect
Connect-MgGraph -Scopes "User.ReadWrite.All","Group.ReadWrite.All","Directory.Read.All"
Connect-ExchangeOnline

# Create a new user (PowerShell continues a line with a backtick, not a backslash)
# UsageLocation must be set before a license can be assigned; "US" is an example value
# The password is a sample; generate a unique temporary password per user
New-MgUser -DisplayName "Alice Rahman" -UserPrincipalName "alice@contoso.com" `
  -MailNickname "alice" -AccountEnabled:$true -UsageLocation "US" `
  -PasswordProfile @{Password="TempP@ssw0rd!";ForceChangePasswordNextSignIn=$true}
# Assign license (replace GUIDs with your plan IDs)
Set-MgUserLicense -UserId alice@contoso.com -AddLicenses @(@{SkuId="ENTERPRISEPACK-GUID"}) -RemoveLicenses @()
# Add to a group (the Graph cmdlet is New-MgGroupMember; replace <groupId> with the group's object ID)
New-MgGroupMember -GroupId "<groupId>" -DirectoryObjectId (Get-MgUser -UserId alice@contoso.com).Id

# Message trace (Exchange Online)
Get-MessageTrace -SenderAddress alice@contoso.com -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date)

# Export risky sign-ins (Entra Identity Protection) via portal or Graph
# Review recent risky users and risky sign-ins for that tenant
Line-by-line walkthrough
- 1. Daily M365 snippets
- 2. Connect to Graph with scopes
- 3. Connect to Exchange Online
- 4. Blank separator
- 5. Create user block
- 6. Assign license block
- 7. Add to group
- 8. Blank separator
- 9. Message trace example
- 10. Blank separator
- 11. Risky sign-in export note
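The last two comment lines of the snippet leave the Graph export as an exercise. The following is an added example, not part of the original lesson, showing one way to do it; it assumes the Microsoft.Graph module, a tenant licensed for Identity Protection, and a hypothetical `risk-export` output folder.

```powershell
# Added example. Open a session first with:
#   Connect-MgGraph -Scopes "IdentityRiskyUser.Read.All","IdentityRiskEvent.Read.All"
$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$outDir = Join-Path $PWD "risk-export"   # hypothetical output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Users that Identity Protection currently considers at risk
$riskyUsers = Get-MgRiskyUser -All -Filter "riskState eq 'atRisk'" |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskDetail, RiskLastUpdatedDateTime

# Individual risk detections from the last 7 days
$detections = Get-MgRiskDetection -All -Filter "detectedDateTime ge $since" |
    Select-Object DetectedDateTime, UserPrincipalName, RiskEventType, RiskLevel, RiskState,
        IpAddress,
        @{ Name = "City";    Expression = { $_.Location.City } },
        @{ Name = "Country"; Expression = { $_.Location.CountryOrRegion } }

# Keep a copy of both views for the ticket
$riskyUsers | Sort-Object UserPrincipalName |
    Export-Csv (Join-Path $outDir "risky-users.csv") -NoTypeInformation
$detections | Sort-Object DetectedDateTime -Descending |
    Export-Csv (Join-Path $outDir "risk-detections.csv") -NoTypeInformation

# Triage view: for each at-risk user, how many detections and of what kind
$detections |
    Where-Object { $_.UserPrincipalName -in $riskyUsers.UserPrincipalName } |
    Group-Object UserPrincipalName |
    ForEach-Object {
        [pscustomobject]@{
            User       = $_.Name
            Detections = $_.Count
            Types      = ($_.Group.RiskEventType | Sort-Object -Unique) -join ", "
            LastSeen   = ($_.Group.DetectedDateTime | Measure-Object -Maximum).Maximum
        }
    } |
    Sort-Object Detections -Descending |
    Format-Table -AutoSize
```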
Spot the bug
To ‘fix’ a user’s email problem quickly, a junior makes the user Global Admin.
Hint
Which policies and audit concerns does this violate?
Answer
Least privilege (no need for Global Admin to fix user email); audit trail (privileged actions without justification); risk amplification (stolen GA account = tenant compromise). Correct: assign the smallest necessary role (e.g., Exchange Admin or Helpdesk Admin), with justification and time-limited assignment via PIM where possible.
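To catch this kind of shortcut after the fact, the added example below (not part of the original lesson) lists who currently holds Global Administrator and who granted the role recently. It assumes the Microsoft.Graph module, a placeholder list of approved accounts, and that role grants appear in the directory audit log with a `Role.DisplayName` modified property; confirm that property name against one record in your tenant.

```powershell
# Added example. Open a session first with:
#   Connect-MgGraph -Scopes "Directory.Read.All","AuditLog.Read.All"
# Placeholder: your break-glass and named Global Admin accounts
$approved = @("breakglass@contoso.com")

# 1. Who holds Global Administrator right now.
#    This lists active assignments only; PIM-eligible assignments are not returned.
$ga = Get-MgDirectoryRole -All | Where-Object DisplayName -eq "Global Administrator"
$holders = Get-MgDirectoryRoleMember -DirectoryRoleId $ga.Id -All | ForEach-Object {
    $upn = $_.AdditionalProperties["userPrincipalName"]
    [pscustomobject]@{
        Name     = $_.AdditionalProperties["displayName"]
        UPN      = $upn
        Type     = $_.AdditionalProperties["@odata.type"] -replace "^#microsoft\.graph\.", ""
        Approved = $upn -in $approved
    }
}
# Unapproved holders sort to the top
$holders | Sort-Object Approved, UPN | Format-Table -AutoSize

# 2. Who granted the role, and when.
#    How far back this reaches depends on the tenant's audit log retention.
$since  = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "activityDisplayName eq 'Add member to role' and activityDateTime ge $since"
Get-MgAuditLogDirectoryAudit -All -Filter $filter |
    ForEach-Object {
        $target = $_.TargetResources | Select-Object -First 1
        # Assumed property name for the role in the audit record
        $role = ($target.ModifiedProperties |
            Where-Object DisplayName -eq "Role.DisplayName").NewValue
        [pscustomobject]@{
            When   = $_.ActivityDateTime
            Actor  = $_.InitiatedBy.User.UserPrincipalName
            Target = $target.UserPrincipalName
            Role   = $role
            Result = $_.Result
        }
    } |
    Where-Object Role -like "*Global Administrator*" |
    Sort-Object When -Descending |
    Format-Table -AutoSize
```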
Explain like I'm 5
M365 is the office, Entra is the security desk. Desks, chairs, meeting rooms, chat, email — all work because the security desk knows who you are and what you’re allowed to touch.
Fun fact
Microsoft has moved the M365 admin experience across several portals and brand names over a decade (Office 365 Admin Center → Microsoft 365 Admin Center; Azure AD → Entra). Junior admins should learn concepts, not logos.
Hands-on challenge
Sign up for a Microsoft 365 Developer tenant (free). Create 3 users, 1 security group, 1 distribution list, enforce MFA, configure a basic conditional access policy requiring MFA for all users. Note what you saw.
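For the Conditional Access step of the challenge, here is an added example (not part of the original lesson) that creates the policy through Graph in report-only mode so its effect can be reviewed before enforcement. The policy name and the break-glass UPN are placeholders, and the Microsoft.Graph module is assumed.

```powershell
# Added example. Open a session first with:
#   Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All","User.Read.All"
$policyName    = "Lab - Require MFA for all users"   # hypothetical policy name
$breakGlassUpn = "breakglass@contoso.com"            # placeholder emergency account

# Exclude the break-glass account so a misconfigured policy cannot lock out the tenant
$breakGlass = Get-MgUser -UserId $breakGlassUpn -ErrorAction Stop

# Do not create a duplicate if the script is run twice
$existing = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object DisplayName -eq $policyName

if ($existing) {
    Write-Host "Policy already exists: $($existing.Id) (state: $($existing.State))"
}
else {
    $body = @{
        displayName = $policyName
        # Report-only: evaluated and logged on every sign-in, but not enforced
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            clientAppTypes = @("all")
            applications   = @{ includeApplications = @("All") }
            users          = @{
                includeUsers = @("All")
                excludeUsers = @($breakGlass.Id)
            }
        }
        grantControls = @{
            operator        = "OR"
            builtInControls = @("mfa")
        }
    }
    $policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    $policy | Select-Object Id, DisplayName, State
}

# After reviewing the report-only results in the Entra sign-in logs, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
#     -BodyParameter @{ state = "enabled" }
```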
More resources
- Microsoft 365 admin center docs (Microsoft Learn)
- Microsoft 365 Developer Program (Microsoft)
- Entra ID documentation (Microsoft Learn)