Repository Owner: Jason Wiggins
Role: Senior Identity & Endpoint Security Engineer
Focus: Zero Trust Architecture, Automated Governance, and Disaster Recovery.
This repository contains production-ready Infrastructure-as-Code (IaC) artifacts for managing Microsoft Entra ID (formerly Azure AD). It demonstrates a "Security-First" approach to identity management, moving away from manual portal clicks to automated, version-controlled configurations.
- Objective: Automated backup of Conditional Access policies for change management.
- Artifacts: `Export-Policy_CA001-BlockLegacyAuth-AllUsers.ps1` (targeted policy export), `Export-CAPolicies.ps1` (bulk export utility).
- Tech: PowerShell + Microsoft Graph (`Policy.Read.All`).
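The export pattern the two artifacts implement, as an added example rather than one of the repository's own scripts. It pulls the raw Graph JSON (so a backup can be replayed with `POST /identity/conditionalAccess/policies`), handles paging, and supports either a bulk dump or a single policy by display name. The module name, the output directory and the parameter names are assumptions for the example; `Policy.Read.All` is the scope the page names.

```powershell
# Added example (not the repository's own Export-*.ps1): bulk or targeted export
# of Conditional Access policies with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.Authentication is installed and the signed-in account
# can consent to Policy.Read.All.
#Requires -Modules Microsoft.Graph.Authentication
param(
    [string]$OutDir = '.\CA-Backup',   # assumed output location
    [string]$PolicyName                # e.g. 'CA001-BlockLegacyAuth-AllUsers'; omit for bulk export
)

Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

# Raw Graph JSON rather than SDK typed objects: the export keeps the exact
# property names the API accepts on create, so restore needs no reshaping.
$uri = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
$policies = @()
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $policies += $page.value
    $uri = $page.'@odata.nextLink'   # $null on the last page
}

if ($PolicyName) {
    # Exact display-name match, filtered client-side, for the targeted export
    $policies = @($policies | Where-Object { $_.displayName -eq $PolicyName })
    if (-not $policies) { throw "No Conditional Access policy named '$PolicyName'" }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($p in $policies) {
    # Tenant-managed fields change on every save and would make every git diff noisy
    foreach ($f in 'createdDateTime', 'modifiedDateTime', 'templateId') {
        if ($p.PSObject.Properties[$f]) { $p.PSObject.Properties.Remove($f) }
    }
    $file = Join-Path $OutDir (($p.displayName -replace '[^\w\-]', '_') + '.json')
    $p | ConvertTo-Json -Depth 20 | Set-Content -Path $file -Encoding utf8
    Write-Host "Exported '$($p.displayName)' (state: $($p.state)) -> $file"
}
```

One file per policy, named after the policy, keeps each change reviewable as its own diff in version control. The `id` is kept so a later drift check can match the file to the live object; strip it before replaying a file with `POST`, since Graph assigns the id on create.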
- Objective: Complete design and implementation of a resilient identity perimeter.
- Documentation: `Zero-Trust-Architecture.md`
- Status: Deployed (Report-Only Mode).
- Objective: Implementation of Least Privilege using Privileged Identity Management (PIM).
- Documentation: `Identity-Governance-PIM.md`
- Feature: Just-In-Time (JIT) activation for administrative roles with audit trails.
- Objective: Automated governance for external vendors to prevent "Guest Sprawl."
- Documentation: `Identity-Governance-B2B.md`
- Tech: Entitlement Management, Access Packages, Self-Service Approvals.
- Objective: Secure integration of enterprise applications and custom API connections.
- Documentation: `Enterprise-App-Integration.md` (SaaS app integration logic), `Custom Graph API Integration.md` (custom API permission models).
- Objective: Prevention of AiTM (Adversary-in-the-Middle) attacks on administrative identities.
- Documentation: `Phishing-Resistant-MFA.md`
- Tech: Conditional Access Authentication Strengths, FIDO2/Passkeys, Graph API.
This project established a resilient identity perimeter for an M365 tenant, aligning with Microsoft Zero Trust principles ("Verify Explicitly"). The implementation enforces phishing-resistant authentication for high-privilege roles while mitigating the risk of tenant lockout through a redundant emergency access strategy.
Objective: Ensure tenant recovery capabilities during identity service outages.
- Accounts: 2x cloud-only accounts (`svc-backup01`, ...), provisioned via PIM.
- Role Assignment: Global Administrator (Active/Permanent).
- Authentication: FIDO2 Security Keys (Hardware-bound).
- Exclusion Logic: Managed via security group `Sec-BreakGlass-Exclusion`.
Objective: Reduce attack surface by restricting authentication attempts to trusted geographies.
- Policy: `Block-Untrusted-Locations`
- Conditions: Block access from high-risk regions; allow Corporate HQ (`1.2.3.4/32`).
- Safety Mode: Report-Only.
Objective: Mitigate "MFA Fatigue" and "Adversary-in-the-Middle" (AiTM) attacks.
- Policy: `CA-002-RequirePhishingResistant-Admins`
- Grant Control: Require phishing-resistant MFA (FIDO2 or certificate-based authentication (CBA)).
- Target Roles: Global Admin, Security Admin.
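The policy described above, built as an added example (not the repository's own deployment script) through the Graph API: the built-in "Phishing-resistant MFA" authentication strength as the grant control, the two role template IDs as the user scope, the break-glass group excluded, and report-only as the initial state. The group name is the one on this page; the scope names are the ones the Graph `POST /identity/conditionalAccess/policies` call requires; the module names are assumptions.

```powershell
# Added example (not the repository's own script): creates
# CA-002-RequirePhishingResistant-Admins in report-only mode.
# Assumes the Sec-BreakGlass-Exclusion group already exists and the signed-in
# admin can consent to the scopes below.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All' -NoWelcome

# Directory role template IDs; these are the same in every Entra tenant
$GlobalAdministrator   = '62e90394-69f5-4237-9190-012177145e10'
$SecurityAdministrator = '194ae4cb-b126-40b2-bd5b-6091b380977d'

# Resolve the built-in strength by name instead of hard-coding its id
$strengths = (Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies').value
$phishingResistant = $strengths | Where-Object { $_.displayName -eq 'Phishing-resistant MFA' }
if (-not $phishingResistant) { throw 'Built-in Phishing-resistant MFA strength not found' }

# Refuse to create the policy without the exclusion group: a policy that
# applies to Global Administrator with no exclusion can lock the tenant out.
$breakGlass = @(Get-MgGroup -Filter "displayName eq 'Sec-BreakGlass-Exclusion'")
if ($breakGlass.Count -ne 1) { throw "Expected exactly one Sec-BreakGlass-Exclusion group, found $($breakGlass.Count)" }

$policy = @{
    displayName = 'CA-002-RequirePhishingResistant-Admins'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing report-only sign-ins
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeRoles  = @($GlobalAdministrator, $SecurityAdministrator)
            excludeGroups = @($breakGlass[0].Id)
        }
    }
    grantControls = @{
        operator = 'OR'
        # FIDO2/passkeys and CBA satisfy this strength; push/OTP MFA does not,
        # which is what defeats MFA fatigue and AiTM session capture.
        authenticationStrength = @{ id = $phishingResistant.id }
    }
}

$created = Invoke-MgGraphRequest -Method POST -OutputType PSObject `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

Write-Host "Created '$($created.displayName)' [$($created.id)] state=$($created.state)"
```

Run it once; a second run creates a duplicate policy with the same display name, so check for an existing policy first if you wire it into a pipeline. Leave the policy in report-only until the sign-in log shows no admin being evaluated as "would fail" for a legitimate session, then change `state` to `enabled` with a `PATCH` to the same policy id.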
This module documents the transition from push-notification MFA to high-assurance credentials: FIDO2 and CBA credentials are bound to the origin that requested them, so an AiTM proxy cannot replay them, and there is no push prompt for an attacker to spam.
The policy configuration was exported via Microsoft Graph to ensure version control and disaster recovery capability.
Policy enforcement state is verified programmatically using the Microsoft Graph PowerShell SDK to prevent configuration drift.
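A drift check of the kind described above, as an added example that is not the repository's own verification script. It reads the live policies with the SDK, compares each against an expected state, confirms that every in-scope policy still excludes the break-glass group (the tenant-lockout guard), and confirms that CA-002 still requires the phishing-resistant strength rather than plain MFA. The expected states in the baseline table are assumptions for the example; the policy and group names are the ones on this page.

```powershell
# Added example (not the repository's own script): verifies the live tenant
# against the documented Conditional Access baseline and exits non-zero on drift.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All', 'Group.Read.All' -NoWelcome

# Baseline: policy display name -> expected state. States are assumed for the
# example; adjust to match the exported JSON in version control.
$Baseline = @{
    'CA001-BlockLegacyAuth-AllUsers'         = 'enabled'
    'Block-Untrusted-Locations'              = 'enabledForReportingButNotEnforced'
    'CA-002-RequirePhishingResistant-Admins' = 'enabledForReportingButNotEnforced'
}

$bg = @(Get-MgGroup -Filter "displayName eq 'Sec-BreakGlass-Exclusion'")
if ($bg.Count -ne 1) { throw "Expected exactly one Sec-BreakGlass-Exclusion group, found $($bg.Count)" }
$breakGlassId = $bg[0].Id

# Resolve the built-in strength by name rather than trusting a hard-coded id
$phishingResistantId = (Get-MgPolicyAuthenticationStrengthPolicy -All |
    Where-Object DisplayName -eq 'Phishing-resistant MFA').Id

$live     = Get-MgIdentityConditionalAccessPolicy -All
$findings = [System.Collections.Generic.List[string]]::new()

foreach ($name in $Baseline.Keys) {
    $p = $live | Where-Object DisplayName -eq $name
    if (-not $p) { $findings.Add("MISSING   $name"); continue }

    if ($p.State -ne $Baseline[$name]) {
        $findings.Add("STATE     $name is '$($p.State)', expected '$($Baseline[$name])'")
    }
    # Lockout guard: every baseline policy must exclude the break-glass group
    if ($p.Conditions.Users.ExcludeGroups -notcontains $breakGlassId) {
        $findings.Add("LOCKOUT   $name no longer excludes Sec-BreakGlass-Exclusion")
    }
}

# CA-002 must still require the phishing-resistant strength, not the weaker
# built-in 'mfa' control that a portal edit could silently substitute
$ca002 = $live | Where-Object DisplayName -eq 'CA-002-RequirePhishingResistant-Admins'
if ($ca002 -and $ca002.GrantControls.AuthenticationStrength.Id -ne $phishingResistantId) {
    $findings.Add("WEAK-MFA  CA-002 grant control is not the Phishing-resistant MFA strength")
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'Conditional Access baseline verified: no drift detected.'
```

Scheduling this as a pipeline job turns the exported JSON into an enforced baseline rather than a passive backup: a portal edit that removes the break-glass exclusion or downgrades the grant control fails the job before it becomes an outage or a gap.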
Evidence of secure deployment state (Report-Only) and successful API connection.