Skip to Content

Entra ID — Engineering Experiments


Microsoft Entra ID serves as the identity control plane for today’s IT environments.

This page shares hands-on Entra ID experiments done in separate lab tenants to show real authentication behaviour, privilege boundaries, session persistence, and identity failure modes.

​Everything here is based on what was actually observed, not just what the documentation says.


A MacBook with lines of code on its screen on a busy desk

What This Page Covers

This page serves as a central index of experiments for Entra ID testing on F11.ca.

You will find:

  • A live index of Entra ID experiments
  • Tested identity scenarios with clear outcomes
  • Security impact based on real tenant behaviour
  • Links to detailed experiment records

This is not an Entra ID overview or best-practice guide.

Entra ID Experiment Index

Each experiment ID links to a detailed record including configuration, logs, and observed behavior.


IDCategoryDescriptionResultRisk

EID-EXP-001

BaselineDefault Entra ID tenant security postureWeak default protections🟠 Medium

EID-EXP-002

Authentication

Sign-In Logs Deep Dive – Visibility Gaps in Authentication Events

Critical authentication context is easy to miss or misinterpret

🔴 High

EID-EXP-003

Baseline

Break-Glass Account misconfigurations

Frequent misconfigurations elevate access risks and limit visibility

🔴 High

EID-EXP-004

Identity Protection

Identity Protection Alerts

Default identity risk alerts do not block access and are often ignored by admins

🔴 High
EID-EXP-005

Identity Protection

Enforce remediation unless Conditional Access policies

Risk-based Conditional Access forces remediation (password reset / MFA)

🔴 Critical

EID-EXP-006 Emergency AccessBreak-glass account excluded from policiesRecovery successful🟢 Low

EID-EXP-007

Identity Protection

Block High-Risk Sign-ins

High-risk sign-ins are blocked via Conditional Access

🔴 High

EID-EXP-008

Identity Protection

MFA Fatigue Simulation

MFA repetition alone did not consistently trigger elevated identity risk

🟠 Medium


Experiment Categories

We group these experiments to highlight patterns of identity-related failures:

Topics include:

  • Baseline: Default tenant behavior and assumptions
  • Authentication: MFA, sessions, tokens, and sign-in behavior
  • Privilege: Role assignment and escalation paths
  • Sessions & Tokens: Token reuse and persistence
  • Monitoring: Visibility and detection gaps
  • Emergency Access: Tenant recovery and lockout scenarios


MacBook Pro on table beside white iMac and Magic Mouse

Authentication

Labs that examine how authentication actually works in practice.

Topics include:

  • MFA enforcement behavior

  • Session persistence and token reuse

  • Password resets vs active sessions

  • Legacy and modern authentication paths

  • Passwordless and FIDO2 testing

Example labs:

  • Authentication – MFA Enforcement vs Session Tokens

  • Authentication – Password Reset Does Not Invalidate Sessions

a laptop computer sitting on top of a wooden desk

Conditional Access

Labs that test policy evaluation, enforcement order, and bypass scenarios.

Topics include:

  • Policy evaluation logic

  • Grant controls vs session controls

  • Trusted location risks

  • Device and sign-in state edge cases

  • MFA fatigue and partial enforcement

Example labs:

  • Conditional Access – Policy Not Evaluated Scenario

  • Conditional Access – MFA Bypass via Trusted Locations

low-angle photography of metal structure

Privileged Access

Labs focused on high-risk identity roles and administrative exposure.

Topics include:

  • Global Admin vs non-GA attack paths

  • Role misuse and escalation

  • Privileged Identity Management (PIM)

  • Permanent vs eligible access

Example labs:

  • Entra ID – High-Risk Non-GA Roles

  • Privileged Access – PIM Misconfiguration Impact

low-angle photography of metal structure

Emergency Access

Labs that validate tenant recovery and break-glass design.

Topics include:

  • Emergency access account design

  • MFA exclusions and monitoring

  • Lockout and recovery scenarios

  • Logging and alerting gaps

Example labs:

  • Emergency Access – MFA Exclusion Risk

  • Emergency Access – Monitoring Break-Glass Usage

red Emergency Pull lever

Lab Structure

Each Entra ID lab on F11.ca follows a consistent format:

  • Lab objective

  • Tenant and configuration state

  • Control or scenario tested

  • Expected behavior

  • Observed behavior

  • Logs, screenshots, or evidence

  • Security takeaway

This structure ensures labs are repeatable, verifiable, and practical.

Overhead view of two people at a table working with a Microsoft laptop and notebook

Common Entra ID Findings

Across multiple lab scenarios, the following patterns appear repeatedly:

  • MFA alone does not protect active sessions

  • Conditional Access policies are often not evaluated when assumed

  • Session controls are frequently misunderstood or ignored

  • Over-privileged roles create silent attack paths

  • Emergency access accounts are rarely monitored

These findings are expanded through individual labs linked on this page.

MacBook Pro on brown wooden table inside room

Notes & Scope


  • All labs are performed in isolated test environments

  • Results may vary based on licensing, tenant age, and configuration

  • This page does not replace Microsoft documentation

  • Official references are linked where relevant


F11 = Full-Scale Engineering Mode

Hands-on identity labs. Real outcomes. No assumptions.

cable network