Building Cloud Platforms Teams Can Rely On

Identity-driven infrastructure on Azure and Microsoft 365

How I Build

The best platforms are not the most complex ones. They are the ones where the basics are solid and everything connects. I build access, infrastructure, deployments, and monitoring so teams can move faster without worrying about what is underneath.


These case studies walk through specific projects and the decisions behind them.


Cloud Engineering Stack

Identity & Security
• Microsoft Entra ID
• Active Directory
• Azure AD Connect
• Okta
• Conditional Access
• RBAC, SSO, MFA

Cloud & Infrastructure
• Microsoft Azure
• AWS
• Virtual Machines
• Storage Accounts
• Networking
• Azure Firewall
• AKS, ACR

Automation & DevOps
• Terraform, Bicep
• Azure DevOps
• GitHub Actions
• Azure CLI
• ARM Templates
• CI/CD Pipelines

Integration & Data
• Azure Event Grid
• Azure Functions
• Azure Logic Apps
• Azure Data Factory
• Service Bus
• API Management

Security & Monitoring
• Microsoft Defender
• Microsoft Sentinel
• Microsoft Purview
• Azure Monitor
• Log Analytics
• Application Insights

Collaboration & SaaS
• Microsoft 365
• Exchange Online
• Teams, SharePoint
• OneDrive
• Salesforce
• Google Workspace

How Every Login Gets Evaluated

Signals checked on every sign-in:
• User identity: who is signing in? → Entra ID
• Device compliance: Intune- or Jamf-managed
• Sign-in risk: Defender for Identity signal
• User risk: account compromised?
• Location: named location or unknown?
• App target: Salesforce, Microsoft 365, or LatePlate

All evaluated simultaneously → 6 Terraform-managed policy types:
• MFA enforcement
• Device compliance required
• Risk-based sign-in
• Named location
• Session control
• App-targeted restriction

Access was not consistent: some systems were locked down, while others were not.

Now every login evaluates the full picture.
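As an added illustration (not the portfolio's own Terraform), here are three of the six policy types above written as azuread_conditional_access_policy resources with the hashicorp/azuread provider. It assumes the provider is already authenticated to the tenant and that var.break_glass_group_id holds the object ID of an emergency-access group (a placeholder); every policy excludes that group so a mistaken policy cannot lock administrators out, and every policy starts in report-only mode so its effect shows up in sign-in logs before anyone is blocked.

```hcl
# Added example, not the portfolio's own code. Assumed: azuread provider is
# authenticated; var.break_glass_group_id is a placeholder object ID.

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.47"
    }
  }
}

variable "break_glass_group_id" {
  description = "Object ID of the emergency-access group (placeholder, set per tenant)"
  type        = string
}

# Report-only first: sign-in logs show what each policy would have done.
# Flip to "enabled" in a later, reviewed change.
variable "policy_state" {
  type    = string
  default = "enabledForReportingButNotEnforced"
}

# Policy type 1: MFA enforcement for every user on every cloud app.
resource "azuread_conditional_access_policy" "require_mfa" {
  display_name = "CA01-All-Users-Require-MFA"
  state        = var.policy_state

  conditions {
    client_app_types = ["browser", "mobileAppsAndDesktopClients"]

    applications {
      included_applications = ["All"]
    }

    users {
      included_users  = ["All"]
      excluded_groups = [var.break_glass_group_id]
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["mfa"]
  }
}

# Policy type 2: device compliance required. Intune (or Jamf through its
# Intune compliance integration) marks the device; Entra ID enforces it here.
resource "azuread_conditional_access_policy" "require_compliant_device" {
  display_name = "CA02-All-Users-Require-Compliant-Device"
  state        = var.policy_state

  conditions {
    client_app_types = ["browser", "mobileAppsAndDesktopClients"]

    applications {
      included_applications = ["All"]
    }

    users {
      included_users  = ["All"]
      excluded_groups = [var.break_glass_group_id]
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["compliantDevice"]
  }
}

# Policy type 3 plus session control: medium/high sign-in risk must pass MFA,
# and the session re-authenticates hourly instead of staying open.
resource "azuread_conditional_access_policy" "risky_sign_in" {
  display_name = "CA03-Risky-SignIn-Require-MFA"
  state        = var.policy_state

  conditions {
    client_app_types    = ["all"]
    sign_in_risk_levels = ["medium", "high"]

    applications {
      included_applications = ["All"]
    }

    users {
      included_users  = ["All"]
      excluded_groups = [var.break_glass_group_id]
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["mfa"]
  }

  session_controls {
    sign_in_frequency        = 1
    sign_in_frequency_period = "hours"
  }
}
```

Because the policies are data in version control, the plan diff for a change to `excluded_groups` or `state` is visible in review before it reaches the tenant, which is the property the "Terraform-managed" label above is buying.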

Event-Driven Onboarding

Before: HR emails IT → ticket created → manual provisioning → apps assigned 1-by-1 → device configured. 3-5 days.

After: HR submits hire → Event Grid trigger → Azure Functions trigger → Graph API provision → auto-provisioned apps + groups + devices. < 4 hours.

One trigger, zero manual steps. 85%+ reduction in provisioning time.

How 10+ Systems Stay Synchronized

Event sources: HR system, Entra ID, Salesforce, Intune, LatePlate
↓
Event Grid: routes by type, dead-letter config, retry policies
↓
Service Bus: guaranteed delivery, ordered processing, back-pressure
↓
Azure Functions: provisioning logic, Graph API calls, error handling
↓
Targets: Entra ID, Salesforce, M365 apps, Azure SQL

Before: loosely connected manual steps. After: identity changes trigger everything downstream automatically.
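The Event Grid → Service Bus hop above is where the "routes by type, dead-letter, retry, ordered processing" properties are actually configured. The following is an added Terraform example (not the portfolio's own code) wiring one custom topic to a session-enabled queue with a retry policy and a blob dead-letter destination. Resource names ending in "example" are placeholders, and the event payload is assumed to carry a data.employeeId field that becomes the Service Bus session ID so one employee's events are processed in order.

```hcl
# Added example, not the portfolio's own code. Names ending in "example" are
# placeholders; data.employeeId in the event payload is an assumption.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.100"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "onboarding" {
  name     = "rg-onboarding-example"
  location = "eastus"
}

# Custom topic the HR system publishes hire/transfer events to (CloudEvents schema).
resource "azurerm_eventgrid_topic" "hr" {
  name                = "evgt-hr-events-example"
  location            = azurerm_resource_group.onboarding.location
  resource_group_name = azurerm_resource_group.onboarding.name
  input_schema        = "CloudEventSchemaV1_0"
}

# Private blob container that receives events Event Grid gives up on.
resource "azurerm_storage_account" "deadletter" {
  name                            = "stdeadletterexample"
  resource_group_name             = azurerm_resource_group.onboarding.name
  location                        = azurerm_resource_group.onboarding.location
  account_tier                    = "Standard"
  account_replication_type        = "LRS"
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false
}

resource "azurerm_storage_container" "deadletter" {
  name                  = "eventgrid-deadletter"
  storage_account_name  = azurerm_storage_account.deadletter.name
  container_access_type = "private"
}

resource "azurerm_servicebus_namespace" "onboarding" {
  name                = "sbns-onboarding-example"
  location            = azurerm_resource_group.onboarding.location
  resource_group_name = azurerm_resource_group.onboarding.name
  sku                 = "Standard"
}

# Sessions give per-employee ordering; max_delivery_count moves poison
# messages to the queue's own dead-letter sub-queue instead of looping forever.
resource "azurerm_servicebus_queue" "provisioning" {
  name                                 = "provisioning"
  namespace_id                         = azurerm_servicebus_namespace.onboarding.id
  requires_session                     = true
  max_delivery_count                   = 5
  dead_lettering_on_message_expiration = true
  lock_duration                        = "PT1M"
}

# Route only the event types the provisioning function understands; retry for
# up to a day, then dead-letter to blob storage so nothing is silently lost.
resource "azurerm_eventgrid_event_subscription" "hire_to_queue" {
  name  = "sub-hire-to-provisioning"
  scope = azurerm_eventgrid_topic.hr.id

  event_delivery_schema         = "CloudEventSchemaV1_0"
  service_bus_queue_endpoint_id = azurerm_servicebus_queue.provisioning.id
  included_event_types          = ["employee.hired", "employee.transferred"]

  # Session-enabled queues reject messages without a SessionId; take it from the payload.
  delivery_property {
    header_name  = "SessionId"
    type         = "Dynamic"
    source_field = "data.employeeId"
  }

  retry_policy {
    max_delivery_attempts = 10
    event_time_to_live    = 1440 # minutes
  }

  storage_blob_dead_letter_destination {
    storage_account_id          = azurerm_storage_account.deadletter.id
    storage_blob_container_name = azurerm_storage_container.deadletter.name
  }
}
```

Two dead-letter paths exist on purpose: Event Grid's blob dead-letter catches events the queue never accepted, and the Service Bus dead-letter sub-queue catches messages the function repeatedly failed to process. Both should be monitored, since an empty dead-letter is the only evidence that "guaranteed delivery" is holding.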

Infrastructure, Compliance, and Security Ship the Same Way

Infrastructure: Terraform validate → plan → apply (AKS, Firewall, identity, monitoring)
Device compliance: Intune or Jamf managed
Sign-in risk: Defender for Identity signal

↓ Shared Delivery Controls ↓

• Azure DevOps Pipelines
• GitHub Actions
• Branch policies
• Azure DevOps Artifacts

Infrastructure was built differently across teams. I standardized it into one delivery model.

How I move infrastructure changes to production

Development

I write Terraform or Bicep and commit to a feature branch. Automated validation runs Terraform checks, linting, and security scans. I review the plan diff before moving anything forward.

Gate: validation passes, plan diff clean.

Staging

I promote to staging using the same Terraform modules with staging-specific variables. If something breaks here, I catch it before it reaches production.

Gate: I approve after staging validates.

Production

I run terraform apply with state locking. Health checks confirm resources are live. Every deployment is versioned and rollback-ready.

When I joined, the environment was primarily Entra ID with no broader Azure infrastructure practice. I built this entire deployment model (environment isolation, automated validation, and promotion gates) from the ground up.
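The "same modules, environment-specific variables, state locking" model described above can be seen in a single root module. This is an added example, not the portfolio's own code: it assumes a state storage account already exists and that the pipeline identity holds a data-plane role on it, assumes a shared module at ./modules/platform with the inputs shown, and uses placeholder names ending in "example". The staging and prod tfvars files are sketched in comments at the end.

```hcl
# Added example, not the portfolio's own code. Assumed: the state storage
# account and ./modules/platform exist; names ending in "example" are placeholders.

terraform {
  required_version = ">= 1.5"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.100"
    }
  }

  # Remote state in a blob container. The blob lease is the state lock, so two
  # applies against the same key cannot interleave. One key per environment:
  #   terraform init -backend-config="key=platform.staging.tfstate"
  #   terraform init -backend-config="key=platform.prod.tfstate"
  backend "azurerm" {
    resource_group_name  = "rg-tfstate-example"
    storage_account_name = "sttfstateexample"
    container_name       = "tfstate"
    use_azuread_auth     = true # pipeline identity, no shared storage keys
  }
}

provider "azurerm" {
  features {}
}

variable "environment" {
  type = string
  validation {
    condition     = contains(["staging", "prod"], var.environment)
    error_message = "environment must be \"staging\" or \"prod\"."
  }
}

variable "aks_node_count" {
  type = number
}

variable "firewall_sku_tier" {
  type = string
}

# Only staging may expose the AKS API server; see the guard below.
variable "allow_public_api_server" {
  type    = bool
  default = false
}

locals {
  tags = {
    environment = var.environment
    managed_by  = "terraform"
  }
}

# Every platform resource depends on this group, so a failed precondition here
# stops the plan before anything is created or changed.
resource "azurerm_resource_group" "platform" {
  name     = "rg-platform-${var.environment}-example"
  location = "eastus"
  tags     = local.tags

  lifecycle {
    precondition {
      condition     = var.environment != "prod" || !var.allow_public_api_server
      error_message = "Production must not expose a public AKS API server."
    }
  }
}

# Same module for both environments; only the inputs differ.
module "platform" {
  source = "./modules/platform" # assumed shared module

  environment             = var.environment
  resource_group_name     = azurerm_resource_group.platform.name
  aks_node_count          = var.aks_node_count
  firewall_sku_tier       = var.firewall_sku_tier
  allow_public_api_server = var.allow_public_api_server
  tags                    = local.tags
}

# staging.tfvars (assumed):
#   environment             = "staging"
#   aks_node_count          = 2
#   firewall_sku_tier       = "Standard"
#   allow_public_api_server = true
#
# prod.tfvars (assumed):
#   environment       = "prod"
#   aks_node_count    = 5
#   firewall_sku_tier = "Premium"
```

The promotion step is then `terraform plan -var-file=prod.tfvars -out=tfplan` reviewed in the pipeline, followed by `terraform apply tfplan`, so what is applied is exactly the plan that was approved rather than a fresh plan computed after the gate.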

How security signals connect

• Entra ID: sign-in + audit logs
• Defender for Endpoint: device threat signals
• Defender for Identity: identity risk signals
• Defender for Cloud Apps: SaaS session monitoring
• Intune: device compliance signals

↓ Sentinel detects patterns, not isolated events ↓

Before: alerts were scattered across tools. After: one correlation engine.
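"Patterns, not isolated events" means a rule only fires when two feeds agree. As an added example (not the portfolio's own rule), the Terraform below defines one Sentinel scheduled analytics rule whose KQL joins an Entra ID user-risk detection with a later successful sign-in by the same user from a device that is not Intune/Jamf compliant; either signal alone is noise, together they are worth an incident. It assumes Sentinel is enabled on the workspace in var.workspace_id (a placeholder) and that the SigninLogs and AADUserRiskEvents tables are being ingested.

```hcl
# Added example, not the portfolio's own code. Assumed: Sentinel is onboarded
# to var.workspace_id (placeholder) and SigninLogs / AADUserRiskEvents flow in.

variable "workspace_id" {
  description = "Resource ID of the Log Analytics workspace Sentinel runs on (placeholder)"
  type        = string
}

resource "azurerm_sentinel_alert_rule_scheduled" "risky_user_noncompliant_device" {
  name                       = "risky-user-noncompliant-device"
  log_analytics_workspace_id = var.workspace_id
  display_name               = "Risky user signed in from a non-compliant device"
  description                = "A user-risk detection followed by a successful sign-in from a device that fails Intune/Jamf compliance."
  severity                   = "High"
  enabled                    = true
  tactics                    = ["InitialAccess"]

  query_frequency   = "PT1H" # run hourly
  query_period      = "PT2H" # look back two hours
  trigger_operator  = "GreaterThan"
  trigger_threshold = 0

  query = <<-KQL
    let lookback = 2h;
    // Signal 1: Entra ID flagged the account (medium/high risk).
    let risky_users =
        AADUserRiskEvents
        | where TimeGenerated > ago(lookback)
        | where RiskLevel in ("medium", "high")
        | summarize RiskEvents = make_set(RiskEventType), FirstRisk = min(TimeGenerated)
              by UserPrincipalName;
    // Signal 2: a successful sign-in from a device that is not marked compliant.
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"                                 // sign-in succeeded
    | extend IsCompliant = tobool(DeviceDetail.isCompliant)
    | where isnull(IsCompliant) or IsCompliant == false       // unknown counts as non-compliant
    | join kind=inner risky_users on UserPrincipalName
    | where TimeGenerated >= FirstRisk                        // sign-in came after the detection
    | project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName,
              DeviceOS = tostring(DeviceDetail.operatingSystem), RiskEvents, FirstRisk
  KQL

  # Map columns to entities so incidents group by account and the IP is pivotable.
  entity_mapping {
    entity_type = "Account"
    field_mapping {
      identifier  = "FullName"
      column_name = "UserPrincipalName"
    }
  }

  entity_mapping {
    entity_type = "IP"
    field_mapping {
      identifier  = "Address"
      column_name = "IPAddress"
    }
  }
}
```

The rule is the same Terraform, reviewed and promoted the same way as the Conditional Access policies and the infrastructure, which is what "ship the same way" looks like on the detection side.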

Endpoint Management: Before and After

Before
• Device tracking in spreadsheets

After
• Intune + Jamf managed
• Autopilot zero-touch
• Compliance = access gate
• 500+ endpoints governed
• Defender signals in CA

From spreadsheets to policy-driven compliance across 500+ devices