Summary

Access shifted from a fragmented, system-by-system approach to a centralized identity-driven model where Entra ID is the control plane, security signals shape every decision, and Terraform makes the whole policy layer consistent and scalable. Zero Trust went from a phrase used in security meetings to something the platform actually enforces.

Technology Stack and Ownership

• Identity: Microsoft Entra ID, Conditional Access, PIM, RBAC
• Endpoint Compliance: Microsoft Intune
• Threat Signals: Microsoft Defender for Endpoint, Defender for Identity
• SaaS Control: Microsoft Defender for Cloud Apps
• Monitoring: Microsoft Sentinel, Azure Log Analytics
• Automation: Terraform, Azure DevOps Pipelines, GitHub, Azure CLI
• Deployment Authentication: Service principals
• Scale: 600+ users, 500+ managed devices, 10+ integrated SaaS platforms

Technical Impact

• Established a consistent access model across users, devices, and applications
• Made least privilege and time-bound elevation the default rather than the exception
• Centralized identity and security visibility through Microsoft Sentinel
• Reduced configuration drift by moving the policy layer into IaC
• Enabled staged deployments with clear change tracking and rollback capability
• Cut user provisioning time by 85%+ through identity-driven automation tied to the same control plane
• Made identity the primary security boundary, advancing Zero Trust maturity across the platform

Technical Challenges Solved

• Inconsistent access enforcement across cloud and SaaS platforms
• Unmanaged or non-compliant devices reaching business applications
• Overly broad permissions accumulating without review
• Limited visibility across identity, endpoint, and SaaS activity
• Manual policy changes with little traceability or rollback capability
• Difficulty testing access changes safely before production deployment

Design Approach

The platform is built around identity-first access, not network trust. Having valid credentials or being on a known network is no longer enough. Every request gets evaluated dynamically before access is granted.

That evaluation pulls together identity, device trust, risk signals, and application context into a single policy-driven model. Devices have to meet Intune compliance requirements, identity risk is continuously assessed through Defender, and SaaS activity is monitored and controlled through Defender for Cloud Apps. The Conditional Access decision engine combines those signals in real time and selects an access outcome appropriate to the risk level.

To keep the whole layer consistent and scalable, I moved policy management itself into Terraform. Conditional Access policies, role assignments, and named locations live as code, reviewed in GitHub, and deployed through Azure DevOps using Azure CLI and service principals for non-interactive authentication. That made policy changes predictable, peer-reviewed, testable, and easy to roll back when needed. No more clicking through portals hoping a change did not break something downstream.

The system also includes a continuous improvement loop. Security signals from Defender and Entra ID feed real-time updates into the evaluation layer. Patterns in those signals drive policy refinement. Refinements ship through the IaC pipeline. Sentinel monitors and validates the deployed state, and the loop continues, advancing Zero Trust maturity over time.

Architecture Components

Control Plane

• Microsoft Entra ID
• Conditional Access
• Privileged Identity Management (PIM)
• Role-Based Access Control (RBAC)
• Named locations
• Risk-based access policies
• Terraform-managed identity configuration
• GitHub for version control
• Azure DevOps for deployment pipelines

Service Layer

• Microsoft 365
• Azure resources
• SaaS applications
• Microsoft Intune
• Microsoft Defender for Endpoint
• Microsoft Defender for Identity
• Microsoft Defender for Cloud Apps
• Microsoft Sentinel
• Azure CLI
• Service principals

Architecture Summary

Microsoft Entra ID acts as the platform's identity control plane. Every access request flows through six architectural layers: it enters as a user request, gets resolved through the identity control plane, runs through a trust evaluation layer that gathers signals from Intune, Defender for Endpoint, Defender for Identity, and Entra ID Risk, and then hits a Conditional Access decision engine that evaluates identity, device, sign-in risk, MFA status, application sensitivity, and authorization before deciding whether to allow access, require MFA, require a compliant device, limit the session, trigger an alert, or deny outright.

Once a decision is made, access flows to the resource layer (Microsoft 365, Azure resources, SaaS, business apps, admin portals) with one of several outcomes: full access, restricted access, monitored session, elevated access through PIM, or blocked. Microsoft Sentinel, Log Analytics, Defender alerts, and governance reporting wrap the whole thing as the supporting systems layer.
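The policy-as-code layer described in the design approach, and two of the decision outcomes listed above (require MFA, require a compliant device), as an added Terraform example that is not the project's own configuration. It assumes the HashiCorp azuread provider 2.x authenticated with a service principal; the break-glass group variable, policy names and IP range are constructed placeholders.

```hcl
# Added example, not the project's own code. Assumes the azuread provider (2.x)
# is authenticated via a service principal; var.break_glass_group_id is a placeholder.
variable "break_glass_group_id" { type = string }
# Trusted office egress (constructed RFC 5737 range). Trusted locations feed
# Entra ID Protection's sign-in risk scoring; they waive no MFA or device check here.
resource "azuread_named_location" "office" {
  display_name = "Corp office egress"
  ip {
    ip_ranges = ["203.0.113.0/24"]
    trusted   = true
  }
}

# Outcome "require MFA": medium/high-risk sign-ins must pass MFA from any network.
# Ships report-only; set state = "enabled" once Sentinel confirms the expected impact.
resource "azuread_conditional_access_policy" "risky_signin_mfa" {
  display_name = "CA-Risk-MediumHigh-RequireMFA"
  state        = "enabledForReportingButNotEnforced"
  conditions {
    client_app_types    = ["all"]
    sign_in_risk_levels = ["medium", "high"]
    applications { included_applications = ["All"] }
    users {
      included_users  = ["All"]
      excluded_groups = [var.break_glass_group_id]
    }
  }
  grant_controls {
    operator          = "OR"
    built_in_controls = ["mfa"]
  }
}

# Outcome "require compliant device": non-compliant Intune endpoints never reach apps.
resource "azuread_conditional_access_policy" "compliant_device" {
  display_name = "CA-AllApps-RequireCompliantDevice"
  state        = "enabled"
  conditions {
    client_app_types = ["browser", "mobileAppsAndDesktopClients"]
    applications { included_applications = ["All"] }
    users {
      included_users  = ["All"]
      excluded_groups = [var.break_glass_group_id]
    }
  }
  grant_controls {
    operator          = "OR"
    built_in_controls = ["compliantDevice"]
  }
}
```

Excluding a break-glass group from every policy is what keeps a bad apply in the pipeline from locking administrators out; the report-only state on the risk policy is the staged rollout the text describes.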

Role and Ownership

As Platform Engineering Manager at Campus Cooks, I led the access architecture end to end. That included defining the identity control model, aligning policies to real business risk, standardizing enforcement across systems, and moving the whole policy layer into Terraform and CI/CD so it could scale and change cleanly. I oversaw a systems administrator and coordinated with three vendor partners across security, Salesforce, and application development to make sure the platform held together across all integration points.

Business Impact

• Standardized access control across Microsoft 365, Azure, endpoints, and 10+ integrated SaaS platforms
• Reduced exposure from compromised accounts, unmanaged devices, and accumulated permissions
• Improved visibility into identity activity, device compliance, and risky sign-in behavior
• Replaced manual policy changes with version-controlled, peer-reviewed deployments through infrastructure-as-code

Snapshot

I rebuilt access across a cloud and SaaS environment supporting 600+ users by putting Microsoft Entra ID at the center as the platform's identity control plane. Instead of trusting users based on where they connect from, every access decision now runs against identity, device state, risk signals, and policy enforcement before anything is allowed through.
