A Microsoft 365 enterprise security expansion covering Intune endpoint governance, Entra ID identity hardening, Purview compliance controls, Conditional Access, RBAC, DLP, and Exchange Online mail security — all deployed in safe, governance-first modes across 4 admin centers.
Phase 2 expands the Meridian lab into a multi-admin-center security operations environment — hardening identity, governing endpoints, protecting sensitive data, and securing mail flow.
Each control area was built sequentially; later steps assumed earlier ones were already in place.
Documented and configured Intune compliance controls: Windows security baseline, update rings, Defender and firewall policies, BitLocker enforcement, and PowerShell validation commands for endpoint state reporting.
Created DLP policies targeting Canadian PII (SIN, health card numbers), Communication Compliance policies, retention labels for Exchange and SharePoint, and captured Compliance Manager / NIST assessment evidence.
Built RBAC delegated admin roles (Helpdesk, Security Reader), MFA security groups, SSPR configuration, and Conditional Access report-only policies for MFA enforcement, legacy auth blocking, and compliant-device access.
Provisioned the IT Helpdesk shared mailbox, configured address and display name, created a transport rule to block external auto-forwarding, and reviewed anti-spam, Safe Attachments, and DKIM governance.
PowerShell commands were used to validate endpoint compliance states, Exchange mail flow rules, Purview policy deployment, and Entra ID role/CA configurations — making every control evidence-backed and repeatable.
# Connect to Microsoft Graph with Intune scopes
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All","DeviceManagementManagedDevices.Read.All"
# List all device compliance policies
Get-MgDeviceManagementDeviceCompliancePolicy | Select DisplayName,Id,CreatedDateTime
# List compliance policy assignments
Get-MgDeviceManagementDeviceCompliancePolicy -All |
    ForEach-Object {
        $policy = $_
        Get-MgDeviceManagementDeviceCompliancePolicyAssignment -DeviceCompliancePolicyId $policy.Id |
            Select @{N='Policy';E={$policy.DisplayName}}, Target
    }
# List endpoint security baselines (intents)
# Intents are a beta Graph endpoint, so this needs the Microsoft.Graph.Beta module
Get-MgBetaDeviceManagementIntent | Select DisplayName,TemplateName,IsAssigned
# Validate device configuration profiles
Get-MgDeviceManagementDeviceConfiguration | Select DisplayName,OdataType,LastModifiedDateTime
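The commands above list the policies; the lab notes also call for endpoint state reporting. The following is an added example (not code from the original lab) that reuses the same Graph session and rolls up managed devices by compliance state, then lists the devices needing attention. The function name and the 7-day staleness threshold are assumptions.

```powershell
# Added example: compliance state roll-up plus a "needs attention" list.
# Assumes Connect-MgGraph already ran with DeviceManagementManagedDevices.Read.All.
function Get-MeridianComplianceReport {
    param(
        # Devices with no check-in inside this window are flagged as stale (assumed threshold)
        [int]$StaleAfterDays = 7
    )
    $devices = Get-MgDeviceManagementManagedDevice -All
    $cutoff  = (Get-Date).AddDays(-$StaleAfterDays)

    # Roll-up: count of devices per Intune compliance state
    # (compliant, noncompliant, inGracePeriod, conflict, error, unknown, ...)
    $summary = $devices | Group-Object ComplianceState |
        Select-Object @{N='ComplianceState';E={$_.Name}}, Count

    # Detail: anything not compliant, plus compliant devices that stopped checking in
    $attention = $devices | Where-Object {
        $_.ComplianceState -ne 'compliant' -or
        $null -eq $_.LastSyncDateTime -or
        $_.LastSyncDateTime -lt $cutoff
    } | Select-Object DeviceName, UserPrincipalName, OperatingSystem, OSVersion,
            ComplianceState, LastSyncDateTime,
            @{N='Reason';E={
                if ($_.ComplianceState -ne 'compliant') { $_.ComplianceState }
                elseif ($null -eq $_.LastSyncDateTime)  { 'never checked in' }
                else { "no check-in since $($_.LastSyncDateTime.ToString('yyyy-MM-dd'))" }
            }}

    [pscustomobject]@{
        Summary   = $summary
        Attention = $attention
    }
}

$report = Get-MeridianComplianceReport -StaleAfterDays 7
$report.Summary   | Format-Table -AutoSize
$report.Attention | Sort-Object LastSyncDateTime | Format-Table -AutoSize
```

A device that is still marked compliant but has not synced for a week will not pick up policy changes, which is why the stale check sits beside the compliance state.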
# Connect to Exchange Online
Connect-ExchangeOnline
# Validate shared mailbox creation
Get-Mailbox -RecipientTypeDetails SharedMailbox | Select DisplayName,PrimarySmtpAddress,Alias
# List all transport / mail flow rules
Get-TransportRule | Select Name,State,Priority,Description
# Validate external auto-forwarding block rule
Get-TransportRule | Where-Object { $_.Name -like "*forward*" } |
Select Name,State,RedirectMessageTo,RejectMessageEnhancedStatusCode
# Check remote domain forwarding settings
Get-RemoteDomain | Select DomainName,AutoForwardEnabled,AllowedOOFType
# Verify anti-spam / connection filter policies
Get-HostedConnectionFilterPolicy | Select Name,IsDefault,IPAllowList,IPBlockList
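The transport rule is one of three places where external auto-forwarding is controlled; the remote domain setting and the outbound spam filter policy can each override or duplicate it. The following is an added example (not code from the original lab) that checks all three layers in one pass. It assumes Connect-ExchangeOnline has already run, and the rule-name pattern is an assumption to adjust to the lab's actual rule name.

```powershell
# Added example: audit the three controls that stop auto-forwarded mail leaving the tenant.
function Test-MeridianAutoForwardControls {
    param([string]$RuleNamePattern = '*forward*')   # assumed; match the lab's rule name

    $checks = [System.Collections.Generic.List[object]]::new()

    # Layer 1: transport rule rejecting auto-forwarded messages sent outside the org
    $rule = Get-TransportRule | Where-Object { $_.Name -like $RuleNamePattern } | Select-Object -First 1
    $rulePass = ($null -ne $rule) -and ($rule.State -eq 'Enabled') -and
                ($rule.MessageTypeMatches -eq 'AutoForward') -and
                ($rule.SentToScope -eq 'NotInOrganization') -and
                (-not [string]::IsNullOrEmpty($rule.RejectMessageReasonText))
    $ruleDetail = 'no matching rule'
    if ($rule) {
        $ruleDetail = "$($rule.Name): State=$($rule.State) Type=$($rule.MessageTypeMatches) Scope=$($rule.SentToScope)"
    }
    $checks.Add([pscustomobject]@{
        Control = 'Transport rule blocks external auto-forward'
        Pass    = $rulePass
        Detail  = $ruleDetail
    })

    # Layer 2: the default remote domain (*) must not allow automatic forwarding
    $rd = Get-RemoteDomain -Identity Default
    $checks.Add([pscustomobject]@{
        Control = 'Default remote domain AutoForwardEnabled = False'
        Pass    = -not $rd.AutoForwardEnabled
        Detail  = "DomainName=$($rd.DomainName) AutoForwardEnabled=$($rd.AutoForwardEnabled)"
    })

    # Layer 3: outbound spam filter policy; "Automatic" defers to Microsoft's default, "Off" is explicit
    $osp = Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.IsDefault }
    $checks.Add([pscustomobject]@{
        Control = 'Outbound spam policy AutoForwardingMode = Off'
        Pass    = $osp.AutoForwardingMode -eq 'Off'
        Detail  = "AutoForwardingMode=$($osp.AutoForwardingMode)"
    })

    $checks
}

Test-MeridianAutoForwardControls | Format-Table -AutoSize
```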
# Connect to Security & Compliance PowerShell
Connect-IPPSSession
# List all DLP policies and their state
Get-DlpCompliancePolicy | Select Name,Mode,Workload,CreatedBy,WhenCreated
# List DLP rules under each policy
Get-DlpComplianceRule | Select Name,ParentPolicyName,BlockAccess,NotifyUser
# Validate retention labels
Get-ComplianceTag | Select Name,RetentionDuration,RetentionAction,IsRecordLabel
# List retention policies and their locations
Get-RetentionCompliancePolicy | Select Name,Enabled,ExchangeLocation,SharePointLocation
# Check communication compliance policies
Get-SupervisoryReviewPolicy | Select Name,Enabled,Reviewers,SamplingRate
# Result: DLP policies — Canadian PII types protected
# SIN (Canada Social Insurance Number), Health Card — active in Exchange+SharePoint+Teams
# Connect with identity + CA read scopes
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Policy.Read.All"
# List all active role assignments in the tenant
Get-MgRoleManagementDirectoryRoleAssignment -All |
Select RoleDefinitionId,PrincipalId,DirectoryScopeId
# Show role display names + assigned users
Get-MgDirectoryRole | ForEach-Object {
    $role = $_
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
        Select @{N='Role';E={$role.DisplayName}},
               @{N='MemberId';E={$_.Id}},
               @{N='Member';E={$_.AdditionalProperties.userPrincipalName}}   # UPN lives in AdditionalProperties
}
# List all Conditional Access policies + their state
# (report-only policies show State = enabledForReportingButNotEnforced)
Get-MgIdentityConditionalAccessPolicy | Select DisplayName,State,CreatedDateTime
# Result: 3 CA policies — all in Report-Only (safe staged mode)
# Require MFA for Admin Roles → reportOnly
# Block Legacy Authentication → reportOnly
# Require Compliant Device → reportOnly
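Listing names and states does not show whether each policy is actually built the way its name claims. The following is an added example (not code from the original lab) that classifies each policy by its grant controls and conditions, reports which ones are still report-only, and counts user exclusions (where break-glass accounts should appear). It assumes the Connect-MgGraph session above with Policy.Read.All; the function name is an assumption.

```powershell
# Added example: audit CA policies against the three controls the lab stages.
function Get-MeridianCaAudit {
    $policies = Get-MgIdentityConditionalAccessPolicy -All

    foreach ($p in $policies) {
        $grant = @($p.GrantControls.BuiltInControls)      # e.g. mfa, block, compliantDevice
        $apps  = @($p.Conditions.ClientAppTypes)          # legacy auth = exchangeActiveSync / other
        $roles = @($p.Conditions.Users.IncludeRoles)

        # Classify by what the policy does, not by its display name
        $kind = if ($grant -contains 'mfa' -and $roles.Count -gt 0) {
                    'MFA for admin roles'
                } elseif ($grant -contains 'block' -and
                          ($apps -contains 'exchangeActiveSync' -or $apps -contains 'other')) {
                    'Block legacy auth'
                } elseif ($grant -contains 'compliantDevice') {
                    'Require compliant device'
                } else {
                    'Other'
                }

        [pscustomobject]@{
            DisplayName   = $p.DisplayName
            Kind          = $kind
            State         = $p.State          # enabled | disabled | enabledForReportingButNotEnforced
            Enforced      = $p.State -eq 'enabled'
            Grant         = $grant -join ','
            ClientApps    = $apps -join ','
            ExcludedUsers = @($p.Conditions.Users.ExcludeUsers).Count   # break-glass exclusions expected here
        }
    }
}

$audit = Get-MeridianCaAudit
$audit | Format-Table DisplayName, Kind, State, Enforced, ExcludedUsers -AutoSize

# Policies still in report-only: review the sign-in log impact for these before enforcing
$audit | Where-Object { -not $_.Enforced } | Select-Object DisplayName, Kind
```

A policy classified as "Block legacy auth" with zero excluded users, or an MFA policy with no role scope, is worth a second look before it leaves report-only.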
Configuration evidence across Microsoft Intune, Entra ID, Purview, Exchange Online, and PowerShell — cleaned, organized, and documented for portfolio walkthroughs and interview storytelling.
Phase 2 proves hands-on security administration across identity, compliance, endpoint, and email governance — not just basic tenant configuration.
This phase demonstrates that Meridian Institute is more than a tenant setup — it's a simulated enterprise security operations environment covering identity hardening, compliance governance, endpoint management, and mail flow security. Each control area is evidence-backed and interview-ready.