In my first post, I told you to "deploy Active Directory in your lab." I did not show you how. This post fixes that.
What you are about to build is not a toy. It is a scaled-down version of the exact hybrid identity architecture that I have deployed for Fortune 500 companies — an on-premises Active Directory domain synchronised to Microsoft Entra ID, with Conditional Access, MFA, and user lifecycle management.
The difference? You are building it for free. Everything in this guide uses either free Azure credits, free evaluation licences, or permanently free tiers.
By the end of this guide, you will have:
- A Windows Server 2022 VM running Active Directory Domain Services
- A properly structured domain with OUs, users, groups, and GPOs
- Microsoft Entra Connect synchronising your on-prem users to the cloud
- Conditional Access policies enforcing MFA and blocking risky sign-ins
- Self-Service Password Reset configured and working
- A portfolio-ready project you can reference in interviews
What you need: a computer with internet access. No prior lab experience needed. Set aside 3–4 hours for the initial build. Total cost: $0.
What You Are Building
Before touching a single button, understand the architecture. This is how enterprise hybrid identity works — and your lab will mirror it.
Architecture diagram (described): Windows Server VM (DNS Server, Domain Controller) → Entra Connect (Password hash sync, hybrid identity bridge) → Entra ID (Conditional Access; MFA · SSPR · SSO)
Active Directory is the source of truth. Entra Connect synchronises identities to the cloud. Entra ID applies security policies. This is hybrid identity — what 90% of enterprises run.
Create Your Free Azure Account
- Go to azure.microsoft.com/free and click "Start free." Sign in with your Microsoft account or create one.
- Complete identity verification. You need a phone number and a card for verification only — you will not be charged. Microsoft gives you $200 in free credits.
- Access the Azure Portal at portal.azure.com. You now have a working Azure subscription.
Azure requires a card for verification but will not charge you unless you explicitly upgrade. The $200 free credit covers this entire lab easily — a Windows Server VM costs roughly $0.05/hour.
Deploy a Windows Server VM
Create a Resource Group
In the Azure Portal, search for "Resource Groups" → Click Create.
Create the Virtual Machine
Search for "Virtual Machines" → Click Create → Azure Virtual Machine.
Click Review + Create → Create. Deployment takes 2–4 minutes. Then Connect → RDP → download the file and log in.
Install Active Directory Domain Services
Set a Static IP (Critical)
Before installing AD, set your VM's private IP to static: VM → Networking → Network Interface → IP configurations → Change to Static → Save.
Active Directory relies on DNS, and DNS relies on a consistent IP. If your DC's IP changes, the entire domain breaks. In production, this is always static.
Install AD DS via Server Manager
- Open Server Manager → Add roles and features
- Check "Active Directory Domain Services" → Add Features
- Click Install and wait 2–3 minutes
Promote to Domain Controller
Click the yellow notification flag → "Promote this server to a domain controller." Add a new forest with the root domain name iamlab.local (NetBIOS name IAMLAB).
Install → server restarts. Log back in as IAMLAB\labadmin. You now have a working Active Directory domain.
Build Your Domain Structure
Create Organisational Units
Open Active Directory Users and Computers (ADUC). Right-click your domain → New → Organisational Unit. Create three OUs: Corporate, IT, and Disabled Accounts.
Create Test Users via PowerShell
Create Security Groups
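The two steps above in script form, as an added example that is not from the original post: it creates the ten test users and one security group per department, with membership driven by the Department attribute. It assumes the iamlab.local domain and the Corporate and IT OUs already exist; Sarah Chen and Raj Patel are named in the post, the other eight users and the SG-* group names are constructed.

```powershell
# Added example (not the post's own script). Sarah Chen and Raj Patel appear in the post;
# the other eight names and the SG-<Department> group names are constructed sample data.
# Assumes the iamlab.local domain with the Corporate and IT OUs already exists.
Import-Module ActiveDirectory

$domain = 'iamlab.local'
$ou = @{ Corporate = 'OU=Corporate,DC=iamlab,DC=local'; IT = 'OU=IT,DC=iamlab,DC=local' }

$users = @(
    @{ First='Sarah'; Last='Chen';   Dept='Finance';     OU='Corporate' },
    @{ First='Raj';   Last='Patel';  Dept='Engineering'; OU='Corporate' },
    @{ First='Maria'; Last='Lopez';  Dept='Finance';     OU='Corporate' },
    @{ First='David'; Last='Kim';    Dept='Engineering'; OU='Corporate' },
    @{ First='Aisha'; Last='Okafor'; Dept='HR';          OU='Corporate' },
    @{ First='Tom';   Last='Becker'; Dept='HR';          OU='Corporate' },
    @{ First='Elena'; Last='Rossi';  Dept='Sales';       OU='Corporate' },
    @{ First='James'; Last='Wright'; Dept='Sales';       OU='Corporate' },
    @{ First='Priya'; Last='Nair';   Dept='IT';          OU='IT' },
    @{ First='Lucas'; Last='Silva';  Dept='IT';          OU='IT' }
)

# Random 16-character initial password; ChangePasswordAtLogon forces a reset at first sign-in.
function New-LabPassword {
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%'
    -join (1..16 | ForEach-Object { Get-Random -InputObject $chars })
}

# Note: a .local UPN suffix is not routable, so Entra Connect will give these users a
# .onmicrosoft.com cloud UPN unless you add a verified custom UPN suffix first.
foreach ($u in $users) {
    $sam = ($u.First.Substring(0,1) + $u.Last).ToLower()             # e.g. schen
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { continue }  # safe to re-run
    New-ADUser -Name "$($u.First) $($u.Last)" -GivenName $u.First -Surname $u.Last `
        -SamAccountName $sam -UserPrincipalName "$sam@$domain" -Department $u.Dept `
        -Path $ou[$u.OU] -Enabled $true -ChangePasswordAtLogon $true `
        -AccountPassword (ConvertTo-SecureString (New-LabPassword) -AsPlainText -Force)
}

# One global security group per department; membership comes from the Department attribute.
foreach ($dept in ($users | ForEach-Object { $_.Dept } | Sort-Object -Unique)) {
    $grp = "SG-$dept"
    if (-not (Get-ADGroup -Filter "Name -eq '$grp'")) {
        New-ADGroup -Name $grp -GroupScope Global -GroupCategory Security -Path $ou['Corporate']
    }
    $members = Get-ADUser -Filter "Department -eq '$dept'" -SearchBase 'DC=iamlab,DC=local'
    Add-ADGroupMember -Identity $grp -Members $members
}
```

Run it from an elevated PowerShell session on DC01; it is safe to re-run because existing users and groups are skipped.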
Create a Group Policy Object
- Open Group Policy Management
- Right-click Corporate OU → Create GPO → Name: "Password Policy - Corporate"
- Edit → Computer Config → Policies → Windows Settings → Security → Account Policies → Password Policy
- Set: Min length = 12, Complexity = Enabled, Max age = 90 days
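A check to run after linking the GPO, as an added example that is not from the original post. Domain user passwords are governed by the policy linked at the domain root (the Default Domain Policy by default), not by a GPO linked to an OU, unless a Fine-Grained Password Policy (PSO) applies to the user or one of their groups; this script reads the effective domain policy against the values above and then gives an admin group a stricter PSO. It assumes the iamlab.local domain from this guide and a security group named SG-IT (a constructed name).

```powershell
# Added example (not the post's own script). Assumes the iamlab.local domain from this guide
# and a security group named SG-IT, which is a constructed name.
Import-Module ActiveDirectory

# Domain user passwords follow the policy linked at the domain root (Default Domain Policy
# by default), not an OU-linked GPO, unless a Fine-Grained Password Policy (PSO) applies.
# This reads the effective domain policy and compares it with the values the GPO intends.
function Test-LabPasswordPolicy {
    param([int]$MinLength = 12, [int]$MaxAgeDays = 90)
    $p   = Get-ADDefaultDomainPasswordPolicy
    $age = $p.MaxPasswordAge.Days
    [pscustomobject]@{
        MinLength   = $p.MinPasswordLength
        Complexity  = $p.ComplexityEnabled
        MaxAgeDays  = $age
        # 0 days means passwords never expire, which is not what the GPO intends
        MeetsTarget = ($p.MinPasswordLength -ge $MinLength) -and $p.ComplexityEnabled -and
                      ($age -gt 0) -and ($age -le $MaxAgeDays)
    }
}

# Privileged accounts get a PSO, which overrides the domain default for its subjects.
function New-LabAdminPasswordPolicy {
    param([string]$Group = 'SG-IT', [string]$Name = 'PSO-Admins')
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$Name'")) {
        New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 -MinPasswordLength 16 `
            -ComplexityEnabled $true -MaxPasswordAge (New-TimeSpan -Days 60) `
            -PasswordHistoryCount 24 -LockoutThreshold 5 `
            -LockoutDuration (New-TimeSpan -Minutes 30) `
            -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Group
}

Test-LabPasswordPolicy
New-LabAdminPasswordPolicy
# Confirm the PSO actually resolves for one member of the admin group.
$admin = (Get-ADGroupMember -Identity 'SG-IT' | Select-Object -First 1).SamAccountName
Get-ADUserResultantPasswordPolicy -Identity $admin
```

If MeetsTarget comes back False, the settings from the Corporate GPO are not reaching domain accounts; set them in the GPO linked at the domain root or use a PSO as shown.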
Connect to Entra ID with Entra Connect
This is where your lab goes from "I set up AD" to "I built hybrid identity." This single step separates a homelab from an enterprise-grade lab.
- Verify your Entra ID tenant — Azure Portal → Microsoft Entra ID. Your free subscription includes one.
- Download Entra Connect V2 — on your DC VM, search microsoft.com/download for "Microsoft Entra Connect"
- Install with Express Settings — this enables Password Hash Sync (the most common production method)
- Enter Entra ID Global Admin credentials
- Enter AD DS Enterprise Admin credentials (IAMLAB\labadmin)
- Click Install
Entra Connect is synchronising your on-premises AD users to the cloud. Every user you created — Sarah Chen, Raj Patel, all of them — now exists in both your on-prem AD and Entra ID. This is hybrid identity. This is what enterprises run.
Verify: Go to entra.microsoft.com → Users → All users. Your 10 users should appear with Source = "Windows Server AD."
Configure Conditional Access and MFA
Conditional Access requires Entra ID P1. Activate the free 30-day P2 trial: Entra Portal → Licences → All products → Activate Entra ID P2 trial.
Policy 1: Require MFA for All Users
- Entra Portal → Protection → Conditional Access → New policy
- Name: "Require MFA — All Users"
- Users: All users (exclude your break-glass admin)
- Target resources: All cloud apps
- Grant: Require multifactor authentication
- Enable: Report-only first, then switch to On after testing
Policy 2: Block Legacy Authentication
- New policy → Name: "Block Legacy Auth"
- Users: All users
- Conditions → Client apps: Exchange ActiveSync + Other clients
- Grant: Block access
- Enable: On
Legacy auth protocols don't support MFA — blocking them is one of the first things you do in any enterprise.
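The two policies above created with Microsoft Graph PowerShell instead of the portal, as an added example that is not from the original post. It assumes the Microsoft.Graph module is installed and a Global Administrator signs in; the break-glass account UPN is a placeholder you replace with your own emergency account.

```powershell
# Added example (not the post's own script). Assumes the Microsoft.Graph module is installed;
# the break-glass UPN below is a placeholder for your own emergency-access account.
Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'User.Read.All'

$breakGlass = (Get-MgUser -UserId 'breakglass@<your-tenant>.onmicrosoft.com').Id

# Shared scope: every user except the break-glass admin, every cloud app.
$usersAll = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
$appsAll  = @{ includeApplications = @('All') }

$policies = @(
    # Policy 1 starts in report-only; set state to 'enabled' after reviewing the sign-in logs.
    @{
        displayName   = 'Require MFA - All Users'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{ users = $usersAll; applications = $appsAll; clientAppTypes = @('all') }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    # Policy 2 blocks outright: legacy protocols cannot complete an MFA challenge.
    @{
        displayName   = 'Block Legacy Auth'
        state         = 'enabled'
        conditions    = @{ users = $usersAll; applications = $appsAll
                           clientAppTypes = @('exchangeActiveSync', 'other') }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
)

foreach ($p in $policies) {
    # Idempotent: skip a policy that already exists with the same display name.
    if (Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'") {
        Write-Host "Already exists: $($p.displayName)"; continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created '$($created.DisplayName)' with state $($created.State)"
}
```

Check the Conditional Access insights in the sign-in logs for the report-only policy before switching it to enabled, exactly as the portal steps advise.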
Enable Self-Service Password Reset
- Entra Portal → Protection → Password reset
- Enabled: All
- Methods: Mobile app notification + Email
- Save
In production, SSPR alone reduces L1 ticket volume by 20–30%.
Document Everything — Build Your Portfolio
- Architecture diagram — use draw.io (free). Show: AD → Entra Connect → Entra ID → Conditional Access
- Configuration summary — list every setting: domain name, OUs, GPOs, CA policies, SSPR. Keep in a clean PDF.
- PowerShell scripts — push to a GitHub repo titled "IAM-Homelab-Scripts"
- Screenshots — ADUC structure, Entra users (synced), CA policies, SSPR config. Annotate them.
- Lessons learned — 3–5 bullets on what you learned and what you'd do differently in production
"I built a hybrid identity environment with AD, Entra Connect, Conditional Access, and SSPR — here is my documentation" is immediately more credible than only having certifications. Certifications show you studied. A lab shows you built.
Your Complete Lab Checklist
- Created Azure free account with $200 credits
- Deployed Windows Server 2022 VM (DC01)
- Set static private IP on the VM
- Installed Active Directory Domain Services
- Promoted server to Domain Controller (iamlab.local)
- Created OU structure (Corporate, IT, Disabled Accounts)
- Created 10 test users via PowerShell
- Created security groups and assigned memberships
- Created and linked a GPO (password policy)
- Installed Microsoft Entra Connect V2
- Verified user synchronisation to Entra ID
- Activated Entra ID P2 trial
- Created CA policy: Require MFA
- Created CA policy: Block legacy auth
- Enabled Self-Service Password Reset
- Created architecture diagram
- Documented all configurations
- Pushed scripts to GitHub
- Updated LinkedIn profile with lab project
What to Build Next
- Configure Azure AD PIM — just-in-time admin access with approval workflows
- Add a SAML SSO application — register a test app and configure Single Sign-On
- Enable Identity Protection — user risk and sign-in risk policies
- Build an n8n automation — trigger a workflow when a new AD user is created
- Deploy a second DC — add DC02 and configure AD replication
Go build it. The Azure free account takes 5 minutes. Your first domain controller takes 30 minutes. By tonight, you can have a working hybrid identity environment that matches what Fortune 500 companies run.
That is not a hobby project. That is a career.
— Masood
IAM Architect · 24+ years · identityfrontline.com