I have been building a portable hybrid identity lab, tracked as Infrastructure-as-Code in hybrid-lab-iac. This post is a brief look at what I am trying to achieve with it and how it is put together.
The goal
I wanted a repeatable environment to practice and demonstrate a realistic enterprise identity lifecycle end to end, rather than a bare domain controller with a handful of manually created test accounts. The lab is built to be provisioned from scratch by scripts, run once or torn down and recreated, so the whole stack stays reproducible.
Identity flow
The current design follows a layered identity architecture:
- HR source file(s) act as the authoritative source of identity -- simulating an HR system feeding new hires, changes, and terminations.
- midPoint sits in front as the IAM/identity governance layer, consuming the HR data and provisioning accounts into Active Directory.
- Active Directory is organized with a tiering model (Tier 0/1/2), separating privileged infrastructure accounts from standard user and workstation accounts.
- Azure AD Connect synchronizes AD objects to Microsoft Entra ID, with password writeback enabled so self-service password changes in the cloud flow back down to on-premises AD.
Infrastructure automation
The environment itself is provisioned through PowerShell-driven Hyper-V automation: VM definitions, unattended install ISOs, network segmentation, and Microsoft Security Baseline hardening are all scripted, with Azure resources (Bicep/Terraform) extending the lab into the cloud. The aim is a single entry point that can stand up networking, VMs, roles, and Azure connectivity together.
Why this design
Starting from an HR feed rather than manually created accounts forces the lab to deal with the same joiner-mover-leaver problems a real identity team faces. Layering midPoint in front of AD, tiering AD itself, and wiring up Entra ID with password writeback lets me exercise hybrid identity governance, privileged access separation, and cloud/on-premises password synchronization together, not as isolated exercises.
Work on this lab also fed directly into two Microsoft Applied Skills credentials I earned in Active Directory Domain Services and Microsoft 365 Copilot security and compliance.