Merge pull request #54014 from Rob-Barefoot/fundlp4m4

Initial commit: guided-project-new-employee-access

Author: AnnaMHuff

learn-pr/wwl-azure/guided-project-new-employee-access/1-introduction.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.guided-project-new-employee-access.introduction
+title: Introduction
+metadata:
+  title: Introduction
+  description: "Introduction"
+  ms.date: 03/16/2026
+  author: wwlpublish
+  ms.author: robbarefoot
+  ms.topic: unit
+  ms.custom:
+  - N/A
+durationInMinutes: 2
+content: |
+  [!include[](includes/1-introduction.md)]

learn-pr/wwl-azure/guided-project-new-employee-access/2-exercise-create-user-group.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.guided-project-new-employee-access.exercise-create-user-group
+title: Exercise - Create user and group
+metadata:
+  title: Exercise - Create user and group
+  description: "Exercise - Create user and group"
+  ms.date: 03/16/2026
+  author: wwlpublish
+  ms.author: robbarefoot
+  ms.topic: unit
+  ms.custom:
+  - N/A
+durationInMinutes: 7
+content: |
+  [!include[](includes/2-exercise-create-user-group.md)]

learn-pr/wwl-azure/guided-project-new-employee-access/3-exercise-assign-role.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.guided-project-new-employee-access.exercise-assign-role
+title: Exercise - Assign RBAC role at scope
+metadata:
+  title: Exercise - Assign RBAC role at scope
+  description: "Exercise - Assign RBAC role at scope"
+  ms.date: 03/16/2026
+  author: wwlpublish
+  ms.author: robbarefoot
+  ms.topic: unit
+  ms.custom:
+  - N/A
+durationInMinutes: 7
+content: |
+  [!include[](includes/3-exercise-assign-role.md)]

learn-pr/wwl-azure/guided-project-new-employee-access/4-exercise-verify-least-privilege.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.guided-project-new-employee-access.exercise-verify-least-privilege
+title: Exercise - Verify least-privilege model
+metadata:
+  title: Exercise - Verify least-privilege model
+  description: "Exercise - Verify least-privilege model"
+  ms.date: 03/16/2026
+  author: wwlpublish
+  ms.author: robbarefoot
+  ms.topic: unit
+  ms.custom:
+  - N/A
+durationInMinutes: 6
+content: |
+  [!include[](includes/4-exercise-verify-least-privilege.md)]

learn-pr/wwl-azure/guided-project-new-employee-access/5-validate-success.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.guided-project-new-employee-access.validate-success
+title: Validate success
+metadata:
+  title: Validate success
+  description: "Validate success"
+  ms.date: 03/16/2026
+  author: wwlpublish
+  ms.author: robbarefoot
+  ms.topic: unit
+  ms.custom:
+  - N/A
+durationInMinutes: 2
+content: |
+  [!include[](includes/5-validate-success.md)]

learn-pr/wwl-azure/guided-project-new-employee-access/6-clean-up-resources.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.guided-project-new-employee-access.clean-up-resources
+title: Clean up resources
+metadata:
+  title: Clean up resources
+  description: "Clean up resources"
+  ms.date: 03/16/2026
+  author: wwlpublish
+  ms.author: robbarefoot
+  ms.topic: unit
+  ms.custom:
+  - N/A
+durationInMinutes: 5
+content: |
+  [!include[](includes/6-clean-up-resources.md)]

learn-pr/wwl-azure/guided-project-new-employee-access/7-knowledge-check.yml

@@ -0,0 +1,51 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.guided-project-new-employee-access.knowledge-check
+title: Knowledge check
+metadata:
+  title: Knowledge check
+  description: "Knowledge check"
+  ms.date: 03/29/2026
+  author: wwlpublish
+  ms.author: robbarefoot
+  ms.topic: unit
+  ms.custom:
+  - N/A
+durationInMinutes: 5
+content: |
+  [!include[](includes/7-knowledge-check.md)]
+quiz:
+  title: "Check your knowledge"
+  questions:
+  - content: "What is the benefit of assigning RBAC roles to a group instead of individual users?"
+    choices:
+    - content: "Groups automatically inherit permissions from the subscription."
+      isCorrect: false
+      explanation: "Groups do not automatically inherit permissions. Roles must be explicitly assigned."
+    - content: "It simplifies access management when users join or leave the team."
+      isCorrect: true
+      explanation: "When you assign a role to a group, new members automatically get the role and removed members automatically lose it."
+    - content: "Groups can hold more permissions than individual users."
+      isCorrect: false
+      explanation: "The same roles and permissions are available for both users and groups."
+  - content: "What RBAC role provides view-only access to Azure resources without allowing changes?"
+    choices:
+    - content: "Contributor"
+      isCorrect: false
+      explanation: "The Contributor role allows creating and managing resources, not just viewing them."
+    - content: "Owner"
+      isCorrect: false
+      explanation: "The Owner role grants full access including the ability to assign roles to others."
+    - content: "Reader"
+      isCorrect: true
+      explanation: "The Reader role grants view-only access. Users can see resources but cannot create, modify, or delete them."
+  - content: "At what scope level was the RBAC role assigned in this guided project?"
+    choices:
+    - content: "Subscription"
+      isCorrect: false
+      explanation: "The role was scoped more narrowly than the entire subscription to follow least-privilege principles."
+    - content: "Resource group"
+      isCorrect: true
+      explanation: "The Reader role was assigned at the resource group level, limiting access to only the resources in that group."
+    - content: "Individual resource"
+      isCorrect: false
+      explanation: "While you can scope roles to individual resources, this project scoped the role at the resource group level."

learn-pr/wwl-azure/guided-project-new-employee-access/8-summary.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.guided-project-new-employee-access.summary
+title: Summary
+metadata:
+  title: Summary
+  description: "Summary"
+  ms.date: 03/16/2026
+  author: wwlpublish
+  ms.author: robbarefoot
+  ms.topic: unit
+  ms.custom:
+  - N/A
+durationInMinutes: 2
+content: |
+  [!include[](includes/8-summary.md)]

learn-pr/wwl-azure/guided-project-new-employee-access/includes/1-introduction.md

@@ -0,0 +1,40 @@
+This guided project focuses on setting up identity and access for a new employee using Microsoft Entra ID and Azure role-based access control (RBAC).
+
+Microsoft Entra ID is the identity service that manages users and groups in Azure. RBAC lets you assign specific permissions at a specific scope, so users get exactly the access they need and nothing more. Together, they implement the principle of least privilege.
+
+## Scenario
+
+A new support analyst is joining your team and needs read-only access to a development resource group. You create the user account, add them to a security group, assign the Reader role at the resource group scope, and then sign in as the new user to verify that least-privilege access works as expected.
+
+- Exercise 1 - Create a user account and security group in Entra ID.
+- Exercise 2 - Assign the Reader role to the group at resource group scope.
+- Exercise 3 - Verify that read access is granted and write access is denied.
+
+:::image type="content" source="../media/overview-architecture.png" alt-text="Diagram showing the identity and access flow from Entra ID user and group through RBAC role assignment to resource group scope." border="false":::
+
+By the end of this project, you have hands-on experience creating identities, assigning group-based RBAC, and validating access controls.
+
+> [!NOTE]
+> This is a guided project module where you complete a project by following step-by-step instructions.
+
+## Skilling areas
+
+In this project, you practice skills in the following areas:
+
+**Manage identities in Entra ID**
++ Create a security group.
++ Create a user account.
++ Add a user to a group.
+
+**Assign Azure RBAC roles**
++ Assign a built-in role to a group at resource group scope.
++ Understand scope inheritance and the Reader role.
+
+**Validate access and audit changes**
++ Use Check access to preview effective permissions.
++ Review role assignment events in the Activity Log.
++ Enable and generate a Temporary Access Pass (TAP).
++ Sign in as the new user and test permissions firsthand.
+
+> [!IMPORTANT]
+> This project uses the Azure portal for every step. No prior Azure experience is required.

learn-pr/wwl-azure/guided-project-new-employee-access/includes/2-exercise-create-user-group.md

@@ -0,0 +1,91 @@
+This guided project consists of the following exercises:
+
+ - **Create user and group**
+ - Assign RBAC role at scope
+ - Verify least-privilege model
+
+In this exercise, you create a security group, a new user account, and add the user to the group. This sets up the identity foundation that you assign permissions to in the next exercise.
+
+This exercise includes the following tasks:
+
+ - Prepare the environment
+ - Create a test storage account
+ - Create the security group
+ - Create the user account
+ - Add the user to the group
+
+**Outcome:** A new user account and security group are ready for access assignment.
+
+> [!TIP]
+> Pause after each major action and confirm the page status before moving on. This habit prevents compounding mistakes.
+
+## Task 1: Prepare the environment
+
+Set up your Azure environment before you begin. You create a resource group and a test resource as a safe sandbox for practicing access control.
+
+> [!WARNING]
+> This project creates Azure resources that may incur charges. Complete the clean-up unit when you're done to avoid unintended expenses.
+
+1.  Sign in to the [Azure portal](https://portal.azure.com) with an account that can manage users and role assignments.
+2.  In the portal search bar, search for **Resource groups** and select **Resource groups**.
+3.  Select **+ Create**. Name the resource group **rg-gp-access-model**, choose your preferred region, and select **Review + create** then **Create**.
+
+## Task 2: Create a test storage account
+
+Create a storage account inside the resource group. This resource provides a scope for your RBAC role assignments.
+
+1.  In the portal search bar, search for **Storage accounts** and select **Storage accounts**.
+2.  Select **+ Create**.
+3.  On the Basics tab, select **rg-gp-access-model** as the resource group.
+4.  For **Storage account name**, enter a globally unique name (for example, **stgpaccessmodel** followed by your initials and a number).
+5.  For **Region**, use the same region as the resource group.
+6.  For **Preferred Storage Type**, select **Azure Blob Storage or Azure Data Lake Storage Gen 2**.
+7.  For **Performance**, select **Standard**.
+8.  For **Redundancy**, select **Locally-redundant storage (LRS)**.
+9.  Select **Review + create** and then select **Create**.
+10. When deployment finishes, select **Go to resource**.
+
+## Task 3: Create the security group
+
+Set up a security group that serves as a container for your new user. Using groups makes permission management scalable—you assign permissions once to a group, then add or remove users as needed.
+
+1.  In the portal search bar, search for **Microsoft Entra ID** and select **Microsoft Entra ID**.
+2.  In the left menu under **Manage**, select **Groups**.
+3.  Select **New group**.
+3.  For **Group type**, select **Security**.
+4.  For **Group name**, enter **gp-rg-readers**.
+5.  For **Group description**, enter **Readers for the guided project resource group**.
+6.  Select **Create**.
+
+> [!NOTE]
+> **Validation step:** Verify the **gp-rg-readers** security group now exists in your tenant.
+
+> [!NOTE]
+> Each exercise includes validation steps like this one. Track your results as you go—you'll review them all in the validation unit at the end of this module.
+
+## Task 4: Create the user account
+
+Create a new identity in Entra ID for the team member. This user account will be added to the security group, inheriting all permissions assigned to that group.
+
+1.  In the portal search bar, search for **Microsoft Entra ID** and select **Microsoft Entra ID**.
+2.  In the left menu under **Manage**, select **Users**.
+3.  Select **New user** and then select **Create new user**.
+4.  For **User principal name**, enter a unique name (for example, **alexgp**). This is the sign-in name the user would use to access Azure (combined with your tenant domain, it becomes something like **[email protected]**). Record this value—you need it for later validation.
+5.  For **Display name**, enter **Alex Guided Project**.
+6.  Select **Review + create** and then select **Create**.
+7.  The Users list may not refresh automatically. Select **Refresh** to confirm the new user appears in the list.
+
+> [!NOTE]
+> **Validation step:** Confirm the new user account is created. Record the user principal name (UPN) for later validation.
+
+## Task 5: Add the user to the group
+
+Complete the group membership by adding the new user. This establishes the connection between the user and the group, so the user now inherits all RBAC permissions assigned to the group.
+
+1.  In the Users list, select the checkbox to the left of **Alex Guided Project**.
+2.  In the horizontal menu at the top, select **Edit**.
+3.  Select **Add to group**.
+4.  Search for and select **gp-rg-readers**, then select **Select**.
+
+> [!NOTE]
+> **Validation step:** Confirm the user is now a member of **gp-rg-readers**. Any RBAC permissions assigned to this group will apply to all members.