Cloud Architecture

Full cloud-native security architecture designed and built from scratch for a HIPAA-regulated, 6-site diagnostic imaging organization — 83 users, 39 endpoints, Microsoft 365 Business Premium. No on-premises infrastructure. No inherited security posture.

Environment Overview

Component	Detail
Identity	Microsoft Entra ID (P1) — cloud-native, no on-prem AD, no hybrid join
Endpoint MDM	Microsoft Intune — sole MDM authority
Threat Protection	Microsoft Defender for Business (EDR block mode)
Email Security	Defender for Office 365 (Safe Links, Safe Attachments, ZAP)
Data Protection	Microsoft Purview (DLP, sensitivity labels, retention)
Monitoring	Azure Log Analytics (`law-mosaic-security`) + KQL
Network	Cisco Meraki MX75 × 6 sites — hub-and-spoke AutoVPN
VPN MFA	Cisco Duo Auth Proxy (RADIUS) on Ubuntu 24.04 LTS
AI/Automation	n8n + Docker + Ollama (self-hosted, ePHI-adjacent)

Identity & Access Architecture

Entra ID as sole authoritative IdP — Conditional Access, tenant-wide MFA, legacy auth blocking, phishing-resistant enforcement (FIDO2)
Least-privilege RBAC — structured security groups, scoped admin roles, no standing Global Admin for daily ops
Windows LAPS — standing local admin eliminated across all managed endpoints
Break-glass emergency access governance aligned to HIPAA §164.312(a)(2)(i)
Entra diagnostic logging forwarded to Azure Log Analytics

Endpoint Governance Architecture

Full Windows 11 compliance pipeline via Intune: Autopilot → Entra ID join → configuration profiles → security baselines → compliance enforcement
Defender for Business: EDR block mode, ASR rules, tamper protection, PUA blocking
BitLocker encryption with key escrow, Secure Boot, TPM 2.0 health as compliance conditions
No BYOD, no unmanaged production Windows endpoints
Linux AI servers: documented exception from Intune MDM with compensating controls (LVM encryption, wired-only, restricted service account)