🔍
HomeHomeReferenzarchitekturenReference Architectures

Reference ArchitecturesReference Architectures

Referenzdesigns für kleine, mittlere und große Organisationen sowie für Hybrid Identity, App-Integration, Multi-Tenant-Zugriff, Break-Glass, PAW und Microsoft-365-Netzwerkpfade.Reference designs for small, medium, and large organizations as well as hybrid identity, app integration, multi-tenant access, break-glass, PAW, and Microsoft 365 network paths.

SMB

Small OrganizationSmall Organization
Scale

Medium OrganizationMedium Organization
ZT

Large EnterpriseLarge Enterprise
Hybrid

Hybrid IdentityHybrid Identity
Apps

Integration PatternsIntegration Patterns
B2B

Multi-TenantMulti-Tenant
BG

Emergency AccessEmergency Access
PAW

Secure Admin WorkstationSecure Admin Workstation
Net

Microsoft 365 NetworkMicrosoft 365 Network

Small Organization (<50 users)Small Organization (<50 users)

Einfaches, cloud-only Referenzdesign mit wenig Betriebslast, aber klaren Mindestkontrollen.Simple cloud-only reference design with low operational overhead but clear minimum controls.

BenutzerzahlUser count<50
Empfohlene LizenzenRecommended licensesMicrosoft 365 Business Premium
Admin-ModellAdmin model2–3 getrennte Admin-Konten + Break-Glass
PflichtkontrollenMandatory controlsMFA, Baseline CA, SSPR, Intune Compliance

DiagrammbeschreibungDiagram description

Cloud-only Tenant mit Entra ID als Identitätsquelle, Business-Premium-Lizenzen, wenigen Administrationskonten, Intune für Geräte und einer kleinen Menge Conditional-Access-Richtlinien.Cloud-only tenant with Entra ID as identity source, Business Premium licenses, a small number of admin accounts, Intune for devices, and a small baseline set of Conditional Access policies.

KonfigurationsschritteConfiguration steps

  1. Break-Glass-Konten aus dem normalen Lizenz- und MFA-Fluss ausnehmen, aber überwachen.Exclude break-glass accounts from the normal license and MFA flow, but monitor them.
  2. Business-Premium-Baseline aktivieren: Intune, Defender, Conditional Access, SSPR.Turn on the Business Premium baseline: Intune, Defender, Conditional Access, and SSPR.
  3. Mindestens drei CA-Richtlinien: MFA für alle, Block Legacy Auth, Require Compliant Device für Admins.Deploy at least three CA policies: MFA for all, block legacy auth, require compliant device for admins.

PowerShell-SetupPowerShell setup

PowerShellPowerShell 

# Small organization baseline
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Directory.Read.All"

$body = @{
    displayName = "Baseline - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-object-id>")
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $body

Medium Organization (50-500 users)Medium Organization (50-500 users)

Skalierbare Cloud-First-Architektur mit strukturierten Adminrollen, PIM und Hybrid-Option.Scalable cloud-first architecture with structured admin roles, PIM, and a hybrid option.

BenutzerzahlUser count50-500
Empfohlene LizenzenRecommended licensesMicrosoft 365 E3 + Entra ID P2 für Admins
Admin-ModellAdmin modelGetrennte Admin-Tiers + PIM
PflichtkontrollenMandatory controlsCA-Set, PIM, Defender, Intune, Access Reviews

DiagrammbeschreibungDiagram description

Cloud-First-Tenant mit optionalem Hybrid-Sync, PIM für privilegierte Rollen, rollenbasierten Adminkonten und Segmentierung nach Benutzergruppen, Geräten und privilegierten Workstations.Cloud-first tenant with optional hybrid sync, PIM for privileged roles, role-based admin accounts, and segmentation by user groups, devices, and privileged workstations.

KonfigurationsschritteConfiguration steps

  1. Adminrollen in dedizierte Gruppen verschieben und PIM-eligible statt permanent vergeben.Move admin roles into dedicated groups and make them PIM eligible instead of permanent.
  2. CA-Richtlinien nach Benutzersegmenten staffeln: Workforce, Gäste, Admins, Service Accounts.Stage CA policies by user segment: workforce, guests, admins, service accounts.
  3. Falls Hybrid nötig ist, Cloud Sync oder Entra Connect mit Staging Mode und Health Monitoring einführen.If hybrid is needed, introduce Cloud Sync or Entra Connect with staging mode and health monitoring.

PowerShell-SetupPowerShell setup

PowerShellPowerShell 

# Medium organization admin role hardening
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","Group.ReadWrite.All"

$group = New-MgGroup -DisplayName "Eligible - Global Reader" `
                     -MailEnabled:$false `
                     -MailNickname "eligible-global-reader" `
                     -SecurityEnabled

New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    principalId      = $group.Id
    roleDefinitionId = "<global-reader-role-id>"
    directoryScopeId = "/"
    justification    = "Move permanent access to PIM eligible group"
}

Large Enterprise (500-10000+)Large Enterprise (500-10000+)

Zero-Trust-Design mit klaren Tiering-Regeln, Governance und hoher Automatisierung.Zero Trust design with clear tiering rules, governance, and high automation.

BenutzerzahlUser count500-10000+
Empfohlene LizenzenRecommended licensesMicrosoft 365 E5 / Entra ID P2 / Defender Suite
Admin-ModellAdmin modelTiered admin, PAW, PIM, automation accounts
PflichtkontrollenMandatory controlsFull CA stack, Identity Protection, governance, segmentation

DiagrammbeschreibungDiagram description

Mehrschichtige Architektur mit Workforce-, Privileged-, Vendor- und B2B-Zonen, zentralem Governance-Layer, SIEM/SOAR-Anbindung und strikter Netzwerk- und Gerätevertrauenskette.Multi-layer architecture with workforce, privileged, vendor, and B2B zones, a central governance layer, SIEM/SOAR integration, and strict device and network trust chains.

KonfigurationsschritteConfiguration steps

  1. Conditional Access nach Persona, Gerätestatus, Risiko und Standort modellieren.Model Conditional Access by persona, device state, risk, and location.
  2. PAW/SAW für privilegierte Benutzer erzwingen und Identity Protection mit Risk Policies koppeln.Enforce PAW/SAW for privileged users and connect Identity Protection with risk policies.
  3. Access Reviews, Lifecycle Workflows, App Governance und Privileged Access Monitoring automatisieren.Automate access reviews, lifecycle workflows, app governance, and privileged access monitoring.

PowerShell-SetupPowerShell setup

PowerShellPowerShell 

# Large enterprise privileged baseline
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","IdentityRiskyUser.Read.All"

$adminPolicy = @{
    displayName = "Tier 0 - Require compliant PAW and strong auth"
    state       = "enabled"
    conditions  = @{
        users        = @{ includeGroups = @("<tier0-admin-group-id>") }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa","compliantDevice")
        authenticationStrength = @{
            id = "<phishing-resistant-strength-id>"
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $adminPolicy

Hybrid Identity ArchitectureHybrid Identity Architecture

Entscheidungsrahmen für Entra Connect vs. Cloud Sync inklusive Staging und Fallback.Decision framework for Entra Connect vs Cloud Sync including staging and fallback.

EntscheidungDecisionCloud Sync für einfache Syncs, Entra Connect für komplexe Writeback-/Hybrid-Anforderungen
Kritische FaktorenCritical factorsWriteback, Exchange Hybrid, custom rules, forests
BetriebOperationsHealth Monitoring, Staging Mode, least privilege
FallbackFallbackSecond server / staged agent / tested rollback

DiagrammbeschreibungDiagram description

On-Premises AD mit optional mehreren Forests, Sync-Engine in einer sicheren Tiering-Zone, Entra Health Monitoring und klar dokumentierten Sync-Regeln sowie Fallback-Instanz.On-prem AD with optional multiple forests, sync engine in a secure tiering zone, Entra health monitoring, and clearly documented sync rules plus fallback instance.

KonfigurationsschritteConfiguration steps

  1. Cloud Sync wählen, wenn nur einfache Objekt- und Passwortsynchronisierung benötigt wird.Choose Cloud Sync when only simple object and password sync is required.
  2. Entra Connect wählen, wenn Exchange-Hybrid, Geräte-Writeback oder komplexe Filterregeln im Spiel sind.Choose Entra Connect when Exchange hybrid, device writeback, or complex filtering rules are involved.
  3. Staging Mode oder sekundären Cloud-Sync-Agent produktionsreif testen.Test staging mode or a secondary Cloud Sync agent as a production-ready fallback.

PowerShell-SetupPowerShell setup

PowerShellPowerShell 

# Hybrid identity verification helper
Connect-MgGraph -Scopes "Organization.Read.All","Directory.Read.All"

Get-MgOrganization | Select-Object DisplayName, Id
Get-MgDomain -All | Select-Object Id, IsVerified, AuthenticationType

# On the sync server, pair this with:
# Get-ADSyncScheduler
# Get-ADSyncRunProfileResult -ConnectorId * -NumberRequested 10

Application Integration PatternsApplication Integration Patterns

Referenzmuster für SSO, API-Schutz, OBO und Provisioning.Reference patterns for SSO, API protection, OBO, and provisioning.

SSO-MusterSSO patternsOIDC / OAuth for modern apps, SAML for legacy SaaS, header-based only as exception
API-MusterAPI patternsOAuth2 client credentials, OBO, managed identity
ProvisioningProvisioningSCIM + group assignment + lifecycle workflows
GovernanceGovernanceConsent review, secret rotation, least privilege, app owners

DiagrammbeschreibungDiagram description

Frontend-App mit Entra-ID-Login, Middle-Tier-API für OBO, SCIM-Provisioning zu SaaS-Zielen und dedizierte Service Principals für Hintergrundjobs.Frontend app with Entra ID sign-in, middle-tier API for OBO, SCIM provisioning to SaaS targets, and dedicated service principals for background jobs.

KonfigurationsschritteConfiguration steps

  1. Moderne Apps zuerst per OIDC/OAuth integrieren; SAML nur bei Legacy-Anforderungen.Integrate modern apps with OIDC/OAuth first; use SAML only for legacy needs.
  2. Client Credentials für echte Daemons, OBO für userbezogene Middle-Tier-APIs.Use client credentials for true daemons and OBO for user-based middle-tier APIs.
  3. SCIM-Provisioning mit Gruppen- oder Rollenmapping und klaren Ownership-Regeln koppeln.Tie SCIM provisioning to group or role mapping and clear ownership rules.

PowerShell-SetupPowerShell setup

PowerShellPowerShell 

# Application integration baseline
Connect-MgGraph -Scopes "Application.ReadWrite.All","AppRoleAssignment.ReadWrite.All"

$app = New-MgApplication -DisplayName "Contoso API"
New-MgServicePrincipal -AppId $app.AppId
Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    displayName = "Initial automation secret"
}

Multi-Tenant ArchitectureMulti-Tenant Architecture

Cross-tenant Zugriff, B2B-Kollaboration und Governance zwischen Organisationen.Cross-tenant access, B2B collaboration, and governance across organizations.

HauptzielPrimary goalControlled partner access with strong trust boundaries
KernbausteineCore building blocksCross-tenant access settings, B2B collaboration, entitlement packages
SchutzmaßnahmenProtectionsTrust only approved tenants, MFA/device trust evaluation, guest lifecycle
BetriebOperationsQuarterly access reviews and tenant allow-list governance

DiagrammbeschreibungDiagram description

Zwei oder mehr Tenants mit Cross-Tenant-Access-Policies, B2B-Gastkonten, Shared Channels oder dedizierten Partner-Apps sowie Rezertifizierung und Ablaufsteuerung.Two or more tenants with cross-tenant access policies, B2B guest accounts, shared channels or dedicated partner apps, and recertification plus expiration controls.

KonfigurationsschritteConfiguration steps

  1. Externe Tenants auf Allow-Lists begrenzen und eingehenden/ausgehenden Trust bewusst konfigurieren.Limit external tenants with allow-lists and configure inbound/outbound trust deliberately.
  2. Gastzugriffe über Entitlement Management und Access Reviews rezertifizieren.Recertify guest access through entitlement management and access reviews.
  3. Shared Channels, App-Consent und Cross-Tenant-Sync nur mit dokumentierten Use Cases freigeben.Allow shared channels, app consent, and cross-tenant sync only for documented use cases.

PowerShell-SetupPowerShell setup

PowerShellPowerShell 

# Multi-tenant visibility helper
Connect-MgGraph -Scopes "Policy.Read.All","Directory.Read.All"

Get-MgPolicyCrossTenantAccessPolicyDefault |
    Select-Object DisplayName, AutomaticUserConsentSettings

Get-MgUser -Filter "userType eq 'Guest'" -Top 25 -Property DisplayName,UserPrincipalName,ExternalUserState

Emergency Access (Break-Glass) AccountsEmergency Access (Break-Glass) Accounts

Hochverfügbare Notfallkonten mit Isolation, Überwachung und Testplan.Highly available emergency accounts with isolation, monitoring, and a test plan.

AnzahlCountMindestens 2 cloud-only Konten
SchutzProtectionLange Passphrase, FIDO2/Certificate where possible, excluded from risky CA only
MonitoringMonitoringAlerts on every sign-in + weekly review
TestsTestingQuarterly controlled sign-in and documented recovery runbook

DiagrammbeschreibungDiagram description

Zwei isolierte Cloud-only-Konten in einem Hardware-Safe-/Secret-Vault-Prozess, aus wenigen Notfallrichtlinien ausgenommen, aber mit voller Alarmierung und Audit-Pflicht.Two isolated cloud-only accounts in a hardware safe/secret-vault process, excluded from only a few emergency policies, but fully monitored and audited.

KonfigurationsschritteConfiguration steps

  1. Konten cloud-only anlegen und nicht in Hybrid-Sync oder Standard-Lizenzgruppen aufnehmen.Create the accounts cloud-only and keep them out of hybrid sync or standard licensing groups.
  2. Nur gezielt von MFA-/CA-Policies ausnehmen, die in Katastrophenfällen blockieren würden.Exclude them only from MFA/CA policies that would block emergency recovery.
  3. Jeden Login per SIEM/Alerting eskalieren und vierteljährlich Testzugriff durchführen.Escalate every sign-in through SIEM/alerting and perform quarterly test access.

PowerShell-SetupPowerShell setup

PowerShellPowerShell 

# Break-glass monitoring helper
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All"

$breakGlass = @("bg-admin1@contoso.com","bg-admin2@contoso.com")
Get-MgAuditLogSignIn -Top 50 |
    Where-Object UserPrincipalName -in $breakGlass |
    Select-Object UserPrincipalName, CreatedDateTime, AppDisplayName, IpAddress

Secure Admin Workstation (SAW/PAW)Secure Admin Workstation (SAW/PAW)

Privilegierte Arbeitsplätze mit starkem Device Trust, Applikationskontrolle und separatem Admin-Kontext.Privileged workstations with strong device trust, application control, and separate admin context.

GeräteklasseDevice classDedicated admin workstation or hardened cloud PC
PflichtkontrollenMandatory controlsIntune compliance, Defender, App Control, local admin removed
NutzungUsageOnly privileged admin actions, no email or general browsing
IdentityIdentityDedicated admin account + phishing-resistant MFA

DiagrammbeschreibungDiagram description

Separater Gerätepool oder Cloud-PCs für Admins, verwaltet in Intune, abgesichert durch Defender, starkes Authentifizierungsniveau und eingeschränkte erlaubte Applikationen.Separate device pool or cloud PCs for admins, managed in Intune, protected by Defender, phishing-resistant auth, and a tightly restricted application set.

KonfigurationsschritteConfiguration steps

  1. PAW-Geräte in eigene Entra-/Intune-Gruppen trennen.Separate PAW devices into dedicated Entra/Intune groups.
  2. Conditional Access so modellieren, dass privilegierte Rollen nur von compliant PAWs aus aktiviert werden können.Model Conditional Access so privileged roles can only be activated from compliant PAWs.
  3. Allgemeine Produktivitätsnutzung auf denselben Geräten verbieten.Disallow general productivity usage on the same devices.

PowerShell-SetupPowerShell setup

PowerShellPowerShell 

# PAW group baseline
Connect-MgGraph -Scopes "Group.ReadWrite.All","Device.Read.All"

New-MgGroup -DisplayName "PAW - Administrators" `
            -MailEnabled:$false `
            -MailNickname "paw-admins" `
            -SecurityEnabled

Microsoft 365 Network ArchitectureMicrosoft 365 Network Architecture

Netzwerkpfade für Microsoft 365 mit Split Tunneling, Optimierungszonen und Performance-Governance.Network paths for Microsoft 365 with split tunneling, optimization zones, and performance governance.

OptimierenOptimizeExchange Online, Teams media, SharePoint/OneDrive core endpoints
PrinzipPrincipleLocal internet breakout where possible
KontrolleControlEgress policy, DNS design, QoS for voice/video
MonitoringMonitoringLatency, packet loss, Teams call quality, proxy bypass validation

DiagrammbeschreibungDiagram description

Benutzerstandorte mit lokalem Internet-Breakout, Proxy-Bypass für Optimize-Endpunkte, dedizierter Medienpfad für Teams und zentrale Telemetrie zur Qualitätsüberwachung.User locations with local internet breakout, proxy bypass for optimize endpoints, dedicated media path for Teams, and central telemetry for quality monitoring.

KonfigurationsschritteConfiguration steps

  1. Microsoft-365-Endpoint-Kategorien (Optimize, Allow, Default) in Netzwerkregeln abbilden.Map Microsoft 365 endpoint categories (Optimize, Allow, Default) into network policy.
  2. Teams-Medienverkehr vom zentralen Proxy ausnehmen und lokal ausleiten.Exclude Teams media from the central proxy and break it out locally.
  3. DNS, Proxy und Firewall regelmäßig gegen den M365 Endpoint Service validieren.Regularly validate DNS, proxy, and firewall against the M365 Endpoint service.

PowerShell-SetupPowerShell setup

PowerShellPowerShell 

# Example helper to export Microsoft 365 endpoint feed
$serviceAreas = Invoke-RestMethod -Uri "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$(New-Guid)"
$serviceAreas |
    Select-Object id, serviceArea, category, urls, ips |
    Export-Csv .\m365-network-endpoints.csv -NoTypeInformation -Encoding UTF8