Authoritative proof index

Open the source file behind each public claim.

This proof index groups repository-local Microsoft 365 / Entra and on-premises home lab evidence by reviewer question. Status labels distinguish validated, command-verified, screenshot-supported, sanitized, partial, and outstanding claims.

Download the APA-Formatted Home Lab Validation Document (.docx)Open On-Prem Lab Open M365 Export README

Source files inspectable proof inventory linked SHA-256 hash records linked limitation notes visible

Claim Export Screenshot Inventory Hash

Reviewer ground rules

What this page proves.

It proves that public Microsoft 365 and Entra claims are routed to repository-local evidence files, including CSV exports, JSON exports, screenshots, transcripts, proof inventory records, and hash records.

Validates

Repository-local evidence chain

Each supported claim resolves to a source file or control file that can be inspected from this repository.

Boundary

What this page does not claim.

External organization administration is not claimed. Production impact metrics are not claimed. Current live telemetry is not claimed. Public claims stop where repository proof stops.

Inspection

Source-file review path

Use the links below to inspect the export, screenshot, proof inventory, or hash record behind a public statement.

Relationship chain

Every public proof card answers one reviewer question.

Question

What was reviewed?

Tenant, identity, security policy, application, license, activity, device, admin center, and integrity records.

Evidence

Which file proves it?

Each card links to the exact CSV, JSON, PNG, transcript, manifest, proof map, or hash record.

Boundary

Where does the claim stop?

Limitation language separates review evidence from unsupported production, client, or endpoint-fleet claims.

Validated June 21, 2026

On-Premises Home Lab proof

This personal nonproduction lab is validated with command output, curated screenshots, safe configuration summaries, backup inventories, archive hashes, and the APA-formatted Word document. Collection and validation occurred on June 21, 2026.

Validated · document and manifests

DOCXJSONCSVSHA-256

Primary validation controls

What this proves: the published Word artifact is the supplied Office Open XML document, is 1,400,031 bytes, and has SHA-256 03a605517e2a6ebeb805b7e0f74bd1ec06c664debbdb39b99e09aecc62e4845a.

On-Prem Home Lab case study Download the APA-Formatted Home Lab Validation Document (.docx)Evidence manifest JSON Evidence manifest CSV Curated evidence index

Command-verified · architecture and services

ProxmoxAD DSDNSDHCPGPO

Host, network, identity, and Windows services

What this proves: Proxmox host and bridge state, dedicated backup storage, DC01 as the global catalog and five-role FSMO holder, AD-integrated DNS, the active DHCP scope and options, and domain/OU-linked Group Policy inventory.

Proxmox host evidence Sanitized network excerpt AD and FSMO screenshot DNS screenshot Redacted DHCP screenshot Group Policy screenshot

Command-verified · Linux01

UbuntuSSSDKerberosSSHUFWsudoAgent

Linux01 domain integration and security controls

What this proves: Ubuntu Server 26.04 LTS, static lab addressing, forward/reverse DNS, realmd membership, domain-user resolution, enabled and active SSSD, a valid Kerberos TGT, active SSH and UFW, the subnet-scoped SSH rule, delegated sudo, and active QEMU guest agent.

AD and SSSD evidence DNS evidence Sanitized Kerberos evidence SSH, UFW, and sudo evidence Maintenance and guest-agent evidence

Command-verified · snapshots and backups

4 VMsSnapshot listingsScheduled jobzstd

Snapshot and scheduled-backup coverage

What this proves: retained snapshot listings exist for VMs 100, 200, 300, and 400, and the enabled Sunday 02:00 backup job includes all four VMs. Snapshot presence is not represented as an independent backup, and archive presence is not represented as a successful restore.

Sanitized pfSense snapshot listing DC01 snapshot listing WS01 snapshot listing Linux01 snapshot listing Scheduled backup job and archive inventory

Cryptographic integrity

SCPSHA-256Backup disk

Evidence packaging and transfer

What this proves: the Linux01 evidence archive was packaged and transferred with SCP; its hash matched 5c1eff369a0055338808a93c025847cc5997db4f04614a56ede33b43f9e9b8db. The complete archive matched e8a5a40a6960557383ccb152af2da71053e50382d8287d632b9ed5ad85cb7060.

Integrity record Redacted hash screenshot SCP transfer screenshot

Limitations

What the evidence does not prove

The lab is personal and nonproduction. Backup archive presence does not prove an application-level restore. Snapshots are not independent backups. The firewall source-restriction intent was not independently tested for exclusivity. DC01 is the only domain controller.

Redactions, exclusions, and boundaries

PowerShell output validating DC01, the Active Directory forest and domain, global catalog status, and FSMO roles. — **Active Directory and FSMO roles.** Direct command evidence for DC01 identity and role ownership.

PowerShell output listing home lab Group Policy Objects and domain or organizational-unit links. — **Group Policy inventory and links.** Command output supports domain and OU link claims.

Linux01 console showing Ubuntu Server 26.04 LTS, kernel, hostname, and IPv4 address. — **Linux01 system state.** Screenshot-supported operating-system, kernel, hostname, and address evidence.

Microsoft 365 / Entra evidence

Grouped proof links with reviewer notes.

Verified export / SHA-256 hash available

CSVManifestHash

Evidence control files

What this validates: Inventory, hash records, export manifest, live proof summary, and site proof map control how public claims map back to source files.

Live proof summary Proof inventory Proof hashes Export manifest Site proof map

Verified export / Screenshot available

JSONPNGTenant

Tenant identity, domain, admin center, and subscription visibility

What this validates: Tenant ID, organization display name, tenant account, verified domains, subscribed SKU records, and Microsoft 365 admin center access screenshots.

Tenant organization domains SKUs Domains screenshot Licenses screenshot Admin center homepage

Sanitized export

User, group, role, and license review

Validates user/license state, group inventory, 19 group membership rows, directory roles, and role assignment review.

Users license state Groups CSV Group membership CSV Directory roles Role assignments

Verified export

Conditional Access, authentication, authorization, and security defaults review

Validates exported Conditional Access policy records, named location records, authentication-method policy data, authorization policy data, and security-defaults state.

Conditional Access summary Conditional Access JSON Named locations Authentication methods policy Authorization policy

Verified export

Security group targeting

Validates the SG-Block-Legacy-Auth security group and membership export used for access-control targeting review.

SG group export SG members export

Verified export

Application governance and consent review

Validates app registration, service-principal, and OAuth grant review. These files support application governance awareness within the documented personal tenant scope.

Applications CSV Service principals CSV OAuth grants summary

Verified export / Transcript available

Audit, sign-in, device, Exchange, and Microsoft 365 admin center review

Validates sign-in visibility, directory audit visibility, Entra device inventory, Microsoft 365 admin center navigation, Exchange admin center group review, and Exchange Online PowerShell connection-attempt documentation.

Sign-ins last 30 days Directory audit last 30 days Devices CSV Exchange groups export Exchange PowerShell note

Limitation documented

Intune managed-device boundary

The evidence supports device inventory review and an Intune managed-device validation attempt with documented access, licensing, or API-scope constraints.

Intune limitation README Intune limitation summary Device inventory