Offensive Entra ID (Azure AD) and hybrid AD security
Over the past years more and more companies adopted Microsoft Entra (formerly Azure AD) as an identity platform for their cloud services, often using their existing on-prem Active Directory as a source for a hybrid setup. As a red teamer, pentester, or security architect, you are probably familiar with Active Directory security concepts. Entra ID is vastly different and is built around different concepts and protocols.
This training explains how organizations use Entra ID to manage modern cloud-based or hybrid environments and what security challenges this brings. It is the result of many years of research into the protocols and internals of Entra ID. It will give you the knowledge to analyze, attack, and secure Entra ID and hybrid setups from modern threats. The training is technical and deep-dives into core protocols such as OAuth2 and application concepts. It includes many labs and hands-on exercises, set up as challenges to gain access to accounts and elevate privileges.
Agenda
- Introduction
- What is Azure, differences between Azure, Entra, Azure AD and Microsoft 365
- Terminology, components and their connection
- The modern Microsoft workplace way of working
- Identities: users, groups and devices
- Entra ID components – Administrator roles and privileges
- Different roles and role types
- Privilege separation per role
- Privilege escalation in Entra ID between different roles
- Entra ID components – data interfaces
- Data gathering in Entra ID
- Portal, APIs, PowerShell modules and the differences
- Entra ID components – applications
- Application concepts and how they are relevant in Entra ID
- Application privilege model
- Apps and Oauth2 principles
- OAuth2 flows, their security and consequences in case of misconfigurations
- Breaking and securing Entra ID connected applications
- Identity security – Conditional Access
- Conditional Access policies and settings
- Conditional Access best practices and bypasses
- Primary refresh tokens and device identity
- Device identities and security
- Windows registration / join internal flows
- PRT request internals
- Interacting with primary refresh tokens via SSO from the endpoint
- Stealing and using primary refresh tokens for lateral movement
- Using device identities to comply with conditional access policies
- PRTs and Windows Hello for Business authentication
- Hybrid environments
- Different integration types with on-premises AD
- Access paths to the cloud from on-prem
- Entra ID connect abuse and privileges
Attendee requirements – skills
This course is meant for people with existing experience in Windows and AD security. While the course explains Azure AD concepts without requiring prior knowledge, general knowledge of HTTP protocols, REST APIs, command line tools and other basic offensive techniques are required for the labs. The hybrid labs assume prior knowledge of common Active Directory attack techniques, since the focus is on Azure AD and not on the on-premises Active Directory.
Attendee requirements – technical
For the training you will need to bring a laptop, ideally one that can run virtual machines. The recommended setup involves installing VMWare Workstation (free trial available) or VMWare Player (free) and creating a Windows or Linux based virtual machine. If you are unsure which to choose, I recommend going with a Windows virtual machine.
If you are using your corporate machine, make sure that you have admin rights to install tools and that you have unrestricted internet access to set up a VPN to the lab and access the training portals.