Offensive Azure AD and hybrid AD security

4200€ | 9th to the 12th of October 2023 | Espace Vinci, Rue des Jeuneurs, Paris, France

In the past few years, many companies have adopted Azure AD as an identity platform for their cloud services, often using their existing on-prem AD in a hybrid setup. Azure AD is vastly different from on-premises AD and requires a different security approach to either attack or defend.

This training explains how organizations use Azure AD to manage modern cloud-based or hybrid environments and what security challenges this brings. It is the result of many years of research into the protocols and internals of Azure AD. The training will give you the knowledge to analyze, attack, and secure Azure AD and hybrid setups from modern attacks.

The training is technical and deep-dives into core protocols such as OAuth2 and application concepts. It includes many hands-on exercises and labs, set up as challenges, to gain access to accounts and elevate privileges.


Objectives of the training

Learn how modern enterprise and identity administration works with Azure AD.

Understand how Azure AD is secured, what common pitfalls are present and what privilege escalation methods exist.

Learn what techniques threat actors can use to breach Azure AD and how these techniques work on a technical level.

Learn how hybrid environments are commonly set up and how attackers can move laterally between AD and Azure AD.

The trainer

Who will run this training?

Dirk-jan Mollema

Outsider Security
@_dirkjan

Dirk-jan Mollema is a hacker and researcher of Active Directory and Azure AD security. In 2022 he started his own company, Outsider Security, where he performs penetration tests and reviews of enterprise networks and cloud environments. He blogs at dirkjanm.io, where he publishes his research, and shares updates on the many open source security tools he has written over the years.

He presented previously at TROOPERS, DEF CON, Black Hat and BlueHat and has been awarded as one of Microsoft’s Most Valuable Researchers multiple times.

Syllabus

What will we do?

In recent years, more and more companies have adopted Azure AD as an identity platform for their cloud
services, often using their existing on-prem AD as a source for a hybrid setup. As a red teamer,
penetration tester, or security architect, you are probably familiar with Active Directory security
concepts. Azure AD is vastly different and is built around different concepts and protocols.

This training explains how organizations use Azure AD to manage modern cloud-based or hybrid
environments and what security challenges this brings. It is the result of many years of research into
the protocols and internals of Azure AD. It will give you the knowledge to analyze, attack, and secure
Azure AD and hybrid setups from modern attacks. The training is technical and deep-dives into core
protocols such as OAuth2 and application concepts. It includes many hands-on exercises and labs,
set up as challenges, to gain access to accounts and elevate privileges.

The training covers the following topics:

  • Introduction to Azure AD and its role in the broader Azure ecosystem
  • The Azure AD cloud-only way of working and managing endpoints
  • Azure AD identities - users, apps and devices
  • Azure AD roles, privileges and privileged security model
  • Azure AD data interfaces and tools
  • Azure AD application concepts, privilege model and OAuth2
  • Azure AD application abuse and vulnerabilities
  • Hybrid Azure AD environments, integration types and lateral movement
  • Conditional access - policy types, bypasses and best practices
  • Primary Refresh Tokens and their abuse
  • Azure AD device internals and security

The training focuses on Azure AD’s use as an identity platform. The training does not cover Azure
Resource Manager abuses, except where they intersect with Azure AD. While a range of
(open source) tools are used during the training, the goal is to provide understanding of the inner
workings, not just knowing how to run tools.

Outline

  • Introduction

    • What is Azure, differences between Azure IaaS, Azure AD and Microsoft 365
    • Terminology, components and their connection
    • The modern Microsoft workplace way of working
    • Identities: users, groups and devices
  • Azure AD components – Administrator roles and privileges

    • Different roles and role types
    • Privilege separation per role
    • Privilege escalation in Azure AD
  • Azure AD components – data interfaces

    • Data gathering in Azure AD
    • Portal, API, PowerShell modules and the differences
  • Azure AD components – applications

    • Apps and how they work
    • Privilege model
    • Apps and OAuth2 principles
    • Breaking and securing applications
  • Hybrid environments

    • Different integration types with on-premises AD
    • Access paths to the cloud from on-prem
    • Azure AD Connect abuse
  • Identity security – Conditional Access

    • CA policies and settings
    • CA best practices and bypasses
  • Primary refresh tokens and device identity

    • Interacting with primary refresh tokens via SSO
    • Stealing and using primary refresh tokens for lateral movement
    • Using device identities to comply with conditional access policies

Student Requirements

This course is meant for people with existing experience in Windows and AD security. While the
course explains Azure AD concepts without requiring prior knowledge, general knowledge of the HTTP
protocol, REST APIs, command line tools and other basic offensive techniques is required for the
labs. The hybrid labs assume prior knowledge of common Active Directory attack techniques, since
the focus is on Azure AD and not on on-premises Active Directory attack techniques.

What Students Should Bring

Students will need a laptop with either a Windows or Linux based virtual machine on which they can
install tools and programs. A VPN connection to an online lab will be provided; this requires
unfiltered internet access from the VM and/or laptop. Note that some tools run only on Windows
and do not function on Windows on ARM, so bringing a laptop with an x64 processor and a Windows
VM is recommended.
