RomHack Training

Offensive Entra ID (Azure AD) and Hybrid AD security training

Dirk-jan Mollema

Dates

23-26 Sep. 2025

09:00 – 18:00

EARLY BIRD PRICE

€ 4,000.00

€ 3,600.00

Course objectives

In recent years, more and more companies have adopted Entra ID (Azure AD) as an identity platform for their cloud services, often using their existing on-prem AD as a source for a hybrid setup.

As a red-teamer, penetration tester, or security architect, you are probably familiar with Active Directory security concepts. Entra ID is vastly different and is built around different concepts and protocols.
This training explains how organizations use Entra ID to manage modern cloud-based or hybrid environments and what security challenges this brings. It is the result of many years of research into the protocols and internals of Entra ID. It will give you the knowledge to analyze, attack, and secure Entra ID and hybrid setups from modern attacks.

The training is technical and deep-dives into core protocols such as OAuth2 and application concepts. It includes many hands-on exercises and labs, set up as challenges, to gain access to accounts and elevate privileges.

The training covers the following topics:

  • Introduction to Entra ID and its role in the broader Azure ecosystem
  • The Entra ID cloud-only way of working and managing endpoints
  • Entra ID identities – users, apps and devices
  • Entra ID roles, privileges and privileged security model
  • Entra ID data interfaces and tools
  • Entra ID application concepts, privilege model and OAuth2
  • Entra ID application abuse and vulnerabilities
  • Hybrid Entra ID environments, integration types and lateral movement
  • Conditional access – policy types, bypasses and best practices
  • Primary Refresh Tokens and how Windows handles them
  • Device identities and security enforcement
  • Entra ID joined Windows behaviour and security
  • Hardware enforced security with TPMs in Entra ID

The training focuses on Entra ID’s use as an identity platform. The training does not cover Azure Resource Manager abuses, except the parts where it intersects with Entra ID. While a range of (open source) tools are used during the training, the goal is to provide an understanding of the inner workings, not just knowledge of how to run tools.

Training outcomes

Immersive learning of concepts and techniques to understand the inner workings of Entra ID, which can be applied during Entra ID pentests and red teams in hybrid environments.

About the trainer

Dirk-jan Mollema is a hacker and researcher of Active Directory and Microsoft Entra (Azure AD) security. In 2022 he started his own company, Outsider Security, where he performs penetration tests and reviews of enterprise networks and cloud environments. He blogs at dirkjanm.io, where he publishes his research, and shares updates on the many open source security tools he has written over the years. He presented previously at TROOPERS, DEF CON, Black Hat and BlueHat and has been awarded as one of Microsoft’s Most Valuable Researchers multiple times.

Required skills

Students should have some existing knowledge of Windows, Active Directory, and web-based technologies such as REST APIs, and be familiar with command-line tools, virtual machines and HTTP inspection/crafting tools.

What to bring?

A laptop with a virtualization platform (such as VMware) and a virtual machine that can be used for the labs in the training. The lab exercises can be done on both Windows and Linux virtual machines; an x64 virtual machine is preferred.

Participants should prepare a virtual machine with their preferred platform and pre-install some tools, which the trainer will indicate later in a dedicated communication.

What will be provided?

Trainees will receive:

  • the training materials (slides) in PDF form
  • a lab guide with written walk-through of all the lab exercises
  • a certificate of completion for the course.

CLASS SYLLABUS¹

Outsider Security’s training consists of different topics and modules. Each of these is given as a combination of both theoretical and hands-on practical training, where the students apply the material in online labs.

This edition of the training consists of 4 days. The following topics will be discussed during the training:

  • Introduction
    • What is Azure, differences between Azure, Entra, Azure AD and Microsoft 365
    • Terminology, components and their connection
    • The modern Microsoft workplace way of working
    • Identities: users, groups and devices
  • Entra ID components – Administrator roles and privileges
    • Different roles and role types
    • Privilege separation per role
    • Privilege escalation in Entra ID between different roles
  • Entra ID components – data interfaces
    • Data gathering in Entra ID
    • Portal, APIs, PowerShell modules and the differences
  • Entra ID components – applications
    • Application concepts and how they are relevant in Entra ID
    • Application privilege model
    • Apps and OAuth2 principles
    • OAuth2 flows, their security and consequences in case of misconfigurations
    • Breaking and securing Entra ID connected applications
  • Identity security – Conditional Access
    • Conditional Access policies and settings
    • Conditional Access best practices and bypasses
  • Primary refresh tokens and device identity
    • Device identities and security
    • Windows registration / join internal flows
    • PRT request internals
    • Interacting with primary refresh tokens via SSO from the endpoint
    • Stealing and using primary refresh tokens for lateral movement
    • Using device identities to comply with conditional access policies
    • PRTs and Windows Hello for Business authentication
  • Hybrid environments
    • Different integration types with on-premises AD
    • Access paths to the cloud from on-prem
    • Entra ID Connect abuse and privileges
    • AD FS attacks

¹ Schedule of lectures on the specified days may be subject to change.