Workshop

Offensive Entra ID And Hybrid AD Security

March 10th, 11th & 12th, 2025

3 days training, by Dirk-Jan Mollema
This training will be given in ENGLISH

Normal price: CHF 3000.-
Student price: CHF 2250.- (limited availability)

Description

In the past few years, many companies have adopted Azure AD (now Microsoft Entra ID) as the identity platform for their cloud services, often connecting their existing on-prem AD in a hybrid setup. Azure AD is vastly different from on-premises AD and requires a different security approach, whether you are attacking or defending it.
This training explains how organizations use Azure AD to manage modern cloud-based or hybrid environments and what security challenges this brings. It is the result of many years of research into the protocols and internals of Azure AD. The training will give you the knowledge to analyze, attack, and secure Azure AD and hybrid setups against modern attacks.
The training is technical and deep-dives into core protocols such as OAuth2 and into application concepts. It includes many hands-on exercises and labs, set up as challenges, in which you gain access to accounts and elevate privileges.

About the trainer

Dirk-jan Mollema is a hacker and researcher of Active Directory and Azure AD security. In 2022 he started his own company, Outsider Security, where he performs penetration tests and reviews of enterprise networks and cloud environments. He blogs at dirkjanm.io, where he publishes his research and shares updates on the many open source security tools he has written over the years. He has presented talks at TROOPERS, DEF CON, Black Hat, BlueHat and Insomni’hack and has been awarded as one of Microsoft’s Most Valuable Researchers multiple times.

Course outline

Introduction

  • What is Azure, differences between Azure IaaS, Azure AD and Microsoft 365
  • Terminology, components and their connection
  • The modern Microsoft workplace way of working
  • Identities: users, groups and devices

Azure AD components – Administrator roles and privileges

  • Different roles and role types
  • Privilege separation per role
  • Privilege escalation in Azure AD

Azure AD components – data interfaces

  • Data gathering in Azure AD
  • Portal, API, PowerShell modules and the differences

Azure AD components – applications

  • Apps and how they work
  • Privilege model
  • Apps and OAuth2 principles
  • Breaking and securing applications

Hybrid environments

  • Different integration types with on-premises AD
  • Access paths to the cloud from on-prem
  • Azure AD Connect abuse

Identity security – Conditional Access

  • CA policies and settings
  • CA best practices and bypasses

Primary refresh tokens and device identity

  • Interacting with primary refresh tokens via SSO
  • Stealing and using primary refresh tokens for lateral movement
  • Using device identities to comply with conditional access policies

Course requirements

Attendee requirements – skills

This course is meant for people with existing experience in Windows and AD security. While the course explains Azure AD concepts without requiring prior knowledge of them, general knowledge of the HTTP protocol, REST APIs, command line tools and other basic offensive techniques is required for the labs. The hybrid labs assume prior knowledge of common Active Directory attack techniques, since the focus is on Azure AD and not on the on-premises Active Directory.

Attendee requirements – technical

For the training you will need to bring a laptop, ideally one that can run virtual machines. The recommended setup involves installing VMware Workstation (free trial available) or VMware Player (free) and creating a Windows or Linux based virtual machine. If you are unsure which to choose, I recommend going with a Windows virtual machine.
If you are using your corporate machine, make sure that you have admin rights to install tools and that you have unrestricted internet access, so that you can set up a VPN to the lab and reach the training portals.
