Microsoft Entra ID (formerly Azure AD) is now the de facto standard for managing corporate identities. It's a powerful Identity and Access Management (IAM) service, but its widespread use and hybrid nature, which connects on-premise and cloud environments, create a massive attack surface. A Cobalt penetration test for Entra ID goes beyond basic network security to assess the entire ecosystem, from human-centric vulnerabilities to system-level misconfigurations.
While the top five attack vectors below are a great starting point, they're only a small portion of the full Entra/Azure attack surface. A deep, comprehensive Cobalt Labs Entra ID penetration test goes beyond these common flaws to uncover systemic risks across the entire cloud and hybrid infrastructure. Follow along as we dive into the methods used to "pwn" an Entra ID environment.
Top 5 Attack Vectors to Test
- Phishing & Illicit Consent Grant Attacks: These are social engineering attacks that are highly effective due to human error. Instead of just stealing credentials, a nefarious actor might trick a user into granting a malicious application broad permissions to their data. This bypasses Multi-Factor Authentication (MFA) and provides a persistent backdoor.
- Password Spraying: A "low-and-slow" attack where an attacker tries a few common passwords against a large number of usernames, using tools that pace their attempts so slowly that the activity is nearly passive. This avoids account lockouts and can be very effective, especially if MFA is not universally enforced.
- Attacking the Hybrid Infrastructure: The connection between an on-premise Active Directory and the cloud-based Entra ID is a common weak point. An attacker can compromise the Entra ID Connect server to perform a DCSync attack or steal credentials, allowing them to move laterally between the on-premise and cloud environments.
- Unsecured Admin Sessions: If an administrator fails to properly log out of a session with tools like Az CLI or Az PowerShell, their access token can be left in a local file. An attacker who compromises the administrator's machine can steal this token, gaining a persistent session and bypassing security controls.
- Managed Identity Misuse: Many Azure services use a Managed Identity to authenticate to other resources. If a web application has a vulnerability like Remote Code Execution (RCE), an attacker can exploit it to steal the application's access token and use its privileges to access other resources, leading to a much larger compromise.
Why is Azure Cloud Pentesting Necessary?
The need for a penetration test on an Azure environment stems from a core principle known as the Shared Responsibility Model. While Microsoft secures the underlying cloud infrastructure—including physical hardware and data centers—the customer is responsible for the security of everything they deploy or configure within their cloud environment. Because of the widespread use of Entra ID in hybrid environments, vulnerabilities can allow attackers to move between on-premise and cloud resources. Therefore, even a seemingly small misconfiguration can create a critical attack path.
The Entra ID attack surface can be broken down into two main areas:
- External Network: This attack surface includes anything exposed to the public internet. Common targets are web applications, APIs, and public-facing storage accounts. An attacker can exploit a vulnerability in a web application to gain a foothold, potentially leveraging a Managed Identity to access other cloud resources.
- Internal Network (Resources & APIs): In a hybrid environment, several specialized connectors and agents synchronize data and facilitate communication between the on-premise Active Directory and the cloud-based Entra ID. These connectors are the key lateral-movement risk: an attacker can target and exploit them to move between the two environments.
  - Microsoft Entra Connect Sync: This is the primary synchronization tool. It's a critical component for hybrid identity, as it replicates user, group, and password data from on-premise Active Directory to Entra ID. If an attacker compromises the server where this tool is running, they can potentially manipulate synchronized data, conduct password hash synchronization (PHS) attacks, or use the server as a pivot point.
  - Active Directory Federation Services (AD FS): For organizations that don't use PHS, AD FS provides single sign-on (SSO) and handles authentication for Entra ID. Compromising the AD FS server can allow an attacker to forge security tokens, granting them access to cloud resources without ever needing a valid password.
  - Microsoft Entra Password Protection Agents: These agents run on the on-premise domain controllers and help enforce the same password policies as in Entra ID. An attacker who compromises a domain controller could potentially interfere with this service or use it to gather information about password policies.
  - Microsoft Entra Application Proxy: This service publishes on-premise web applications to the cloud, allowing remote users to access them. An attacker who compromises a server running the Application Proxy agent could gain a foothold in the internal network and move laterally to other systems.
The risks associated with these connectors underscore the importance of securing the entire hybrid environment as a single, interconnected system. A vulnerability in one part, whether on-premise or in the cloud, can quickly compromise the other.
Entra ID: Reconnaissance
The initial phase of any penetration test is reconnaissance, or information gathering. Using only the company's domain name, a tester can use publicly available information to discover key details about the Entra ID tenant. This process helps to build an attack plan and map out the environment.
- Tenant Name and ID: An Entra ID tenant represents a dedicated instance of Microsoft Entra ID for an organization. Every tenant has a unique identifier, known as the Tenant ID.
  - When you enter a username or email address on a Microsoft login page, the browser or application sends a request to a specific endpoint on login.microsoftonline.com with the username as a parameter. The response from this endpoint provides critical information, including:
    - NameSpaceType: This indicates if the user's domain is managed by Microsoft Entra ID or federated with an on-premise identity provider like AD FS.
    - TenantId: For managed domains, the response often includes the unique tenant ID.
    - Redirection information: The response tells the browser where to send the user next for authentication.
  - This process, known as Home Realm Discovery (HRD), is a key step in Microsoft's authentication flow and a valuable target for reconnaissance.
- Domains and Subdomains: Testers use a combination of DNS queries and specialized tools to detect subdomains that point to Azure services.
- Email IDs and User Accounts: An attacker needs a list of valid usernames to perform a password spraying attack. Testers can use tools that perform user enumeration by leveraging subtle differences in API responses to login attempts, confirming which email addresses or usernames are valid.
- Public Azure Services: A significant security finding is when publicly accessible Azure services expose sensitive data. This is particularly true for Azure Blob storage, where a misconfigured container can allow anyone on the internet to view or list all the contents within it.
Entra ID: Initial Access
Accessing an Entra ID environment can be done in several ways, often by exploiting common misconfigurations or by targeting human behavior. The main attack vectors involve credential theft, abusing application permissions, and exploiting vulnerabilities in associated services.
The Microsoft Graph API is a key part of this attack surface. It provides a single entry point for applications to access data and services, and attackers can use it to enumerate users, steal data, or create backdoors by abusing delegated permissions.
The Microsoft Graph API is the backbone of Microsoft 365, powering everything from Outlook to Teams. While you don't see it, it's constantly working in the background and is a powerful tool for administrators.
Black Hills GraphRunner
When a standard user's M365 account is compromised, this tool allows access to data beyond just email and files, even when the Azure Portal is locked down. The toolset helps identify security vulnerabilities in Microsoft cloud environments, providing value for both offensive security operators and defenders looking to find and fix issues.
"The first known instance of Microsoft Graph API abuse prior to its wider adoption dates back to June 2021 in connection with an activity cluster dubbed Harvester that was found using a custom implant known as Graphon that utilized the API to communicate with Microsoft infrastructure."
A critical vulnerability disclosed this year highlighted the risks of legacy systems. As discovered by researcher Dirk-jan Mollema, undocumented "Actor tokens" used by Microsoft for internal communication could be combined with a flaw in the legacy Azure AD Graph API. This allowed an attacker to use a token from their own tenant to impersonate any user, including Global Admins, in any other tenant, without leaving a trace in the victim's logs. The vulnerability, now patched and assigned CVE-2025-55241, demonstrated the immense security risk posed by older, less-monitored APIs.
When decoded, the Actor token (a JSON Web Token, or JWT) appears as follows (credit to Dirk-jan Mollema for the sample below):
{
"alg": "RS256",
"kid": "_jNwjeSnvTTK8XEdr5QUPkBRLLo",
"typ": "JWT",
"x5t": "_jNwjeSnvTTK8XEdr5QUPkBRLLo"
}
{
"aud": "00000002-0000-0000-c000-000000000000/graph.windows.net@6287f28f-4f7f-4322-9651-a8697d8fe1bc",
"exp": 1752593816,
"iat": 1752507116,
"identityprovider": "00000001-0000-0000-c000-000000000000@6287f28f-4f7f-4322-9651-a8697d8fe1bc",
"iss": "00000001-0000-0000-c000-000000000000@6287f28f-4f7f-4322-9651-a8697d8fe1bc",
"nameid": "00000002-0000-0ff1-ce00-000000000000@6287f28f-4f7f-4322-9651-a8697d8fe1bc",
"nbf": 1752507116,
"oid": "a761cbb2-fbb6-4c80-aa50-504962316eb2",
"rh": "1.AXQAj_KHYn9PIkOWUahpfY_hvAIAAAAAAAAAwAAAAAAAAACtAQB0AA.",
"sub": "a761cbb2-fbb6-4c80-aa50-504962316eb2",
"trustedfordelegation": "true",
"xms_spcu": "true"
}
.[signature from Entra ID]
Source: https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/
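To make the claim layout above concrete, here is an added Python example (not code from the original post or from Dirk-jan's tooling) that rebuilds the sample as an unsigned test token, decodes it without signature verification, and reports the markers that set an Actor token apart from an ordinary user token: the legacy Azure AD Graph audience, the trustedfordelegation and identityprovider claims, the absence of any user claim, and the 24-hour-plus lifetime. The placeholder signature and the list of user-identity claim names are assumptions made for illustration.

```python
import base64
import json
# Header and claims copied from the decoded sample above; the signature is a
# constructed placeholder, so the token is only usable for offline parsing.
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "_jNwjeSnvTTK8XEdr5QUPkBRLLo", "x5t": "_jNwjeSnvTTK8XEdr5QUPkBRLLo"}
SAMPLE_CLAIMS = {
    "aud": "00000002-0000-0000-c000-000000000000/graph.windows.net@6287f28f-4f7f-4322-9651-a8697d8fe1bc",
    "exp": 1752593816, "iat": 1752507116, "nbf": 1752507116,
    "identityprovider": "00000001-0000-0000-c000-000000000000@6287f28f-4f7f-4322-9651-a8697d8fe1bc",
    "iss": "00000001-0000-0000-c000-000000000000@6287f28f-4f7f-4322-9651-a8697d8fe1bc",
    "nameid": "00000002-0000-0ff1-ce00-000000000000@6287f28f-4f7f-4322-9651-a8697d8fe1bc",
    "oid": "a761cbb2-fbb6-4c80-aa50-504962316eb2",
    "rh": "1.AXQAj_KHYn9PIkOWUahpfY_hvAIAAAAAAAAAwAAAAAAAAACtAQB0AA.",
    "sub": "a761cbb2-fbb6-4c80-aa50-504962316eb2",
    "trustedfordelegation": "true", "xms_spcu": "true",
}
# Application ID of the legacy Azure AD Graph API, taken from the aud claim above.
LEGACY_AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_unsigned_jwt(header: dict, claims: dict) -> str:
    """Constructed test token: header.claims.<placeholder signature>."""
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(claims, separators=(",", ":")).encode(),
             b"placeholder-signature"]
    return ".".join(_b64url(p) for p in parts)

def split_app_tenant(value: str) -> tuple:
    """Entra writes these claims as '<app-id>[/<resource host>]@<tenant-id>'."""
    app, _, tenant = value.partition("@")
    return app.split("/")[0], tenant

def analyze_token(token: str) -> dict:
    """Decode claims WITHOUT verifying the signature (triage only) and flag
    the markers that distinguish an Actor token from an ordinary user token."""
    header_seg, claims_seg, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_seg))
    claims = json.loads(_b64url_decode(claims_seg))
    aud_app, aud_tenant = split_app_tenant(claims.get("aud", ""))
    _, iss_tenant = split_app_tenant(claims.get("iss", ""))
    return {
        "alg": header.get("alg"),
        "tenant": aud_tenant,
        "issuer_tenant_matches_audience": aud_tenant == iss_tenant,
        "legacy_aad_graph_audience": aud_app == LEGACY_AAD_GRAPH_APP_ID,
        "actor_token_markers": claims.get("trustedfordelegation") == "true" and "identityprovider" in claims,
        # assumed set of claim names a normal user token would carry; an Actor token has none of them
        "carries_user_identity": any(c in claims for c in ("upn", "preferred_username", "email", "unique_name")),
        "lifetime_seconds": claims["exp"] - claims["iat"],   # 86700 s, just over 24 hours
    }
```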
- Password Spraying & Brute Force: Password Spraying is a "low-and-slow" approach that avoids account lockouts by trying common passwords against a large number of user accounts. Brute Force is a more targeted attack on a single user.
- Phishing Attacks: The most common attack vector: a user is directed to a fake login page that looks identical to a Microsoft login page. The Illicit Consent Grant Attack is a more sophisticated form of phishing that bypasses MFA.
- Web Application Vulnerabilities: An attacker who gains Remote Code Execution (RCE) on a web service can leverage its Managed Identity to obtain an access token and expand their access to other resources.
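Because a spray touches each account only once, per-user lockout never triggers; the detection has to key on the source rather than the user. The following Python example is added here (it is not from the original post or any tool it names) and runs a sliding-window check over constructed sign-in records shaped like the Entra sign-in log fields (userPrincipalName, ipAddress, status.errorCode, createdDateTime). It covers both the "low-and-slow" spray described at the top of the page and the Password Spraying bullet above; the sample data, window size and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Result codes from the Entra sign-in log's status.errorCode field:
# 0 = success, AADSTS50126 = invalid username or password,
# AADSTS50076 = password accepted but MFA now required.
SUCCESS, INVALID_PASSWORD, PASSWORD_OK_MFA_REQUIRED = 0, 50126, 50076

def _rec(ts, upn, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip, "errorCode": code}

# Constructed sample: one source IP tries one password against six accounts,
# ten minutes apart (low and slow), and gets a 50076 on a later attempt, which
# means the password was right. A second IP is one user mistyping their own password.
SAMPLE_SIGNINS = [
    _rec("2025-09-01T02:00:05Z", "a.hart@example.com", "203.0.113.7", INVALID_PASSWORD),
    _rec("2025-09-01T02:10:11Z", "b.lin@example.com", "203.0.113.7", INVALID_PASSWORD),
    _rec("2025-09-01T02:20:02Z", "c.yu@example.com", "203.0.113.7", INVALID_PASSWORD),
    _rec("2025-09-01T02:30:40Z", "d.ortiz@example.com", "203.0.113.7", INVALID_PASSWORD),
    _rec("2025-09-01T02:40:09Z", "e.khan@example.com", "203.0.113.7", INVALID_PASSWORD),
    _rec("2025-09-01T02:50:33Z", "f.ng@example.com", "203.0.113.7", INVALID_PASSWORD),
    _rec("2025-09-01T03:05:00Z", "c.yu@example.com", "203.0.113.7", PASSWORD_OK_MFA_REQUIRED),
    _rec("2025-09-01T09:00:01Z", "g.ross@example.com", "198.51.100.22", INVALID_PASSWORD),
    _rec("2025-09-01T09:00:30Z", "g.ross@example.com", "198.51.100.22", INVALID_PASSWORD),
    _rec("2025-09-01T09:01:10Z", "g.ross@example.com", "198.51.100.22", SUCCESS),
]

def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def detect_spray(signins, window=timedelta(minutes=60), min_users=5):
    """Flag source IPs whose invalid-password failures cover at least
    `min_users` distinct accounts inside any `window`-long sliding interval.
    Returns {ip: {"users": accounts tried, "hits": accounts where the same IP
    later got a success or an MFA prompt, i.e. a guessed password worked}}."""
    by_ip = defaultdict(list)
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        by_ip[rec["ipAddress"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        failures = [r for r in recs if r["errorCode"] == INVALID_PASSWORD]
        start = 0
        for end, rec in enumerate(failures):
            # advance the window start until the interval spans no more than `window`
            while parse_ts(rec["createdDateTime"]) - parse_ts(failures[start]["createdDateTime"]) > window:
                start += 1
            in_window = {f["userPrincipalName"] for f in failures[start:end + 1]}
            if len(in_window) >= min_users:
                hits = {r["userPrincipalName"] for r in recs
                        if r["errorCode"] in (SUCCESS, PASSWORD_OK_MFA_REQUIRED)}
                findings[ip] = {"users": {f["userPrincipalName"] for f in failures}, "hits": hits}
                break
    return findings
```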
Entra ID: Lateral Movement & Persistence
After an attacker gains an initial foothold, their next goal is lateral movement. This is the process of moving from a compromised account to other, more valuable systems. The objective is to expand access, escalate privileges, and ultimately reach high-value targets.
1. Extending the Attack Surface with Intune Certificates
As highlighted by security researcher Dirk-jan Mollema, a new attack vector extends the traditional Active Directory Certificate Services (AD CS) attack surface to the cloud via Microsoft Intune certificates. In misconfigured hybrid environments, an attacker can leverage privileged roles in the Entra ID tenant—and in some cases, even a regular user—to request a certificate with an arbitrary subject from the on-premise AD CS server.
This can lead to a direct privilege escalation from a cloud-managed endpoint to a Domain Admin in Active Directory. By abusing the Intune Certificate Connector, an attacker can bypass traditional security controls and use tools like scepreq to obtain a malicious certificate, which can then be used to request a Ticket-Granting Ticket (TGT) for a Domain Controller.
- Authenticated Enumeration: With a valid credential or access token, a tester can perform authenticated enumeration to understand the environment. This is where a tester, now operating from within the tenant, gathers detailed information about the environment's structure, permissions, and potential attack paths.
- Lateral Movement Techniques: Lateral movement is a series of steps an attacker takes to expand their foothold.
  - Azure Resources & Role Assignment: An attacker can gain access to the Azure Resource Manager (ARM) and look for misconfigured Role Assignments. A low-privilege user might have a highly privileged role, like Contributor or Owner, on a sensitive resource.
  - Azure Automation & Runbooks: An attacker can target Azure Automation Accounts, which often run scripts called Runbooks for administrative tasks. These accounts have highly privileged identities.
  - Compromising Hybrid-Joined VMs: In a hybrid environment, an attacker can move from a compromised cloud VM to the on-premise network by abusing the trust relationship between the cloud VM and the on-premise domain.
  - Unsecured PowerShell Sessions: When administrators use tools like Az PowerShell or Az CLI, they store session tokens and other authentication data in a local cache. If a session is not properly terminated, this sensitive data can be a major security risk.
2. Abusing Temporary Access Passes (TAPs) for Lateral Movement
Temporary Access Passes (TAPs) are a legitimate method for administrators to provide a temporary, MFA-compliant password to a user. However, a malicious actor can exploit them for lateral movement and persistence without disrupting the user.
An attacker with sufficient privileges can create a TAP on a victim's account. While the TAP is temporary, it can be used to acquire a Primary Refresh Token (PRT) that contains a Kerberos Ticket-Granting Ticket (TGT) for the on-premises Active Directory. This is possible in hybrid environments that use the Cloud Kerberos Trust feature.
By using tools like ROADtools, an attacker can extract the TGT and use it to recover the victim's NT hash from an on-premises domain controller. The NT hash is a long-term credential that provides a persistent form of access, even after the original TAP has expired. This non-disruptive method allows attackers to establish a long-term foothold in the hybrid environment without the victim being alerted by a password change.
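The defender's handle on this technique is the pairing of a TAP registration in the audit log with the sign-in that redeems it. The Python example below is added here (it is not from the original post or from ROADtools) and correlates constructed audit and sign-in records: it flags a TAP that was issued by an account outside a helpdesk allow-list, or redeemed from a source IP the target user had never signed in from before the pass was created. The event name "Admin registered security info", the method label "Temporary Access Pass", the allow-list and the sample records are assumptions.

```python
from datetime import datetime, timedelta

# Constructed records shaped like Entra ID audit-log and sign-in-log entries.
# The activity name and method label below are assumptions about how the logs
# name these events; adjust them to what your tenant actually emits.
TAP_ACTIVITY = "Admin registered security info"
TAP_METHOD = "Temporary Access Pass"
APPROVED_TAP_ISSUERS = {"helpdesk1@example.com"}   # constructed allow-list

AUDIT_EVENTS = [
    {"activityDateTime": "2025-09-02T10:00:00Z", "activityDisplayName": TAP_ACTIVITY,
     "initiatedBy": "helpdesk1@example.com", "target": "j.doe@example.com", "method": TAP_METHOD},
    {"activityDateTime": "2025-09-02T14:30:00Z", "activityDisplayName": TAP_ACTIVITY,
     "initiatedBy": "svc-automation@example.com", "target": "cfo@example.com", "method": TAP_METHOD},
]
SIGNINS = [
    {"createdDateTime": "2025-09-01T08:00:00Z", "upn": "j.doe@example.com", "ip": "198.51.100.10", "method": "Password"},
    {"createdDateTime": "2025-09-01T08:30:00Z", "upn": "cfo@example.com", "ip": "198.51.100.10", "method": "Password"},
    {"createdDateTime": "2025-09-02T10:05:00Z", "upn": "j.doe@example.com", "ip": "198.51.100.10", "method": TAP_METHOD},
    {"createdDateTime": "2025-09-02T14:32:00Z", "upn": "cfo@example.com", "ip": "203.0.113.9", "method": TAP_METHOD},
]

def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def correlate_tap_usage(audit_events, signins, window=timedelta(hours=8)):
    """For every TAP registration, find the TAP sign-ins that redeemed it and
    report the ones matching the pattern above: issued by an account outside
    the helpdesk allow-list, or redeemed from a source IP the target user had
    never signed in from before the TAP was created."""
    findings = []
    for event in audit_events:
        if event["activityDisplayName"] != TAP_ACTIVITY or event["method"] != TAP_METHOD:
            continue
        created = parse_ts(event["activityDateTime"])
        target = event["target"]
        known_ips = {s["ip"] for s in signins
                     if s["upn"] == target and parse_ts(s["createdDateTime"]) < created}
        redemptions = [s for s in signins if s["upn"] == target and s["method"] == TAP_METHOD
                       and created <= parse_ts(s["createdDateTime"]) <= created + window]
        reasons = []
        if event["initiatedBy"] not in APPROVED_TAP_ISSUERS:
            reasons.append("issued by non-helpdesk account")
        reasons += [f"redeemed from never-seen IP {s['ip']}" for s in redemptions if s["ip"] not in known_ips]
        if reasons:
            findings.append({"target": target, "issuer": event["initiatedBy"], "reasons": reasons})
    return findings
```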
This is a list of modern tools and resources used by security professionals to perform cloud penetration testing and identify vulnerabilities in Microsoft's cloud ecosystem.
- AADInternals: A comprehensive PowerShell module for auditing and attacking Entra ID.
- ROADtools: A Python-based framework that includes ROADrecon for collecting data from the Microsoft Graph API.
- MicroBurst: A PowerShell toolkit for assessing Azure security and enumerating services.
- MSOLSpray: A specialized password spraying tool that also performs reconnaissance on user accounts.
- Evilginx: A sophisticated phishing framework that bypasses MFA by stealing session cookies.
- CloudBrute: A tool for discovering publicly exposed cloud assets by brute-forcing cloud resources.
- GraphRunner: A post-exploitation toolset for interacting with the Microsoft Graph API.
- ScoutSuite: An open-source multi-cloud security-auditing tool that can detect misconfigurations and security issues in an Azure environment.
- Azucar: A post-exploitation framework for Azure AD, providing a variety of functions for enumerating and exploiting an environment.
- CloudFox: A command-line tool designed to find exploitable attack paths in cloud environments like Azure.
- Stormspotter: A tool that visualizes a Microsoft cloud tenant's attack surface by mapping user and object relationships.
Post-Exploitation & Lateral Movement Tools
- BloodHound with AzureHound: A powerful attack path visualizer that maps relationships in cloud and hybrid environments.
- BlackCat: A newer PowerShell toolkit for Azure penetration testing.
- PowerZure: A PowerShell-based script for post-exploitation activities in Azure.
- TeamFiltration: A framework for automating account takeover attacks and data exfiltration in Microsoft 365 environments.
- o365-attack-toolkit: Contains scripts for various attacks against Microsoft 365.
Core CLI & Documentation
- Az PowerShell: A PowerShell module for managing Azure resources.
- Az CLI: A command-line interface for managing Azure resources.
- Microsoft Graph PowerShell SDK: The modern and supported method for interacting with Entra ID.