Microsoft Entra ID (formerly Azure Active Directory) is the identity backbone for Microsoft 365 and Azure cloud β and increasingly for SaaS apps via SSO. Compromise of Entra ID is the modern equivalent of compromising Active Directory: the attacker can become any user, access any tenant resource, and pivot to other clouds via federated trust. This module covers Entra ID security, the attack patterns, and the controls that matter.
Entra ID 101
- Cloud-native identity provider; SaaS multi-tenant
- Holds users, groups, applications, devices, conditional-access policies
- Issues tokens for OAuth 2.0, OpenID Connect, SAML
- Differs from on-prem AD: no Kerberos, no NTLM, no domain controllers (you connect to graph.microsoft.com)
- Hybrid mode common: Entra Connect synchronizes from on-prem AD; same identity used both places
Roles that matter
- Global Administrator β root of the tenant; can do anything; should be 2-5 people max
- Privileged Role Administrator β assigns roles to others; effectively also root
- Application Administrator β manages all apps; can grant consent
- Cloud Application Administrator β similar but only for cloud apps
- Authentication Administrator β resets MFA; powerful
- Sixty other built-in roles β least-privilege candidates
Audit Global Admins quarterly. Move admin work to least-privilege roles + Privileged Identity Management (PIM) for time-bounded elevation.
Common attack patterns
Password spray
Attackers try a single password across many accounts. Without smart lockout / Conditional Access protection, hundreds of accounts can be tested per hour without lockouts. Tools: MSOLSpray, MailSniper.
Continue reading with Basic tier (βΉ499/month)
You've read 23% of this module. Unlock the remaining deep-dive, quiz, and every other Intermediate module.