*
en | de
Pro User
Timespan
explore our new search
Entra ID: Attack & Defense Playbook
Microsoft Entra
Nov 3, 2025 12:00 PM

Entra ID: Attack & Defense Playbook

by HubSite 365 about Merill Fernando

Product Manager @ Microsoft 👉 Sign up to Entra.News my weekly newsletter on all things Microsoft Entra | Creator of cmd.ms & idPowerToys.com

AdministratorMicrosoft EntraLearning SelectionM365 Admin

Microsoft expert examines Entra ID playbook, token and PRT attacks, TPM and device compliance, Entra Connect security

Key insights

  • Entra ID Attack and Defense Playbook: A five-year community project by Sami Lamppu and Thomas Naunheim that documents real attack scenarios against Microsoft Entra ID and practical defenses.
    It serves as a living guide for security teams and is updated with new research and fixes.

  • Complex token attacks: The authors detail advanced threats like the “black box” token work and token replay techniques that let attackers reuse or forge access tokens.
    They explain how these attacks bypass common checks and what to watch for in logs.

  • PRT, TPM and device compliance: Research exposed surprising weaknesses in PRT handling and some TPM attestation flows, plus gaps where device compliance alone did not stop access.
    The finding shows organizations must not rely only on device status to allow trust.

  • Application Based Authentication (ABA) and Entra Connect: The new chapter covers the ABA model and steps to secure directory sync, including hardening the sync account and limiting permissions.
    Authors stress immediate action to lock down the sync identity and monitor its use.

  • Detection and mitigation: The playbook gives clear actions: enforce conditional access, require MFA, disable or block legacy authentication, and secure service principals.
    It also maps attacks to MITRE tactics so teams can build focused detection rules and run targeted hunts.

  • Tools and community: The project highlights tools like the HSCAR posture analyzer and recommends Microsoft Sentinel and Defender for Identity for detection and response.
    The authors encourage community contributions to keep the playbook current and practical.

Overview of the Video and the Playbook

Overview of the Video and the Playbook

In a YouTube interview hosted by Merill Fernando, security experts Sami Lamppu and Thomas Naunheim discuss their long-running community project, the Entra ID Attack and Defense Playbook. The conversation traces five years of collaborative research that documents how attackers target Microsoft identity infrastructure and how defenders can respond. As a result, the video offers a clear window into both advanced attack techniques and practical mitigation steps for organizations running Microsoft cloud environments.

Playbook as a Living Resource

The hosts frame the playbook as a living resource that evolves with the threat landscape. They emphasize community contributions and rigorous mapping to frameworks like MITRE ATT&CK, which helps teams prioritize detection and response. Consequently, the interview balances technical depth with real-world recommendations for security teams of different sizes.

Complex Attacks and Surprising Discoveries

The interview highlights several advanced threats that the authors studied, including the so-called black box token and nuanced attacks on refresh tokens. Lamppu and Naunheim explain how attackers can abuse token handling to persist in environments, and they show concrete examples of exploitation paths they tested. Viewers gain insight into how seemingly routine flows can hide complex risks.

Moreover, the hosts reveal alarming findings around PRT (Primary Refresh Token) handling and device attestation using TPM. In particular, they discuss scenarios where device compliance signals and TPM attestations can be manipulated, which undermines conditional access assumptions. As a result, the playbook recommends layered controls and active monitoring rather than single-point trust in device signals.

The researchers caution that defending tokens requires tradeoffs between usability and security. For example, stricter token lifetimes and revocation rules reduce attack windows but increase friction and support overhead. Teams must weigh immediate risk reduction against operational impact and plan phased changes with clear rollback options.

New Entra Connect ABA Chapter and Tradeoffs

A major portion of the video focuses on the new chapter covering Entra Connect Application Based Authentication (ABA). The authors explain how ABA alters the authentication model for directory synchronization and why it introduces new attack surfaces when implemented incorrectly. Consequently, the playbook provides step-by-step guidance to secure the sync account and recommends hardening measures to reduce privilege misuse.

The hosts acknowledge that securing ABA introduces complexity for IT teams that manage legacy on-premises systems. Tightening permissions and changing authentication modes can disrupt sync operations or break integrations. The recommended approach balances staged deployments, extensive logging, and automated posture checks to avoid downtime while improving security.

Detection Tools and Operational Challenges

Lamppu and Naunheim discuss how to leverage Microsoft's defensive tooling, such as Defender for Identity and Microsoft Sentinel, to spot attack patterns early. They stress that detection is most effective when alerts align to known TTPs and when security teams tune signals to their environment. Organizations should invest in use-case driven detection rules and periodic review of false positives to keep monitoring effective.

The interview highlights tradeoffs between sensitivity and noise. Aggressive detection thresholds catch more incidents but create alert fatigue and operational drag. The playbook advocates for prioritized telemetry, automation for routine responses, and human review for high-impact events to maintain a sustainable security posture.

Finally, the speakers raise the persistent problem of service principal and application security. Attackers increasingly target misconfigured service identities in DevOps pipelines, so teams must inventory and rotate secrets, apply least privilege, and monitor application behavior. These steps improve resilience but also require coordination across development and security teams to avoid breaking deployments.

Community, Maintenance, and Practical Guidance

The interview closes by emphasizing the playbook’s community-driven nature and its iterative maintenance model. Lamppu and Naunheim describe how regular updates, peer review, and mapped examples keep the content practical and current. Security teams can adopt the playbook as a living reference and contribute their own findings back to the community.

In summary, the video hosted by Merill Fernando serves as both a technical briefing and an operational guide for defenders working with Entra ID. It underscores the importance of layered defenses, cautious adoption of new authentication models like ABA, and the careful balance between detection sensitivity and operational noise. Ultimately, viewers leave with actionable priorities and an understanding that securing identity platforms requires ongoing attention, collaboration, and measured tradeoffs between risk and usability.

Microsoft Entra - Entra ID: Attack & Defense Playbook

Keywords

Entra ID security, Azure AD attack techniques, Entra ID defense playbook, Microsoft Entra identity protection, Azure AD penetration testing guide, identity and access management best practices, Entra ID breach prevention, cloud identity security workshop