Offensive Entra ID (Azure AD) and Hybrid AD review

With the growing adoption of Microsoft 365, Entra ID, and hybrid identity (Azure) setups, understanding how attackers target these environments has become essential. I recently followed the “Offensive Entra ID (Azure AD) and Hybrid AD Security Review” course by Outsider Security to sharpen my knowledge of identity-based attacks and defenses in hybrid and cloud-native environments.

This four-day training was the first classroom course I had taken in quite a while. I am used to self-study, spending a few hours in the evening or on weekends rather than several eight-hour days in a row. Sitting in a room for eight hours a day with other people and a single laptop screen took some getting used to, but that is just my personal preference.

Course overview

The course follows a structured approach that combines theory, demos, and hands-on labs, similar to advanced training programs like those from Altered Security. Each topic is introduced with a short explanation using slides or video, followed by a live demonstration of the technique, and then directly applied in a lab environment. This format keeps the training practical and engaging.

We start with identity basics and OAuth 2, then move step by step into hybrid trust paths and deep token internals. Each new concept is tested right away in a lab portal that tracks your flags and progress. The syllabus for the training can be found here.

The trainer, Dirk-Jan Mollema, explains every topic clearly and answers all questions. His knowledge of Entra ID is outstanding. The venue, New Babylon in The Hague, was easy for me to reach and the facilities were good, although noise from the other rooms was sometimes distracting. That issue was outside Outsider Security’s control.

Key lessons that stood out for me

I already had basic to intermediate knowledge of Entra ID, so what caught my attention may differ from what stands out for you. The points I found most interesting were:

✅ How attackers can bypass device compliance checks and bypass Conditional Access
✅ The misconfigurations that can appear in a hybrid Active Directory to Entra ID setup and the attack paths they open (lateral movement)
✅ Gaining in-depth experience with ROADtools to interact with Entra ID from an attacker’s perspective, especially for enumeration and token-based access workflows

Classroom dynamics and pace

Since I already had some background knowledge of Entra ID and related topics, the pace sometimes felt a bit slow for me. The variation in participants’ experience levels meant the tempo wasn’t always consistent. While I felt the material could have been covered in three days, others may have needed the full four to keep up.

On the plus side, we kept access to the lab environment for an extra week, which was perfect for revisiting tricky sections, and Outsider Security even organised an informal drink after the course.

Conclusion

The course is aimed at security professionals who already know the basics of Entra ID and have other basic application knowledge, such as how to use REST APIs. Pentesters, red teamers, blue team staff and SOC analysts will all benefit from the realistic attack chains and deeper theory. The overall value is high thanks to strong content, expert instruction and well-designed, stable challenges. If you need to sharpen offensive or defensive skills in Entra ID, this training is an excellent choice and I highly recommend it to everyone. Given the depth and quality of the material, it’s more than worth the price.

Finally, a huge shout-out to Dirk-Jan from Outsider Security for developing such an informative course!
