
lyrl / azuread-attack-defense

This project forked from cloud-architekt/azuread-attack-defense

This publication is a collection of various common attack scenarios on Azure Active Directory and how they can be mitigated or detected.

azuread-attack-defense's Introduction

Azure AD - Attack and Defense Playbook

This publication is a collection of various common attack scenarios on Azure Active Directory and how they can be mitigated or detected. All of the included scenarios, insights and comments are based on experiences from the contributors during their attack simulations, hands-on or real-world scenarios.

It should be considered a living document that has to be updated as practices progress and as attack and defense techniques change. We invite identity or security experts from the community to work together on this publication and contribute updates, feedback, comments or further additions.

Background

The initial idea for creating the ‘Azure AD Attack & Defense Playbook’ came from Thomas Naunheim. Our first Teams call was sometime in autumn 2020, where Thomas presented the idea and it was sold immediately. The first chapter was about the ‘Password Spray’ attack, where we focused heavily on the AAD Identity Protection detection mechanism to detect ‘password spray’ type attacks.

For the next chapters (Consent Grant & Azure DevOps) we were lucky to have Joosua Santasalo as part of the project as an author and reviewer.

Attack Scenarios

Typically, one chapter has taken approximately 1-2 months of calendar time, so it has been quite an effort to put all four (4) chapters & appendix together. During the last 1.5 years we have published the following chapters:

Scenarios:

In all chapters, we follow the same guideline. You can expect to find:

  • Description of the common attack scenarios
  • Detection of the attacks
  • Mitigation for the attack and instructions on how to enhance your environment's security posture, based on the document scope

The following sections in this introduction contain a short description of each chapter you can find in the playbook.

Contributors

  • Joosua Santasalo 💬 📖
  • Sami Lamppu 💬 📖
  • Thomas Naunheim 💬 📖

How to become part of the project and contribute?

  • Update or new content (Pull Request): As already mentioned, we would like to have a living document which is driven by the Azure AD community! Share your results and insights as part of this project! Send a pull request to add your content to this project.

  • Issues/Outdated content: Protection features or tools change continually. Update the outdated content (as part of a pull request) or create an issue to point out

  • Reviewer: We also look for experts who want to review or discuss the existing or new content before publishing!

  • Feedback: Feel free to suggest attack/defense scenarios that could be interesting for the community. We will add them to the backlog and idea collection!

azuread-attack-defense's People

Contributors

12knocksinna, cloud-architekt, jsa2, samilamppu
