Azure AD assessments require a fundamentally different mindset than on-premises Active Directory. The attack surface is distributed across identity, applications, roles, conditional access policies, and the Microsoft Graph API. Here are the techniques that consistently yield impact in our Azure AD engagements.
Conditional Access Policy Gaps
Conditional access policies are rarely as complete as their owners believe. The gaps we find most often:
- Legacy authentication protocols (SMTP AUTH, IMAP, POP3, Exchange ActiveSync) that cannot perform MFA and are only covered by a policy whose client-app condition explicitly targets "Exchange ActiveSync clients" and "Other clients"; an MFA policy scoped to browsers and modern clients leaves these endpoints open to password spraying
- Exclusions for break-glass accounts that are protected only by a weak password, so the emergency exclusion doubles as a standing MFA bypass
- User, group or location exclusions that have grown broader than intended and are never reviewed
- Policies targeting "All users" that then exclude guests, leaving B2B guest accounts as a path around the policy
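The checks above can be run offline against a policy export. The following Python is an added example, not code from the original article: it audits policies in the shape returned by Microsoft Graph (GET /identity/conditionalAccess/policies) for unblocked legacy authentication, unexpected exclusions and guest exclusions. The policy definitions, group and user object IDs are constructed for illustration; break-glass password strength is not visible in policy data and is left to a separate credential review.

```python
"""Audit Conditional Access policies exported from Microsoft Graph
(GET /identity/conditionalAccess/policies) for the gaps listed above.
The policies and object IDs below are constructed for illustration."""

ALL = "All"                                 # Graph sentinel for "All users" / "All cloud apps"
GUESTS_LEGACY = "GuestsOrExternalUsers"     # legacy guest sentinel accepted in excludeUsers
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}   # client app types that cannot do MFA


def enabled(policies):
    # Report-only ("enabledForReportingButNotEnforced") and disabled policies enforce nothing.
    return [p for p in policies if p.get("state") == "enabled"]


def controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))


def legacy_auth_blocked(policies):
    """True if an enforced policy blocks both legacy client app types for all users and all
    apps with no user or group exclusions (an excluded account keeps a legacy-auth path open)."""
    for p in enabled(policies):
        c = p["conditions"]
        apps = set(c.get("clientAppTypes", []))
        users = c["users"]
        if (("all" in apps or LEGACY_CLIENT_APPS <= apps)
                and ALL in users.get("includeUsers", [])
                and not users.get("excludeUsers") and not users.get("excludeGroups")
                and ALL in c["applications"].get("includeApplications", [])
                and "block" in controls(p)):
            return True
    return False


def excludes_guests(policy):
    users = policy["conditions"]["users"]
    if GUESTS_LEGACY in users.get("excludeUsers", []):
        return True
    ext = users.get("excludeGuestsOrExternalUsers") or {}   # newer, typed guest exclusion
    return bool(ext.get("guestOrExternalUserTypes"))


def audit(policies, break_glass_ids):
    """Return finding strings. break_glass_ids: object IDs whose exclusion is expected."""
    findings = []
    if not legacy_auth_blocked(policies):
        findings.append("LEGACY_AUTH_NOT_BLOCKED")
    for p in enabled(policies):
        name, users = p["displayName"], p["conditions"]["users"]
        excluded = users.get("excludeUsers", []) + users.get("excludeGroups", []) + users.get("excludeRoles", [])
        unexpected = [x for x in excluded if x not in break_glass_ids and x != GUESTS_LEGACY]
        if unexpected:
            findings.append(f"BROAD_EXCLUSION:{name}:{','.join(unexpected)}")
        if ALL in users.get("includeUsers", []) and excludes_guests(p):
            findings.append(f"GUEST_BYPASS:{name}")
    return findings


BREAK_GLASS = {"11111111-1111-1111-1111-111111111111"}   # constructed break-glass object ID
SAMPLE_POLICIES = [   # constructed tenant export
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": [ALL],
                "excludeUsers": ["11111111-1111-1111-1111-111111111111", GUESTS_LEGACY],
                "excludeGroups": ["22222222-2222-2222-2222-222222222222"],   # wider than intended
                "excludeRoles": [],
            },
            "applications": {"includeApplications": [ALL], "excludeApplications": []},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],   # legacy clients not covered
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",   # report-only, so it enforces nothing
        "conditions": {
            "users": {"includeUsers": [ALL], "excludeUsers": [], "excludeGroups": [], "excludeRoles": []},
            "applications": {"includeApplications": [ALL], "excludeApplications": []},
            "clientAppTypes": sorted(LEGACY_CLIENT_APPS),
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICIES, BREAK_GLASS):
        print(finding)
```

The sample deliberately includes a report-only legacy-auth block: it is the single most common reason a tenant believes legacy authentication is blocked when it is not. Switching that policy's state to enabled clears the finding.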
PIM Role Activation Abuse
Privileged Identity Management is correctly positioned as a security control, but a misconfigured deployment turns it into an escalation path. Weak activation settings on a role (no MFA, no justification, no approval, a long maximum activation window) combined with a user who is eligible for Global Administrator mean that whoever compromises that user's password can activate tenant admin on their own. Eligible assignments do not appear as active role membership, so a quick look at directory roles undercounts these accounts; the assessor's check is the activation rules attached to each privileged role, not the list of active assignments.
Service Principal Credential Extraction
Service principals granted application permissions, as opposed to delegated permissions that are bounded by a signed-in user, act as independent identities in the tenant and are subject to none of the per-user controls. A client secret or certificate for such a principal is a high-value target wherever it lives: key vaults with loose access policies, CI pipelines, code repositories, or configuration files. The secret value cannot be read back from the app registration once created, but anyone who owns the registration or holds Application.ReadWrite.All can simply add a new credential and use that instead. A principal holding the Mail.ReadWrite application permission on Microsoft Graph can read and modify every mailbox in the tenant unless an Exchange Online application access policy restricts it to a specific set of mailboxes.
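Finding these principals is a join between each service principal's appRoleAssignments and the appRoles exposed by the resource (here, the Microsoft Graph service principal), plus a look at which credentials are still valid. The Python below is an added example, not code from the article: the Graph service principal, its appRole IDs, the tenant's service principals, key IDs and dates are all constructed stand-ins, which is why the code resolves permission names from the resource's own appRoles instead of hardcoding GUIDs. Whether an Exchange application access policy narrows a Mail.* grant is not visible in Graph and has to be checked separately with Get-ApplicationAccessPolicy.

```python
"""Report service principals holding high-impact Microsoft Graph application
permissions, together with the credentials they can authenticate with.
Input follows the Graph servicePrincipal resource with appRoleAssignments,
passwordCredentials and keyCredentials. All IDs and dates are constructed."""
from datetime import datetime, timezone

# Application permissions that are a finding on their own. Delegated permissions are granted
# through oauth2PermissionGrants, not appRoleAssignments, and are out of scope here.
HIGH_IMPACT = {
    "Mail.ReadWrite": "read and modify every mailbox",
    "Mail.Read": "read every mailbox",
    "Directory.ReadWrite.All": "write directory objects",
    "RoleManagement.ReadWrite.Directory": "grant any directory role",
    "AppRoleAssignment.ReadWrite.All": "grant itself further application permissions",
    "Application.ReadWrite.All": "add credentials to any app and impersonate it",
}


def app_role_names(resource_sp):
    """Map appRole id -> permission value, restricted to application (not delegated) roles."""
    return {r["id"]: r["value"] for r in resource_sp["appRoles"]
            if "Application" in r.get("allowedMemberTypes", [])}


def usable_credentials(sp, now):
    """Secrets and certificates that have not expired as of `now`."""
    creds = []
    for kind, key in (("secret", "passwordCredentials"), ("certificate", "keyCredentials")):
        for c in sp.get(key, []):
            end = datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00"))
            if end > now:
                creds.append(f"{kind}:{c['keyId']}")
    return creds


def audit_service_principals(sps, resource_sp, now):
    names = app_role_names(resource_sp)
    findings = []
    for sp in sps:
        perms = sorted({names[a["appRoleId"]] for a in sp.get("appRoleAssignments", [])
                        if a["resourceId"] == resource_sp["id"] and a["appRoleId"] in names})
        hits = [p for p in perms if p in HIGH_IMPACT]
        if hits:
            findings.append({"sp": sp["displayName"], "permissions": hits,
                             "impact": [HIGH_IMPACT[p] for p in hits],
                             "credentials": usable_credentials(sp, now)})
    return findings


NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # constructed assessment date

# Constructed stand-in for the Microsoft Graph service principal and its appRoles.
GRAPH_SP = {
    "id": "sp-graph",
    "appRoles": [
        {"id": "role-mail-rw", "value": "Mail.ReadWrite", "allowedMemberTypes": ["Application"]},
        {"id": "role-user-read", "value": "User.Read.All", "allowedMemberTypes": ["Application"]},
    ],
}
SERVICE_PRINCIPALS = [   # constructed tenant inventory
    {
        "displayName": "Mailbox Sync",
        "appRoleAssignments": [{"resourceId": "sp-graph", "appRoleId": "role-mail-rw"}],
        "passwordCredentials": [
            {"keyId": "kid-1", "endDateTime": "2024-06-30T00:00:00Z"},   # expired
            {"keyId": "kid-2", "endDateTime": "2026-01-01T00:00:00Z"},   # still valid
        ],
        "keyCredentials": [],
    },
    {
        "displayName": "Reporting",
        "appRoleAssignments": [{"resourceId": "sp-graph", "appRoleId": "role-user-read"}],
        "passwordCredentials": [],
        "keyCredentials": [],
    },
]

if __name__ == "__main__":
    for f in audit_service_principals(SERVICE_PRINCIPALS, GRAPH_SP, NOW):
        print(f["sp"], f["permissions"], f["impact"], f["credentials"])
```

A principal with a high-impact permission and no valid credential is still worth a finding, since an owner of the registration can add one, but the credential list tells you where to look for the secret that an attacker would actually be using today.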
Conditional Access Named Location Abuse
Named locations defined by IP range are only as trustworthy as the range itself. An attacker who can source traffic from it, through a compromised host on the corporate network, the corporate VPN, or cloud infrastructure that shares the same egress space, inherits whatever the location is trusted for, and a policy that excludes the location simply does not evaluate for that sign-in. A named location should reduce friction, not stand in for a control: pair any location-based exclusion with a device compliance or hybrid-join requirement that still applies from that location.
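The question to answer for each named location is "which controls still apply to a sign-in from inside this range?" The Python below is an added example, not part of the original article: it resolves a source IP against ipNamedLocation ranges, applies each policy's include/exclude location condition the way Conditional Access does, and reports sign-ins that end up with no device requirement. The named locations, policies and IPs are constructed; only policies scoped to All users are evaluated, since per-user scoping would need the principal's group and role membership.

```python
"""Which Conditional Access controls actually apply to a sign-in from a given IP?
Data shapes follow the Graph ipNamedLocation and conditionalAccessPolicy resources.
All locations, policies and addresses below are constructed for illustration."""
import ipaddress

DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}


def _ranges(loc):
    return [ipaddress.ip_network(r["cidrAddress"], strict=False) for r in loc.get("ipRanges", [])]


def matching_locations(ip, named_locations):
    addr = ipaddress.ip_address(ip)
    return [loc for loc in named_locations if any(addr in net for net in _ranges(loc))]


def location_applies(policy, ip, named_locations):
    """Apply the policy's location condition: included, and not excluded, for this IP.
    A missing locations condition means the policy applies from everywhere."""
    cond = policy["conditions"].get("locations") or {}
    include = set(cond.get("includeLocations", ["All"]))
    exclude = set(cond.get("excludeLocations", []))
    matched = matching_locations(ip, named_locations)

    def hits(selector):
        return any(loc["id"] in selector or ("AllTrusted" in selector and loc.get("isTrusted"))
                   for loc in matched)

    if "All" not in include and not hits(include):
        return False
    return not hits(exclude)


def effective_controls(ip, policies, named_locations):
    """Union of grant controls from enforced all-user policies that apply to this IP.
    Assumption: policies scoped to specific users/groups are skipped (no principal context)."""
    out = set()
    for p in policies:
        if p.get("state") != "enabled" or "All" not in p["conditions"]["users"].get("includeUsers", []):
            continue
        if location_applies(p, ip, named_locations):
            out |= set((p.get("grantControls") or {}).get("builtInControls", []))
    return out


def location_findings(ips, policies, named_locations):
    """Sign-in sources that reach the tenant with no device requirement at all."""
    findings = []
    for ip in ips:
        ctl = effective_controls(ip, policies, named_locations)
        if not ctl & DEVICE_CONTROLS:
            names = [loc["displayName"] for loc in matching_locations(ip, named_locations)]
            findings.append((ip, names or ["no named location"], sorted(ctl)))
    return findings


NAMED_LOCATIONS = [   # constructed; ids in Graph are GUIDs
    {"id": "loc-corp-hq", "displayName": "Corp HQ egress", "isTrusted": True,
     "ipRanges": [{"cidrAddress": "203.0.113.0/24"}]},
    {"id": "loc-cloud", "displayName": "Build agents (cloud)", "isTrusted": False,
     "ipRanges": [{"cidrAddress": "198.51.100.0/24"}]},   # shared cloud egress space
]
POLICIES = [   # constructed
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["loc-cloud"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]
SIGN_IN_IPS = ["203.0.113.7", "198.51.100.9", "192.0.2.10"]

if __name__ == "__main__":
    for ip, names, ctl in location_findings(SIGN_IN_IPS, POLICIES, NAMED_LOCATIONS):
        print(f"{ip} via {', '.join(names)}: controls={ctl}")
```

With both policies in place, the trusted HQ range skips MFA but still has to present a compliant device, which is the intended pairing; the cloud range is the finding, because its exclusion from the device policy leaves password plus MFA as the only barrier from IP space an attacker can rent. Remove the device policy and the HQ range is reached with no control at all.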