Microsoft Entra ID Attacks and Defense
RCCE students will learn the security landscape of Microsoft Entra ID (formerly Azure AD) and hybrid identity environments. RCCE students will learn to identify misconfigurations in cloud identity settings, exploit OAuth and OpenID Connect flows, and detect illicit consent grants. The course covers attacks such as token replay, device code phishing, and lateral movement from on-prem to cloud. RCCE students will learn to analyze complex systems and think like an attacker to better defend the organization. This comprehensive course delivers practical knowledge applicable to real-world cybersecurity operations. Starting from foundational concepts, RCCE students will learn through a combination of concept explanation, practical demonstration, and hands-on exercises.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Microsoft Entra ID Attacks and Defense
- Explain Course Overview fundamentals
- Execute hands-on tasks for focus area — covering Microsoft Entra ID (formerly Azure AD).
- Execute hands-on tasks for learning approach — covering Concept explanation and threat modeling.
- Execute hands-on tasks for topic map: 18 core subtopics
- Integrate privilege controls with identity providers and SIEM telemetry
- Integrate privilege controls with identity providers and SIEM telemetry, including Entra ID architecture, and Azure AD Connect / Cloud Sync.
- Execute hands-on tasks for oauth & oidc flows — covering Entra ID architecture.
- Execute hands-on tasks for conditional access — covering JWT structure and validation.
- Execute hands-on tasks for topic map: core subtopics (continued)
- Execute hands-on tasks for device code phishing
- Execute hands-on tasks for privilege escalation
- Execute hands-on tasks for application security — covering Device code flow mechanics, Role abuse in Entra ID, App registration misconfigs.
| Module 01 | Course Overview |
| Module 02 | Focus Area |
| Module 03 | Learning Approach |
| Module 04 | Topic Map: 18 Core Subtopics |
| Module 05 | Identity Fundamentals |
| Module 06 | Hybrid Identity |
| Module 07 | OAuth & OIDC Flows |
| Module 08 | Conditional Access |
| Module 09 | Topic Map: Core Subtopics (Continued) |
| Module 10 | Device Code Phishing |
| Module 11 | Privilege Escalation |
| Module 12 | Application Security |
| Module 13 | Incident Response |
| Module 14 | AD FS exploitation |
All hands-on labs run on Rocheston Rose X OS. Students practice microsoft entra id attacks and defense by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Explain Course Overview fundamentals
- Lab 2: Execute hands-on tasks for focus area
- Lab 3: Execute hands-on tasks for learning approach
- Lab 4: Execute hands-on tasks for topic map: 18 core subtopics
- Lab 5: Integrate privilege controls with identity providers and SIEM telemetry
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Microsoft Entra ID Attacks and Defense, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI