Tomer Nahum
Tomer Nahum is a Security Researcher at Semperis, where he works on finding new attacks, and ways to defend against them, in on-prem identity stacks such as Active Directory as well as in cloud identity systems. Tomer was awarded Most Valuable Researcher (MVR) in 2023 by the Microsoft Security Response Center (MSRC).
Session
Identity has become the new perimeter, and in Microsoft Entra ID (formerly Azure Active Directory) it is also the easiest one to break. Misconfigured apps, over-scoped permissions, and weak Conditional Access policies open the door to attackers who know where to look.
In this talk, we’ll walk through real-world Entra ID misconfigurations that led to privilege escalation and tenant-wide compromise, all of which have been reproduced in EntraGoat, a new open-source lab that simulates these attack paths in a CTF-style environment.
You’ll see step-by-step demos of how attackers exploit these flaws, how defenders can detect them, and how you can use the lab to train, teach, or test in your own environment. Whether you’re red team, blue team, or just Entra-curious, you’ll walk away with practical techniques and a tool to keep practicing.