Azure penetration testing

Entra ID actor tokens, PRT replay, managed-identity over-privilege.

Entra ID actor-token impersonation (CVE-2025-55241), Primary Refresh Token replay via roadtx, device-code phishing through phantom device registration, managed-identity over-scope chained from IMDS SSRF, workload-identity federation issuer tampering, and Azure Monitor SSRF to token theft (CVE-2025-62207), tested by hand. Every finding ships with a working proof-of-exploit, code-level fix guidance, and a re-test.

See the Entra ID attack paths
Entra tenant graph, actor token, PRT replay, managed identity, KeyVault, subscription Owner pivots labelled.

Entra-first

Actor tokens, PRT replay, device-code phishing, tested against your tenant by hand.

Identity to Owner

Managed-identity over-scope and federation tampering chained to subscription Owner.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

  • AICPA SOC 2 Type II
  • CREST accredited
  • ISO/IEC 27001

What we test

Six surfaces. Six named bug classes.

These are not generic categories, they are the primitives our Azure pentesters chain into engagement findings.

Entra ID actor tokens
Undocumented service-to-service actor tokens accepted by legacy AAD Graph without source-tenant validation, cross-tenant Global Admin (CVE-2025-55241).
Primary Refresh Token replay
Extract CloudAP-protected PRTs from a joined host, replay via roadtx to mint MSGraph tokens that satisfy MFA and conditional access.
Device-code & CA bypass
Device-code phishing chained with phantom-device DRS registration marks the attacker workstation compliant, conditional-access policy waved through.
Managed identity over-privilege
Workload SSRF reaches IMDS, lifts a system-assigned identity with Contributor at subscription scope, then pivots tenant-wide (CVE-2025-62207).
Workload identity federation
Swap the federated-credential issuer URL on an Entra app, persistent service-principal access without a stored secret, no rotation signal.
Subscription & KeyVault RBAC
Owner or User Access Administrator at subscription scope plus permissive KeyVault access policies, reveals secrets, cert private keys, AKV-stored SAS tokens.

Beyond config

One phish becomes tenant Owner.

Most Azure security tooling stops at the config-audit layer, checks IAM bindings, surfaces misconfigurations, emits a CSV. That's where a real pentest begins. A phished employee gives up a Primary Refresh Token; using roadtx and CloudAP, the pentester mints a fresh access token that satisfies MFA and conditional access because a phantom DRS registration makes the device look compliant. From an internal workload SSRF (the same primitive that produced CVE-2025-62207 in Azure Monitor), the team reaches IMDS and lifts a system-assigned Managed Identity scoped Contributor at the subscription. That identity rotates a KeyVault access policy, swaps the issuer on a privileged Entra app's Workload Identity Federation credential, and the chain closes at subscription Owner, the same class of trust abuse behind CVE-2025-55241. One starting credential, four primitives, tenant-wide compromise. Config audits don't catch chains; pentests do.

See BugDazz, SecureLayer7's autonomous pentest →
Four-step chain diagram, phished PRT, conditional-access bypass via phantom DRS device, Managed Identity pivot through IMDS SSRF, and Workload Identity Federation issuer swap closing at subscription Owner.
Four-step chain diagram, phished PRT, conditional-access bypass via phantom DRS device, Managed Identity pivot through IMDS SSRF, and Workload Identity Federation issuer swap closing at subscription Owner.

Meet your Azure lead

Hands on every Azure engagement.

John Dill

vCISO at SecureLayer7

15+

Years in offensive security

150+

Engagements led to date

99.99%

On-time engagement delivery

John scopes Azure engagements against your Entra tenant, subscription topology, and hybrid-identity boundary. He sits in the room from kick-off through findings review and re-test.

  • Scopes Entra ID, conditional access, and managed-identity paths against your real risk model.
  • Walks every AKS, Key Vault, and workload-identity finding live with your team.
  • Drives remediation review and re-test until every tenant-wide path is closed.
SL7 Lab. Published CVE research.
John Dill, vCISO at SecureLayer7

Ready to scope an Azure pentest? Book 30 minutes with John to walk through your Entra tenant, subscription layout, and timeline.

Book a 30-min call

AZURE PENTEST ENGAGEMENT.

How we run an Azure pentest. Tenant-wide, closed-loop.

Threat-modelled to your tenant, Entra graph, and subscription topology. Aligned with Microsoft's pentest rules-of-engagement, not a template we run against every cloud.

  1. 01
    Scope & rules-of-engagement
  2. 02
    Read-only access provisioning
  3. 03
    Tenant reconnaissance
  4. 04
    RBAC review
  5. 05
    Active exploitation
  6. 06
    Post-exploitation & blast-radius
  7. 07
    Reporting & remediation
  8. 08
    Re-test & closure

Insights

Azure security Resources.

Field notes on Entra ID abuse paths, Storage blob exposure, and managed-identity privilege drift, written by the reviewers who run Azure pentests.

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Tech SaaS

Multi-tenant SaaS on Azure, Entra ID drift, conditional-access bypasses.

See Tech SaaS pentest

FinTech

Banking workloads on Azure, Key Vault boundaries, M365 + Defender attack paths.

See FinTech pentest

HealthTech

HIPAA-aligned Azure tenants, PHI in Storage, Healthcare APIs on Azure.

See HealthTech pentest

Built for United States engagements

What changes when we deliver here.

  • Compliance scoping

    Azure Gov FedRAMP High mapping on every finding.

  • Regulatory framework

    CIS Microsoft Azure Foundations Benchmark v2 IDs cited per misconfig.

  • Local engagements

    Defense supplier closed CMMC L2 IA.L2-3.5.3 gap on Entra ID.

  • Local pricing

    USD per-tenant pricing, no surcharge for Azure Gov scope.

  • Compliance scoping

    Entra ID FOCI / device-code / refresh-token replay tested by default.

Questions Azure-shop US security leads ask first.

  • Do you test Conditional Access bypass paths?

    Yes. Device-code, refresh-token replay, FOCI client abuse and broken named-location policies are part of every Entra ID engagement.

  • Can you cover Azure Government workloads?

    Yes. Operators are US persons and the test plane uses Azure Gov US Virginia / US Arizona. FedRAMP High control mapping is the default.

  • How do you handle managed identities and service principals?

    Every managed-identity assignment, federated credential and service-principal owner is checked for over-permissive role assignments at sub and MG scope.

  • Do you need Microsoft pentest authorization?

    No. Microsoft lifted the notification form for in-scope services. We follow the Microsoft Cloud Unified Penetration Testing Rules of Engagement.

Delivery in United States

Entra ID. Conditional Access. Azure Gov FedRAMP High.

We attack Entra ID app registrations, Conditional Access bypasses and managed-identity scoping. Findings map to Azure Government FedRAMP High and CIS Microsoft Azure Foundations v2.

Direct line
+1-512-643-7291
Office
Austin, TX, United States

Frameworks scoped: SOC 2 · HIPAA · PCI DSS · NIST CSF · FedRAMP · CMMC.

Sample Azure pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted Azure engagement sample: full vulnerability narrative, working proof-of-exploit traces, and Bicep, ARM, or Terraform fix guidance you can hand to your platform team. Sent on request after a 5-minute scoping call.