
Azure / Entra ID Assessment

Misconfigs, identity risks and privilege paths in your Microsoft cloud

€175 per hour - CCV certified

An in-depth whitebox investigation of your Azure and Entra ID environment. We analyse RBAC configurations, conditional access policies, privileged identity management, service principal permissions and attack paths toward tenant admin.

What is an Azure / Entra ID Assessment?

An Azure / Entra ID Assessment is an in-depth whitebox investigation of your Microsoft cloud environment. We assess the configuration, architecture and identity management of your Azure and Entra ID tenant. The goal: find misconfigurations, excessive permissions and attack paths before an attacker finds them.

Microsoft Azure and Entra ID (formerly Azure AD) form the heart of most Dutch organisations' IT environments. But the default configuration of an Azure tenant is not secure. And the complexity of RBAC, conditional access, PIM and app registrations makes it easy to make mistakes. We know where those mistakes are - because we exploit them daily as pentesters.

What do we investigate?

  • Entra ID configuration - conditional access policies, MFA enforcement, legacy authentication, password policies, SSPR configuration.
  • Privileged Access - Global Admin accounts, PIM configuration, standing vs. just-in-time access, break-glass accounts.
  • RBAC & permissions - excessive role assignments, custom roles, subscription vs. resource group permissions.
  • App registrations & service principals - application vs. delegated permissions, secret management, multi-tenant apps.
  • Attack paths - concrete paths from regular user to Global Admin via misconfigurations, consent grants and overprivileged apps.
  • Azure resources - storage accounts, NSG rules, Key Vault access, managed identity misconfigurations.

Why should you get an Azure / Entra ID Assessment?

The cloud is not secure by default. Microsoft offers powerful security features, but only when they are correctly configured. We see the following at virtually every client:

  • Conditional access with gaps - legacy authentication not blocked, insufficient MFA coverage, overly broad exceptions.
  • Excessive permissions - users or service principals with Global Admin they do not need.
  • Forgotten app registrations - test apps from months ago with broad API permissions, still active.
  • No PIM - all admin rights permanent, without just-in-time activation.

A successful attack on your Azure environment can lead to full tenant takeover, data exfiltration from SharePoint/OneDrive/Teams, and lateral movement to on-premises via Azure AD Connect.
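As an added example (not the page's or Attic Security's own tooling), this Python function checks an export of conditional access policies for the three gaps listed above: legacy authentication not blocked, no tenant-wide MFA, and overly broad exclusions. The sample policies are constructed; field names follow the Microsoft Graph conditional access policy schema, and the exclusion threshold is an assumed value.

```python
import json
# Constructed sample in the shape Microsoft Graph returns for
# GET /identity/conditionalAccess/policies, trimmed to the fields used here.
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
  "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                 "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"builtInControls": ["block"]}},
 {"displayName": "Require MFA", "state": "enabled",
  "conditions": {"clientAppTypes": ["all"],
                 "users": {"includeUsers": ["All"], "excludeUsers": ["u1", "u2"],
                           "excludeGroups": ["g-service-accounts", "g-vip", "g-legacy"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}}
]""")

LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # Graph's two legacy client app types

def _tenant_wide(policy):
    """True when the policy targets all users on all cloud apps."""
    c = policy["conditions"]
    return ("All" in c["users"].get("includeUsers", [])
            and "All" in c["applications"].get("includeApplications", []))

def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))

def review_conditional_access(policies, max_exclusions=3):
    """Return findings for the gaps named above: legacy auth, MFA coverage, exclusions."""
    findings = []
    # Report-only and disabled policies enforce nothing, so only 'enabled' counts.
    enforced = [p for p in policies if p.get("state") == "enabled"]
    blocks_legacy = any(
        _tenant_wide(p) and "block" in _controls(p)
        and LEGACY_CLIENTS <= set(p["conditions"].get("clientAppTypes", []))
        for p in enforced)
    if not blocks_legacy:
        findings.append("legacy authentication is not blocked by an enforced policy")
    if not any(_tenant_wide(p) and "mfa" in _controls(p) for p in enforced):
        findings.append("no enforced tenant-wide MFA policy")
    for p in enforced:  # assumed threshold: more than max_exclusions exceptions is "broad"
        if not _tenant_wide(p):
            continue
        users = p["conditions"]["users"]
        excluded = len(users.get("excludeUsers", [])) + len(users.get("excludeGroups", []))
        if excluded > max_exclusions:
            findings.append(f"'{p['displayName']}' excludes {excluded} users/groups")
    return findings
```

On the sample, the report-only legacy-auth policy counts as not enforced, so the tenant is flagged for legacy authentication and for the five exclusions on the MFA policy.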

Our approach

We built Attic Security - our own M365 monitoring platform. That experience goes into every assessment we perform:

  • Tenant inventory - automated and manual inventory of all identities, groups, roles, apps and resources.
  • Configuration review - conditional access, MFA, password policies, PIM, security defaults.
  • Permission analysis - RBAC assignments, app permissions, OAuth consent grants, delegation configurations.
  • Attack path mapping - concrete attack paths toward Global Admin with AzureHound, ROADtools and manual analysis.
  • Azure resource review - storage accounts, networking, Key Vault, compute resources.
  • Reporting - report with risk classification, visualised attack paths and concrete hardening steps. Not vague recommendations, but specific configuration changes.

Questions after the report? Call us. We do not disappear after delivery.

What does an Azure / Entra ID Assessment cost?

Our hourly rate is €175 per hour. The total depends on:

  • Tenant size: number of users, groups, apps and subscriptions.
  • Complexity: multi-tenant, B2B/B2C, hybrid AD.
  • Scope: Entra ID only, or also Azure resources.

A typical Entra ID tenant (500-2,000 users): €7,000 - €15,000. Including Azure resources up to €20,000. We regularly combine this with a Microsoft 365 Review for a complete picture.

Methodology

  1. Tenant Inventory - Mapping all identities, roles and applications in the tenant.
  2. Configuration Review - Analysis of conditional access, MFA policies and privileged roles.
  3. Attack Path Analysis - Identifying attack paths toward Global Admin via misconfigurations.
  4. Reporting - Report with risk ranking, attack paths and concrete hardening steps.

Frequently asked questions

What is the difference between an Azure pentest and an Entra ID Assessment?

An Azure pentest focuses on actively exploiting vulnerabilities in Azure resources. An Entra ID Assessment is a whitebox configuration review of identity and access management. We often combine both - that gives the most complete picture.

Do you need Global Admin rights?

No. We work with a read-only account - Security Reader or Global Reader. No changes to your tenant. We only ask for the rights we need, nothing more.

How does this relate to Microsoft Secure Score?

Secure Score is a useful starting point but provides a limited view. It misses organisation-specific risks: attack paths via app registrations, excessive delegations, custom RBAC. Our assessment goes significantly deeper. We look from an attacker's perspective, not from a checklist.

Can you also assess hybrid AD environments?

Yes. Most of our clients have hybrid environments with Azure AD Connect. We assess the synchronisation configuration, the risks of password hash sync vs. pass-through authentication, and the attack paths between on-premises and cloud.

Ready to test your security?

Get in touch with our team for a no-obligation conversation about your security challenges.