The Identity Threat Landscape
0.1 What the identity threat landscape is
Identity is the primary attack surface in cloud environments. Not endpoints. Not networks. Not applications. Identity — the authentication event, the session token, the OAuth consent, the service principal credential — is where attackers concentrate because it is where access decisions are made.
The Microsoft Digital Defense Report 2025 quantified this at scale: identity-based attacks rose 32% in the first half of 2025 alone, with over 97% being password spray or brute-force attempts. Microsoft processes more than 100 trillion security signals daily and analyzes 38 million identity risk detections. Phishing-resistant MFA blocks over 99% of unauthorized access attempts — yet adoption gaps persist across organizations of every size, particularly for administrative and privileged accounts.
The attacks that bypass MFA are the ones this course focuses on. AiTM credential phishing captures the session token after MFA completes. Token theft replays stolen tokens from compromised devices. OAuth consent phishing grants persistent access that survives password resets. Device code flow abuse tricks users into authorizing attacker-controlled sessions. Service principal credential injection creates backdoors that most incident responders miss entirely. Each of these techniques exploits a specific weakness in the identity architecture — and each has a specific defense that this course teaches you to design, deploy, and verify.
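The common footprint of the first two techniques above, AiTM session capture and token theft, is a session that completed MFA from one network and then keeps requesting tokens from another. The following KQL query, an added example rather than one of the course's own queries, surfaces that pattern by grouping interactive and non-interactive sign-ins by session and flagging sessions seen from more than one autonomous system within an hour. Column names (SessionId, AutonomousSystemNumber, AuthenticationRequirement) are assumed to be those of the Sentinel SigninLogs and AADNonInteractiveUserSignInLogs tables; the one-hour window and the 10-item set limits are illustrative thresholds, not values from the course.

```kusto
// Added example (not from the course): sessions whose tokens were used from more than
// one autonomous system within an hour. A session that authenticated from one network
// and then refreshes tokens from another is the footprint of AiTM session hijack or
// token replay. Column names assumed as in Sentinel's SigninLogs and
// AADNonInteractiveUserSignInLogs tables; thresholds are illustrative.
let lookback = 1d;
let window = 1h;
union
    (SigninLogs
     | where TimeGenerated > ago(lookback)
     | extend Kind = "interactive"),
    (AADNonInteractiveUserSignInLogs
     | where TimeGenerated > ago(lookback)
     | extend Kind = "non-interactive")
| where ResultType == "0"                  // successful token issuance only
| where isnotempty(SessionId)              // rows without a session id cannot be correlated
| extend ASN = tostring(AutonomousSystemNumber)
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    ASNs      = make_set(ASN, 10),
    IPs       = make_set(IPAddress, 10),
    Apps      = make_set(AppDisplayName, 10),
    Kinds     = make_set(Kind, 2),
    // how many rows in the session carried an MFA requirement; an MFA-satisfied
    // session that later appears from new infrastructure is the higher-value hit
    MfaRows   = countif(AuthenticationRequirement == "multiFactorAuthentication")
  by UserPrincipalName, SessionId
| where array_length(ASNs) > 1             // same session, more than one network
| where LastSeen - FirstSeen <= window     // and the switch happened quickly
| project UserPrincipalName, SessionId, FirstSeen, LastSeen, ASNs, IPs, Apps, Kinds, MfaRows
| order by LastSeen desc
```

Expect benign hits from mobile users moving between Wi-Fi and cellular carriers and from split-tunnel VPN clients; the query is a triage starting point, not a verdict. The ASN pivot is deliberate: an attacker replaying a stolen token from hosting infrastructure usually changes autonomous system, whereas a user roaming within one ISP usually does not, so grouping by ASN rather than IP address cuts the noise without losing the case the section describes.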
This module establishes why identity became the dominant attack vector, how authentication actually works in Entra ID, what the identity security stack looks like, which attack patterns you will defend against, and how the Defense Design Method structures every module from EI2 onward. The module does not require a lab environment — it builds the conceptual foundation that makes the hands-on work in EI1 through EI18 meaningful.
0.2 What you will learn
Ten sections, each building the conceptual foundation for the hands-on modules that follow.
Section 0.1 — Why Identity Is the New Perimeter. The shift from network-centric to identity-centric security. Why an attacker who compromises a single identity gains access to every cloud service without touching the network. The evidence from Microsoft's threat intelligence and breach data that makes the case for identity as the highest-leverage security investment.
Section 0.2 — How Authentication Actually Works. The OAuth 2.0 and OpenID Connect flow in Entra ID — from browser redirect through credential validation, Conditional Access evaluation, MFA challenge, authorization code exchange, and token issuance. What each token type is, how long it lives, and why attackers target specific tokens at specific points in the flow.
Section 0.3 — The Entra ID Security Stack. The seven security capabilities that compose the identity defense — Conditional Access, Identity Protection, PIM, authentication methods, application governance, workload identity security, and identity governance. How they connect, where they overlap, and which gaps exist when any one is missing. Navigating the Entra admin center to locate each capability.
Section 0.4 — Attack Patterns You Will Defend Against. Seven identity attack techniques mapped to MITRE ATT&CK with the specific defense and the specific module that teaches it. AiTM credential phishing, token theft, OAuth consent phishing, password spray, MFA fatigue, service principal abuse, and federation attacks.
Section 0.5 — The Identity Kill Chain. The seven stages of a cloud identity attack — from reconnaissance through credential theft, initial access, persistence, privilege escalation, lateral movement, and data exfiltration. Each stage mapped to Entra ID telemetry and defensive controls. How the kill chain differs from network-centric models.
Section 0.6 — Zero Trust and Identity. Zero Trust as an architecture, not a product. Verify explicitly, least privilege, assume breach — how each principle maps to specific Entra ID controls. What Zero Trust means in practice for identity security design.
Section 0.7 — Real-World Identity Breaches. Midnight Blizzard, Storm-0558, Octo Tempest, and other identity-driven breaches dissected. What the attackers exploited, what the defenders missed, and which controls from this course would have changed the outcome.
Section 0.8 — The Defense Design Method. The six-step method that structures every module from EI2 onward — what attack does this stop, where is it configured, how should it be designed, how do you verify it works, what does failure look like, what do you do next. Why the method is the course's intellectual backbone.
Section 0.9 — Measuring Identity Security Posture. How to quantify identity risk — Microsoft Secure Score for Identity, Entra ID recommendations, the four metrics that matter for identity security programs. Running the baseline queries that tell you where your tenant stands today.
Section 0.10 — The Lab Environment. M365 E5 developer tenant setup, Azure subscription for Sentinel, test account configuration, browser setup for policy testing. What to set up now and what to defer until EI2.
0.3 Why the Microsoft stack is ideal for identity security
Entra ID is simultaneously the identity provider and the richest source of identity telemetry available on any cloud platform. Every authentication event, interactive, non-interactive, service principal, managed identity, is logged with the Conditional Access evaluation result, the risk assessment, the authentication method, the device state (populated when the device is registered or joined to the tenant), and the network location. Few third-party identity providers expose this level of detail in a queryable format.
Conditional Access evaluates every sign-in against policy before granting access. This is not a monitoring layer — it is an inline enforcement point that can block, challenge, or constrain access in real time based on dozens of signal combinations. The policies you build in EI3 and EI4 operate at this enforcement point.
Identity Protection applies Microsoft's threat intelligence — trained on billions of daily authentications — to individual sign-ins and user risk profiles. The risk detections feed directly into Conditional Access, creating a feedback loop between threat intelligence and access enforcement that no bolt-on solution can replicate.
Defender XDR correlates identity signals with endpoint, email, and cloud alerts into unified incidents. An AiTM phishing campaign that starts with an email, compromises a credential, and triggers suspicious mailbox activity appears as a single correlated incident — not three separate alerts in three separate consoles. The SOC workflow you learn in this course operates against that unified view.
KQL gives you direct analytical access to the raw telemetry. Every verification query in this course runs against the Entra sign-in and audit data: SigninLogs, AADNonInteractiveUserSignInLogs, AuditLogs and IdentityInfo when the logs are exported to a Sentinel workspace, or the equivalent Advanced Hunting tables in Defender XDR, where sign-in data surfaces as AADSignInEventsBeta and user context as IdentityInfo. The two surfaces use different table and column names, so a query written for one does not run unchanged on the other. You are not dependent on pre-built reports or vendor dashboards; you query the data directly and see exactly what the platform sees.
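As an added example of querying that telemetry directly (this is not one of the course's own queries), the following KQL lists successful interactive sign-ins that completed with a single factor and were not constrained by any enforced Conditional Access policy, which is exactly the set of access decisions the inline enforcement point described above never touched. It assumes the Sentinel SigninLogs table and its standard column names (AuthenticationRequirement, ConditionalAccessStatus, DeviceDetail, LocationDetails, RiskLevelDuringSignIn, ClientAppUsed); the seven-day lookback is illustrative.

```kusto
// Added example (not from the course): a posture baseline over the sign-in telemetry.
// Successful, single-factor, interactive sign-ins with no enforced Conditional Access
// policy applied, grouped by application and client protocol so the largest gaps
// surface first. Column names assumed as in Sentinel's SigninLogs table.
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "0"                                          // success only
| where AuthenticationRequirement == "singleFactorAuthentication"  // MFA never required
| where ConditionalAccessStatus == "notApplied"                    // no enforced policy matched
| extend
    DeviceCompliant = tobool(DeviceDetail.isCompliant),            // null when device is unknown
    Country         = tostring(LocationDetails.countryOrRegion),
    Risk            = RiskLevelDuringSignIn
| summarize
    SignIns      = count(),
    Users        = dcount(UserPrincipalName),
    SampleUsers  = make_set(UserPrincipalName, 5),
    Countries    = make_set(Country, 10),
    // treat an unknown device the same as a non-compliant one: both are unmanaged
    Unmanaged    = countif(coalesce(DeviceCompliant, false) == false),
    RiskySignIns = countif(Risk in ("low", "medium", "high")),
    LastSeen     = max(TimeGenerated)
  by AppDisplayName, ClientAppUsed
| order by SignIns desc
```

Two reading notes. ConditionalAccessStatus of notApplied means no enforced policy's conditions matched the sign-in; policies in report-only mode record their outcome in the ConditionalAccessPolicies column instead, so a tenant mid-rollout will show rows here that a report-only policy already covers. And ClientAppUsed is worth keeping in the grouping because legacy protocols (for example IMAP or SMTP clients) cannot satisfy an MFA challenge at all, which makes them the rows to act on first.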
0.4 How to get the best from this module
Work through the sections in order. Each builds on the previous — the perimeter shift (0.1) explains why identity matters, the authentication flow (0.2) shows how the system works, the security stack (0.3) maps the defenses, the attack patterns (0.4) and kill chain (0.5) define the threats, and the Defense Design Method (0.8) gives you the framework for every subsequent module.
Sections 0.4 (attack patterns) and 0.5 (kill chain) are the conceptual core. Every module from EI2 onward references these attack techniques — if you understand the AiTM flow, the token theft vector, and the consent phishing mechanism, the defenses in EI4, EI7, and EI9 will make immediate sense. If you skip these sections, the later modules will feel like arbitrary configuration steps rather than targeted countermeasures.
Section 0.9 (measuring posture) includes KQL queries you can run if you have a Sentinel workspace or access to Advanced Hunting. If you don't have a lab yet, read the section for the concepts — the queries will be waiting when you set up your environment in Section 0.10.
Estimated total time: 3 to 4 hours. Two to three sections per session produces consistent progress.
0.5 Module structure
- Section 0.1 — Why Identity Is the New Perimeter
- Section 0.2 — How Authentication Actually Works
- Section 0.3 — The Entra ID Security Stack
- Section 0.4 — Attack Patterns You Will Defend Against
- Section 0.5 — The Identity Kill Chain
- Section 0.6 — Zero Trust and Identity
- Section 0.7 — Real-World Identity Breaches
- Section 0.8 — The Defense Design Method
- Section 0.9 — Measuring Identity Security Posture
- Section 0.10 — The Lab Environment
No prerequisites. This is the first module of the course. Basic familiarity with Entra ID administration is helpful but not required — every concept is explained at first use.
Go to Section 0.1 — Why Identity Is the New Perimeter to begin.