<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Entraid on Daniyal Ahmed | Red Team &amp; Cloud Security</title><link>https://daniyalahmed.dev/tags/entraid/</link><description>Recent content in Entraid on Daniyal Ahmed | Red Team &amp; Cloud Security</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><managingEditor>daniyal.ahmed@microtechx.com (Daniyal Ahmed)</managingEditor><webMaster>daniyal.ahmed@microtechx.com (Daniyal Ahmed)</webMaster><lastBuildDate>Wed, 29 Apr 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://daniyalahmed.dev/tags/entraid/index.xml" rel="self" type="application/rss+xml"/><item><title>Hybrid Identity Penetration Testing: Laboratory &amp; Attack Guide</title><link>https://daniyalahmed.dev/posts/hybrid-identity-penetration-testing-laboratory-attack-guide/</link><pubDate>Wed, 29 Apr 2026 00:00:00 +0000</pubDate><author>daniyal.ahmed@microtechx.com (Daniyal Ahmed)</author><guid>https://daniyalahmed.dev/posts/hybrid-identity-penetration-testing-laboratory-attack-guide/</guid><description>This is my most ambitious lab yet. Multiple attack techniques, a complete initial access methodology, attack and defense, AD setup in Azure, hybrid identity setup and full compromise from zero credentials to cloud persistence. Before we touch a single command I want to walk through every concept that underpins what happens in the lab. 
This series rewards people who understand why a technique works, not just people who can copy and paste commands.</description></item><item><title>The Federated Domain Backdoor: Persistence That Survives Everything</title><link>https://daniyalahmed.dev/posts/the-federated-domain-backdoor-tenant-persistence/</link><pubDate>Mon, 27 Apr 2026 00:00:00 +0000</pubDate><author>daniyal.ahmed@microtechx.com (Daniyal Ahmed)</author><guid>https://daniyalahmed.dev/posts/the-federated-domain-backdoor-tenant-persistence/</guid><description>This attack was used by APT29 in 2020 to backdoor dozens of US government agencies. In 2025, a ransomware group used the same technique to exfiltrate and destroy data at multiple enterprises. It survives password resets, MFA resets, Conditional Access policy changes, and account deletion. And most organizations have zero detection coverage for it.
In the previous article we looked at SyncJacking, an attack that abuses the synchronization layer between on-premises Active Directory and Entra ID to hijack cloud identities.</description></item><item><title>SyncJacking: From On-Prem Foothold to Cloud Global Admin</title><link>https://daniyalahmed.dev/posts/syncjacking-from-on-prem-foothold-to-cloud-global-admin/</link><pubDate>Sun, 26 Apr 2026 00:00:00 +0000</pubDate><author>daniyal.ahmed@microtechx.com (Daniyal Ahmed)</author><guid>https://daniyalahmed.dev/posts/syncjacking-from-on-prem-foothold-to-cloud-global-admin/</guid><description>SyncJacking: How a Domain User Became Your Cloud Global Administrator. On January 13, 2026, Microsoft confirmed that an attacker with a standard domain user account can become your cloud Global Administrator in under three minutes, with no alert fired. They first reported this attack in 2022. For three years the answer was: &amp;ldquo;by design&amp;rdquo;.
Many of you are already familiar with attack techniques like session hijacking or clickjacking, methods that exploit trust in established mechanisms to take over user interactions and identities.</description></item></channel></rss>