Abusing AUs, Confusing the SOC: Entra Administrative Unit Attack Paths

Curious about Entra ID's Administrative Units (AUs)? This session will cover how AUs work, and their unexpected attack paths! We'll start with an overview of how AUs function. From there, we'll take an attacker's perspective into AUs for offense: Escalating privileges with scoped roles, concealing permissions in hidden AUs, and protecting access with restricted AUs. Next, we'll review how a bug we reported to MSRC could have allowed an attacker to create immutable users. We'll close off our review of AUs by covering detection and investigation of AU attacks.