During the last month, I have worked with Thomas Naunheim (@Thomas_live) & Joosua Santasalo (@SantasaloJoosua) on the community project ‘Azure AD Attack and Defense playbook’. Last year, we published the first chapter, ‘Password spray’, and now it is time to publish the second chapter, called ‘Consent grant’.


The protection of identities is an essential part of today's security architecture and strategy. The COVID-19 pandemic has changed IT environments drastically compared to the past. Microsoft statistics clearly show that attacks against cloud environments have increased a lot during COVID-19 times. Some insights were shared by Microsoft during Ignite 2020.

There are over 80 million identity attacks every single day with 98 percent precision.

Password spray attacks have increased 230% this year.

Chapter 1 – Password Spray

Earlier this year, in August 2020, Microsoft announced new detections for “Password Spray Attacks”. Together with Thomas, we thought that it would be interesting to understand the differentiation, purpose of use, or interaction of those detection methods.

After many hours of investigation in our labs and very interesting discussions over Teams, the project and the first chapter were published on 19.11.2020. More information on the project can be found in Thomas’s tweet & blog posts.

Chapter 2 – Illicit Consent Grant

The idea was originally born in 2018 when we noticed this kind of attack pattern in some environments. My colleague, Joosua Santasalo, wrote the first blog post about the attack back in those days. But as we all know, the pace of cloud environment development is staggering and a lot of development has been done in a couple of years. For that reason, we decided to focus on this type of attack in chapter 2.

Community-driven project

The results from our first use case are available from the following GitHub repository:


We’ve decided to publish the document as “markdown” in GitHub to allow common use and contributions from others.

We would be very pleased if other community members were also interested in researching further attack/defense scenarios in Azure AD and joined us to work on this playbook.

Everyone is invited to contribute in various ways:

  • Update or new content (Pull Request): As already mentioned, we would like to have a living document which is driven by the Azure AD community! Share your results and insights as part of the project! Send a pull request to add your content to this project.
  • Issues/Outdated content: Protection features and tools change continually. Update the outdated content (as part of a pull request) or create an issue to point out
  • Reviewer: We also look for experts who want to review or discuss the existing or new content before publishing!
  • Feedback: Feel free to suggest attack/defense scenarios that could be interesting for the community. We will add them to the backlog and idea collection!

The current content is just a beginning; we hope this project will also grow through others who participate in this initiative.

Hopefully, everyone will have as much fun, and as many valuable insights and discussions, as Thomas, Joosua and I had during our work on the attack scenarios.