Security firm Varonis has launched Breach at the Beach, a free Capture the Flag (CTF) competition built around Microsoft Entra ID (formerly Azure Active Directory). The event offers hands-on training scenarios that simulate real-world identity attacks, helping defenders understand how threat actors move through cloud identity infrastructure.
What Is Breach at the Beach?
Breach at the Beach is a purpose-built CTF designed to close a significant gap in defender knowledge: most security professionals understand network and endpoint attacks well, but cloud identity exploitation — particularly in Microsoft Entra ID — remains a blind spot.
The CTF was created by Varonis's threat research team to let participants actively investigate Entra ID attack techniques in a safe, controlled environment. Rather than purely theoretical training, participants work through realistic attack scenarios mirroring techniques used by real threat groups targeting Microsoft 365 and Azure environments.
Why Entra ID Security Matters
Microsoft Entra ID is the identity backbone of millions of organizations globally. It governs access to Microsoft 365 apps (Outlook, Teams, SharePoint), Azure resources, and, increasingly, third-party SaaS applications through federated identity.
This makes it a top-priority target for attackers across every threat category:
| Threat Actor Type | Entra ID Abuse Technique |
|---|---|
| Ransomware groups | Compromise privileged accounts, disable MFA for persistence, deploy ransomware via Intune |
| APT / espionage | Steal OAuth tokens, maintain long-term covert access to email and documents |
| BEC actors | Hijack executive accounts for invoice fraud, business email compromise |
| Initial access brokers | Sell compromised Entra ID credentials and session tokens on underground forums |
| Insider threats | Abuse legitimate delegated permissions for data exfiltration |
The 2023 Storm-0558 campaign — where Chinese threat actors accessed email accounts of senior US government officials via forged Microsoft authentication tokens — and the 2024 Midnight Blizzard breach of Microsoft's own corporate environment via a non-production test tenant are stark reminders that Entra ID is both a crown jewel and an attack surface.
What Participants Learn
Breach at the Beach covers the attack lifecycle within Entra ID environments. Key scenario categories include:
1. Initial Access via Entra ID
- Credential stuffing and password spray attacks against Entra ID login endpoints
- Phishing and adversary-in-the-middle (AiTM) token theft bypassing MFA
- OAuth application consent phishing ("illicit consent grant" attacks)
2. Privilege Escalation
- Abusing Entra ID role assignments and delegation
- Exploiting misconfigured Privileged Identity Management (PIM) settings
- Leveraging service principal permissions for privilege escalation
- Guest account abuse and external identity exploitation
3. Lateral Movement
- Moving from Entra ID to on-premises Active Directory via hybrid join
- Abusing Azure AD Connect / Entra Connect Sync for cross-environment pivoting
- Exploiting federated trust relationships between tenants
4. Persistence
- Backdooring applications and service principals
- Adding rogue credentials (secrets/certificates) to existing app registrations
- Modifying Conditional Access policies to create authentication bypass
- Creating hidden admin accounts or role assignments
5. Data Exfiltration
- Abusing Microsoft Graph API for bulk data collection
- Accessing SharePoint, OneDrive, and Teams content via compromised tokens
- Exporting Entra ID directory data
How to Participate
The CTF is free to enter and hosted by Varonis. Participants receive access to a pre-configured Entra ID lab environment with realistic users, groups, applications, and misconfigured settings — the same types of configurations found in enterprise tenants.
Flags are hidden across the environment and can be captured by investigating suspicious app permissions, hunting for misconfigured roles, or following an attack chain through the tenant.
Access the CTF: Visit Varonis's Breach at the Beach event page via BleepingComputer's coverage or Varonis's official site.
Who Should Play
This CTF is particularly valuable for:
- SOC analysts and incident responders who need to recognize Entra ID attack patterns in real alert data
- Cloud security engineers tasked with hardening Microsoft 365 and Azure environments
- Red teamers and penetration testers learning cloud identity attack techniques
- Security students preparing for certifications like SC-200, AZ-500, or Microsoft Certified: Security Operations Analyst
Key Entra ID Security Concepts to Know Before You Start
Privileged Identity Management (PIM)
PIM provides just-in-time privileged access to Entra ID and Azure resources. Misconfigured PIM — such as overly long activation windows or missing approval requirements — is frequently abused in attacks.
Service Principals and App Registrations
Service principals are non-human identities in Entra ID. Attackers frequently add credentials to existing high-privilege app registrations to maintain persistence without creating obvious new admin accounts.
Conditional Access Policies
Conditional Access controls how users authenticate. Attackers with sufficient privileges can modify these policies to exclude themselves from MFA requirements or trusted location restrictions.
Microsoft Graph API
The Microsoft Graph API provides programmatic access to most Microsoft 365 data. Compromised tokens with Graph API scope can be used to bulk-export emails, calendar entries, and files without triggering traditional endpoint alerts.
Defensive Takeaways
Even if you don't participate in the CTF, the attack scenarios it covers point to concrete defensive actions:
- Audit service principal credentials — Regularly review app registrations for unexpected client secrets or certificates that may indicate backdooring
- Enable Entra ID Identity Protection — Detect risky sign-ins, leaked credentials, and anomalous token usage
- Review Conditional Access exclusions — Exclusions from Conditional Access policies are a common persistence mechanism
- Monitor Microsoft Graph API activity — Alert on bulk data exports via Graph; establish baselines for normal API usage
- Implement Privileged Identity Management — Eliminate standing privileged roles in favor of just-in-time access with approval workflows
- Deploy Microsoft Sentinel with Entra ID connectors — Purpose-built SIEM integration surfaces Entra ID-specific threat signals