Jun 01, 2026
Azure Beginner Path
Phase 5 notes: Azure Blob Storage exposure, Key Vault abuse, Storage Tables, Entra ID recon, AzureHound, BloodHound, Microsoft Graph, and M365 post-exploitation.
Phase 5 — Azure Beginner Path
Phase Summary
Completed 4 Red Team labs focused on Azure initial access, secret discovery, Entra ID reconnaissance, and Microsoft 365 post-exploitation.
Do the Azure labs after the AWS phases. The concepts are similar, but the names and identity models differ.
Learning Objectives
- Understand Azure Blob Storage exposure and how leaked files can create initial access.
- Practice lateral movement through Azure Key Vault and Storage Tables.
- Map Azure and Entra ID relationships with AzureHound and BloodHound.
- Learn Microsoft Graph abuse paths across Microsoft 365 services.
- Compare Azure identity patterns against the AWS IAM model from earlier phases.
Lab Path
| Order | Lab | Type | Summary |
|---|---|---|---|
| 24 | Azure Blob Container to Initial Access | 🔴 Red | Azure Blob Storage exposure → secrets → initial foothold. |
| 25 | Unlock Access with Azure Key Vault | 🔴 Red | Use Azure Key Vault and Storage Tables for lateral movement. |
| 26 | Intro to Azure Recon with BloodHound | 🔴 Red | Use AzureHound and BloodHound to map Azure/Entra attack paths. |
| 27 | Loot Exchange, Teams and SharePoint with GraphRunner | 🔴 Red | Microsoft 365 post-exploitation with GraphRunner, PowerShell, Exchange, Teams, SharePoint, and OneDrive. |
Key Knowledge After Phase 5
- Azure Blob Storage is a common exposure point, similar to S3, but with Azure-specific container permissions and versioning behavior.
- Key Vault access can become a major pivot, because secrets, certificates, and connection strings often unlock additional resources.
- Storage Tables can hold operational data and secrets that support lateral movement once initial Azure access exists.
- Entra ID is central to Azure attack paths, and understanding users, groups, roles, apps, and service principals is mandatory.
- AzureHound and BloodHound turn identity relationships into attack graphs, making privilege paths easier to reason about.
- Microsoft Graph is the M365 control and data plane, so post-exploitation often crosses Exchange, Teams, SharePoint, and OneDrive.