astronaut
Logbook
Web Security • Research • CTF
Jun 01, 2026

Azure Beginner Path

Phase 5 notes: Azure Blob Storage exposure, Key Vault abuse, Storage Tables, Entra ID recon, AzureHound, BloodHound, Microsoft Graph, and M365 post-exploitation.

research

Phase 5 — Azure Beginner Path

Phase Summary

Completed 4 Red Team labs focused on Azure initial access, secret discovery, Entra ID reconnaissance, and Microsoft 365 post-exploitation.

Do Azure after AWS. The concepts are similar, but names and identity models are different.

Learning Objectives

  • Understand Azure Blob Storage exposure and how leaked files can create initial access.
  • Practice lateral movement through Azure Key Vault and Storage Tables.
  • Map Azure and Entra ID relationships with AzureHound and BloodHound.
  • Learn Microsoft Graph abuse paths across Microsoft 365 services.
  • Compare Azure identity patterns against the AWS IAM model from earlier phases.

Lab Path

| Order | Lab | Type | Summary |
|-------|-----|------|---------|
| 24 | Azure Blob Container to Initial Access | 🔴 Red | Azure Blob Storage exposure → secrets → initial foothold. |
| 25 | Unlock Access with Azure Key Vault | 🔴 Red | Use Azure Key Vault and Storage Tables for lateral movement. |
| 26 | Intro to Azure Recon with BloodHound | 🔴 Red | Use AzureHound and BloodHound to map Azure/Entra attack paths. |
| 27 | Loot Exchange, Teams and SharePoint with GraphRunner | 🔴 Red | Microsoft 365 post-exploitation with GraphRunner, PowerShell, Exchange, Teams, SharePoint, and OneDrive. |

Key Knowledge After Phase 5

  1. Azure Blob Storage is a common exposure point, similar to S3, but with Azure-specific container permissions and versioning behavior.
  2. Key Vault access can become a major pivot, because secrets, certificates, and connection strings often unlock additional resources.
  3. Storage Tables can hold operational data and secrets that support lateral movement once initial Azure access exists.
  4. Entra ID is central to Azure attack paths, and understanding users, groups, roles, apps, and service principals is mandatory.
  5. AzureHound and BloodHound turn identity relationships into attack graphs, making privilege paths easier to reason about.
  6. Microsoft Graph is the M365 control and data plane, so post-exploitation often crosses Exchange, Teams, SharePoint, and OneDrive.