RBAC: The Shady Place Behind Basic Entra ID Security
Some auditing tools focus on the fundamentals of Entra ID security, such as MFA, Conditional Access Policies, role assignments and best-practice configurations. While many organizations still struggle to address these basics (and thus remain prime targets for threat actors), we must also consider the adversary’s next move after these foundational security gaps are closed.
That’s where RBAC (Role-Based Access Control) comes in. RBAC appears in a wide range of Microsoft 365 services, yet it often slips under the radar—leaving critical gaps in your security posture. In this talk, we’ll dive into how attackers exploit these RBAC pitfalls and demonstrate the chain reactions that can arise from seemingly benign role assignments.
Join us to uncover what truly lies in this “shady place” of Entra ID security and learn how to harden your defenses against these advanced, often underestimated threats.
In this talk, I’ll begin with a primer on why Entra ID security is so critical—and why RBAC, in particular, deserves our close attention. Next, I’ll showcase the outputs of common auditing and security scanning tools (PingCastle, Purple Knight, BloodHound, and ScubaGear) to illustrate both the strengths and blind spots of their assessments. This will reveal exactly why RBAC is a natural avenue for attackers: it’s a complex mechanism that these tools rarely cover in depth.
From there, we’ll explore how RBAC is implemented across core Microsoft 365 services—including Intune, Defender, Exchange, Azure, Purview, and Power Platform—and look at real-world misconfigurations that can lead to privilege escalation, lateral movement, data leakage, and persistence. I’ll share concrete demonstrations of these attacks and reference real incidents where RBAC misconfigurations were exploited.
Finally, I’ll conclude with key takeaways on how to defend against RBAC-based threats, offering practical strategies and best practices to secure your Entra ID environment—and the broader Microsoft 365 estate—from these advanced attack vectors.