Demystifying Microsoft Entra ID: Navigating Cloud Attacks with the MITRE Framework
Oct 13, 2025
I’d like this to be more informative rather than a rant, so let’s focus on the main topic: Microsoft Entra ID (formerly known as Azure Active Directory, or Azure AD) can be confusing.
We won’t harp on the name change; its main purpose was to highlight the distinction between on-premises Active Directory and its cloud counterpart.
As cloud becomes increasingly significant, it adds another layer of abstraction for analysts investigating potential threats: new terminology and more attack vectors. So, how can we gain a foothold for navigating this new territory?
What is the MITRE Cloud Matrix?
The Cloud Matrix provides an overview of cloud-focused attacks by outlining the tactics and techniques adversaries may use, many of which are based on real-world attack observations. Think of the big three cloud providers: Azure, AWS, and GCP.
Exploring the MITRE Cloud Matrix (Post-Compromise Behavior)
To understand how a cloud attack is typically carried out, we can use this cloud attack framework.
One of the annoying things I’ve noticed is that there aren’t many attack frameworks for cloud environments, unlike those for on-premises environments (such as the Lockheed Martin Cyber Kill Chain and MITRE ATT&CK). However, one can reasonably assume that the methodology remains similar while the tools change.
Here is a quick overview of some of the tactics covered in the MITRE Cloud Matrix:
Initial Access
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Exfiltration
Note: this framework covers techniques adversaries use after gaining access to a cloud environment.
For pre-compromise behavior, there was a PRE-ATT&CK framework, deprecated (as of 2011) and since integrated into the Enterprise ATT&CK framework.
So now, we have the PRE-MATRIX framework.
Exploring Pre-Compromise Behavior
We can break it down into two sections: Reconnaissance and Resource Development.
Out of scope here, but reconnaissance is also covered in the Cyber Kill Chain.
Reconnaissance is the phase in which an attacker builds a map of how the victim’s environment works.
Here are some questions I may ask myself as an attacker prior to scanning and probing the environment:
How can I determine if the company uses Azure?
What public indicators can help me identify this?
What does Azure architecture look like (users, resources, network design, etc.)?
What documentation on Azure is already available?
Are there any naming conventions commonly used with users and resources within Azure?