# Diagram Backlog
These diagrams are teaching aids for the student deck and instructor narration. They should make relationships easier to see; they should not become challenge artifacts or hidden flag material.
## Production Rules
- Use clean labels that match the slide vocabulary.
- Keep one teaching point per diagram.
- Prefer editable source files plus exported images.
- Avoid tenant-specific names, IDs, or real organization details.
- Mark every diagram with its target phase and slide anchor before adding it to the deck.
## Completed Drafts
- `01-identity-resource-plane.html`: first draft for Phase 1.
- `02-controlled-oauth-consent-flow.html`: first draft for Phase 2.
- `03-app-service-principal-relationships.html`: first draft for Phase 4.
- `04-azure-management-data-plane.html`: first draft for Phase 5.
## Priority Diagrams
### Identity Plane vs Resource Plane
- Phase: 1 / Foundations
- Teaching job: show why Entra objects, Azure subscriptions, and resource providers are related but not the same boundary.
- Include: tenant, user/group, app registration, service principal, subscription, resource group, resource.
- Avoid: protocol details and too many Azure service icons.
- Slide target: Foundations section before Azure RBAC.
### Token and Permission Boundary
- Phase: 1 / Foundations
- Teaching job: separate "what token do I have" from "what API/resource will accept it".
- Include: user sign-in, access token audience, delegated permission, app-only permission, Azure role.
- Avoid: turning this into OAuth spec detail.
- Slide target: token boundary recap.
### Controlled OAuth Consent Flow
- Phase: 2 / Initial Access
- Teaching job: show the bridge from user consent to delegated Graph access in a controlled training scenario.
- Include: user, consent prompt, app registration, service principal, delegated permission, Graph API.
- Avoid: phishing infrastructure and collection mechanics.
- Slide target: OAuth consent checkpoint.
### Device Code Flow Threat Context
- Phase: 2 / Initial Access
- Teaching job: explain why device code is a threat pattern without making it the primary student lab.
- Include: device login URL, user code, attacker-controlled session, token result.
- Avoid: real lure text or operational phishing instructions.
- Slide target: device code vs OAuth consent comparison.
### Recon Flow to Questions
- Phase: 3 / Recon and Discovery
- Teaching job: connect ROADtools / ROADrecon output to questions students can ask.
- Include: token, collection, tenant objects, role/app/SP relationships, candidate abuse questions.
- Avoid: requiring students to submit exported data.
- Slide target: recon output interpretation.
### App, Service Principal, and App Role Assignment
- Phase: 4 / Lateral Movement and Persistence
- Teaching job: make app registration, service principal, app role, and assignment relationships visible.
- Include: application object, service principal, appRole, appRoleAssignment, owner/credential relationship.
- Avoid: every Graph property; show only the decision-making path.
- Slide target: app/SP abuse path.
### Persistence Candidate Map
- Phase: 4 / Lateral Movement and Persistence
- Teaching job: compare persistence candidates without implying all are hands-on.
- Include: SP credential, OAuth consent, device registration, malicious device join.
- Avoid: implementation steps for high-risk or lecture-only paths.
- Slide target: persistence narrowing slide.
### Azure Management Plane vs Data Plane
- Phase: 5 / Azure Resource Abuse
- Teaching job: show why management permissions do not always equal data access.
- Include: ARM, role assignment, resource provider, Storage data plane, Key Vault data plane.
- Avoid: service-specific edge cases.
- Slide target: resource abuse opening.
### Managed Identity Boundary
- Phase: 5 / Azure Resource Abuse
- Teaching job: explain the difference between "can access VM/app" and "can use its managed identity".
- Include: compute resource, managed identity, token endpoint, target resource/API.
- Avoid: token dumping details in the diagram.
- Slide target: Managed Identity section.
### Attack Chain to Control Map
- Phase: 6 / Security Boundary
- Teaching job: map each defense to the attack-chain step it changes.
- Include: initial access, consent, recon, app/SP abuse, resource access, observation points.
- Avoid: presenting controls as absolute blockers.
- Slide target: final security boundary recap.
## Later Candidates
- Cross-tenant sync abuse overview, if promoted from parking lot.
- Azure Lighthouse relationship diagram, if promoted from parking lot.
- Entra Connect / ADFS trust boundary, if promoted from parking lot.
- Intune / device management boundary, if promoted from parking lot.