# Lab 01 - Permission Model Checkpoint
## Goal
Build a shared vocabulary for the rest of the course by mapping identity-plane
objects, resource-plane objects, and token types to attacker and defender
questions.
## Preconditions
- No live tenant access is required.
- Students should have the course slides open.
## Exercise A - Classify the Object
For each item, mark whether it belongs primarily to the identity plane, resource
plane, or both:
| Item | Identity Plane | Resource Plane | Notes |
| --- | --- | --- | --- |
| User | | | |
| Group | | | |
| Application registration | | | |
| Service principal / enterprise app | | | |
| Subscription | | | |
| Resource group | | | |
| Storage account | | | |
| Key Vault secret | | | |
| Managed identity | | | |
## Exercise B - Read the Authorization Path
Given this scenario:
1. A user signs in to a tenant-registered application.
2. The application requests delegated Microsoft Graph permissions.
3. The user is a member of a group assigned to an Entra role.
4. The same user also has an Azure role assignment on a resource group.
Answer:
- Which decisions happen in Entra ID?
- Which decisions happen in Azure Resource Manager?
- Which access would be represented by delegated permissions?
- Which access would require Azure RBAC?
- What would you need to observe before claiming the user can read Key Vault
secrets?
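To make the scenario concrete, here is an added Python model (not part of the lab material) that separates the Entra decision (directory role membership, direct or via group) from the Azure Resource Manager decision (scope-inherited RBAC assignments) and the Key Vault data-plane check. Role names are Azure and Entra built-ins; the subscription id, the group `grp-ops`, the user `alice` and the vault `kv-app` are constructed for the walkthrough.

```python
# Added example (not from the lab): a small model of the two authorization planes in
# the Exercise B scenario. Role names are Azure/Entra built-ins; principal names and
# ARM scopes are constructed for the walkthrough.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)


@dataclass
class Tenant:
    # Identity plane: Entra directory roles, here assigned to groups.
    entra_roles: dict = field(default_factory=dict)      # role -> set of principals
    # Resource plane: Azure RBAC assignments as (principal, role, scope).
    azure_roles: list = field(default_factory=list)
    # Data plane: which permission model each vault uses, and legacy access policies.
    vault_rbac: dict = field(default_factory=dict)       # vault scope -> bool
    vault_policies: dict = field(default_factory=dict)   # vault scope -> principals with secrets/get


# Built-in Azure roles whose data actions include reading secret values.
SECRET_READ_ROLES = {"Key Vault Secrets User", "Key Vault Secrets Officer", "Key Vault Administrator"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # constructed
RG = SUB + "/resourceGroups/rg-app"
VAULT = RG + "/providers/Microsoft.KeyVault/vaults/kv-app"


def principals(user: User) -> set:
    return {user.name} | user.groups


def entra_roles_for(tenant: Tenant, user: User) -> set:
    # Decided in Entra ID: directory role membership, direct or through a group.
    return {r for r, members in tenant.entra_roles.items() if members & principals(user)}


def azure_roles_at(tenant: Tenant, user: User, scope: str) -> set:
    # Decided in Azure Resource Manager: assignments inherit down the scope hierarchy
    # (subscription -> resource group -> resource), so any ancestor scope counts.
    s = scope.lower()
    return {role for p, role, a in tenant.azure_roles
            if p in principals(user) and (s == a.lower() or s.startswith(a.lower() + "/"))}


def can_read_secrets(tenant: Tenant, user: User, vault: str) -> tuple:
    # The Entra role is not consulted here: ARM and the vault decide on their own data.
    if tenant.vault_rbac.get(vault, True):
        hits = azure_roles_at(tenant, user, vault) & SECRET_READ_ROLES
        return (bool(hits), f"RBAC model; data-plane roles at scope: {sorted(hits)}")
    allowed = tenant.vault_policies.get(vault, set()) & principals(user)
    return (bool(allowed), f"access-policy model; matching policies: {sorted(allowed)}")


def walkthrough() -> dict:
    alice = User("alice", {"grp-ops"})
    tenant = Tenant(
        entra_roles={"Security Reader": {"grp-ops"}},        # identity plane, via group
        azure_roles=[("alice", "Contributor", RG)],           # management plane on the RG
        vault_rbac={VAULT: True},
    )
    results = {
        "entra": entra_roles_for(tenant, alice),
        "arm_at_vault": azure_roles_at(tenant, alice, VAULT),
        "before": can_read_secrets(tenant, alice, VAULT),
    }
    # Only a data-plane role, here granted to the group at vault scope, changes the answer.
    tenant.azure_roles.append(("grp-ops", "Key Vault Secrets User", VAULT))
    results["after"] = can_read_secrets(tenant, alice, VAULT)
    return results


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(key, value)
```

The `before` result is the point of the last question: Contributor on the resource group is visible at the vault scope through inheritance, yet it carries no data action for secrets, so nothing observed so far supports the claim that the user can read them. Only the `after` assignment, a data-plane role at an inherited scope (or a matching access policy when the vault is in the legacy model), does.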
## Exercise C - Token Boundary Questions
For each token type, write one attacker question and one defender question:
| Token Type | Attacker Question | Defender Question |
| --- | --- | --- |
| Access token | | |
| Refresh token | | |
| Primary Refresh Token | | |
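The defender question for an access token usually starts with reading its claims. The following added Python example (not part of the lab material) builds constructed, unsigned sample tokens and classifies them the way the Learning Observations ask: delegated (`scp`, a user was present) versus application (`roles` only, no user), plus the audience that says which resource plane the token is for. It also shows why refresh tokens and the PRT answer differently: they are opaque to the client, so there is nothing to decode. Claim names are the real Microsoft identity platform names; the tenant id, object ids and token contents are made up, and the `high_impact` flag is a heuristic of this example, not an official label.

```python
# Added example (not from the lab): inspect the claims of a constructed, unsigned JWT
# to answer the token-boundary questions. Claim names (aud, tid, scp, roles, oid) are
# the real Microsoft identity platform names; the token contents are made up.
import base64
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_jwt(claims: dict) -> str:
    # Constructed sample with an empty signature: nothing here proves authenticity.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


def classify_token(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        # Refresh tokens and the PRT are opaque to the client; only the issuer can read them.
        return {"kind": "opaque", "aud": None, "tid": None, "permissions": [],
                "user_bound": None, "high_impact": False}
    claims = json.loads(_b64url_decode(parts[1]))
    if "scp" in claims:
        # Delegated: a user was present at sign-in; effective access is the intersection
        # of the consented scopes and what the user can already do. A delegated token
        # may also carry app roles, which is why scp is checked first.
        kind, perms = "delegated", claims["scp"].split()
    elif "roles" in claims:
        # App-only: no user in the loop, so the app roles apply tenant-wide.
        kind, perms = "application", list(claims["roles"])
    else:
        kind, perms = "unknown", []
    return {
        "kind": kind,
        "aud": claims.get("aud"),          # which resource plane will accept it
        "tid": claims.get("tid"),          # which tenant issued it
        "permissions": perms,
        "user_bound": kind == "delegated" and "oid" in claims,
        # Heuristic of this example: app-only write access across the tenant.
        "high_impact": kind == "application" and any(p.endswith(".ReadWrite.All") for p in perms),
    }


GRAPH = "https://graph.microsoft.com"
TENANT = "11111111-1111-1111-1111-111111111111"  # constructed

# Constructed samples for the three rows of the Exercise C table.
DELEGATED = make_sample_jwt({"aud": GRAPH, "tid": TENANT, "oid": "user-oid",
                             "scp": "User.Read Mail.Read"})
APP_ONLY = make_sample_jwt({"aud": GRAPH, "tid": TENANT, "oid": "sp-oid",
                            "roles": ["Mail.ReadWrite.All"]})
REFRESH = "0.constructed-opaque-refresh-token-value"  # constructed; not decodable


if __name__ == "__main__":
    for name, tok in [("access (delegated)", DELEGATED),
                      ("access (app-only)", APP_ONLY),
                      ("refresh / PRT", REFRESH)]:
        print(name, classify_token(tok))
```

Reading the two access-token rows side by side makes the Learning Observation about application permissions tangible: the delegated token is bound to one user (`oid` present, `scp` limited by what that user may do), while the app-only token's `roles` apply to every mailbox in the tenant with no user to narrow them. For the refresh token and PRT rows the only defender-side observations are issuer-side: sign-in and token-issuance logs, not the token body.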
## Learning Observations
Students should be able to explain:
- Why an Entra role and Azure RBAC role are not the same thing.
- Why application permissions are more dangerous than delegated permissions in
some scenarios.
- Why management-plane access does not always imply data-plane access.
- Which source IDs support the answer.
No submission is required. The instructor can confirm understanding through
discussion.
## Cleanup
No cleanup is required.
## Sources
- `MS-TOKENS`
- `MS-PRT`
- `MS-CONSENT`
- `MS-ROLES`
- `MS-AZURE-RBAC`
- `MS-STORAGE-BLOB-RBAC`
- `MS-KEYVAULT-RBAC`