plan/teaching-flow.md
# Teaching Flow Draft

This document first plans the pacing of the 6-hour course. Lab details will be settled later, when John builds the training tenant; for now only the main storyline of the material, the slide depth, and the scope trade-offs are fixed.

## Time Budget

| Block | Time | Purpose | Output |
| --- | ---: | --- | --- |
| Opening and mental model | 20 min | Course positioning, attack-chain map, identity plane vs resource plane | Students understand that today is not an Azure administration course |
| Foundations | 45 min | Tenant, app/SP, Azure RBAC, token boundary | Able to read the tool output in later modules |
| Initial Access | 45 min | Password spraying context, device code, OAuth consent | Able to tell a controlled lab apart from a real attack |
| Recon and Discovery | 55 min | Roles and output of ROADtools / AADInternals / AzureHound | Able to turn "what can I see" into attack-path questions |
| Lateral Movement | 55 min | Roles, app roles, ownership, service principals | Able to determine which identity can change what |
| Persistence | 35 min | SP persistence, OAuth consent persistence, device persistence | Know which topics are hands-on and which are lecture-only |
| Azure Resource Abuse | 55 min | Storage, Key Vault, Managed Identity, deployment history | Able to distinguish the management plane from the data plane |
| Security Boundary | 35 min | CA, MFA type, device compliance, token protection | Able to map each control back to an attack-chain step |
| Buffer / recap | 20 min | Q&A, fallback, key takeaways | Completion criteria and follow-up extensions |

## Current Material Decisions

- Hands-on lab implementation is deferred until John builds the training tenant.
- Student material uses checkpoint questions and learning observations, not flags, scoring, or required submissions.
- When the word *evidence* appears, it means "what defenders or students should be able to observe and explain", not something students must upload.
- OAuth consent remains the preferred initial-access teaching bridge because it connects cleanly to app/SP abuse.
- Device code is kept as threat context or instructor-demo candidate.
- Evilginx / AitM remains lecture-only unless John explicitly approves a controlled advanced path.
- Password spraying remains risk and detection context only.

## Module Depth

### Foundations

- Goal: establish vocabulary.
- Avoid: OAuth protocol deep dive.
- Must return later: delegated vs app-only, identity plane vs resource plane.

### Recon and Discovery

- Goal: make students ask what their current token can see.
- ROADtools is the primary narrative tool.
- AADInternals is useful as a toolkit reference, not the main UI.
- AzureHound is lecture-only until tenant validation proves the collection path and permissions are suitable.

### Lateral Movement and Persistence

- Goal: turn objects into decisions.
- Focus on role overreach, app/SP ownership, app role assignment, and credential addition risk.
- Persistence candidates should be narrowed to two practical tracks after lab infra is known.

### Azure Resource Abuse

- Goal: show why Azure RBAC does not automatically equal data access.
- Storage and Key Vault are the first-class examples.
- Managed Identity is kept as a strong demo / optional lab depending on environment readiness.

### Security Boundary

- Goal: avoid slogan defenses.
- Every control should answer: which attack-chain step changes, what assumptions are required, and what bypass or residual path remains?

## Next Planning Tasks

- [x] Create diagram backlog for identity plane, resource plane, consent flow, and app/SP abuse path.
- [x] Create screenshot backlog for portal views and sanitized tool output as instructor teaching aids, not student submission requirements.
- [x] Decide which modules need student handouts separate from slides: start with one consolidated student learning guide; split per module only if it becomes too long during review.
- [x] Draft first-batch diagrams for identity/resource plane, OAuth consent, app/SP relationships, and Azure management/data plane.
- [ ] Review first-batch diagrams before embedding them into the student deck.
- [ ] Convert the current single student deck into module-specific decks if OpenSlide navigation becomes too dense.