# Source Map
This table maps each technical point in the syllabus to an official document or a reliable research source. Slides use the `Source ID` as a short tag; the full URL lives here.
## Microsoft Official Sources
| Source ID | Topic | Source | Course Use |
| --- | --- | --- | --- |
| `MS-TOKENS` | Entra token types | Microsoft Learn: Understanding tokens in Microsoft Entra ID - https://learn.microsoft.com/en-us/entra/identity/devices/concept-tokens-microsoft-entra-id | PRT / access token / refresh token concepts and differences |
| `MS-PRT` | Primary Refresh Token | Microsoft Learn: Understanding Primary Refresh Token in Microsoft Entra ID - https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-token | PRT issuance, use and protection; device-based SSO context |
| `MS-TOKEN-PROTECTION` | Token protection | Microsoft Learn: Protecting tokens in Microsoft Entra ID - https://learn.microsoft.com/en-us/entra/identity/devices/protecting-tokens-microsoft-entra-id | Token replay / Conditional Access token protection discussion |
| `MS-CA-AUTH-STRENGTH` | Conditional Access auth strengths | Microsoft Learn: Conditional Access authentication strengths - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strengths | Differences between MFA types; where phishing-resistant MFA starts and stops |
| `MS-CA-MFA-STRENGTH` | Require MFA by auth strength | Microsoft Learn: Require MFA for all users with Conditional Access - https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-mfa-strength | Example policy framing for the defence chapter |
| `MS-CONSENT` | Permissions and consent | Microsoft Learn: Overview of permissions and consent in the Microsoft identity platform - https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview | OAuth consent, delegated vs application permissions, app roles |
| `MS-USER-CONSENT` | User consent settings | Microsoft Learn: Configure how users consent to applications - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent | OAuth consent phishing defence settings and consent policy framing |
| `MS-ADMIN-CONSENT-WORKFLOW` | Admin consent workflow | Microsoft Learn: Configure the admin consent workflow - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow | Review workflow and reviewer permissions when users cannot consent on their own |
| `MS-DEVICE-CODE-FLOW` | OAuth device code flow | Microsoft Learn: Authentication flow support in MSAL - https://learn.microsoft.com/en-us/entra/identity-platform/msal-authentication-flows | Legitimate uses of device code flow and the boundary of the phishing discussion |
| `MS-ROLES` | Entra built-in roles | Microsoft Learn: Microsoft Entra built-in roles - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference | Role / app permission / service principal management permissions |
| `MS-AZURE-RBAC` | Azure RBAC overview | Microsoft Learn: What is Azure role-based access control? - https://learn.microsoft.com/en-us/azure/role-based-access-control/overview | Azure resource scope, role assignment, management plane permission model |
| `MS-DEFAULT-PERMS` | Default user and object owner permissions | Microsoft Learn: Default user permissions - https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions | Application owner / enterprise app owner abuse discussion |
| `MS-GRAPH-APPROLE` | Graph appRoleAssignments | Microsoft Graph: List appRoleAssignments granted for a service principal - https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list-approleassignedto | Recon: querying app role assignments and Graph permissions. Note this endpoint (`appRoleAssignedTo`) lists assignments granted *on* a resource service principal such as Microsoft Graph; `appRoleAssignments` on a client service principal lists the roles it *holds* |
| `MS-DEVICE-REG` | Entra registered devices | Microsoft Learn: What are Microsoft Entra registered devices? - https://learn.microsoft.com/en-us/entra/identity/devices/concept-device-registration | Device registration, BYOD and compliant device prerequisites |
| `MS-DEVICE-JOIN` | Entra joined devices | Microsoft Learn: What is a Microsoft Entra joined device? - https://learn.microsoft.com/en-us/entra/identity/devices/concept-directory-join | Entra joined vs hybrid joined / cloud-only device differences |
| `MS-DEVICE-REG-FLOW` | Device registration internals | Microsoft Learn: How Microsoft Entra device registration works - https://learn.microsoft.com/en-us/entra/identity/devices/device-registration-how-it-works | Technical background for device registration persistence |
| `MS-DEVICE-MGMT` | Manage device identities | Microsoft Learn: Manage devices in Microsoft Entra ID - https://learn.microsoft.com/en-us/entra/identity/devices/manage-device-identities | Device settings, registration/join restrictions, defence checks |
| `MS-SP-SECURITY` | Service principal security | Microsoft Learn: Securing service principals in Microsoft Entra ID - https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-principal | Service principal least privilege, consent grants, secret hygiene |
| `MS-STORAGE-BLOB-RBAC` | Blob data access roles | Microsoft Learn: Assign an Azure role for access to blob data - https://learn.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access | Storage Blob data plane role vs management plane role differences |
| `MS-STORAGE-BLOB-AUTHZ` | Blob authorization with Entra ID | Microsoft Learn: Authorize access to blobs using Microsoft Entra ID - https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory | Azure Storage data access flow |
| `MS-KEYVAULT-RBAC` | Key Vault RBAC | Microsoft Learn: Provide access to Key Vault keys, certificates, and secrets with Azure RBAC - https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide | Key Vault control plane / data plane and secrets access |
| `MS-MANAGED-IDENTITY-VM` | Managed identity on VM | Microsoft Learn: How managed identities for Azure resources work with Azure virtual machines - https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-managed-identities-work-vm | Managed Identity token flow and resource access |
| `MS-ARM-DEPLOYMENT-HISTORY` | Deployment history | Microsoft Learn: View deployment history with Azure Resource Manager - https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-history | Deployment operations inspection and credential hunting boundary |
| `MS-STORM-2372` | Device code phishing campaign | Microsoft Security Blog: Storm-2372 conducts device code phishing campaign - https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/ | Threat context and detection framing for device code phishing |
| `MS-IDP-RISK` | Identity Protection risk detections | Microsoft Learn: What are risk detections? - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks | Password spray detection framing and limitations |
| `MS-PASSWORD-PROTECTION` | Password protection | Microsoft Learn: Eliminate bad passwords using Microsoft Entra Password Protection - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad | Password spraying risk and weak password prevention framing |
## Research and Tool Sources
| Source ID | Topic | Source | Course Use |
| --- | --- | --- | --- |
| `ROADTOOLS` | ROADtools / ROADrecon | GitHub Wiki: Getting started with ROADrecon - https://github.com/dirkjanm/ROADtools/wiki/Getting-started-with-ROADrecon | Recon lab tool flow: auth, gather, explore |
| `ROADTOOLS-HOME` | ROADtools docs | GitHub Wiki: ROADtools home - https://github.com/dirkjanm/ROADtools/wiki | Tool family reference |
| `AADINTERNALS` | AADInternals | AADInternals documentation - https://aadinternals.com/aadinternals/ | Tool purpose and module boundary |
| `MITRE-AADINTERNALS` | AADInternals in ATT&CK | MITRE ATT&CK S0677 - https://attack.mitre.org/software/S0677/ | ATT&CK mapping for enumeration and cloud account discovery |
| `AZUREHOUND-DOCS` | AzureHound collection | SpecterOps BloodHound docs: AzureHound Community Edition flags - https://bloodhound.specterops.io/collect-data/ce-collection/azurehound-flags | AzureHound role in Entra / Azure attack path collection and visibility limits |
| `DIRKJAN-BACKDOORING` | Azure AD account backdooring | Black Hat USA 2022 paper/slides by Dirk-jan Mollema - https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf | Persistence and token/device abuse background |
## Need Source Before Slide Inclusion
| Candidate Topic | Current Status | Required Next Step |
| --- | --- | --- |
| Cross-tenant sync abuse | Lecture-only candidate | Need official docs and a reliable public attack writeup before making claims |
| Azure Lighthouse abuse | Lecture-only candidate | Need official docs and a safe lab path |
| CAPTure tool | Candidate only | Need upstream repo/documentation and current compatibility check |
| AzureHound low-privilege limits | Lecture-only until lab validation | Source mapped as `AZUREHOUND-DOCS`; still needs training-tenant validation before hands-on |
| Evilginx Entra token theft lab | Candidate only | Need John approval, ethical constraints, and controlled tenant-only lab design |
| Entra Connect / ADFS credential theft | Optional advanced | Need source set and time-box decision |