Thomas Naunheim and Sami Lamppu quietly built one of the most useful open projects for Entra ID defenders.

The Entra ID Attack & Defense Playbook

It’s free, community-driven, and packed with real detection logic and KQL queries.

🧵👇

It started during COVID.

Thomas and Sami began simulating attacks like password spray and token theft - not for red teaming, but to teach defenders how to detect them.

Each chapter follows a simple formula:

1️⃣ Attack simulation (how it works)

2️⃣ Detection (how to spot it)

3️⃣ Mitigation (how to stop it)

All validated in real Entra ID and Sentinel environments.

They’ve covered everything from:

🔑 Password spray

🎟️ Consent grant & token replay

🕵️ Adversary-in-the-middle

🤖 Workload identities & pipelines

🔄 Entra Connect app-based auth

One of my favorite parts — they created EIDSCA (Entra Security Config Analyzer).

It maps your tenant’s settings to MITRE ATT&CK, detects risky configs, and even integrates with Sentinel for posture alerts.

Their biggest challenge?

Keeping up with Microsoft’s constant changes.
Entra evolves fast - so detection logic that worked last month might break tomorrow.

That’s why the Playbook is open-source - community keeps it alive.

If you work with Microsoft Entra or Sentinel, bookmark this project and follow their work.

It’ll make you better at both offense and defense.
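A minimal version of the password-spray detection logic the thread describes, as an added example (this is not code from the Playbook, which publishes its detections as KQL for Sentinel). It runs over a handful of constructed sign-in records shaped like a few SigninLogs columns and flags a source IP that produced invalid-credential failures (Entra error code 50126) against many distinct accounts inside a short window, which is the classic spray signature: few attempts per account, many accounts per source. The records, thresholds and function name are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in error code for "invalid username or password" (AADSTS50126).
INVALID_CREDENTIALS = "50126"

# Constructed sample events (made up for this example, not real tenant data).
# Fields mirror SigninLogs columns: TimeGenerated, UserPrincipalName, IPAddress, ResultType.
SAMPLE_SIGNINS = [
    # One source IP, six accounts, one failure each inside two minutes: a spray.
    {"time": "2024-05-01T09:00:00", "upn": "alice@contoso.example", "ip": "203.0.113.10", "result": "50126"},
    {"time": "2024-05-01T09:00:20", "upn": "bob@contoso.example",   "ip": "203.0.113.10", "result": "50126"},
    {"time": "2024-05-01T09:00:40", "upn": "carol@contoso.example", "ip": "203.0.113.10", "result": "50126"},
    {"time": "2024-05-01T09:01:00", "upn": "erin@contoso.example",  "ip": "203.0.113.10", "result": "50126"},
    {"time": "2024-05-01T09:01:20", "upn": "frank@contoso.example", "ip": "203.0.113.10", "result": "50126"},
    {"time": "2024-05-01T09:01:40", "upn": "grace@contoso.example", "ip": "203.0.113.10", "result": "50126"},
    # One user mistyping a password three times: a single account, not a spray.
    {"time": "2024-05-01T09:05:00", "upn": "dave@contoso.example",  "ip": "198.51.100.5", "result": "50126"},
    {"time": "2024-05-01T09:05:30", "upn": "dave@contoso.example",  "ip": "198.51.100.5", "result": "50126"},
    {"time": "2024-05-01T09:06:00", "upn": "dave@contoso.example",  "ip": "198.51.100.5", "result": "50126"},
    # A successful sign-in; ResultType 0 is never counted.
    {"time": "2024-05-01T09:10:00", "upn": "alice@contoso.example", "ip": "198.51.100.7", "result": "0"},
    # A slow spray: five accounts, twelve minutes apart. Invisible to a 10-minute window.
    {"time": "2024-05-01T09:00:00", "upn": "heidi@contoso.example", "ip": "203.0.113.99", "result": "50126"},
    {"time": "2024-05-01T09:12:00", "upn": "ivan@contoso.example",  "ip": "203.0.113.99", "result": "50126"},
    {"time": "2024-05-01T09:24:00", "upn": "judy@contoso.example",  "ip": "203.0.113.99", "result": "50126"},
    {"time": "2024-05-01T09:36:00", "upn": "karl@contoso.example",  "ip": "203.0.113.99", "result": "50126"},
    {"time": "2024-05-01T09:48:00", "upn": "liam@contoso.example",  "ip": "203.0.113.99", "result": "50126"},
]


def detect_password_spray(signins, window_minutes=10, min_accounts=5):
    """Return {source_ip: sorted list of targeted UPNs} for every source IP that
    produced invalid-credential failures against at least `min_accounts`
    distinct accounts within some sliding window of `window_minutes`.
    Thresholds are illustrative; tune them to the tenant's baseline."""
    window = timedelta(minutes=window_minutes)

    # Group failed sign-ins by source IP, keeping (timestamp, account) pairs.
    failures = defaultdict(list)
    for event in signins:
        if event["result"] == INVALID_CREDENTIALS:
            failures[event["ip"]].append((datetime.fromisoformat(event["time"]), event["upn"]))

    hits = {}
    for ip, events in failures.items():
        events.sort()  # chronological order for the sliding window
        start = 0
        for end, (t_end, _) in enumerate(events):
            # Advance the window start until it spans at most `window`.
            while t_end - events[start][0] > window:
                start += 1
            targeted = {upn for _, upn in events[start:end + 1]}
            if len(targeted) >= min_accounts:
                # Report every account this IP failed against, not only the window.
                hits[ip] = sorted({upn for _, upn in events})
                break
    return hits


if __name__ == "__main__":
    for ip, accounts in detect_password_spray(SAMPLE_SIGNINS).items():
        print(f"possible password spray from {ip}: {len(accounts)} accounts -> {accounts}")
```

The second source IP in the sample is deliberately spaced so that a 10-minute window misses it; widening `window_minutes` to 60 catches it, at the cost of more noise from legitimate shared egress IPs (proxies, VPN concentrators), which is the trade-off the Playbook's Sentinel rules also have to make.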

@merill drop a few links too please. Did you (they) consider releasing the work also in #OpenTide format to increase actionability? OpenTide recently released the OpenTide version of the ATRM -> threat vectors only for now. Having this alongside would be huge.

Also have been praising your newsletter to regional MS folks, don’t know if any of that filtered back to you. If not, thank you!

Merill Fernando (@[email protected])

🎧 Listen to the full discussion: https://entra.chat
⭐️ GitHub: https://github.com/Cloud-Architekt/AzureAD-Attack-Defense

Infosec Exchange
@claushoumann Cheers Claus! Thanks a lot, much appreciated