EntraGoat: Vulnerable Microsoft Entra ID infrastructure to simulate identity security misconfigurations

EntraGoat is a purpose-built tool that sets up a vulnerable Microsoft Entra ID environment to mimic real-world identity security issues. It’s designed to help security professionals practice spotting and exploiting common misconfigurations.

The tool creates a range of privilege escalation paths and supports black-box testing methods. It uses PowerShell scripts and Microsoft Graph APIs to set up the environment, keeping it separate from production systems so users can experiment safely.

Each scenario comes with everything needed to run and reset the environment. A setup script deploys the vulnerable configuration, while a cleanup script removes all changes afterward. There’s also a step-by-step walkthrough that shows how the attack works, along with hidden flags for users to find as part of a capture-the-flag challenge.

Prerequisites:

• Microsoft Entra ID tenant (Use a test/trial tenant)
• Global Administrator privileges
• Microsoft Graph PowerShell SDK
• Node.js, npm

EntraGoat is available for free on GitHub.

Must read:

• 35 open-source security tools to power your red team, SOC, and cloud security
• GitHub CISO on security strategy and collaborating with the open-source community

Subscribe to the Help Net Security ad-free monthly newsletter to stay informed on the essential open-source cybersecurity tools. Subscribe here!