OASP · Intermediate · Azure

Breaching Azure

A hands-on lab course covering real-world Azure attack paths. Learn how attackers enumerate Entra ID, abuse OAuth flows, exploit Managed Identities, and escalate privileges across Azure tenants.

30 hands-on labs
OASP certification
1 exam attempt
9 video lessons
Discord community

Offensive Azure Security Professional

Labs: 30
Modules: 17
Exam attempts: 1
Course Material Access: Lifetime
Community: Discord

What you'll be able to do

Enumerate Azure environments without generating high-fidelity alerts

Abuse Entra ID identities and OAuth flows to obtain persistent access

Exploit Managed Identities to pivot across Azure resources

Extract secrets from Key Vaults and Storage Accounts

Escalate privileges by abusing RBAC misconfigurations

Complete end-to-end Azure compromise chains

Write professional attack path reports for OASP certification

Attack techniques covered

Each technique is taught through a dedicated lab with a real target environment, not a walkthrough video.

Enumerate users, groups, applications, and service principals without triggering alerts.

Course structure

17 modules · 32 topics · 9 video lessons · 1 certification exam

01 Breaching Azure – Introduction
2 topics

Course overview, lab environment setup, and introduction to the Azure attack methodology used throughout the course.

02 BA 01 – Getting Started with Azure
2 topics

Set up your attack workstation, install the required tooling, and get familiar with the Azure CLI and portal navigation.

03 BA 02 – Azure Portal
1 topic

Use the Azure Portal to enumerate resources, review IAM assignments, and identify initial attack surface across a subscription.

04 BA 03 – Azure Cloud Shell
1 topic

Leverage Azure Cloud Shell as an attack platform with pre-authenticated access to Azure APIs and built-in tooling.

05 BA 04 – Anonymous Azure Services Enumeration
Sample · 3 topics

Enumerate publicly exposed Azure services without credentials — storage accounts, web apps, and metadata endpoints.

06 BA 05 – Phishing Attacks
6 topics

Execute device code phishing and OAuth consent attacks to harvest access tokens from Entra ID users without their passwords.

07 BA 06 – Abusing Azure Management and Azure Graph APIs
2 topics

Use the Azure Management and Microsoft Graph APIs to enumerate subscriptions, resources, role assignments, and escalate access.

08 BA 07 – Password Spraying Entra ID
2 topics

Conduct stealthy password spray attacks against Entra ID tenants while evading lockout and Smart Lockout protections.

09 BA 08 – Azure Access Token
4 topics

Extract, manipulate, and replay Azure access tokens to authenticate as users and service principals across Azure services.

10 BA 09 – Entra Conditional Access Policy
2 topics

Enumerate and bypass Conditional Access Policies to access protected resources from untrusted devices and locations.

11 BA 10 – Azure Logic App
2 topics

Abuse misconfigured Logic Apps to exfiltrate data, trigger automated actions, and pivot within the Azure environment.

12 BA 11 – Azure Storage Account
2 topics

Enumerate and exploit misconfigured Azure Storage Accounts to access blobs, tables, file shares, and queues.

13 BA 12 – Azure Automation Account
2 topics

Abuse Azure Automation Accounts and Runbooks to execute arbitrary code under managed identity privileges.

14 BA 13 – Microsoft Entra Connect & MSOL
4 topics

Exploit Entra Connect sync accounts and MSOL service accounts to escalate privileges and compromise on-premises Active Directory.

15 BA 14 – B2B Collaboration with Entra ID
4 topics

Exploit cross-tenant B2B guest access to enumerate resources and pivot laterally between Azure tenants.

16 BA 15 – Azure and Microsoft 365 REST APIs
2 topics

Use Azure and Microsoft 365 REST APIs to stealthily enumerate mailboxes, SharePoint sites, and Teams data.

17 BA 16 – DevSecOps Fundamentals
12 topics

Attack Azure DevOps pipelines, extract secrets from pipeline variables and Key Vault, and compromise service connections to escalate across environments.

Offensive Azure Security Professional (OASP)

The OASP exam requires you to compromise a live cloud environment and submit a professional attack path report. There is no multiple-choice component.

Exam format: Report submission

Attempts included: 1

Validity: Lifetime

Pricing

Choose your plan

All plans include lifetime access to course material and a certification exam attempt.

Limited offer: Use code CB25OFF for 25% off — applied automatically at checkout

Breaching Azure

Essential

$499

$374

  • 30 Days Cloud Labs Access
  • Lifetime Access to Course Material
  • Digital Content
  • 1x OASP Exam Attempt
  • Certificate of Completion
  • PDF Training Guide
  • 2x OASP Exam Attempts
  • Video Lessons
  • BA+ Standalone Challenges

Breaching Azure

Extended

$699

$524

  • 60 Days Cloud Labs Access
  • Lifetime Access to Course Material
  • Digital Content
  • 1x OASP Exam Attempt
  • Certificate of Completion
  • PDF Training Guide
  • 2x OASP Exam Attempts
  • Video Lessons
  • BA+ Standalone Challenges
Most Complete

Breaching Azure+

$1,000

$750

  • 60 Days Cloud Labs Access
  • Lifetime Access to Course Material
  • Digital Content
  • PDF Training Guide
  • 2x OASP Exam Attempts
  • Video Lessons
  • BA+ Standalone Challenges
  • Certificate of Completion

Teams & Enterprise

All Plus features · Dynamic group discount · Custom onboarding

Contact us →

FAQ

Frequently asked questions

The exam is practical and based on the material taught during the course. You are given access to a live Azure environment for 24 hours. The goal is to compromise the target environment and capture the final exam flag. You then have an additional 24 hours to submit a report detailing your methodology. Successfully completing the exam earns your OASP digital badge.

Around one year of Azure infrastructure experience is recommended. The labs include hints throughout, and CloudBreach administrators are available to guide you if you get stuck.

No. To start the CloudBreach labs you only need a standard web browser. The training environments are fully hosted on Microsoft Azure cloud and remote access is provided through the browser.

Yes. You can purchase the course today and schedule your lab start date for whenever works best for you.

Pausing is not currently possible. The lab is deployed on your scheduled start date and runs continuously for 30 or 60 days depending on your plan.

Yes. Lab access can be extended at any time through the CloudBreach portal at cloudbreach.io/addons. Contact an administrator if you run into any issues.

We do not offer refunds for digital training courses. We encourage you to review the course description, objectives, and available previews before purchasing to make sure it fits your needs.

Join Discord

Active community of students, certified practitioners, and course authors. Get unstuck, share techniques, and discuss findings without spoilers.

Certification badge

Earn your OASP.

Complete Breaching Azure and prove your offensive cloud security skills with a report-based certification exam.