Breaching Azure Advanced

The advanced course for practitioners who have completed Breaching Azure. Covers multi-tenant attacks, PIM abuse, Conditional Access bypass, Azure DevOps pipeline compromise, and advanced persistence techniques.

17 hands-on labs
OASE certification
1 exam attempt
16 video lessons
Discord community

Offensive Azure Security Expert

Labs: 17
Modules: 17
Exam attempts: 1
Course Material Access: Lifetime
Community: Discord

What you'll be able to do

Abuse PIM and Conditional Access to bypass modern identity controls

Execute cross-tenant attacks and establish persistent cross-boundary access

Compromise Azure DevOps pipelines and exfiltrate pipeline secrets

Execute advanced lateral movement and persistence across complex enterprise Azure environments

Abuse the Microsoft Graph API for stealthy enumeration and persistence

Build multi-stage attack chains across complex enterprise Azure environments

Write expert-level reports documenting advanced compromise paths for OASE certification

Attack techniques covered

Each technique is taught through a dedicated lab with a real target environment, not a walkthrough video.

Abuse cross-tenant trust relationships to pivot between Azure AD tenants.

Course structure

17 modules · 35 topics · 16 video lessons · 1 certification exam

01 Before You Start
4 topics

Get your lab environment ready, review the support channels, and understand how to approach the OASE certification exam.

02 Rules of Engagement
2 topics

Ethical and legal boundaries for the course labs, plus Command & Control setup used throughout the attack chains.

03 BAA 00 – Introduction to Azure
9 topics

Core Azure and Entra ID concepts: managed identities, delegated vs. application permissions, administrative units, Azure Lighthouse, Policy, and Cloud Shell.

04 BAA 01 – Subdomain Takeover, Teams Phishing & ConsentFix
6 topics

Claim dangling Azure subdomains, deliver phishing payloads via Microsoft Teams, and exploit OAuth consent flows with the ConsentFix attack.

05 BAA 02 – Azure VM Metadata Enumeration
3 topics

Query the Instance Metadata Service (IMDS) from a compromised VM to extract managed identity tokens and escalate access across the subscription.

06 BAA 03 – Key Vault Access Policies and Secrets
3 topics

Abuse misconfigured Key Vault access policies to retrieve secrets, keys, and certificates stored for other workloads.

07 BAA 04 – CosmosDB Data Decryption
3 topics

Chain Key Vault key access and a Function App to decrypt customer data stored at rest inside a CosmosDB instance.

08 BAA 05 – Entra ID User Creation
3 topics

Exploit an over-permissioned Azure Function App to create rogue Entra ID users and establish persistence in the tenant.

09 BAA 06 – Entra ID Enumeration
Sample · 3 topics

Map the tenant attack surface using the Microsoft Graph API: users, groups, roles, service principals, and application registrations.

10 BAA 07 – Getting RCE on Azure Arc Machine
3 topics

Exploit Azure Arc-managed servers to achieve remote code execution and pivot from the cloud control plane into on-premises infrastructure.

11 BAA 08 – RCE on AKS via Container Registry
3 topics

Push a malicious image to an Azure Container Registry, trigger its deployment in an AKS cluster, and achieve container escape.

12 BAA 09 – Compromising Entra ID Joined Device
3 topics

Take over an Entra ID joined device to extract cached tokens, certificates, and credentials usable for lateral movement.

13 BAA 10 – Exporting PRT and PIM Escalation
3 topics

Export a Primary Refresh Token (PRT) from a compromised device and abuse Privileged Identity Management (PIM) roles to escalate to Global Admin.

14 BAA 11 – RCE on Self-Hosted DevOps Agent
3 topics

Compromise a self-hosted Azure DevOps pipeline agent to execute arbitrary code and exfiltrate secrets injected into pipeline runs.

15 BAA 12 – ADFS Exploitation
3 topics

Attack Active Directory Federation Services to forge SAML tokens and authenticate as any federated user without their credentials.

16 BAA 13 – Extracting Access Token from Browser
3 topics

Steal Azure access tokens directly from browser memory and session storage to silently impersonate authenticated users.

17 BAA 14 – Exploiting JWT Assertions
3 topics

Forge signed JWT client assertions to authenticate as service principals, bypassing secret-based credential requirements entirely.

18 BAA 15 – Private Endpoints & ARM Template Exposure
3 topics

Abuse exposed ARM deployment templates and private endpoint misconfigurations to access restricted resources and exfiltrate sensitive data.

19 BAA 16 – Device Registration via ADFS Certificate
3 topics

Register a new device using an ADFS-issued certificate to obtain a compliant device identity and bypass Conditional Access policies.

20 BAA 17 – Exploit Misconfigured Anonymous Storage
3 topics

Discover and exploit publicly accessible Azure Storage containers to retrieve sensitive data and capture the final lab flag.

Offensive Azure Security Expert (OASE)

The OASE exam requires you to compromise a live cloud environment and submit a professional attack path report. There is no multiple-choice component.

Exam format: Report submission

Attempts included: 1

Validity: Lifetime

Pricing

Choose your plan

All plans include lifetime access to course material and a certification exam attempt.

Limited offer: Use code CB25OFF for 25% off — applied automatically at checkout

Breaching Azure Advanced

Essential

$599

$449

  • 30 Days Cloud Labs Access
  • Lifetime Access to Course Material
  • Digital Content
  • 1x OASE Exam Attempt
  • Certificate of Completion
  • PDF Training Guide
  • 2x OASE Exam Attempts
  • Video Lessons

Breaching Azure Advanced

Extended

$999

$749

  • 60 Days Cloud Labs Access
  • Lifetime Access to Course Material
  • Digital Content
  • 1x OASE Exam Attempt
  • Certificate of Completion
  • PDF Training Guide
  • 2x OASE Exam Attempts
  • Video Lessons
Most Complete

Breaching Azure Advanced+

$1,199

$899

  • 90 Days Cloud Labs Access
  • Lifetime Access to Course Material
  • Digital Content
  • PDF Training Guide
  • 2x OASE Exam Attempts
  • Video Lessons (Coming Soon)
  • Certificate of Completion

Teams & Enterprise

All Plus features · Dynamic group discount · Custom onboarding

Contact us →

FAQ

Frequently asked questions

The exam is practical and based on the advanced course material. You are given access to a live Azure environment for 24 hours and must compromise the target and capture the final flag. You then have 24 hours to submit a high-level report. Passing earns your OASE digital badge.

At least one year of Microsoft Azure infrastructure experience is recommended. Completing Breaching Azure first is strongly advised. Labs include hints and CloudBreach administrators are available to help.

No. You only need a standard web browser. The training environments are fully hosted on Microsoft Azure cloud and remote access is provided through the browser.

Yes. You can purchase the course today and schedule your lab start date for whenever works best for you.

Pausing is not currently possible. The lab runs continuously from your scheduled start date for 30, 60, or 90 days depending on your plan.

Yes. Lab access can be extended at any time through the CloudBreach portal at cloudbreach.io/addons. Contact an administrator if you need assistance.

We do not offer refunds for digital training courses. Please review the course description, objectives, and prerequisites carefully before purchasing.

Join Discord

Active community of students, certified practitioners, and course authors. Get unstuck, share techniques, and discuss findings without spoilers.

Certification badge

Earn your OASE.

Complete Breaching Azure Advanced and prove your offensive cloud security skills with a report-based certification exam.