Entra Id

detecting-azure-service-principal-abuse helps detect, investigate, and document suspicious Microsoft Entra ID service principal activity in Azure. Use it for Security Audit, cloud incident response, and threat hunting to review credential changes, admin consent abuse, role assignments, ownership paths, and sign-in anomalies.

detecting-azure-lateral-movement helps security analysts hunt lateral movement in Azure AD/Entra ID and Microsoft Sentinel using Microsoft Graph audit logs, sign-in telemetry, and KQL correlation. Use it for incident triage, detection engineering, and security audit workflows covering consent abuse, service principal misuse, token theft, and cross-tenant pivoting.

The configuring-active-directory-tiered-model skill helps design and audit Microsoft ESAE-style Active Directory tier separation. Use this configuring-active-directory-tiered-model guide to review Tier 0/1/2 access, PAWs, admin boundaries, credential exposure, and security-audit findings with clearer implementation context.

detecting-oauth-token-theft helps investigate OAuth token theft, replay, and session hijacking in Microsoft Entra ID and M365. Use this detecting-oauth-token-theft skill for Security Audit, incident response, and hardening reviews. It focuses on sign-in anomalies, suspicious scopes, new devices, and containment steps.

building-identity-governance-lifecycle-process helps design identity governance and lifecycle management for joiner-mover-leaver automation, access reviews, role-based provisioning, and orphaned account cleanup. It fits cross-system Access Control programs that need practical workflow guidance, not a generic policy draft.

The auditing-azure-active-directory-configuration skill helps review Microsoft Entra ID tenant security for risky authentication settings, admin role sprawl, stale accounts, Conditional Access gaps, guest exposure, and MFA coverage. It is designed for Security Audit workflows with Graph-based evidence and practical guidance.