Hacker Reveals New Authentication Bypass in Active Directory and Entra ID at Black Hat USA 2025: Low-Privilege Accounts Escalated to Hybrid Admin Access Undetected

At the Black Hat USA 2025 conference in Las Vegas, security researcher Dirk-jan Mollema presented findings on authentication bypass techniques that could allow low-privilege cloud accounts to gain elevated access in hybrid Active Directory and Entra ID environments. His presentation, titled “Advanced Active Directory to Entra ID Lateral Movement Techniques,” demonstrated how attackers might exploit trust relationships between on-premises Active Directory and Microsoft’s cloud identity platform to move laterally without triggering standard API controls.

Mollema, a well-known security researcher from The Hague, Netherlands, and the founder of Outsider Security, has previously disclosed multiple vulnerabilities in Active Directory and Entra ID through tools such as mitm6, ldapdomaindump, and adidnsdump. His work focuses on protocol-level weaknesses in Microsoft identity infrastructure, particularly in hybrid deployments where organizations maintain both on-premises domain controllers and cloud-based Entra ID tenants.

The core of his Black Hat 2025 presentation centered on manipulating authentication tokens and session mechanisms to bypass conditional access policies and multi-factor authentication requirements. Rather than exploiting software bugs, the techniques described leverage legitimate authentication flows in unintended ways, allowing attackers to inherit elevated privileges through seemingly normal user actions.

These methods build upon earlier research Mollema presented at DEF CON 33 and Troopers 25, where he demonstrated similar attack paths involving Primary Refresh Tokens (PRTs) and federated credentials. In those presentations, he showed how abuse of Windows Hello for Business or external identity providers could lead to persistent access in Entra ID without detection by conventional monitoring tools.

Understanding the Hybrid Identity Attack Surface

Organizations using Microsoft Entra ID Connect (formerly Azure AD Connect) synchronize user accounts and password hashes from on-premises Active Directory to the cloud, creating a trust boundary that attackers seek to exploit. When properly configured, this synchronization allows seamless single sign-on experiences but can introduce risks if cloud accounts are over-privileged or if on-premises credentials are compromised.


Mollema’s research highlights how a low-privilege user in Entra ID—such as one with only standard application access—might be leveraged to gain hybrid administrator privileges by manipulating authentication requests between the cloud and domain controllers. This could occur without modifying directory objects or triggering typical anomaly detection alerts, making the activity difficult to distinguish from legitimate administrative behavior.

The attack chain often begins with credential theft or phishing to obtain a standard cloud user token, followed by techniques to exchange or elevate that token through unintended trust paths. Because these methods utilize valid authentication protocols, they may bypass controls designed to block malicious API calls or suspicious sign-in locations.

Technical Details of the Bypass Techniques

During his Black Hat presentation, Mollema demonstrated specific techniques involving actor tokens and SharePoint access abuse, as well as manipulation of Microsoft Graph API permissions through compromised service principals. These approaches allow attackers to request tokens with elevated scopes by presenting seemingly legitimate authentication requests that exploit misconfigurations in application permissions or consent grants.

One method detailed in his DEF CON 33 talk involved stealing Primary Refresh Tokens from Windows 10 or 11 devices and replaying them in different contexts to gain access to cloud resources. Another approach, shown at Troopers 25 with Fabian Bader, focused on bypassing Conditional Access policies by manipulating the authentication flow to present device states that appear compliant while actually being uncontrolled.

These techniques do not rely on zero-day vulnerabilities in Microsoft software but instead exploit how identity protocols are implemented and configured in real-world hybrid environments. As such, mitigation requires careful review of authentication policies, application permissions, and token handling practices rather than patching specific software flaws.

Implications for Enterprise Security

For organizations running hybrid Active Directory and Entra ID deployments, these findings underscore the importance of treating cloud identities with the same rigor as on-premises accounts. A low-privilege user in Entra ID should not be assumed to pose limited risk if their account can be used as a pivot point to gain domain-level privileges through authentication manipulation.


Security teams are advised to monitor for unusual token requests, unexpected service principal usage, and anomalies in authentication patterns that may indicate abuse of legitimate protocols. Regular review of application permissions, consent grants, and conditional access policies can help reduce the attack surface available for such lateral movement techniques.
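As an added illustration of the monitoring advice above (not code from the article or from Mollema's research), the script below flags service principal token requests that fall outside a tenant baseline: an unknown service principal, a known one requesting a scope it has never used before, or any request for a directory-wide write permission. The record format, the baseline, and the sample log lines are constructed and simplified stand-ins for Entra ID service principal sign-in data; the permission names themselves are real Microsoft Graph application permissions.

```python
"""Flag unusual service principal token requests against a tenant baseline.

Added example; the JSON field names, the baseline and the sample records are
constructed for illustration and do not mirror the exact Entra ID log schema.
"""
import json

# Real Microsoft Graph application permissions that allow directory-wide changes.
PRIVILEGED_SCOPES = {
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "AppRoleAssignment.ReadWrite.All",
    "Application.ReadWrite.All",
}

# Constructed baseline: hypothetical service principal IDs and the scopes each
# has historically requested in this tenant.
BASELINE = {
    "11111111-aaaa-4bbb-8ccc-000000000001": {"User.Read.All"},
    "33333333-bbbb-4ccc-8ddd-000000000003": {"Sites.Read.All"},
}

# Constructed sample records, one JSON object per line (not real log output).
SAMPLE_LOG = """
{"time":"2025-08-07T10:01:00Z","servicePrincipalId":"11111111-aaaa-4bbb-8ccc-000000000001","resource":"https://graph.microsoft.com","scopes":["User.Read.All"]}
{"time":"2025-08-07T10:05:00Z","servicePrincipalId":"22222222-dddd-4eee-9fff-000000000002","resource":"https://graph.microsoft.com","scopes":["Directory.ReadWrite.All"]}
{"time":"2025-08-07T10:06:00Z","servicePrincipalId":"33333333-bbbb-4ccc-8ddd-000000000003","resource":"https://graph.microsoft.com","scopes":["Sites.Read.All","Sites.FullControl.All"]}
{"time":"2025-08-07T10:09:00Z","servicePrincipalId":"11111111-aaaa-4bbb-8ccc-000000000001","resource":"https://graph.microsoft.com","scopes":["RoleManagement.ReadWrite.Directory"]}
"""


def analyse(log_text, baseline=BASELINE, privileged=PRIVILEGED_SCOPES):
    """Return (time, servicePrincipalId, reasons) for each record worth review."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        sp = rec["servicePrincipalId"]
        scopes = set(rec.get("scopes", []))
        reasons = []
        if sp not in baseline:
            reasons.append("unknown service principal")
        else:
            new = sorted(scopes - baseline[sp])
            if new:
                reasons.append("first use of scope: " + ", ".join(new))
        hits = sorted(scopes & privileged)
        if hits:
            reasons.append("privileged scope: " + ", ".join(hits))
        if reasons:
            findings.append((rec["time"], sp, reasons))
    return findings


if __name__ == "__main__":
    for time, sp, reasons in analyse(SAMPLE_LOG):
        print(time, sp, "; ".join(reasons))
```

In practice the baseline would be built from the tenant's own historical sign-in data and the privileged-scope list extended with any permission the team considers sensitive.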

Microsoft has not issued any public advisories directly addressing Mollema’s Black Hat 2025 presentation as of the date of this article. However, the company regularly updates its identity protection features and provides guidance on securing hybrid environments through documents like the Microsoft Secure Score recommendations and Entra ID protection best practices.

About the Researcher

Dirk-jan Mollema is a security researcher and trainer based in the Netherlands, known for his work on Active Directory and Entra ID security. He regularly presents at major security conferences including Black Hat, DEF CON, and Troopers, and maintains a public blog at dirkjanm.io where he shares research findings, tool releases, and technical deep dives on Microsoft identity systems.

His contributions to the security community include open-source tools that help administrators assess and harden their Active Directory and Entra ID configurations against credential theft and lateral movement techniques. These tools are frequently used by red teams and security auditors to identify potential weaknesses before attackers can exploit them.

Mollema’s approach emphasizes understanding the underlying protocols and trust mechanisms rather than focusing solely on exploitable bugs, providing defenders with insights into how legitimate functionality can be abused in complex identity architectures.
