EntraGoat: A deliberately vulnerable Microsoft Entra ID environment. Learn identity security through hands-on, realistic attack challenges

GitHub: https://github.com/Semperis/EntraGoat

EntraGoat is a deliberately vulnerable Microsoft Entra ID infrastructure designed to simulate real-world identity security misconfigurations and attack vectors. EntraGoat introduces intentional vulnerabilities in your environment to provide a realistic learning platform for security professionals. It features multiple privilege escalation paths and focuses on black-box attack methodologies.

EntraGoat uses PowerShell scripts and Microsoft Graph APIs to deploy vulnerable configurations in your Entra ID tenant. This gives users complete control over the learning environment while maintaining isolation from production systems.

🐐 Getting Started 🐐

Prerequisites

• A Microsoft Entra ID tenant (Use a test/trial tenant)
• Global Administrator privileges
• Microsoft Graph PowerShell SDK
• Node.js, npm

⚙️ Installation

EntraGoat provides an interactive web interface for challenge management and PowerShell scripts for infrastructure deployment.

Method 1: Quick Setup

1. Clone the repositorygit clone https://github.com/Semperis/EntraGoat
   cd EntraGoat
2. Install Microsoft Graph PowerShell SDKInstall-Module Microsoft.Graph -Scope CurrentUser -Force
3. Run the web interfacecd .\frontend
   npm install
   npm start
4. Access EntraGoat at http://localhost:3000
5. Run the Setup Script for each given scenario

Method 2: Manual PowerShell Setup (Recommended)

For individual scenarios, navigate to the specific challenge directory:

cd scenarios
.\EntraGoat-Scenario1-Setup.ps1

🎯 Challenge Structure

Each scenario includes:

• Setup Script - Deploys vulnerable configuration
• Cleanup Script - Removes all created objects
• Solution Walkthrough - Step-by-step attack demonstration
• Capture the Flag - Hidden flags to discover

💰 Pricing

EntraGoat scenarios run entirely within your existing Entra ID tenant and do not incur additional Microsoft licensing costs. The vulnerabilities are created through configuration changes only.

Note: Use a dedicated test tenant to avoid impacting production environments.

👥 Contributors

• Jonathan Elkabas - Security Researcher @Semperis
• Tomer Nahum - Security Research Team Lead @Semperis

Presented at

• Black Hat USA 2025 - Arsenal
• DEF CON 33 - Demo Labs
• BSides Frankfurt 2025 - Main hall
• SEC-T 0x11 - Main hall
• Black Hat SecTor 2025 - Arsenal

Solutions

⚠️ Spoiler Alert! Solution files contain complete attack walkthroughs.

Solution guides are available in the solutions/ directory for each scenario:

• Detailed step-by-step attack procedures
• PowerShell automation scripts

Resources

• What Is EntraGoat?
• Getting started with EntraGoat
• Scenario 1 Solution: Service Principal Ownership Abuse in Entra ID
• Scenario 2 Solution: Exploiting App-Only Graph Permissions in Entra ID
• Scenario 6 Solution: Exploiting Certificate-Based Authentication to Impersonate Global Admin in Entra ID

Screenshots

Main Dashboard

Challenge Interface

PowerShell Setup

🤝 Contribution Guidelines

We welcome contributions from the security community:

• New Scenarios - Additional attack vectors and privilege escalation chains
• Code Improvements - PowerShell script optimization and error handling
• Documentation - Enhanced learning materials and walkthroughs
• Bug Reports - Issue identification and resolution
• Feature Requests - New functionality and improvements

⚠️ Disclaimer

For Educational Purposes Only

EntraGoat is designed exclusively for educational and authorized security testing purposes. Users are responsible for:

• Obtaining proper authorization before testing
• Using dedicated test environments only
• Complying with applicable laws and regulations
• Following responsible disclosure practices

The authors assume no liability for misuse of this tool.

This project is licensed under the terms of the MIT license, and is provided for educational and informational purposes only. It is intended to promote awareness and educate on misconfigurations and attack paths, that may exist on systems you own or are authorized to test. Unauthorized use of this information for malicious purposes, exploitation, or unlawful access is strictly prohibited. Semperis does not endorse or condone any illegal activity and disclaims any liability arising from misuse of the material. Additionally, Semperis does not guarantee the accuracy or completeness of the content and assumes no liability for any damages resulting from its use.