Domain overview
This domain focuses on Entra ID, Okta, SSO and SaaS-connected trust. It covers token theft, refresh-token replay, OAuth consent abuse, SCIM and provisioning drift, federation trust, tenant misconfigurations, conditional access bypass paths, application registrations and the awkward edges between workforce identity and workload identity.
How to approach this surface
- Identity abuse often starts with normal-looking tokens, consents or app registrations. The trick is understanding what those artifacts can later mint or reach.
- Federation reduces friction, but it also creates delegated trust that attackers can inherit if validation or administrative boundaries are weak.
- Provisioning systems deserve offensive attention. SCIM and lifecycle automation can accidentally create persistence, role drift and quiet access revival.
- Conditional access is only as good as the signals it trusts. Device claims, network location, browser state and session age all become assumptions to test.
- Treat workforce identity, workload identity and SaaS trust as one graph. That is where modern real-world escalation often happens.
Related certification and framework context
- MITRE ATT&CK · Identity Provider: identity-provider-centric adversary techniques and defensive thinking.
- Microsoft Learn · Entra ID: platform context for policy, app registrations, federation and identity operations.
- Okta Developer Docs: identity and SSO protocol context in Okta-backed estates.
Curated public references
- OAuth 2.0 Security Best Current Practice: protocol abuse and hardening guidance.
- OpenID Connect Core: OIDC identity and token semantics.
- SCIM Protocol Specification: provisioning and identity lifecycle protocol behaviour.
- Microsoft Learn · Conditional Access: policy context for conditional access design and bypass reasoning.
- Google Cloud Workload Identity Federation: workload federation trust as an operational identity issue.
Brief index
Token Theft and Session Replay
Refresh tokens, cookies, device state and replayable trust artifacts.
OAuth Consent and Federation Abuse
Delegated app access, trust redirection and federation pitfalls.
Tenant Misconfiguration and SCIM Drift
Where provisioning, role mapping and admin shortcuts create identity attack paths.
Conditional Access and SSO Attack Paths
Testing policy assumptions, legacy auth edges and trust downgrades.
