Tier Breakers: Blind Spots in Cloud-Managed PAWs
Microsoft Intune and Entra ID have become the default stack for cloud-managed Privileged Access Workstations (PAWs) - and with them, organizations assume they can achieve a strong and clear tier separation within a single tenant.
This session dissects the real-world failures and mistakes of tiered administration in cloud-managed PAW environments. We map concrete attack paths that breach tier boundaries: Intune RBAC scope misconfigurations that grant cross-tier device access, Entra ID role assignments with implicit permissions that span administrative tiers, and platform-level limitations that (currently) no configuration can fully compensate for.
Beyond exposing the gaps, we present tooling and methods to enumerate these attack paths within your own tenant - identifying tier boundary violations and quantifying blast radius before an attacker does. We then compare architectural mitigations, including the dedicated administration tenant (“Red Tenant”) model, against the single-tenant default most organizations live with.
Attendees leave with a clear model of where the tier boundary actually sits in a cloud-managed PAW deployment, specific detection and assessment techniques, and a realistic view of the architectural trade-offs involved.