
Energy / Critical Infrastructure · White-Box Pentest

White-Box Penetration Test of Azure and Entra ID Environment for a CRITIS Energy Provider

Background

A CRITIS-regulated energy provider with approximately 600 employees commissioned an independent penetration test to verify the security of its Azure and Entra ID environment. The infrastructure comprised multiple Azure Landing Zones, a role and permission concept in Entra ID, and Azure RBAC (role-based access control). As a critical infrastructure operator, the company is subject to heightened IT security requirements and needed a reliable assessment of how resilient its cloud environment actually was.

Measures

Wenske Cyber Solutions was commissioned to conduct a white-box penetration test. In the preparation phase we defined the test scope together with the client, reviewed the architecture and permission concepts, and specified the components to be tested. In the white-box approach our testers received documented access and architecture information, so that vulnerabilities an attacker with insider knowledge could exploit can be identified in a targeted way. We examined the role and permission structures in Entra ID and Azure RBAC, analysed potential privilege escalation scenarios (e.g. role assignments or custom roles that let a principal grant itself or others further rights), and assessed the isolation and security of the Landing Zones. Starting from regular user and service accounts, we simulated realistic attack scenarios and reviewed security-relevant configurations and policies.
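One concrete check from this kind of Azure RBAC review, shown here as an added example that is not tooling from the case study or from Wenske Cyber Solutions: given exports in the shape of `az role definition list -o json` and `az role assignment list --all --include-inherited -o json`, list every assignment whose role effectively grants an action that changes role assignments or definitions, widest scope first. The role definitions below are a constructed sample modelled on the built-in Owner, Contributor, Reader and User Access Administrator roles (notActions trimmed); the custom role "Landing Zone Operator", the principals and the scope identifiers are hypothetical.

```python
"""Flag Azure RBAC assignments whose holder can widen permissions.

Added example, not tooling from the case study. It takes the output shapes of
`az role definition list -o json` and `az role assignment list --all -o json`
(constructed samples below) and reports every assignment whose role
effectively grants an action that changes role assignments or definitions.
"""
import json
from fnmatch import fnmatchcase

# Control-plane actions that let the holder change who holds which role.
# Holding one of these at a scope is a privilege-escalation primitive.
ESCALATION_ACTIONS = (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
)

# Constructed sample modelled on the built-in roles (notActions trimmed) plus a
# hypothetical custom role. Real input: `az role definition list -o json`.
ROLE_DEFINITIONS = json.loads("""[
 {"roleName": "Owner",
  "permissions": [{"actions": ["*"], "notActions": []}]},
 {"roleName": "Contributor",
  "permissions": [{"actions": ["*"],
                   "notActions": ["Microsoft.Authorization/*/Delete",
                                  "Microsoft.Authorization/*/Write",
                                  "Microsoft.Authorization/elevateAccess/Action"]}]},
 {"roleName": "Reader",
  "permissions": [{"actions": ["*/read"], "notActions": []}]},
 {"roleName": "User Access Administrator",
  "permissions": [{"actions": ["*/read", "Microsoft.Authorization/*"],
                   "notActions": []}]},
 {"roleName": "Landing Zone Operator",
  "permissions": [{"actions": ["Microsoft.Resources/*",
                               "Microsoft.Authorization/roleAssignments/write"],
                   "notActions": []}]}
]""")

# Constructed sample with hypothetical principals and scopes.
# Real input: `az role assignment list --all --include-inherited -o json`.
ASSIGNMENTS = json.loads("""[
 {"principalName": "alice@example.com", "principalType": "User",
  "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-1"},
 {"principalName": "sp-deploy-pipeline", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Owner",
  "scope": "/subscriptions/sub-1/resourceGroups/rg-app"},
 {"principalName": "bob@example.com", "principalType": "User",
  "roleDefinitionName": "Landing Zone Operator", "scope": "/subscriptions/sub-1"},
 {"principalName": "platform-readers", "principalType": "Group",
  "roleDefinitionName": "Reader",
  "scope": "/providers/Microsoft.Management/managementGroups/mg-root"},
 {"principalName": "carol@example.com", "principalType": "User",
  "roleDefinitionName": "User Access Administrator", "scope": "/subscriptions/sub-2"}
]""")

# Ordering used to report the widest scopes first.
SCOPE_RANK = {"managementGroup": 0, "subscription": 1,
              "resourceGroup": 2, "resource": 3, "other": 4}


def _matches(action, patterns):
    # Azure action strings are case-insensitive and '*' matches across '/'.
    a = action.lower()
    return any(fnmatchcase(a, p.lower()) for p in patterns)


def role_grants(role, action):
    """True if the role effectively grants `action`: allowed by an Actions
    pattern and not taken away again by a NotActions pattern."""
    return any(_matches(action, p.get("actions", []))
               and not _matches(action, p.get("notActions", []))
               for p in role["permissions"])


def scope_kind(scope):
    s = scope.lower()
    if "/providers/microsoft.management/managementgroups/" in s:
        return "managementGroup"
    if "/resourcegroups/" in s:
        # /subscriptions/<id>/resourceGroups/<rg> has exactly four slashes
        return "resourceGroup" if s.count("/") == 4 else "resource"
    if s.startswith("/subscriptions/"):
        return "subscription"
    return "other"


def find_escalation_paths(assignments, role_definitions):
    """Return assignments whose role grants an ESCALATION_ACTION, widest scope first."""
    roles = {r["roleName"].lower(): r for r in role_definitions}
    findings = []
    for a in assignments:
        role = roles.get(a["roleDefinitionName"].lower())
        if role is None:
            raise ValueError(f"no definition for role {a['roleDefinitionName']!r}")
        via = [act for act in ESCALATION_ACTIONS if role_grants(role, act)]
        if via:
            findings.append({"principal": a["principalName"],
                             "principalType": a["principalType"],
                             "role": a["roleDefinitionName"],
                             "scope": a["scope"],
                             "scopeKind": scope_kind(a["scope"]),
                             "via": via})
    findings.sort(key=lambda f: SCOPE_RANK[f["scopeKind"]])
    return findings


if __name__ == "__main__":
    for f in find_escalation_paths(ASSIGNMENTS, ROLE_DEFINITIONS):
        print(f"{f['scopeKind']:<15} {f['principalType']:<17} {f['principal']:<20} "
              f"{f['role']} at {f['scope']} via {', '.join(f['via'])}")
```

On the constructed data the Contributor assignment is correctly not flagged, because its `*` is narrowed again by `Microsoft.Authorization/*/Write` in NotActions, while the custom role, the User Access Administrator assignment and the service principal that owns a resource group are. The check covers Azure RBAC only; Entra ID directory roles, ownership of applications and service principals, and the Global Administrator elevate-access path need a separate review.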

Results

The penetration test uncovered several vulnerabilities, including privilege escalation paths that, under certain conditions, would have allowed escalation from a regular user account to higher permission levels. All findings were documented with an assessment of exploitability and risk and compiled into a structured final report with a management summary. The prioritised recommendations enabled the client to address the most critical vulnerabilities first. The results were presented in a closing meeting and form the basis for further hardening of the cloud environment.
