⚠ Authorised security testing only — always obtain written permission

Microsoft 365
External Pentest Playbook

A step-by-step offensive security guide for defenders. Walk through every phase of the M365 attack chain to understand, test, and harden your tenant against real-world threats.

Attack Chain Phases

How to Use This Guide

  1. Scope & authorise — Get written permission, define rules of engagement, and set up safe testing infrastructure.
  2. Follow the phases — Work through each phase sequentially. Use the interactive checklists to track progress.
  3. Run the commands — Code blocks can be copied to clipboard. Adapt parameters for your target environment.
  4. Document findings — Note every successful technique for your report. Screenshot evidence at each stage.
  5. Map defences — Use the Defence Mapping page to translate findings into actionable hardening recommendations.

Prerequisites & Tooling

AADInternals AzureAD / Microsoft.Graph ROADtools TokenTactics MSOLSpray GraphRunner Trevorspray Evilginx nuclei MFASweep AzureHound TeamFiltration