EntraGoat: Deliberately Vulnerable Microsoft Entra ID Lab for Privilege Escalation Training

by ddos · December 1, 2025

EntraGoat is a deliberately vulnerable Microsoft Entra ID infrastructure designed to simulate real-world identity security misconfigurations and attack vectors. EntraGoat introduces intentional vulnerabilities in your environment to provide a realistic learning platform for security professionals. It features multiple privilege escalation paths and focuses on black-box attack methodologies.

EntraGoat uses PowerShell scripts and Microsoft Graph APIs to deploy vulnerable configurations in your Entra ID tenant. This gives users complete control over the learning environment while maintaining isolation from production systems.

How does EntraGoat work?

EntraGoat is part CTF, part learning lab. Each challenge includes:

A unique attack scenario with hidden flags
Setup and cleanup PowerShell scripts (no leftovers in your tenant)
Step-by-step hints (or alternatively, go blind and earn the goat)
Optional walkthroughs (if you’re stuck or want some hints)
Blog post that covers the theoretical background (see the links below)

The interactive web interface lets you track your progress, review challenge details, and submit flags—all hosted locally via React. Under the hood, each challenge is powered by PowerShell and Microsoft Graph.

Challenge Structure

Each scenario includes:

Setup Script – Deploys vulnerable configuration
Cleanup Script – Removes all created objects
Solution Walkthrough – Step-by-step attack demonstration
Capture the Flag – Hidden flags to discover

Pricing

EntraGoat scenarios run entirely within your existing Entra ID tenant and do not incur additional Microsoft licensing costs. The vulnerabilities are created through configuration changes only.

Note: Use a dedicated test tenant to avoid impacting production environments.