In this episode, I sit down with security researcher Katie Knowles to unpack the hidden layers of identity systems inside Microsoft Entra. We get into real-world attack paths like backdooring service principals, restricted administrative units that can accidentally create unstoppable accounts, and OAuth phishing in Copilot Studio.
Katie also shares how she approaches deep technical research, what defenders often overlook, and why identity security is only becoming more complex. This is one of those conversations where you walk away thinking differently.
Subscribe with your favorite podcast player or watch on YouTube 👇
About Katie Knowles
Katie Knowles is a Senior Security Researcher at Datadog specializing in Microsoft Azure and Entra ID security. She has extensive experience across security engineering, penetration testing, and incident response. Katie is known for her thorough research that connects complex technical vulnerabilities to practical defensive guidance, publishing regularly on Datadog Security Labs and speaking at major security conferences.
LinkedIn - https://www.linkedin.com/in/kaknowles/
🔗 Related Links
Katie’s Datadog security posts - https://securitylabs.datadoghq.com/articles/?author=Katie_Knowles
Katie’s personal blog - https://kknowl.es
Katie’s conference talks - https://kknowl.es/external-content/
Creating immutable users through a bug in Entra ID restricted administrative units - https://securitylabs.datadoghq.com/articles/creating-immutable-users-entra-id-administrative-units/
I SPy: Escalating to Entra ID’s Global Admin with a first-party app - https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-global-admin/
CoPhish: Using Microsoft Copilot Studio as a wrapper for OAuth phishing - https://securitylabs.datadoghq.com/articles/cophish-using-microsoft-copilot-studio-as-a-wrapper/
📗 Chapters
02:08 The Immortal User Bug in Restricted Admin Units
04:23 Attacker Impact: The Un-deletable Malicious Account
05:59 Hacking First-Party Apps & Bypassing AppLock
09:29 How She Found the AppLock Bypass
11:16 A Day in the Life of a Security Researcher
14:20 Phishing with Copilot Studio & OAuth
17:00 Top Tips for App Governance & Security
21:45 The Hidden Risk of Azure Key Vault Access Policies
28:55 App Registrations vs. Service Principals Explained
41:48 The Future: Agent IDs & The New Trust Model
Podcast Apps
🎙️ Entra.Chat - https://entra.chat
🎧 Apple Podcast → https://entra.chat/apple
📺 YouTube → https://entra.chat/youtube
📺 Spotify → https://entra.chat/spotify
🎧 Overcast → https://entra.chat/overcast
🎧 Pocketcast → https://entra.chat/pocketcast
🎧 Others → https://entra.chat/rss
Merill’s socials
📺 YouTube → youtube.com/@merillx
👔 LinkedIn → linkedin.com/in/merill
🐤 Twitter → twitter.com/merill
🕺 TikTok → tiktok.com/@merillf
🦋 Bluesky → bsky.app/profile/merill.net
🐘 Mastodon → infosec.exchange/@merill
🧵 Threads → threads.net/@merillf
🤖 GitHub → github.com/merill