Dirk-jan

@_dirkjan

Followers: 29K · Following: 4K · Media: 174 · Statuses: 2K

Hacker at @OutsiderSec. Researches AD and Azure (AD) security. Likes to play around with Python and write tools that make work easier.

Joined December 2017
@_dirkjan
Dirk-jan
3 months
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog:
dirkjanm.io
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise...
@_dirkjan
Dirk-jan
11 days
I hope @MGrafnetter kept his FOCI card though 😅.
@_dirkjan
Dirk-jan
11 days
It appears this was inaccurate; the client still exists, but Microsoft just disabled the service principal for no apparent reason in my tenant. Along with an Intune one and a few others, which broke things that still work fine in other tenants. No clue why they'd do this 🤔.
@_dirkjan
Dirk-jan
2 months
Seems Microsoft is doing some app and permission cleanups and tenant restrictions lately. RIP Microsoft Planner FOCI client.
@fabian_bader
Fabian Bader
12 days
I finally came around and documented all the Conditional Access bypasses in a single blog post. It contains not only the documented bypasses, but also the results of new research. #Entra #ConditionalAccess #Security #Cheese https://t.co/YWBfY0NhHl
cloudbrothers.info
In Microsoft Entra, Conditional Access is, after the Authentication itself, the most crucial part of defense against attackers. It’s referenced as “zero trust policy engine” and the idea behind is,...
@_dirkjan
Dirk-jan
12 days
Really great blog, very well explained 😀 Releasing actual data on how common certain attacks are in the wild is super useful! And even detections for the blue side. Worth reading if you haven't yet.
@sapirxfed
sapir federovsky
16 days
My gift for Thanksgiving 💜 I wrote for you the blog post I always wanted to read! Happy holiday!🦃 PLEASE READ IT!!! https://t.co/Pr3P3jOh8s
@fabian_bader
Fabian Bader
16 days
@_dirkjan and my joint talk at #TROOPERS25 is now available on YouTube. "Finding Entra ID CA Bypasses - the structured way" @WEareTROOPERS https://t.co/fAQ0aCreKj
@1ns0mn1h4ck
Insomni'hack
22 days
📢 CFP Closing Soon! Only one week left to submit your talk proposal for Insomni’hack 2026 (Thursday & Friday sessions)! 🎙️ Want to speak or share a case study? 🚀 Don’t miss your chance! 🔗 Submit: https://t.co/lSpoIHVifc #INSO26 #CFP #Cybersecurity #Infosec #TechTalks
@SkelSec
SkelSec
24 days
Ohh, I missed this. It was an ... experience dealing with MSRC, I won't do this ever again. https://t.co/7NbOIT8Snx
@olafhartong
Olaf Hartong
26 days
The @ThinkstCanary ThinkstScapes Q3 report is out. A great quarterly overview of interesting research shared in the security community. It made my day to see my ETW research highlighted in this edition. https://t.co/vtruyuPrYc
thinkst.com
Keeping up with security research is near impossible. ThinkstScapes helps with this. We scour through thousands of blog posts, tweets and conference proceedings to give you an overview of the work we...
@fabian_bader
Fabian Bader
1 month
@UK_Daniel_Card @Cloudflare Shameless adoption of the original sticker by @sannemaasakkers and @_dirkjan
@JimSycurity
Jim Sykora
1 month
AdminSDHolder is kinda my jam. I wrote the e-book on it. If you work with Active Directory, I highly recommend you give this a skim, or at least check the spoilers in the blog.
@SpecterOps
SpecterOps
1 month
AdminSDHolder: the AD security feature everyone thinks they understand but probably don't. 😬 @JimSycurity went to the source code to debunk decades of misconceptions — including ones in Microsoft's own docs. Read more ⤵️ https://t.co/Vo9XksEfmn
@merill
Merill Fernando
1 month
🎙️ @_sigil has done some amazing research on Entra recently. Here's a recent post she shared about the unique relationship between App Registrations and Service Principals. Here's the full blog post on her app research titled I SPy: Escalating to Entra ID's Global Admin with a
@_dirkjan
Dirk-jan
1 month
It appears the end is near(er) for the Azure AD Graph API with usage of the API now being blocked in one of my tenants with the AAD PowerShell module client ID. Found this out when trying to demo roadrecon 😬. Time to prioritize merging the MS Graph PR from @Thomasbyrne__
@1ns0mn1h4ck
Insomni'hack
2 months
Time is running out! Submit your workshop proposal by October 31st and join our Swiss cyber community. Ready to contribute? Find details & submit here: https://t.co/hPpJq7jHK5 #Insomnihack #CFP #Cybersecurity #Infosec #INSO2026
@merill
Merill Fernando
2 months
@_dirkjan found one of the most severe vulnerabilities ever discovered in Microsoft Entra ID. One that could have compromised every tenant in the cloud. In this episode, we unpack the story, the stress, and the mindset behind responsible disclosure. 🔥 We dive deep into his
@thezdi
Trend Zero Day Initiative
2 months
📢 Confirmed! The @compasssecurity team combined an arbitrary file write and cleartext transmission of sensitive data to exploit the @home_assistant Green. The unique bugs in their third round win earns them $20,000 and 4 Master of Pwn points. #Pwn2Own
@merill
Merill Fernando
2 months
Just wrapped up recording this week's https://t.co/v0cFtrPykt podcast with the LEGENDARY Dirk-jan Mollema!! Can't wait to share Dirk-jan's story on how he uncovered one of the biggest security findings of the year. Subscribe to the podcast and be the first to listen.
@Icemoonhsv
Hope Walker
2 months
Check out my new blog post diving deeper into BroCI.
@SpecterOps
SpecterOps
2 months
Microsoft introduced nested application auth (NAA) in 2024. Researchers spotted FOCI similarities & dubbed it brokered client IDs (BroCI). @Icemoonhsv documents NAA flows and BroCI—filling a gap for research on Microsoft identity protocols.
@merill
Merill Fernando
2 months
👋 Folks, next week I'm recording an Entra Chat podcast with the one and only @_dirkjan 🤩 What do you want me to ask him? Post your question below, hit like on the questions so I know which ones are popular. 👍