Microsoft Reactor

The Conditional Access Policy (CAP) in Microsoft Entra ID is one of the most powerful enforcement layers in the identity protection stack.
It’s powerful, but imperfect—creating a playground for red teams.

This meetup will bridge the attacker mindset and defender best practices in a practical, real-world format. From offensive simulations to defensive hardening, we’ll uncover what’s happening behind the policies.

In a nutshell - Attacking & Defending Entra ID Conditional Access.

Why Attend?

This isn’t a typical 101 meetup. It’s a live and technical demo focused on how attackers think and how defenders can evolve. Whether you build or break policies, you’ll leave with new insights and practical takeaways.

The meetup will be part of the new cooperation with Workplace Ninja.

AGENDA

17:15 > Pizzas and Beers - Break the ice
18:00 > Entra ID CAP - Defender Mode by Ofir Gavish
18:45 > Entra ID CAP - Attacker Mode by Elli Shlomo
19:30 > Detection and Hunting with Kusto by Ofir and Elli
20:00 > Closing

What You’ll Learn

How attackers bypass Conditional Access using real-world techniques like Device Code Flow and Access token.
How to detect and respond to suspicious sign-ins and CA policy gaps.
Best practices for designing resilient and adaptive Conditional Access policies.
Red team demos + blue team playbooks = full-spectrum identity defense.
Audience: Red Teamers, Blue Teamers, SOC Analysts, Cloud Security Engineers, Identity Architects, and everyone who wants to improve IAM security - especially in Entra ID CAP.

Speakers

Elli Shlomo – Microsoft Security MVP, Head of Security Research | Guardz
Ofir Gavish - Microsoft Intune MVP | Cloud Infrastructure Team Lead | Essence Group
NOTES

Content Level - 300-400
​The event is physical at the Microsoft Reactor TLV
​​The event will not be streamed or recorded