Thomas Naunheim
Thomas Naunheim is a Cyber Security Architect at glueckkanja AG and a Microsoft MVP from Koblenz, Germany, specializing in cloud-native identity and security solutions in Microsoft Azure and Microsoft Entra. With a deep focus on privileged identity management, identity security, and Zero Trust architecture, he designs and implements security solutions for real-world enterprise environments.
Thomas actively gives back to the community as a blogger at cloud-architekt.net, where he publishes in-depth research and practical insights on Microsoft Security. He is a speaker at international conferences and meetups, co-author of the open-source Entra ID Attack & Defense Playbook, and the creator of EntraOps - a community tool for privilege classification based on the Enterprise Access Model.
Beyond content creation, Thomas co-hosts the podcast Cloud Inspires and is actively involved in community organization as a member of the Azure Meetup Bonn and Cloud Identity Summit organizing teams. His long-standing contributions across blogging, speaking, and open-source development earned him the Microsoft MVP award in the Identity & Access and Cloud Security category.
Session
Microsoft Intune and Entra ID have become the default stack for cloud-managed Privileged Access Workstations (PAWs) - and with them, organizations assume they can achieve a strong and clear tier separation within a single tenant.
This session dissects the real-world failures and mistakes of tiered administration in cloud-managed PAW environments. We map concrete attack paths that breach tier boundaries: Intune RBAC scope misconfigurations that grant cross-tier device access, Entra ID role assignments with implicit permissions that span administrative tiers, and platform-level limitations that (currently) no configuration can fully compensate for.
Beyond exposing the gaps, we present tooling and methods to enumerate these attack paths within your own tenant - identifying tier boundary violations and quantifying blast radius before an attacker does. We then compare architectural mitigations, including the dedicated administration tenant ("Red Tenant") model, against the single-tenant default most organizations live with.
Attendees leave with a clear model of where the tier boundary actually sits in a cloud-managed PAW deployment, specific detection and assessment techniques, and a realistic view of the architectural trade-offs involved.