BEGIN:VCALENDAR VERSION:2.0 PRODID:-//pretalx//cfp.troopers.de//tr26-cfp//talk//8CBZWS BEGIN:VTIMEZONE TZID:CET BEGIN:STANDARD DTSTART:20001029T040000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10 TZNAME:CET TZOFFSETFROM:+0200 TZOFFSETTO:+0100 END:STANDARD BEGIN:DAYLIGHT DTSTART:20000326T030000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3 TZNAME:CEST TZOFFSETFROM:+0100 TZOFFSETTO:+0200 END:DAYLIGHT END:VTIMEZONE BEGIN:VEVENT UID:pretalx-tr26-cfp-8CBZWS@cfp.troopers.de DTSTART;TZID=CET:20260624T120000 DTEND;TZID=CET:20260624T130000 DESCRIPTION:Microsoft Intune and Entra ID have become the default stack for cloud-managed Privileged Access Workstations (PAWs) - and with them\, org anizations assume they can achieve a strong and clear tier separation with in a single tenant.\n\nThis session dissects the real-world failures and m istakes of tiered administration in cloud-managed PAW environments. We map concrete attack paths that breach tier boundaries: Intune RBAC scope misc onfigurations that grant cross-tier device access\, Entra ID role assignme nts with implicit permissions that span administrative tiers\, and platfor m-level limitations that (currently) no configuration can fully compensate for.\n\nBeyond exposing the gaps\, we present tooling and methods to enum erate these attack paths within your own tenant - identifying tier boundar y violations and quantifying blast radius before an attacker does. We then compare architectural mitigations\, including the dedicated administratio n tenant ("Red Tenant") model\, against the single-tenant default most org anizations live with.\n\nAttendees leave with a clear model of where the t ier boundary actually sits in a cloud-managed PAW deployment\, specific de tection and assessment techniques\, and a realistic view of the architectu ral trade-offs involved. DTSTAMP:20260510T030649Z LOCATION:Track 2 SUMMARY:Tier Breakers: Blind Spots in Cloud-Managed PAWs - Thomas Naunheim\ , Martin Sohn Christensen URL:https://cfp.troopers.de/tr26-cfp/talk/8CBZWS/ END:VEVENT END:VCALENDAR