Entra.Chat

Hacking Entra ID: Bypassing AppLocks & Creating ‘Immortal’ Users


In this episode, I sit down with security researcher Katie Knowles to unpack the hidden layers of identity systems inside Microsoft Entra. We get into real-world attack paths like backdooring service principals, restricted administrative units that can accidentally create unstoppable accounts, and OAuth phishing in Copilot Studio.

Katie also shares how she approaches deep technical research, what defenders often overlook, and why identity security is only becoming more complex. This is one of those conversations where you walk away thinking differently.

Subscribe with your favorite podcast player or watch on YouTube 👇

About Katie Knowles

Katie Knowles is a Senior Security Researcher at Datadog specializing in Microsoft Azure and Entra ID security. She has extensive experience across security engineering, penetration testing, and incident response. Katie is known for her thorough research that connects complex technical vulnerabilities to practical defensive guidance, publishing regularly on Datadog Security Labs and speaking at major security conferences.

LinkedIn - https://www.linkedin.com/in/kaknowles/

🔗 Related Links

* Katie’s Datadog security posts - https://securitylabs.datadoghq.com/articles/?author=Katie_Knowles

* Katie’s personal blog - https://kknowl.es

* Katie’s conference talks - https://kknowl.es/external-content/

* Creating immutable users through a bug in Entra ID restricted administrative units - https://securitylabs.datadoghq.com/articles/creating-immutable-users-entra-id-administrative-units/

* I SPy: Escalating to Entra ID’s Global Admin with a first-party app - https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-global-admin/

* CoPhish: Using Microsoft Copilot Studio as a wrapper for OAuth phishing - https://securitylabs.datadoghq.com/articles/cophish-using-microsoft-copilot-studio-as-a-wrapper/

📗 Chapters

02:08 The Immortal User Bug in Restricted Admin Units

04:23 Attacker Impact: The Un-deletable Malicious Account

05:59 Hacking First-Party Apps & Bypassing AppLock

09:29 How She Found the AppLock Bypass

11:16 A Day in the Life of a Security Researcher

14:20 Phishing with Copilot Studio & OAuth

17:00 Top Tips for App Governance & Security

21:45 The Hidden Risk of Azure Key Vault Access Policies

28:55 App Registrations vs. Service Principals Explained

41:48 The Future: Agent IDs & The New Trust Model

Podcast Apps

🎙️ Entra.Chat - https://entra.chat

🎧 Apple Podcast → https://entra.chat/apple

📺 YouTube → https://entra.chat/youtube

📺 Spotify → https://entra.chat/spotify

🎧 Overcast → https://entra.chat/overcast

🎧 Pocketcast → https://entra.chat/pocketcast

🎧 Others → https://entra.chat/rss

Merill’s socials

📺 YouTube → youtube.com/@merillx

👔 LinkedIn → linkedin.com/in/merill

🐤 Twitter → twitter.com/merill

🕺 TikTok → tiktok.com/@merillf

🦋 Bluesky → bsky.app/profile/merill.net

🐘 Mastodon → infosec.exchange/@merill

🧵 Threads → threads.net/@merillf

🤖 GitHub → github.com/merill




Entra.Chat by Merill Fernando
