AuthSuite
Conditional Access Pen Testing Toolkit
Simulate every signal. Test every policy. Trust nothing.
Purpose-built for purple teams who need to validate what happens when identity, authentication, network, and device controls are pushed to their limits.
Built by researchers with a proven track record of finding critical flaws in Microsoft Entra ID — including MFA bypass and device compliance bypass vulnerabilities.
Your local Conditional Access pen testing toolkit.
Device Registration
Session: 4a2e8f91-bc47-4d3a-9e12-7f6c8d5a0b34
Your Conditional Access policies are untested.
You've spent months building layered Conditional Access policies. But have you actually tested what happens when an attacker simulates a compliant device? Registers their own MFA? Spoofs a trusted network? Most organisations can't answer that.
Blind Trust in Policy Logic
Policies are configured based on documentation, not adversarial testing. Edge cases are invisible until exploited.
No Visibility Into Gaps
External dependencies like Intune compliance, VPN detection, and PRT validation create hidden attack surfaces you can't see in the portal.
Manual Testing Doesn't Scale
Manually testing every combination of identity, device, network, and auth method is impossible. You need automation.
Four pillars of total simulation.
AuthSuite simulates the four signal categories that Conditional Access evaluates, giving purple teams full control over every variable in the authentication decision.
Identity Simulation
Become anyone.
Simulate any user or service principal in your tenant. Test how policies respond to different identity types, roles, and group memberships without compromising real credentials.
Authentication Simulation
Bypass every factor.
Simulate the full spectrum of authentication methods, from passkeys and FIDO2 to Microsoft Authenticator push, OTP, and mobile app protections. Auto-register MFA factors programmatically.
Network Simulation
Spoof any location.
Simulate VPN connections and trusted network locations. Test whether your Named Locations and network-based CA policies actually enforce what you think they do.
Device Simulation
Trust nothing.
Simulate mobile and desktop devices with full Intune MDM enrolment, PRT v3/v4 token acquisition, and device compliance. Register real devices programmatically and achieve compliance state.
Intelligent session & request management.
AuthSuite doesn't just simulate signals; it manages the full lifecycle. From active Intune device registration to automated MFA factor enrolment, every request is tracked, every token is managed, and every session is persistent.
Active Device Registration
Register devices to Intune MDM programmatically and achieve compliance state in real-time.
Automated MFA Enrolment
Register for MFA factors automatically, with no manual intervention required.
Persistent Session Store
All tokens, sessions, and state are stored in a local database for full auditability.
Token Lifecycle Management
Automatic token refresh, expiry tracking, and re-authentication when needed.
┌─────────────────────────────────────┐
│ SESSION MANAGER                     │
├─────────────────────────────────────┤
│ Active Sessions: 3                  │
│ Tokens Managed: 12                  │
│ Devices Enrolled: 2                 │
│ MFA Factors: 4                      │
│ Compliance Status: ACHIEVED         │
└─────────────────────────────────────┘
---
labs@m42:~$ authsuite enrol --device "WIN-PENTEST01" --mdm intune
[*] Initiating MDM enrolment...
[✓] Device registered: WIN-PENTEST01
[✓] Compliance policies evaluated: 6/6 pass
[✓] PRT v4 acquired -token cached
labs@m42:~$
Playbooks: end-to-end attack chains.
Define repeatable, automated attack sequences that chain together device enrolment, authentication, policy testing, and exploitation, all in a single YAML playbook.
Register Device
Enrol a simulated device into Intune MDM, configure compliance policies, and acquire a PRT.
Authenticate
Register MFA factors, simulate auth methods, and obtain access tokens with the desired claims.
Validate Policy
Test which CA policies grant or block access across every combination of signals.
Exploit & Report
Execute post-exploitation actions, enumerate accessible resources, and generate findings.
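The "Validate Policy" phase above, and the "Manual Testing Doesn't Scale" point earlier on the page, both come down to the same job: walk every combination of identity, auth method, network and device signals against the policy set and see which ones get through. The Python below is an added illustration of that idea, not AuthSuite code and not Microsoft's own evaluation logic. It models four constructed signals (group, auth, network, device), three hypothetical policies, and a simplified grant/block rule, then lists the combinations that are granted on a password alone. The names `Policy`, `Decision`, `evaluate`, `coverage_matrix`, `find_gaps`, `BASELINE` and `REQUIRE_MFA_ALL` are assumptions for this example.

```python
"""Toy Conditional Access policy evaluator for walking the signal matrix.

Added illustration, not AuthSuite code: it models four CA signals, a few
hypothetical policies, and enough grant/block logic to show which signal
combinations are granted without MFA ever being enforced.
"""
from dataclasses import dataclass
from itertools import product

# Constructed signal space. Keys are the signal categories Conditional
# Access evaluates; the lists are the values the matrix walks.
SIGNALS = {
    "group": ["all_users", "admins"],
    "auth": ["password", "mfa"],
    "network": ["trusted", "untrusted"],
    "device": ["compliant", "unmanaged"],
}

# Which signal value satisfies which grant control (hypothetical mapping).
SATISFIES = {
    "mfa": ("auth", "mfa"),
    "compliant_device": ("device", "compliant"),
}


@dataclass(frozen=True)
class Policy:
    name: str
    conditions: dict        # signal -> values in scope; absent signal = any
    grant: frozenset        # {"block"} or the controls a request must meet

    def applies(self, signals: dict) -> bool:
        return all(signals[k] in v for k, v in self.conditions.items())


@dataclass(frozen=True)
class Decision:
    outcome: str            # "block", "grant" or "deny"
    applied: tuple          # names of the policies that were in scope
    required: frozenset     # grant controls the in-scope policies demanded
    unmet: frozenset        # the demanded controls the request did not satisfy


def evaluate(policies, signals: dict) -> Decision:
    """Block wins over everything; otherwise every control required by every
    in-scope policy must be satisfied, or the request is denied."""
    in_scope = [p for p in policies if p.applies(signals)]
    applied = tuple(p.name for p in in_scope)
    if any("block" in p.grant for p in in_scope):
        return Decision("block", applied, frozenset({"block"}), frozenset())
    required = frozenset().union(*(p.grant for p in in_scope))
    unmet = frozenset(c for c in required
                      if signals[SATISFIES[c][0]] != SATISFIES[c][1])
    return Decision("deny" if unmet else "grant", applied, required, unmet)


def coverage_matrix(policies, signals=SIGNALS):
    """Every combination of signal values, paired with its decision."""
    keys = list(signals)
    rows = []
    for values in product(*(signals[k] for k in keys)):
        combo = dict(zip(keys, values))
        rows.append((combo, evaluate(policies, combo)))
    return rows


def find_gaps(policies, signals=SIGNALS):
    """Combinations granted with a password alone, i.e. no in-scope policy
    ever forced MFA. These are the edge cases to review first."""
    return [combo for combo, d in coverage_matrix(policies, signals)
            if d.outcome == "grant" and combo["auth"] == "password"]


# Hypothetical baseline: MFA only off-network, compliant device only for
# admins, admins blocked off-network. Constructed for this example.
BASELINE = [
    Policy("Require MFA outside trusted networks",
           {"network": {"untrusted"}}, frozenset({"mfa"})),
    Policy("Require compliant device for admins",
           {"group": {"admins"}}, frozenset({"compliant_device"})),
    Policy("Block admins outside trusted networks",
           {"group": {"admins"}, "network": {"untrusted"}}, frozenset({"block"})),
]

# Remediation candidate: MFA for everyone, regardless of network.
REQUIRE_MFA_ALL = Policy("Require MFA for all users", {}, frozenset({"mfa"}))


if __name__ == "__main__":
    for combo, decision in coverage_matrix(BASELINE):
        print(f"{combo} -> {decision.outcome:5} unmet={sorted(decision.unmet)}")
    print("\nGranted on password alone:")
    for combo in find_gaps(BASELINE):
        print("  ", combo)
    print("\nWith MFA-for-all added:", find_gaps(BASELINE + [REQUIRE_MFA_ALL]))
```

Run as-is it prints the 16-row matrix and the three trusted-network combinations that the baseline lets through on a password; appending `REQUIRE_MFA_ALL` empties that list, which is the kind of before/after evidence a purple team hands back to the policy owner. Block taking precedence over grant controls mirrors how a "block access" policy overrides any grant in Conditional Access; a real tenant has more signals (sign-in risk, client app, platform), so the matrix grows multiplicatively, which is exactly why this cannot be done by hand.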
name: "Full CA Policy Assessment"
version: 1.0
phases:
  - name: "device_registration"
    action: enrol_device
    mdm: intune
    compliance: true
  - name: "authenticate"
    action: acquire_token
    methods: [passkey, authenticator]
  - name: "exploit"
    action: post_exploit
    targets: [mail, teams, sharepoint]

See what an attacker sees. After the bypass.
Once AuthSuite achieves access, it demonstrates the real-world impact by interacting with Microsoft 365 services, proving the business risk of policy gaps to stakeholders who need to see it to believe it.
Email Access
Read, search, and send emails from compromised mailboxes. Full Graph API mailbox enumeration.
Full Mailbox
Teams Messages
Read and send messages across Teams channels and chats. Enumerate team memberships and files.
All Channels
SharePoint & OneDrive
Upload and download files from SharePoint sites and OneDrive. Enumerate site structures and permissions.
File Access
Resource Enumeration
Map accessible resources, permissions, and lateral movement paths from the compromised identity.
Full Scope
[Architecture diagram: AuthSuite, Playbooks, Local DB, Entra ID, Intune, Identity, VPN, MFA]
Portable. Self-contained. No cloud required.
AuthSuite runs entirely on your machine. All sessions, tokens, device registrations, and findings are stored in a local encrypted database. Take it anywhere: client sites, your home lab, or on the road. Nothing phones home.
Local Database
Encrypted SQLite store for all state
Playbook Engine
YAML-defined automation chains
Zero Dependencies
Single binary, no external services
Cross-Platform
Windows, macOS, and Linux support
Get early access.
AuthSuite is currently in closed beta with select purple teams and security consultancies. Join the waitlist to be notified when we open the next cohort.
Built by the researchers who found MFA & device compliance bypasses in Microsoft Entra ID.
54 52 55 53 54 5f 4e 4f 54 48 49 4e 47