Unpacking Authentication Between Entra ID Joined Workstations

In enterprise environments, increasingly built on Microsoft Entra ID (formerly Azure Active Directory), assumptions from traditional domain-joined networks no longer hold in many cases. During a recent engagement, I encountered an unexpected twist: Entra ID joined machines on the same LAN were able to authenticate with each other — but not using NTLM or Kerberos in any familiar form.

Worse, my usual tools (like CrackMapExec, NXC, and Responder) broke down entirely when targeting these machines, and all authentications had to be performed natively from a Windows machine. This blog post aims to dissect why this happened.

⚠️ Note:  Microsoft Entra ID used to be known as Azure AD. It can be confusing because authentication still refers to users as AzureAD\user, and much of the Microsoft documentation around this topic still calls it Azure AD. Just know that anywhere you see Microsoft Entra ID, you can think Azure AD, and vice versa. 

This post walks through the authentication quirks I observed between two Entra ID joined Windows 10 machines. Specifically, this article answers:

• What auth protocol is actually in use?
• Why do traditional tools fail?
• Can you relay or capture hashes?
• Do PINs behave differently than passwords?
• Can you dump creds remotely?
• Can you use Nessus for a remote, authenticated scan?

• Entra ID Users are not stored in the software asset management (SAM). Therefore, Net-NTLMv2 authentication breaks.
• NTLM and Kerberos do not function as expected — even NTLM relay does not work.
• Authentication over Server Message Block (SMB) prefers PKU2U certificates after going through the process of SPNEGO → NEGOEX → PKU2U. NTLM authentication is not possible for accounts that are only joined via Entra ID.
• Linux tools like smbclient or impacket tools fail because they cannot participate in this flow (they do not have a PKU2U certificate option).
• Passwords entered by Entra ID users during poisoning attacks may still trigger Net-NTLMv2 handshakes, but not if the user signs in via PIN (Windows Hello), because then it is attempting authentication via PKU2U. So they are useful to crack but not to relay.
• Relaying Entra ID creds does not work across Entra ID joined machines even if you get a NetNLTMv2 handshake because of the aforementioned NTLM failing.

To reproduce the behavior:

• Domain: Custom Entra ID tenant.
• Devices: Two Windows 10 machines, both Entra ID joined using the same Entra ID account and tenant.
• Networking (SMB sharing is enabled on both):
  • Windows 10 (Commando): 192.168.2.3
  • Windows 10 (Clean, vanilla): 192.168.2.1
  • Kali Linux: 192.168.2.4

⚠️ Note: PIN login was enforced by default via Windows Hello for Business (WHfB).

I expected NTLM or Kerberos over SMB, but authentication failed when using the Entra ID account from anything but another Windows box.

The three tests that were conducted to force Net-NTLMv2 handshakes are below.

There are two scenarios to consider when we talk about dumping credentials:

1. Dumping credentials from a workstation with an Entra ID account
2. Dumping credentials from a workstation to acquire Entra ID account credentials.

In the first scenario, you will need to use a tool that is able to authenticate with a PKU2U certificate. So realistically, you are limited to something that you can get a session on the machine with, like Mimikatz or a beacon running in the context of a user. For the same reason that none of the other Linux tools work, secretsdump and similar tools will not work.

In the second scenario, as obvious as it may sound, you will need to use a tool that is looking in the right place. Secretsdump, lsassy and things that rely on those tools under the hood are not going to pull any credential material for you because the accounts that are being used by Azure are not stored in the SAM like a cached credential. And, they are not stored in LSASS like other interactive logon credential material. Mimikatz can dump a Primary Refresh Token (PRT) locally.

Because they speak the same auth dialect. When a Windows box logs in using an Entra ID account, and you try dir \\otherhost\admin$, it works (assuming your account has admin access to that machine, and 445 is open) — but under the hood, it is not NTLM or Kerberos.

It is likely:

• SPNEGO starts the negotiation.
• NEGOEX is selected.
• PKU2U (certificate-based) is used for actual auth.

But here is the problem: tools like Responder, impacket and any other NTLM or Kerberos based tooling do not understand how to continue this flow. Windows can complete it. Linux cannot.

There are a few reasons.

1.  Entra ID joined machines do not enable NTLM for Entra ID accounts by default.
When a machine is Entra ID joined (and not hybrid or domain-joined), Entra ID accounts are not mapped to local NTLM SIDs the way traditional domain accounts are. NTLM needs a mapping from a username to a password hash in the local SAM or via domain trust. Entra ID does not do that — instead, it issues a PRT and uses WHfB or cert-based auth (PKU2U/NEGOEX). Even if the account appears as a local admin in net localgroup administrators, it is just a token representation tied to the device trust, not a credential that is usable via NTLM.

2. NTLM does not know who you are.
Net-NTLMv2 needs to have a local or domain NT hash to validate against in order for it to work. Net-NTLMv2 requires certain things:

• A challenge from the server
• A valid NT hash to compute a response
• The receiving host to understand the domain or user context
  
  

3. GPO or registry settings may prevent NTLM entirely.
Entra ID joined machines may ship with the following reg/GPO hardening by default or via Intune:

• Restrict NTLM. Deny incoming NTLM traffic.
• Allow PKU2U auth only for online identities.
• Local Security Policy → Network Security: Restrict NTLM. Deny all accounts.

When you attempt Net-NTLMv2 authentication with an Entra ID account against an Entra ID joined workstation, it will fail. Even if the creds were technically correct, the SID is not locally resolvable. This leads to specific event logs using a correct “AzureAD\” username/password combo.

You will see: “Unknown user or bad password,” indicating that the workstation cannot successfully validate the credential material you gave it against known credential material. This is what the event of the failed logon looks like in the Windows Event Viewer (Event ID 4625 is a failed logon).

Notice in Error! Reference source not found. how the TargetUserSid field is a default “S-1-0-0.” Normally, during NTLM authentication, the credentials being presented will get mapped to a user SID on the server (receiving) side. During Entra ID workstation authentication, the SID is required to be sent over with the authentication process. This is one of the things that is very likely breaking the standard NTLM authentication process.

Figure 6. Failed login attempting an Entra ID account with NTLM.

When comparing that to a successful logon (EventID 4624) with the exact same user, the only difference is that the “TargetUserSid” is identified, and the user has a successful login (Error! Reference source not found.).

Figure 7. Successful login with an Entra ID account to another Entra ID joined workstation.

Entra ID fundamentally changes some assumptions red teamers and blue teamers have relied on for decades. The presence of WHfB, PKU2U and NEGOEX makes lateral movement and credential relaying trickier — and breaks a lot of tools. But when approached differently, this can also offer unique attack vectors to pivot to cloud environments.

1. PINs stop credential material from getting transmitted to Responder. You must coerce password-based auth to get NetNTLMv2 handshakes.
2. Relaying Entra ID accounts is extremely limited in scope, if it works at all.
3. Credential dumping of Azure credentials needs to be approached differently but can offer substantial pivoting capability.
4. Credential dumping with Entra ID account credentials must be done in the context of that user, likely from their workstation or in the context of the user.
5. Relying on Kali Linux or remote Linux tools in an environment like this is going to hamstring you.

• https://github.com/fortra/impacket/issues/1376
• https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597
• https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-negoex/0ad7a003-ab56-4839-a204-b555ca6759a2
• https://aadinternals.com/talks/NVS%202021.pdf
• https://blog.xpnsec.com/azuread-connect-for-redteam
• https://syfuhs.net/how-windows-single-sign-on-works
• https://access.redhat.com/solutions/1157393
• https://learn.microsoft.com/en-us/answers/questions/747817/azure-ad-joined-device-requires-an-internet-connec
• https://www.xintra.org/blog/tokens-in-entra-id-guide
• https://community.sap.com/t5/technology-blogs-by-sap/sap-single-sign-on-authenticate-with-kerberos-spnego/bc-p/13321548/highlight/true
• https://github.com/morRubin
• https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities
• https://specterops.io/blog/2025/04/07/an-operators-guide-to-device-joined-hosts-and-the-prt-cookie/
• https://github.com/wotwot563/aad_prt_bof/pull/3