Midnight Blizzard and others operationalise ROADtools for Entra ID abuse
From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18
Unit 42 documented systematic nation-state operationalisation of the open-source ROADtools Entra ID framework by Midnight Blizzard, Curious Serpens and UTA0355 for device registration, token theft and tenant enumeration (daily 2026-05-23). This is the most broadly relevant item in the section: every M365/Entra tenant is in scope, since ROADtools needs only a valid user token to register a rogue device, request further tokens and enumerate the directory. Hunt for unexpected device-registration events (in particular registrations that follow a sign-in from an IP the user has never used), anomalous service-principal token requests, and ROADtools-characteristic patterns such as first-party public clients acquiring tokens for the legacy Azure AD Graph; bear in mind that sign-in logs record the token issuance, not the bulk directory reads an enumeration run performs with it. Tighten conditional access by requiring MFA for the "Register or join devices" user action, and review and block remaining legacy-authentication exposure.
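The three hunts above, as an added offline example over exported Entra logs (this is illustrative code written for this brief, not Unit 42's, the brief's or the ROADtools project's). It assumes Microsoft Graph signIn / directoryAudit field names; the log records are constructed, the audit activity names and thresholds are assumptions to verify and tune per tenant, and the client-ID watchlist is a starting point to extend from your own telemetry.

```python
"""Hunt exported Entra ID logs for the ROADtools tradecraft the brief describes:
device registration after a stolen token, legacy-Graph enumeration, and
service-principal token bursts. Example code; field names follow the Microsoft
Graph signIn / directoryAudit resources and all sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

AAD_GRAPH_RESOURCE = "00000002-0000-0000-c000-000000000000"  # legacy Azure AD Graph
# Assumed watchlist: first-party public clients that ROADtools-style tooling can
# impersonate (Azure AD PowerShell is the classic one). Extend from your own data.
SUSPECT_CLIENT_IDS = {"1b730954-1685-4b74-9bfd-dac224a7b894"}
DEVICE_REG_ACTIVITIES = {"Register device", "Add device"}  # assumed audit activity names


def ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hunt_device_registrations(audits, signins, baseline_ips, window=timedelta(minutes=30)):
    """Flag a device registration preceded (within `window`) by a sign-in for the
    same user from an IP outside that user's baseline: authenticate, then register."""
    signins_by_user = defaultdict(list)
    for s in signins:
        signins_by_user[s["userPrincipalName"].lower()].append(s)
    hits = []
    for a in audits:
        if a["activityDisplayName"] not in DEVICE_REG_ACTIVITIES:
            continue
        upn = a["initiatedBy"]["user"]["userPrincipalName"].lower()
        when = ts(a["activityDateTime"])
        for s in signins_by_user.get(upn, []):
            delta = when - ts(s["createdDateTime"])
            if timedelta(0) <= delta <= window and s["ipAddress"] not in baseline_ips.get(upn, set()):
                hits.append({"user": upn, "device": a["targetResources"][0]["displayName"],
                             "ip": s["ipAddress"], "clientAppId": s["appId"]})
                break
    return hits


def hunt_legacy_graph_tokens(signins):
    """Users for whom a watch-listed public client obtained a token for the legacy
    Azure AD Graph. Sign-in logs show only this issuance, not the enumeration
    traffic that follows, so the token request is the hunt point."""
    return [s["userPrincipalName"].lower() for s in signins
            if s["appId"] in SUSPECT_CLIENT_IDS and s["resourceId"] == AAD_GRAPH_RESOURCE]


def hunt_sp_token_bursts(sp_signins, window=timedelta(minutes=5), threshold=5):
    """Service principals that requested `threshold` or more tokens inside `window`
    (sliding window over sorted timestamps)."""
    times = defaultdict(list)
    for s in sp_signins:
        times[s["servicePrincipalId"]].append(ts(s["createdDateTime"]))
    bursts = []
    for sp, stamps in times.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append(sp)
                break
    return bursts


# Constructed sample records (not real telemetry). Alice's sign-ins come from an
# unknown IP via the watch-listed client and precede a registration; Bob's are normal.
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-20T09:00:00Z",
     "ipAddress": "203.0.113.7", "appId": "1b730954-1685-4b74-9bfd-dac224a7b894",
     "resourceId": AAD_GRAPH_RESOURCE},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-20T09:05:00Z",
     "ipAddress": "203.0.113.7", "appId": "1b730954-1685-4b74-9bfd-dac224a7b894",
     "resourceId": "00000003-0000-0000-c000-000000000000"},  # Microsoft Graph
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-05-20T10:00:00Z",
     "ipAddress": "198.51.100.5", "appId": "d3590ed6-52b3-4102-aeff-aad2292ab01c",
     "resourceId": "00000003-0000-0000-c000-000000000000"},
]
AUDITS = [
    {"activityDisplayName": "Register device", "activityDateTime": "2026-05-20T09:07:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"displayName": "DESKTOP-ROAD1"}]},
    {"activityDisplayName": "Register device", "activityDateTime": "2026-05-20T10:01:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
     "targetResources": [{"displayName": "BOB-LAPTOP"}]},
]
BASELINE_IPS = {"alice@example.com": {"198.51.100.10"}, "bob@example.com": {"198.51.100.5"}}
# svc-automation requests six tokens in under a minute; svc-backup requests one.
SP_SIGNINS = [{"servicePrincipalId": "svc-automation",
               "createdDateTime": f"2026-05-20T11:00:{i:02d}Z"} for i in range(0, 60, 10)]
SP_SIGNINS.append({"servicePrincipalId": "svc-backup", "createdDateTime": "2026-05-20T11:00:00Z"})

if __name__ == "__main__":
    for hit in hunt_device_registrations(AUDITS, SIGNINS, BASELINE_IPS):
        print("suspicious device registration:", hit)
    print("legacy Azure AD Graph tokens:", hunt_legacy_graph_tokens(SIGNINS))
    print("service-principal token bursts:", hunt_sp_token_bursts(SP_SIGNINS))
```

On real exports, seed the per-user IP baseline from a quiet period before the window you are hunting and expect the Azure AD Graph signal to fade as that API is retired; the device-registration correlation and the service-principal burst check do not depend on it.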