Authenticated Enumeration
Connect to the tenant using the Az PowerShell module
$passwd = ConvertTo-SecureString "V3ryH4rdt0Cr4ckN0OneC@nGu355ForT3stUs3r" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("test@defcorphq.onmicrosoft.com", $passwd)
Connect-AzAccount -Credential $creds
Connecting to the Microsoft Graph using
$Token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
Connect-MgGraph -AccessToken ($Token | ConvertTo-SecureString -AsPlainText -Force)
To enumerate all users
Get-MgUser -All
To list only the UPNs of the users
Get-MgUser -All | select UserPrincipalName
To list all the groups
Get-MgGroup -All
To list all the devices
Get-MgDevice
To get all the Global Administrators
$RoleId = (Get-MgDirectoryRole -Filter "DisplayName eq 'Global Administrator'").Id
(Get-MgDirectoryRoleMember -DirectoryRoleId $RoleId).AdditionalProperties
To list all custom directory roles
Get-MgRoleManagementDirectoryRoleDefinition | ?{$_.IsBuiltIn -eq $False} | select DisplayName
Enumeration Using the Az Module
Connecting Using the Az Module
$passwd = ConvertTo-SecureString "V3ryH4rdt0Cr4ckN0OneC@nGu355ForT3stUs3r" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("test@defcorphq.onmicrosoft.com", $passwd)
Connect-AzAccount -Credential $creds
List all the resources accessible to the current account:
Get-AzResource
Get all the role assignments for the test user:
Get-AzRoleAssignment -SignInName test@defcorphq.onmicrosoft.com
List all the VMs where the current user has at least the Reader role:
Get-AzVM | fl
List all App Services
Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}
To list Function Apps
Get-AzFunctionApp
List storage accounts:
Get-AzStorageAccount | fl
List the key vaults readable by the current user
Get-AzKeyVault
Enumeration Using az cli
Connecting
az login -u test@defcorphq.onmicrosoft.com -p V3ryH4rdt0Cr4ckN0OneC@nGu355ForT3stUs3r
List all the VMs where the current user has at least the Reader role
az vm list
List only the names of the VMs
az vm list --query "[].[name]" -o table
List the names of App Services
az webapp list --query "[].[name]" -o table
List Function Apps
az functionapp list --query "[].[name]" -o table
List storage accounts
az storage account list
List the key vaults readable by the current user
az keyvault list
Enumeration using ROADTools
cd C:\AzAD\Tools\ROADTools
.\venv\Scripts\activate
roadrecon auth -u test@defcorphq.onmicrosoft.com -p V3ryH4rdt0Cr4ckN0OneC@nGu355ForT3stUs3r
roadrecon gather
roadrecon gui
Enumerating Conditional Access Policies
Note that a normal user can enumerate Conditional Access Policies using ROADrecon. This is due to the “internal-1.61” AAD Graph API version.
roadrecon plugin policies
Open caps.html (from C:\AzAD\Tools\ROADTools) to find Conditional Access Policies in the target environment.
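Detection side of the sessions above, as an added example that is not part of the original notes: each connection on this page requests tokens for a directory or management API from a command-line client, and the sign-in log records both IDs. The sketch assumes sign-in records exported with the Microsoft Graph signIn field names; the function name, the expected-users list, the thresholds and the sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known first-party resource (API) application IDs.
AAD_GRAPH = "00000002-0000-0000-c000-000000000000"
MS_GRAPH = "00000003-0000-0000-c000-000000000000"
ARM = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
RESOURCES = {AAD_GRAPH: "AAD Graph", MS_GRAPH: "Microsoft Graph", ARM: "Azure Resource Manager"}
# Well-known public client IDs of command-line tooling.
AZ_PS = "1950a258-227b-4e31-a9cf-717495945fc2"   # Azure PowerShell
AZ_CLI = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Azure CLI
AAD_PS = "1b730954-1685-4b74-9bfd-dac224a7b894"  # Azure AD PowerShell
CLI_CLIENTS = {AZ_PS, AZ_CLI, AAD_PS}

def find_enumeration_bursts(signins, expected_users=(), window=timedelta(minutes=30), min_resources=2):
    """Return {upn: [resource names]} for users not in expected_users (lower-case
    UPNs) whose CLI-client sign-ins reached >= min_resources APIs within one window."""
    per_user = defaultdict(list)
    for s in signins:
        upn = s["userPrincipalName"].lower()
        if s["appId"] in CLI_CLIENTS and s["resourceId"] in RESOURCES and upn not in expected_users:
            ts = datetime.fromisoformat(s["createdDateTime"].replace("Z", "+00:00"))
            per_user[upn].append((ts, RESOURCES[s["resourceId"]]))
    findings = {}
    for upn, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct APIs reached in the window that opens at this sign-in.
            seen = {name for ts, name in events[i:] if ts - start <= window}
            if len(seen) >= min_resources:
                findings[upn] = sorted(seen)
                break
    return findings

def _rec(upn, app, res, ts):
    return {"userPrincipalName": upn, "appId": app, "resourceId": res, "createdDateTime": ts}

# Constructed sample records (not real log data).
SAMPLE = [
    _rec("alice@example.com", AZ_PS, ARM, "2024-05-01T09:00:00Z"),
    _rec("alice@example.com", AZ_PS, MS_GRAPH, "2024-05-01T09:02:00Z"),
    _rec("alice@example.com", AAD_PS, AAD_GRAPH, "2024-05-01T09:10:00Z"),
    _rec("bob@example.com", AZ_CLI, ARM, "2024-05-01T09:05:00Z"),          # one API only
    _rec("carol@example.com", AZ_CLI, ARM, "2024-05-01T08:00:00Z"),
    _rec("carol@example.com", AZ_PS, MS_GRAPH, "2024-05-01T11:00:00Z"),    # outside window
    _rec("ops-admin@example.com", AZ_PS, ARM, "2024-05-01T10:00:00Z"),
    _rec("ops-admin@example.com", AZ_PS, MS_GRAPH, "2024-05-01T10:01:00Z"),
]

if __name__ == "__main__":
    print(find_enumeration_bursts(SAMPLE, {"ops-admin@example.com"}))
```

Tune the window and the expected-users list to the accounts that legitimately administer the tenant from the command line.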
Enumeration using StormSpotter
cd C:\AzAD\Tools\stormspotter\backend\
pipenv shell
cd C:\AzAD\Tools\stormspotter\frontend\dist\spa\
quasar.cmd serve -p 9091 --history
cd C:\AzAD\Tools\stormspotter\stormcollector\
pipenv shell
az login -u test@defcorphq.onmicrosoft.com -p V3ryH4rdt0Cr4ckN0OneC@nGu355ForT3stUs3r
python C:\AzAD\Tools\stormspotter\stormcollector\sscollector.pyz cli
Enumeration using BloodHound
$passwd = ConvertTo-SecureString "V3ryH4rdt0Cr4ckN0OneC@nGu355ForT3stUs3r" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("test@defcorphq.onmicrosoft.com", $passwd)
Connect-AzAccount -Credential $creds
Import-Module C:\AzAD\Tools\AzureAD\AzureAD.psd1
Connect-AzureAD -Credential $creds
. C:\AzAD\Tools\AzureHound\AzureHound.ps1
Invoke-AzureHound -Verbose