Recon

Azure Tenant

Check whether an Azure tenant is in use, and get the tenant name and federation status

https://login.microsoftonline.com/getuserrealm.srf?login=[USERNAME@ValidDOMAIN]&xml=1

Get the Tenant ID

https://login.microsoftonline.com/[DOMAIN]/.well-known/openid-configuration
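An added example (not part of the original notes or of any tool named here): parsing the responses of the two endpoints above to see what your own tenant exposes to an unauthenticated caller. The sample responses, tenant name and GUID are constructed placeholders, and the function names are hypothetical.

```python
import json
import re
import xml.etree.ElementTree as ET

GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample responses (placeholder tenant and GUID, not real data).
REALM_XML = """<RealmInfo Success="true">
  <Login>user@example.onmicrosoft.com</Login>
  <NameSpaceType>Managed</NameSpaceType>
  <DomainName>example.onmicrosoft.com</DomainName>
  <IsFederatedNS>false</IsFederatedNS>
  <FederationBrandName>Example Corp</FederationBrandName>
</RealmInfo>"""

TENANT = "00000000-1111-2222-3333-444444444444"
OIDC_JSON = json.dumps({"issuer": f"https://sts.windows.net/{TENANT}/",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/token"})

def parse_realm(xml_text):
    """Fields of the getuserrealm.srf XML that reveal tenant use and federation."""
    root = ET.fromstring(xml_text)
    ns_type = (root.findtext("NameSpaceType") or "Unknown").strip()
    return {
        # "Unknown" means the domain is not registered in any tenant.
        "tenant_in_use": ns_type in ("Managed", "Federated"),
        "namespace_type": ns_type,
        "federated": ns_type == "Federated",
        "brand_name": root.findtext("FederationBrandName"),
        "domain": root.findtext("DomainName"),
    }

def parse_tenant_id(oidc_text):
    """Tenant GUID from the openid-configuration JSON, or None for an error body."""
    doc = json.loads(oidc_text)
    if "error" in doc:  # an unregistered domain returns an error object instead
        return None
    for key in ("issuer", "token_endpoint"):
        m = GUID.search(str(doc.get(key, "")))
        if m:
            return m.group(0).lower()
    return None

def summarize(realm_xml, oidc_text):
    """Combine both responses into one view of the externally visible tenant data."""
    info = parse_realm(realm_xml)
    info["tenant_id"] = parse_tenant_id(oidc_text) if info["tenant_in_use"] else None
    return info

if __name__ == "__main__":
    print(json.dumps(summarize(REALM_XML, OIDC_JSON), indent=2))
```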

Validate an email ID by sending POST requests to

https://login.microsoftonline.com/common/GetCredentialType

We can use the AADInternals tool to gather information

Import-Module C:\AzAD\Tools\AADInternals\AADInternals.psd1

Get-AADIntLoginInformation -UserName admin@defcorphq.onmicrosoft.com

To get the Tenant ID

Get-AADIntTenantID -Domain defcorphq.onmicrosoft.com

Get tenant domains

Get-AADIntTenantDomains -Domain defcorphq.onmicrosoft.com
Get-AADIntTenantDomains -Domain deffin.onmicrosoft.com
Get-AADIntTenantDomains -Domain microsoft.com

Get all the information (as external)

Invoke-AADIntReconAsOutsider -DomainName defcorphq.onmicrosoft.com

Email IDs

C:\Python27\python.exe C:\AzAD\Tools\o365creeper\o365creeper.py -f C:\AzAD\Tools\emails.txt -o C:\AzAD\Tools\validemails.txt

Azure Services

  • Azure services are available at specific domains and subdomains. We can enumerate if the target organization is using any of the services by looking for such subdomains.

  • The tool that we will use for this is MicroBurst (https://github.com/NetSPI/MicroBurst)

  • MicroBurst is a useful tool for security assessment of Azure. It uses Az, AzureAD, AzureRM and MSOL tools and additional REST API calls.

Import-Module C:\AzAD\Tools\MicroBurst\MicroBurst.psm1 -Verbose

Enumerate all subdomains for an organization specified using the '-Base' parameter:

Invoke-EnumerateAzureSubDomains -Base defcorphq -Verbose

To validate emails, we will use o365creeper

C:\Python27\python.exe C:\AzAD\Tools\o365creeper\o365creeper.py -f C:\AzAD\Tools\emails.txt -o C:\AzAD\Tools\validemails.txt
