Microsoft Graph Module
Connect to MS Graph
Login pop-up
Use token
Copy $Token = eyJ0
Connect-MgGraph -AccessToken ($Token | ConvertTo-SecureString -AsPlainText -Force) Get a Token
Copy $passwd = ConvertTo-SecureString "Password123!" -AsPlainText -Force
$creds = New-Object System.management.automation.pscredential ("test@pp.onmicrosoft.com", $passwd)
Connect-AzAccount -Credential $creds
$Token = (Get-AzAccessToken -ResourceTypeName MSGraph).token
$token Simple script to automate process
Copy # Prompt for Email
$email = Read-Host "Enter your email address"
# Prompt for Password (input is hidden)
$password = Read-Host "Enter your password" -AsSecureString
# Create a PSCredential object
$creds = New-Object System.Management.Automation.PSCredential ($email, $password)
# Connect to Azure Account
Connect-AzAccount -Credential $creds
# Get the Access Token for MSGraph
$Token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
# Output the token (optional)
Write-Host "Access Token for Mg-Graph:" $Token Users
Enumerate all users
Enumerate specific user
Copy Get-MgUser -UserId test@pp.onmicrosoft.com Search for users who contain the word "admin" in their Display name:
Copy Get-MgUser -Search '"DisplayName:admin"' -ConsistencyLevel eventual All users who are synced from on-prem:
Copy Get-MgUser -All | ?{$_.OnPremisesSecurityIdentifier -ne $null} Objects owned by a specific user:
Copy Get-MgUserOwnedObject -UserId test@pp.onmicrosoft.com | fl * If a normal user owns a object with a sensitive role such as "Global Administrator', the normal user is indirectly a GA as well!
Groups
Get goups and roles where specified user is a member of
Copy PS C:\Windows\system32> (Get-MgUserMemberOf -UserId test@pp.onmicrosoft.com).AdditionalProperties
Key Value
--- -----
@odata.type #microsoft.graph.group
creationOptions {}
groupTypes {}
proxyAddresses {}
resourceBehaviorOptions {}
resourceProvisioningOptions {}
onPremisesProvisioningErrors {}
serviceProvisioningErrors {}
@odata.type #microsoft.graph.group
creationOptions {}
groupTypes {}
proxyAddresses {}
resourceBehaviorOptions {}
resourceProvisioningOptions {}
onPremisesProvisioningErrors {}
serviceProvisioningErrors {} Get Members of a group:
Copy Get-AzADGroupMember -GroupDisplayName 'Name' | select DisplayName Roles
Get all available role templates
Copy Get-MgDirectoryRoleTemplate Get users who have a specific role such as Global Administrator:
Copy $RoleId = (Get-MgDirectoryRole -Filter "DisplayName eq 'Global Administrator'").Id
(Get-MgDirectoryRoleMember -DirectoryRoleId $RoleId).AdditionalProperties Devices
List owners of all the devices
Copy (Get-MgUserOwnedDevice -userId pp@pp.onmicrosoft.com).AdditionalProperties List devices registered by a user
Copy (Get-MgUserRegisteredDevice -userId pp@pp.onmicrosoft.com).AdditionalProperties List devices managed using Intune
Copy Get-MgDevice -All| ?{$_.IsCompliant -eq "True"} | fl * Applications (Registered Applications)
Get all applications objects registered with the current tenant
Copy Get-MgApplication -All The Get-MgApplication will show all the applications details including password but password value is not shown. List all the apps with an application password
Copy Get-MgApplication -All| ?{$_.PasswordCredentials -ne $null} Service Principals (Enterprise Applications)
Get All Service Principals:
Copy Get-MgServicePrincipal -all Via Graph token:
Copy $RequestParams = @{Method = 'GET'; Uri = $URI; Headers = @{'Authorization' = "Bearer $graphtoken"}}; (Invoke-RestMethod @RequestParams).value Administrative Unit
Get the administrative units:
Copy Get-MgDirectoryAdministrativeUnit Get the scoped role member:
Copy Get-MgDirectoryAdministrativeUnitScopedRoleMember Get Role ID
Copy (Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeunitId <ID>).RoleMemberInfo Az PowerShell
A module from Microsoft for managing Azure resources.
Connect to Entra ID first:
Using credentials from Command Line
Copy $creds = Get-Credential
Connect-AzAccount -Credential $creds Or:
Copy $passwd = ConvertTo-SecureString "password123!" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("test@pp.onmicrosoft.com", $passwd)
Connect-AzAccount -Credential $creds Or use a token:
Copy Connect-AzAccount -AccessToken $token -AccountID <account_id> General context
Get information about the current context:
List all available contexts
Copy Get-AzContext -ListAvailable Enumerate all resources visible to the current user:
Enumerate all Azure RBAC role assignments
Copy Get-AzRoleAssignment
Get-AzRoleAssignment | Select-Object DisplayName, RoleDefinitionName VMs
Get all VMs that our context can READ:
App Registrations
Storage Accounts
Copy Get-AzStorageAccount | fl Key Vaults
Automated script
Copy # Usage: .\enum.ps1 -u <email> -p <password>
# Or use Access Token: .\enum.ps1 -accesstoken <token>
e
param (
[string]$u,
[string]$p,
[string]$accesstoken,
[string]$accountid
)
function Authenticate-WithCredentials {
param (
[string]$Email,
[string]$Password
)
# Convert password to SecureString
$SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
# Create a PSCredential object
$creds = New-Object System.Management.Automation.PSCredential ($Email, $SecurePassword)
# Connect to Azure Account
Connect-AzAccount -Credential $creds
# Get the Access Token for MSGraph
$Token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
return $Token
}
# Function to authenticate using an existing access token
function Authenticate-WithToken {
param (
[string]$AccessToken
)
if (-not $AccessToken) {
Write-Host "No access token provided. Exiting..." -ForegroundColor Red
exit
}
Write-Host "Using provided access token." -ForegroundColor Green
Connect-AzAccount -AccessToken $AccessToken -AccountId $accountid
$Token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
return $Token
}
if ($u -and $p) {
$Token = Authenticate-WithCredentials -Email $u -Password $p
} elseif ($accesstoken) {
$Token = Authenticate-WithToken -AccessToken $accesstoken
} else {
Write-Host "Invalid selection. Provide either -u and -p for credentials or -accesstoken for token authentication. Exiting..." -ForegroundColor Red
exit
}
# If authenticated, enumerate
if ($Token) {
Write-Host "[+] Successfully authenticated" -ForegroundColor green
if ($u -and $p) {
# copy access token to clipboard
(Get-AzAccessToken -ResourceTypeName MSGraph).Token | clip
Write-Host "[+] Copied Access Token for $u to clipboard" -ForegroundColor Green
}
Write-Host "[+] Getting authenticated context" -ForegroundColor Green
Get-AzContext | Format-List *
Write-Host "[+] Getting Role Assignments" -ForegroundColor Green
Get-AzRoleAssignment | Select-Object DisplayName, RoleDefinitionName, ObjectId | Format-Table -AutoSize
Write-Host "[+] Getting Resources" -ForegroundColor Green
Get-AzResource | Select-Object Name, ResourceGroupName | Format-Table -AutoSize
Write-Host "[+] Getting Key Vaults" -ForegroundColor Green
Get-AzKeyVault | Select-Object VaultName, ResourceGroupName | Format-Table -AutoSize
Write-Host "[+] Getting Virtual Machines" -ForegroundColor Green
Get-AzVM | Select-Object ResourceGroupName, Name, VmId, LicenseType | Format-Table -AutoSize
Write-Host "[+] Getting Web Applications" -ForegroundColor Green
Get-AzWebApp | Select-Object hostnames, defaulthostname, RepositorySiteName | Format-Table -AutoSize
Write-Host "[+] Getting Storage Accounts" -ForegroundColor Green
Get-AzStorageAccount
} Example output:
Azure CLI
A set of commands used to create and manage Azure resources. Can be installed on multiple platforms and can be used with multiple clouds.
Copy Install using MSI https://learn.microsoft.com/nl-nl/cli/azure/install-azure-cli Login using creds:
Copy az login -u test@pp.onmicrosoft.com -p "Password123!" Get users
Copy az ad user list --output table Last updated 2 months ago
