Authenticated Enumeration

Microsoft Graph Module

Connect to MS Graph

Connect-MgGraph

Use token

$Token = eyJ0
Connect-MgGraph -AccessToken ($Token | ConvertTo-SecureString -AsPlainText -Force)

Get a Token

$passwd = ConvertTo-SecureString "Password123!" -AsPlainText -Force
$creds =  New-Object System.management.automation.pscredential ("[email protected]", $passwd)
Connect-AzAccount -Credential $creds
$Token = (Get-AzAccessToken -ResourceTypeName MSGraph).token
$token

Simple script to automate process

# Prompt for Email
$email = Read-Host "Enter your email address"

# Prompt for Password (input is hidden)
$password = Read-Host "Enter your password" -AsSecureString

# Create a PSCredential object
$creds = New-Object System.Management.Automation.PSCredential ($email, $password)

# Connect to Azure Account
Connect-AzAccount -Credential $creds

# Get the Access Token for MSGraph
$Token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token

# Output the token (optional)
Write-Host "Access Token for Mg-Graph:" $Token

Users

Enumerate all users

Get-MgUser -All

Enumerate specific user

Get-MgUser -UserId [email protected]

Search for users who contain the word "admin" in their Display name:

Get-MgUser -Search '"DisplayName:admin"' -ConsistencyLevel eventual

All users who are synced from on-prem:

Get-MgUser -All | ?{$_.OnPremisesSecurityIdentifier -ne $null}

Objects owned by a specific user:

Get-MgUserOwnedObject -UserId [email protected] | fl *

If a normal user owns a object with a sensitive role such as "Global Administrator', the normal user is indirectly a GA as well!

Groups

Get goups and roles where specified user is a member of

PS C:\Windows\system32> $RoleId = (Get-MgDirectoryRole -Filter "DisplayName eq 'Global Administrator'").Id
(Get-MgDirectoryRoleMember -DirectoryRoleId $RoleId).AdditionalProperties
Key                          Value
---                          -----
@odata.type                  #microsoft.graph.group
creationOptions              {}
groupTypes                   {}
proxyAddresses               {}
resourceBehaviorOptions      {}
resourceProvisioningOptions  {}
onPremisesProvisioningErrors {}
serviceProvisioningErrors    {}
@odata.type                  #microsoft.graph.group
creationOptions              {}
groupTypes                   {}
proxyAddresses               {}
resourceBehaviorOptions      {}
resourceProvisioningOptions  {}
onPremisesProvisioningErrors {}
serviceProvisioningErrors    {}

Get Members of a group:

Get-AzADGroupMember -GroupDisplayName 'Name' | select DisplayName

Roles

Get all available role templates

Get-MgDirectoryRoleTemplate

Get users who have a specific role such as Global Administrator:

$RoleId = (Get-MgDirectoryRole -Filter "DisplayName eq 'Global Administrator'").Id
(Get-MgDirectoryRoleMember -DirectoryRoleId $RoleId).AdditionalProperties

User assigned roles:

$userEmail = "[email protected]"
$user = Get-MgUser -Filter "userPrincipalName eq '$userEmail'"

$directoryRoles = Get-MgDirectoryRole

$userRoleNames = @()

foreach ($role in $directoryRoles) {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
    if ($members.Id -contains $user.Id) {
        $userRoleNames += $role.DisplayName
    }
}

$userRoleNames

Devices

List owners of all the devices

(Get-MgUserOwnedDevice -userId [email protected]).AdditionalProperties

List devices registered by a user

(Get-MgUserRegisteredDevice -userId [email protected]).AdditionalProperties

List devices managed using Intune

Get-MgDevice -All| ?{$_.IsCompliant -eq "True"} | fl *

Applications (Registered Applications)

Get all applications objects registered with the current tenant

Get-MgApplication -All

The Get-MgApplication will show all the applications details including password but password value is not shown. List all the apps with an application password

Get-MgApplication -All| ?{$_.PasswordCredentials -ne $null}

Service Principals (Enterprise Applications)

Get All Service Principals:

Get-MgServicePrincipal -all

Via Graph token:

$RequestParams = @{Method = 'GET'; Uri = $URI; Headers = @{'Authorization' = "Bearer $graphtoken"}}; (Invoke-RestMethod @RequestParams).value

Administrative Unit

Get the administrative units:

Get-MgDirectoryAdministrativeUnit

Get the scoped role member:

Get-MgDirectoryAdministrativeUnitScopedRoleMember

Get Role ID

(Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeunitId <ID>).RoleMemberInfo

Get M365 license

Get-MgUserLicenseDetail -UserId "[email protected]"

Id                                          SkuId                                SkuPartNumber
--                                          -----                                -------------
xxx 3b555118-da6a-4418-894f-7df1e2096870 O365_BUSINESS_ESSENTIALS

Az PowerShell

A module from Microsoft for managing Azure resources.

Install-Module Az

Connect to Entra ID first:

Connect-AzAccount

Using credentials from Command Line

$creds = Get-Credential
Connect-AzAccount -Credential $creds

Or:

$passwd = ConvertTo-SecureString "password123!" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("[email protected]", $passwd)
Connect-AzAccount -Credential $creds

Or use a token:

Connect-AzAccount -AccessToken $token -AccountID <account_id>

General context

Get information about the current context:

Get-AzContext

List all available contexts

Get-AzContext -ListAvailable

Enumerate all resources visible to the current user:

Get-AzResource

Enumerate all Azure RBAC role assignments

Get-AzRoleAssignment

Get-AzRoleAssignment | Select-Object DisplayName, RoleDefinitionName

VMs

Get all VMs that our context can READ:

Get-AzVM | fl

App Registrations

Get-AzWebApp

Storage Accounts

Get-AzStorageAccount | fl

Key Vaults

Get-AzKeyVault

Automated script

enum.ps1

# Usage: .\enum.ps1 -u <email> -p <password>
# Or use Access Token: .\enum.ps1 -accesstoken <token>
e
param (
    [string]$u,
    [string]$p,
    [string]$accesstoken,
    [string]$accountid
)

function Authenticate-WithCredentials {
    param (
        [string]$Email,
        [string]$Password
    )
    
    # Convert password to SecureString
    $SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
    
    # Create a PSCredential object
    $creds = New-Object System.Management.Automation.PSCredential ($Email, $SecurePassword)
    
    # Connect to Azure Account
    Connect-AzAccount -Credential $creds
    
    # Get the Access Token for MSGraph
    $Token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
    
    return $Token
}

# Function to authenticate using an existing access token
function Authenticate-WithToken {
    param (
        [string]$AccessToken
    )
    if (-not $AccessToken) {
        Write-Host "No access token provided. Exiting..." -ForegroundColor Red
        exit
    }
    Write-Host "Using provided access token." -ForegroundColor Green
    Connect-AzAccount -AccessToken $AccessToken -AccountId $accountid
    $Token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
    return $Token
}

if ($u -and $p) {
    $Token = Authenticate-WithCredentials -Email $u -Password $p
} elseif ($accesstoken) {
    $Token = Authenticate-WithToken -AccessToken $accesstoken
} else {
    Write-Host "Invalid selection. Provide either -u and -p for credentials or -accesstoken for token authentication. Exiting..." -ForegroundColor Red
    exit
}

# If authenticated, enumerate
if ($Token) {
    Write-Host "[+] Successfully authenticated" -ForegroundColor green

    if ($u -and $p) {
    # copy access token to clipboard
    (Get-AzAccessToken -ResourceTypeName MSGraph).Token | clip
    Write-Host "[+] Copied Access Token for $u to clipboard" -ForegroundColor Green
    }

    Write-Host "[+] Getting authenticated context" -ForegroundColor Green
    Get-AzContext | Format-List *
    
    Write-Host "[+] Getting Role Assignments" -ForegroundColor Green
    Get-AzRoleAssignment | Select-Object DisplayName, RoleDefinitionName, ObjectId | Format-Table -AutoSize
    
    Write-Host "[+] Getting Resources" -ForegroundColor Green
    Get-AzResource | Select-Object Name, ResourceGroupName | Format-Table -AutoSize

    Write-Host "[+] Getting Key Vaults" -ForegroundColor Green
    Get-AzKeyVault | Select-Object VaultName, ResourceGroupName | Format-Table -AutoSize

    Write-Host "[+] Getting Virtual Machines" -ForegroundColor Green
    Get-AzVM | Select-Object ResourceGroupName, Name, VmId, LicenseType | Format-Table -AutoSize

    Write-Host "[+] Getting Web Applications" -ForegroundColor Green
    Get-AzWebApp | Select-Object hostnames, defaulthostname, RepositorySiteName | Format-Table -AutoSize

    Write-Host "[+] Getting Storage Accounts" -ForegroundColor Green
    Get-AzStorageAccount

}

Example output:

Azure CLI

A set of commands used to create and manage Azure resources. Can be installed on multiple platforms and can be used with multiple clouds.

The default output format is JSON

Install using MSI https://learn.microsoft.com/nl-nl/cli/azure/install-azure-cli

az login -u [email protected] -p "Password123!"

Get users

az ad user list --output table

PreviousConditional Access NextROADTools

Last updated 8 months ago

hashtagMicrosoft Graph Module

hashtagConnect to MS Graph

hashtagGet a Token

hashtagUsers

hashtagGroups

hashtagRoles

hashtagDevices

hashtagApplications (Registered Applications)

hashtagService Principals (Enterprise Applications)

hashtagAdministrative Unit

hashtagGet M365 license

hashtagAz PowerShell

hashtagGeneral context

hashtagVMs

hashtagApp Registrations

hashtagStorage Accounts

hashtagKey Vaults

hashtagAutomated script

hashtagAzure CLI

hashtagGet users