Authenticated Enumeration

Microsoft Graph Module

Connect to MS Graph

Login pop-up

Connect-MgGraph

Use token

$Token = "eyJ0..."   # the full access token (JWT) as a quoted string, truncated here
Connect-MgGraph -AccessToken ($Token | ConvertTo-SecureString -AsPlainText -Force)

Get a Token

$passwd = ConvertTo-SecureString "Password123!" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("test@pp.onmicrosoft.com", $passwd)
Connect-AzAccount -Credential $creds
$Token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
$Token

Users

Enumerate all users

Get-MgUser -All

Enumerate specific user

Get-MgUser -UserId test@pp.onmicrosoft.com

Search for users who contain the word "admin" in their Display name:

Get-MgUser -Search '"DisplayName:admin"' -ConsistencyLevel eventual

All users who are synced from on-prem:

Get-MgUser -All | ?{$_.OnPremisesSecurityIdentifier -ne $null}

Objects owned by a specific user:

Get-MgUserOwnedObject -UserId test@pp.onmicrosoft.com | fl *

If a normal user owns an object that holds a sensitive role such as "Global Administrator", the normal user is indirectly a GA as well!

Groups

Get the groups and roles the specified user is a member of

PS C:\Windows\system32> (Get-MgUserMemberOf -UserId test@pp.onmicrosoft.com).AdditionalProperties

Key                          Value
---                          -----
@odata.type                  #microsoft.graph.group
creationOptions              {}
groupTypes                   {}
proxyAddresses               {}
resourceBehaviorOptions      {}
resourceProvisioningOptions  {}
onPremisesProvisioningErrors {}
serviceProvisioningErrors    {}
@odata.type                  #microsoft.graph.group
creationOptions              {}
groupTypes                   {}
proxyAddresses               {}
resourceBehaviorOptions      {}
resourceProvisioningOptions  {}
onPremisesProvisioningErrors {}
serviceProvisioningErrors    {}

Roles

Get all available role templates

Get-MgDirectoryRoleTemplate

Get users who have a specific role such as Global Administrator:

$RoleId = (Get-MgDirectoryRole -Filter "DisplayName eq 'Global Administrator'").Id
(Get-MgDirectoryRoleMember -DirectoryRoleId $RoleId).AdditionalProperties
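
Added example (not part of the original notes): the ownership risk noted under Users, turned into an audit built on the role-member query above. It lists the owners of every service principal or group that is a member of a privileged role, assuming an existing Connect-MgGraph session with directory read permissions; $RoleName and the output column names are choices made for this example.

```powershell
# Audit: who owns the non-user principals that hold a privileged directory role?
# Assumes Connect-MgGraph has already been run with directory read access.
$RoleName = 'Global Administrator'   # example value, change to the role under review

# Get-MgDirectoryRole only returns roles that are activated in the tenant.
$role = Get-MgDirectoryRole -Filter "DisplayName eq '$RoleName'"
if (-not $role) { throw "Role '$RoleName' is not activated in this tenant." }

$findings = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    $type = $member.AdditionalProperties['@odata.type']
    $name = $member.AdditionalProperties['displayName']

    # Users have no owners; service principals and groups do.
    $owners = switch ($type) {
        '#microsoft.graph.servicePrincipal' { Get-MgServicePrincipalOwner -ServicePrincipalId $member.Id -All }
        '#microsoft.graph.group'            { Get-MgGroupOwner -GroupId $member.Id -All }
        default                             { @() }
    }

    foreach ($owner in $owners) {
        [pscustomobject]@{
            Role       = $RoleName
            MemberType = $type -replace '^#microsoft\.graph\.', ''
            Member     = $name
            OwnerId    = $owner.Id
            OwnerName  = $owner.AdditionalProperties['displayName']
            OwnerUpn   = $owner.AdditionalProperties['userPrincipalName']
        }
    }
}

# Every row is an identity that effectively controls a holder of the role.
$findings | Sort-Object Member, OwnerName | Format-Table -AutoSize
```

Each owner in the output should be reviewed as if it held the role itself; an empty result means no member returned by Get-MgDirectoryRoleMember has an owner.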

Devices

List devices owned by a user

(Get-MgUserOwnedDevice -UserId pp@pp.onmicrosoft.com).AdditionalProperties

List devices registered by a user

(Get-MgUserRegisteredDevice -UserId pp@pp.onmicrosoft.com).AdditionalProperties

List devices managed using Intune

Get-MgDevice -All | ?{$_.IsCompliant -eq $true} | fl *

Applications (Registered Applications)

Get all applications objects registered with the current tenant

Get-MgApplication -All

Get-MgApplication shows each application's details, including its password credentials, but the password values are not shown. List all the apps with an application password:

Get-MgApplication -All | ?{$_.PasswordCredentials -ne $null}

Service Principals (Enterprise Applications)

Get all service principals:

Get-MgServicePrincipal -All

Az PowerShell

A module from Microsoft for managing Azure resources.

Install-Module Az

Connect to Entra ID first:

Connect-AzAccount

Using credentials from Command Line

$creds = Get-Credential
Connect-AzAccount -Credential $creds

Or:

$passwd = ConvertTo-SecureString "password123!" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("test@pp.onmicrosoft.com", $passwd)
Connect-AzAccount -Credential $creds

Or use a token:

Connect-AzAccount -AccessToken $token -AccountID <account_id>

General context

Get information about the current context:

Get-AzContext

List all available contexts

Get-AzContext -ListAvailable

Enumerate all resources visible to the current user:

Get-AzResource

Enumerate all Azure RBAC role assignments

Get-AzRoleAssignment

VMs

Get all VMs that our context can READ:

Get-AzVM | fl

App Services (Web Apps)

Get-AzWebApp

Storage Accounts

Get-AzStorageAccount | fl

Key Vaults

Get-AzKeyVault

Azure CLI

A set of commands used to create and manage Azure resources. Can be installed on multiple platforms and can be used with multiple clouds.

The default output format is JSON.

Install using the MSI: https://learn.microsoft.com/nl-nl/cli/azure/install-azure-cli

Login using creds:

az login -u test@pp.onmicrosoft.com -p "Password123!"

Get users

az ad user list --output table
