Microsoft Entra ID Enumeration

Table of contents

  1. Vulnerability
  2. Prerequisites
  3. Automated tools
    1. AzureHound
    2. ROADrecon
  4. Manual enumeration
    1. Applications
    2. Devices
    3. Groups
    4. Roles
    5. Service Principals
    6. Users
  5. Recommendations

Vulnerability

TODO: Describe the vulnerability here.

Prerequisites

  • Being authenticated in the Azure tenant you want to enumerate.

Automated tools

AzureHound

AzureHound is a BloodHound ingestor for Microsoft Entra ID. It is written in Go, so it can be run on both Windows and Linux.

# Enumerate tenant as an authenticated user and write the output in JSON format.
# The JSON output file can be imported in BloodHound.
azurehound list -u "$UserPrincipalName" -p "$Password" -t "$TenantID" -o "output.json"

ROADrecon

Use ROADrecon to extract Microsoft Entra ID objects as a database you can then browse through a tiny local web application.

# Authenticate with MFA if enabled.
roadrecon auth --device-code

# Retrieve all information in roadrecon.db.
roadrecon gather

# Start local web application on http://127.0.0.1:5000/ to browse gathered information.
roadrecon gui

Manual enumeration

This section shows how to manually enumerate Microsoft Entra ID using the AzureAD PowerShell module. Before that, you need to authenticate to the tenant as shown below.

Install-Module AzureAD
Connect-AzureAD

Applications

# List all app registrations.
Get-AzureADApplication -All $True

Devices

# List all joined and registered devices.
Get-AzureADDevice -All $True

# List devices owned by a user.
Get-AzureADUserOwnedDevice -ObjectId $UserPrincipalName

Groups

# List all Microsoft Entra ID groups that are synchronized from on-premises Active Directory.
Get-AzureADGroup -All $True | ?{$_.OnPremisesSecurityIdentifier -ne $Null}

# Get all attributes of a specific group.
Get-AzureADGroup -ObjectId $GroupObjectId | Format-List

# Search for groups based on their DisplayName.
Get-AzureADGroup -SearchString "$Whatever"

# List group members.
Get-AzureADGroupMember -ObjectId $GroupObjectId

Roles

# List all Microsoft Entra ID roles that are enabled.
Get-AzureADDirectoryRole

# List all role templates.
Get-AzureADDirectoryRoleTemplate

# Get all attributes of a specific role.
Get-AzureADDirectoryRole -ObjectId $RoleObjectId | Format-List

# Search for roles based on their DisplayName.
Get-AzureADDirectoryRole | ?{$_.DisplayName -match "$Whatever"}

# List role members.
Get-AzureADDirectoryRoleMember -ObjectId $RoleObjectId

Service Principals

# List all enterprise applications.
Get-AzureADServicePrincipal -All $True

# Get groups and roles of a service principal.
Get-AzureADServicePrincipal -ObjectId $ServicePrincipalObjectId | Get-AzureADServicePrincipalMembership | Format-List *

Users

In Microsoft Entra ID, a user's UserPrincipalName is usually their email address.

# List all Microsoft Entra ID users that are synchronized from on-premises Active Directory.
Get-AzureADUser -All $True | ?{$_.OnPremisesSecurityIdentifier -ne $Null}

# Get all attributes of a specific user.
Get-AzureADUser -ObjectId $UserPrincipalName | Format-List

# Search for users based on their DisplayName and UserPrincipalName.
Get-AzureADUser -SearchString "$Whatever"

# Get groups and roles a user belongs to.
Get-AzureADUserMembership -ObjectId $UserPrincipalName

Recommendations

  • Ensure standard users cannot enumerate Microsoft Entra ID from the Microsoft administration portals, from PowerShell or from the Microsoft Graph APIs; each of these paths is controlled by a different permission.
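The following audit script is an added example, not part of the original cheat sheet, to check the tenant-level settings behind that recommendation. It assumes the Microsoft Graph PowerShell SDK and a session opened with Connect-MgGraph -Scopes "Policy.Read.All"; the function name Test-EntraDirectoryReadExposure is the example's own.

```powershell
# Added example: report which authorization-policy settings still let
# standard (member) or guest users read directory objects.
# Assumes: Connect-MgGraph -Scopes "Policy.Read.All" has already been run.

# Documented guestUserRoleId values from the Graph authorizationPolicy resource.
$GuestRoleNames = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same as member users'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited access (default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted access'
}
$RestrictedGuestRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'

function Test-EntraDirectoryReadExposure {
    # Emits one finding per setting. Exposed = $true means a non-admin
    # user can still enumerate the directory through that path.
    $policy = Get-MgPolicyAuthorizationPolicy
    $perms  = $policy.DefaultUserRolePermissions
    $guestRoleId = "$($policy.GuestUserRoleId)".ToLower()
    $guestRoleName = if ($GuestRoleNames.ContainsKey($guestRoleId)) {
        $GuestRoleNames[$guestRoleId]
    } else { $guestRoleId }

    [PSCustomObject]@{
        Setting = 'Members can read other users (Graph / PowerShell)'
        Value   = $perms.AllowedToReadOtherUsers
        Exposed = [bool]$perms.AllowedToReadOtherUsers
        Fix     = 'Set DefaultUserRolePermissions.AllowedToReadOtherUsers to $false; test apps that look up users first.'
    }
    [PSCustomObject]@{
        Setting = 'Guest user access level'
        Value   = $guestRoleName
        Exposed = ($guestRoleId -ne $RestrictedGuestRoleId)
        Fix     = 'Set GuestUserRoleId to the Restricted access role.'
    }
    [PSCustomObject]@{
        Setting = 'Legacy MSOnline PowerShell for non-admins'
        Value   = $policy.BlockMsolPowerShell
        Exposed = -not [bool]$policy.BlockMsolPowerShell
        Fix     = 'Set BlockMsolPowerShell to $true.'
    }
}

# Print a compact table; pipe to Where-Object Exposed to keep only findings.
Test-EntraDirectoryReadExposure | Format-Table Setting, Value, Exposed -AutoSize
```

Re-run the script after changing a setting, and note that the "Restrict access to Microsoft Entra administration portal" switch is a separate portal setting that this policy does not cover.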