Topics
Enumerate information from Azure AD about users, groups, devices, service principals, applications, and roles.
Map attack paths by listing objects owned by an Azure AD object.
Learn to use Microsoft’s tools like Azure AD Module, Az PowerShell and Az CLI for enumeration.
Understand device identities and map attack paths by enumerating active devices, device owners and state.
Find abusable service principals and applications by looking at applications that carry credentials (application passwords, i.e. client secrets, or certificates), who owns those applications, and which roles they hold.
Enumerate information from Azure about resources like Virtual Machines, Storage Accounts, Key vaults, Blobs, Automation Accounts, Deployment Templates, App Services, Function Apps and many more.
Enumerate role assignments to map attack paths.
Learn to use tools like ROADRecon and AzureHound for enumeration. Understand the difference between enumerating Azure AD and on-prem AD.
Learn to use the ARM and Microsoft Graph REST APIs for enumeration.
To further your enumeration efforts, the Azure AD PowerShell module is a convenient way to pull detailed information out of Azure Active Directory (AD). Note that Microsoft has deprecated this module in favour of the Microsoft Graph PowerShell SDK (Get-MgUser, Get-MgGroup, Get-MgServicePrincipal and so on), so expect the cmdlets below to stop working at some point; the enumeration logic carries over one to one. Here's how to get started:
Install the Azure AD Module: If it is not already installed, run Install-Module -Name AzureAD, or Install-Module -Name AzureADPreview for the preview version, which adds some cmdlets (for example the Get-AzureADMS* role-assignment cmdlets) the stable module lacks.
Connect to Azure AD: Before any enumeration can happen, authenticate with Connect-AzureAD. This prompts for credentials; pass -TenantId when the account is a guest in more than one tenant, and -AccountId to pre-fill the sign-in.
Enumerate Users: Get-AzureADUser returns users; add -All $true, otherwise the cmdlet returns only the first page (100 objects) and silently truncates. Results can be narrowed with -Filter (OData) or -SearchString.
Enumerate Groups: Get-AzureADGroup -All $true lists all groups. Get-AzureADGroupMember with the group's Object ID returns the direct members only; nested groups come back as group objects, so recurse if you need transitive membership.
Enumerate Devices: Get-AzureADDevice -All $true lists the devices registered or joined to Azure AD, with their OS, trust type, enabled state and approximate last logon. Get-AzureADDeviceRegisteredOwner maps each device to its owner.
Service Principals: Service principals are the tenant-local instances of applications. Get-AzureADServicePrincipal -All $true lists them; their PasswordCredentials and KeyCredentials properties reveal whether a secret or certificate exists (never its value), and Get-AzureADServicePrincipalOwner shows who can add one. Service principals that hold directory roles or sensitive application permissions and have owners outside the admin population are the abusable ones.
Applications: Application registrations are enumerated with Get-AzureADApplication -All $true. An application owner can add credentials to the application and then sign in as its service principal, so review each application's owners (Get-AzureADApplicationOwner) together with the privileges of its service principal.
Roles and Role Assignments: Get-AzureADDirectoryRole lists the directory roles that have been activated in the tenant (Get-AzureADDirectoryRoleTemplate lists every built-in role), and Get-AzureADDirectoryRoleMember returns the members of a role. Match roles by RoleTemplateId rather than display name, since names can be localised. These cmdlets show active assignments only; PIM-eligible assignments do not appear here.
Remember that the permissions of the signed-in account decide what you see: by default a member user can read most of the directory (users, groups, devices, applications and role members), while guest accounts are more restricted. Always ensure you're complying with your organization's policies and guidelines, and with the rules of engagement, while performing enumeration activities.
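The steps above as one enumeration pass, written as an added example rather than code from the original page. It assumes the AzureAD module is installed and that the signed-in account can read the directory; the UPN someone@contoso.example is a placeholder, while the Global Administrator role template ID is the fixed value Microsoft publishes.

```powershell
# Added example (not from the original page). Assumes the AzureAD module is
# installed and the account can read the directory; the UPN below is a placeholder.
Import-Module AzureAD

# Interactive sign-in; add -TenantId '<tenant-guid>' when the account is a guest in several tenants.
Connect-AzureAD | Out-Null

# Users: -All $true is required, otherwise the cmdlet stops after the first page (100 objects).
$users = Get-AzureADUser -All $true
$users | Select-Object DisplayName, UserPrincipalName, AccountEnabled, ObjectId | Format-Table -AutoSize

# Groups with their direct member count. Nested groups come back as group objects,
# so recurse on ObjectType -eq 'Group' if transitive membership is needed.
$groups = Get-AzureADGroup -All $true
foreach ($g in $groups) {
    $members = Get-AzureADGroupMember -ObjectId $g.ObjectId -All $true
    '{0} ({1} direct members)' -f $g.DisplayName, @($members).Count
}

# Devices and their registered owners: an enabled but stale device owned by an admin is worth a closer look.
Get-AzureADDevice -All $true | ForEach-Object {
    $owners = Get-AzureADDeviceRegisteredOwner -ObjectId $_.ObjectId -All $true
    [pscustomobject]@{
        Device    = $_.DisplayName
        OS        = "$($_.DeviceOSType) $($_.DeviceOSVersion)"
        Enabled   = $_.AccountEnabled
        TrustType = $_.DeviceTrustType
        LastLogon = $_.ApproximateLastLogonTimeStamp
        Owners    = ($owners.UserPrincipalName -join ', ')
    }
} | Format-Table -AutoSize

# Service principals that carry credentials. PasswordCredentials/KeyCredentials only
# show that a secret or certificate exists, never its value; the owners are who can add another.
Get-AzureADServicePrincipal -All $true |
    Where-Object { $_.PasswordCredentials.Count -gt 0 -or $_.KeyCredentials.Count -gt 0 } |
    ForEach-Object {
        $owners = Get-AzureADServicePrincipalOwner -ObjectId $_.ObjectId -All $true
        [pscustomobject]@{
            ServicePrincipal = $_.DisplayName
            AppId            = $_.AppId
            Secrets          = $_.PasswordCredentials.Count
            Certificates     = $_.KeyCredentials.Count
            Owners           = ($owners.UserPrincipalName -join ', ')
        }
    } | Format-Table -AutoSize

# Application registrations with their owners: an owner can add a credential and then
# authenticate as the application's service principal.
Get-AzureADApplication -All $true | ForEach-Object {
    $owners = Get-AzureADApplicationOwner -ObjectId $_.ObjectId -All $true
    [pscustomobject]@{
        Application  = $_.DisplayName
        AppId        = $_.AppId
        Secrets      = $_.PasswordCredentials.Count
        Certificates = $_.KeyCredentials.Count
        Owners       = ($owners.UserPrincipalName -join ', ')
    }
} | Format-Table -AutoSize

# Active role assignments. Get-AzureADDirectoryRole returns only roles that have been activated
# in the tenant; Get-AzureADDirectoryRoleTemplate lists every built-in role. PIM-eligible
# assignments are not visible through these cmdlets.
$roles = Get-AzureADDirectoryRole
foreach ($r in $roles) {
    foreach ($m in (Get-AzureADDirectoryRoleMember -ObjectId $r.ObjectId)) {
        $name = if ($m.UserPrincipalName) { $m.UserPrincipalName } else { $m.DisplayName }
        [pscustomobject]@{ Role = $r.DisplayName; Member = $name; Type = $m.ObjectType }
    }
}

# Global Administrators, matched by the fixed role template ID so a renamed or localised
# display name cannot hide the role.
$gaTemplate = '62e90394-69f5-4237-9190-012177145e10'
$ga = $roles | Where-Object RoleTemplateId -eq $gaTemplate
if ($ga) {
    Get-AzureADDirectoryRoleMember -ObjectId $ga.ObjectId |
        Select-Object DisplayName, UserPrincipalName, ObjectType
}

# Objects owned by one user (placeholder UPN): owned applications, service principals and
# groups are the ownership edges an attack-path map is built from.
$target = Get-AzureADUser -ObjectId 'someone@contoso.example'
Get-AzureADUserOwnedObject -ObjectId $target.ObjectId -All $true |
    Select-Object ObjectType, DisplayName, ObjectId
```

Each section writes to the pipeline, so any of them can be piped to Export-Csv for offline review; the credential counts and owner lists are the columns to sort on when looking for an application that a low-privileged owner controls but whose service principal holds a directory role.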
While PowerShell is a powerful tool for enumeration, there are specialized tools that collect the same data in bulk and turn it into a graph:
AzureHound: the Azure collector for BloodHound. It gathers users, groups, devices, service principals, applications, role assignments and ownership relationships from Azure AD (and resource data from Azure subscriptions) and exports them as JSON for BloodHound, where attack paths can be visualised and queried.
ROADRecon: part of Dirk-jan Mollema's ROADtools. It authenticates to the tenant, pulls the directory objects and their relationships into a local SQLite database and presents them through a web GUI, which makes it well suited to reviewing application credentials, role members, and other configuration weaknesses offline.
Using these tools alongside the Azure AD PowerShell module gives a comprehensive overview of the Azure AD environment and highlights potential security concerns.
Understanding the landscape of your Azure AD and enumerating its resources, roles, and relationships are critical first steps in securing your cloud presence. By leveraging PowerShell and specialized tools, you can uncover hidden risks and strengthen your security posture.