## Basic Information

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It is what lets employees sign in and reach resources both inside and outside the organization, including Microsoft 365, the Azure portal and a wide range of other SaaS applications. Azure AD is designed around the core identity services: authentication, authorization and user management.

Its key features include multi-factor authentication and conditional access, together with tight integration with the other Microsoft security services. These capabilities substantially strengthen the protection of user identities and let organizations define and enforce their access policies effectively. As a foundational part of Microsoft's cloud service ecosystem, Azure AD is central to cloud-based management of user identities.

AzureAD is a PowerShell module from Microsoft for managing Azure AD. It does not expose every property of Azure AD objects and cannot be used to retrieve information about Azure resources.

Az PowerShell is a module for managing Azure resources from the PowerShell command line.
### Connection
```bash
# az cli
az login #This will open the browser
az login -u <username> -p <password> #Specify user and password
az login --identity #Use the current machine managed identity (metadata)
az login --identity -u /subscriptions/<subscriptionId>/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID #Login with user managed identity

# Login as service principal
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret --tenant contoso.onmicrosoft.com #With password
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p ~/mycertfile.pem --tenant contoso.onmicrosoft.com #With cert

# Request access token (ARM)
az account get-access-token

# Request access token for different resource. Supported tokens: aad-graph, arm, batch, data-lake, media, ms-graph, oss-rdbms
az account get-access-token --resource-type aad-graph

# If you want to configure some defaults
az configure

# Get user logged-in already
az ad signed-in-user show

# Help
az find "vm" # Find vm commands
az vm -h
# Get query examples
az ad user list --query-examples
```
```powershell
# AzureAD module
Connect-AzureAD #Open browser

# Using credentials
$passwd = ConvertTo-SecureString "Welcome2022!" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("test@corp.onmicrosoft.com", $passwd)
Connect-AzureAD -Credential $creds

# Using tokens
## AzureAD cannot request tokens, but can use AADGraph and MSGraph tokens to connect
Connect-AzureAD -AccountId test@corp.onmicrosoft.com -AadAccessToken $token
```
```powershell
# Az PowerShell module
Connect-AzAccount #Open browser

# Using credentials
$passwd = ConvertTo-SecureString "Welcome2022!" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("test@corp.onmicrosoft.com", $passwd)
Connect-AzAccount -Credential $creds

# Get Access Token
(Get-AzAccessToken).Token
# Request access token to other endpoints: AadGraph, AnalysisServices, Arm, Attestation, Batch, DataLake, KeyVault, MSGraph, OperationalInsights, ResourceManager, Storage, Synapse
Get-AzAccessToken -ResourceTypeName MSGraph
(Get-AzAccessToken -Resource "https://graph.microsoft.com").Token

# Connect with access token
Connect-AzAccount -AccountId test@corp.onmicrosoft.com -AccessToken $token
Connect-AzAccount -AccessToken $token -GraphAccessToken $graphaccesstoken -AccountId <ACCOUNT-ID>
## The -AccessToken is from management.azure.com

# Connect with Service principal/enterprise app secret
$password = ConvertTo-SecureString 'KWEFNOIRFIPMWL.--DWPNVFI._EDWWEF_ADF~SODNFBWRBIF' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('2923847f-fca2-a420-df10-a01928bec653', $password)
Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant 29sd87e56-a192-a934-bca3-0398471ab4e7d

#All the Azure AD cmdlets have the format *-AzAD*
Get-Command *azad*
#Cmdlets for other Azure resources have the format *Az*
Get-Command *az*
```
```bash
# Request tokens to access endpoints from inside a resource that has a managed identity
# ARM
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
# Vault
curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
```
When you log in to Azure through the CLI with any program, you are using an Azure application from a tenant that belongs to Microsoft. These applications, like the ones you can create in your own account, have a client ID. You will not see all of them in the allowed-application lists visible in the console, but they are allowed by default.

For example, a PowerShell script that authenticates uses an app with the client ID 1950a258-227b-4e31-a9cf-717495945fc2. Even though the app does not appear in the console, a sysadmin could block that application so users cannot access it through tools that connect via this app.

However, there are other client IDs of applications that will let you connect to Azure:
```powershell
# The important part is the ClientId, which identifies the application to login inside Azure
$token = Invoke-Authorize -Credential $credential `
-ClientId '1dfb5f98-f363-4b0f-b63a-8d20ada1e62d' `
-Scope 'Files.Read.All openid profile Sites.Read.All User.Read email' `
-Redirect_Uri "https://graphtryit-staging.azurewebsites.net/" `
-Verbose -Debug `
-InformationAction Continue

$token = Invoke-Authorize -Credential $credential `
-ClientId '65611c08-af8c-46fc-ad20-1888eb1b70d9' `
-Scope 'openid profile Sites.Read.All User.Read email' `
-Redirect_Uri "chrome-extension://imjekgehfljppdblckcmjggcoboemlah" `
-Verbose -Debug `
-InformationAction Continue

$token = Invoke-Authorize -Credential $credential `
-ClientId 'd3ce4cf8-6810-442d-b42e-375e14710095' `
-Scope 'openid' `
-Redirect_Uri "https://graphexplorer.azurewebsites.net/" `
-Verbose -Debug `
-InformationAction Continue
```
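Whichever client is used, the application that requested a token is recorded inside the token itself as the `appid` claim, alongside the audience (`aud`), tenant (`tid`) and granted scopes (`scp`); that is the value an application-blocking or Conditional Access decision keys on, and the first thing to read when reviewing a captured token or a sign-in record. The block below is an added example and not code from the HackTricks page: it decodes the claims of a compact JWT in Python without verifying the signature (inspection only) and summarizes the security-relevant ones. The sample token is constructed and unsigned (`alg` `none`); it reuses the Azure PowerShell client ID quoted above, and every other value in it is made up.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_token_claims(token: str) -> dict:
    """Return the header and payload of a compact JWT WITHOUT checking the signature.
    Use it only to inspect a token you already hold (e.g. `az account get-access-token`
    output); never to decide whether a token is trustworthy."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "payload": json.loads(_b64url_decode(parts[1])),
    }


def summarize_token(token: str, now=None) -> dict:
    """Pull out the claims a reviewer cares about: the resource the token is for (aud),
    the client application that requested it (appid), the tenant (tid), the signed-in
    user, the delegated scopes (scp) or app roles (roles), and whether it has expired."""
    claims = decode_token_claims(token)["payload"]
    now = time.time() if now is None else now
    return {
        "audience": claims.get("aud"),
        "client_app_id": claims.get("appid"),
        "tenant_id": claims.get("tid"),
        "user": claims.get("upn") or claims.get("unique_name"),
        "scopes": claims["scp"].split() if claims.get("scp") else [],
        "app_roles": claims.get("roles", []),
        "expired": claims.get("exp", 0) <= now,
    }


def _make_unsigned_jwt(payload: dict) -> str:
    """Build a constructed, unsigned (alg 'none') token for this demo only."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(payload)}."


# Constructed sample claims shaped like an ARM access token obtained through the
# Azure PowerShell client ID quoted in the text above. Every value is made up.
SAMPLE_TOKEN = _make_unsigned_jwt({
    "aud": "https://management.azure.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "tid": "00000000-0000-0000-0000-000000000000",
    "appid": "1950a258-227b-4e31-a9cf-717495945fc2",
    "upn": "test@corp.onmicrosoft.com",
    "scp": "user_impersonation",
    "exp": 1700000000,
})

if __name__ == "__main__":
    print(json.dumps(summarize_token(SAMPLE_TOKEN), indent=2))
```

On a real token, feed the string printed by `az account get-access-token --query accessToken -o tsv` to `summarize_token`; the `appid` it reports can then be compared against the client IDs the tenant intends to allow.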
### Users
```bash
# az cli
# Enumerate users
az ad user list --output table
az ad user list --query "[].userPrincipalName"
# Get info of 1 user
az ad user show --id "test@corp.onmicrosoft.com"
# Search "admin" users
az ad user list --query "[].displayName" | findstr /i "admin"
az ad user list --query "[?contains(displayName,'admin')].displayName"
# Search attributes containing the word "password"
az ad user list | findstr /i "password" | findstr /v "null,"
# All users from AzureAD
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi==null]"
az ad user list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All users synced from on-prem
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi!=null]"
az ad user list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get groups where the user is a member
az ad user get-member-groups --id <email>
# Get roles assigned to the user
az role assignment list --include-groups --include-classic-administrators true --assignee <email>
```
```powershell
# AzureAD module
# Enumerate Users
Get-AzureADUser -All $true
Get-AzureADUser -All $true | select UserPrincipalName
# Get info of 1 user
Get-AzureADUser -ObjectId test@corp.onmicrosoft.com | fl
# Search "admin" users
Get-AzureADUser -SearchString "admin" #Search admin at the beginning of DisplayName or userPrincipalName
Get-AzureADUser -All $true | ?{$_.Displayname -match "admin"} #Search "admin" word in DisplayName
# Get all attributes of a user
Get-AzureADUser -ObjectId test@defcorphq.onmicrosoft.com | %{$_.PSObject.Properties.Name}
# Search attributes containing the word "password"
Get-AzureADUser -All $true | %{$Properties = $_; $Properties.PSObject.Properties.Name | % {if ($Properties.$_ -match 'password') {"$($Properties.UserPrincipalName) - $_ - $($Properties.$_)"}}}

# All users from AzureAD
Get-AzureADUser -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
# All users synced from on-prem
Get-AzureADUser -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
# Objects created by a/any user
Get-AzureADUser [-ObjectId <email>] | Get-AzureADUserCreatedObject
# Devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Objects owned by a specific user
Get-AzureADUserOwnedObject -ObjectId test@corp.onmicrosoft.com
# Get groups & roles where the user is a member
Get-AzureADUserMembership -ObjectId 'test@corp.onmicrosoft.com'
# Get devices registered by a user
Get-AzureADUserRegisteredDevice -ObjectId test@defcorphq.onmicrosoft.com
# Apps where a user has a role (role not shown)
Get-AzureADUser -ObjectId roygcain@defcorphq.onmicrosoft.com | Get-AzureADUserAppRoleAssignment | fl *
# Get Administrative Units of a user
$userObj = Get-AzureADUser -Filter "UserPrincipalName eq 'bill@example.com'"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where { $_.Id -eq $userObj.ObjectId } }
```
```powershell
# Az PowerShell module
# Enumerate users
Get-AzADUser
# Get details of a user
Get-AzADUser -UserPrincipalName test@defcorphq.onmicrosoft.com
# Search user by string
Get-AzADUser -SearchString "admin" #Search at the beginning of DisplayName
Get-AzADUser | ?{$_.Displayname -match "admin"}
# Get roles assigned to a user
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com
```
It is strongly recommended to enable MFA for every user. However, some companies do not enforce it, or enable it only through a conditional access policy: the user is prompted for MFA when signing in from a specific location or browser, or under certain other conditions. Such policies can be bypassed if they are not configured correctly. Check:
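Beyond reading the policies, MFA coverage can be measured per account. The block below is an added example, not code from the HackTricks page: it post-processes the Microsoft Graph authentication-methods registration report (the JSON returned by `az rest --method get --uri "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails"`, which needs the reporting permissions for that endpoint) and lists admins with no MFA registered, every user with no MFA registered, and users whose only registered methods are phone or e-mail based. The report embedded here is a constructed single page (a real one is paged via `@odata.nextLink`), and which methods count as "weak" is an assumption made for the example.

```python
import json

# Methods that on their own do not amount to app-based or phishing-resistant MFA.
# Treating exactly these as "weak" is an assumption for this example, not a Microsoft definition.
WEAK_METHODS = {"mobilePhone", "alternateMobilePhone", "officePhone", "email"}


def find_mfa_gaps(report: dict) -> dict:
    """Review a userRegistrationDetails report page and return the accounts a defender
    should look at first:
      - admins_without_mfa:  privileged accounts with no MFA method registered
      - users_without_mfa:   every account with no MFA method registered
      - weak_methods_only:   accounts whose registered methods are all in WEAK_METHODS"""
    admins_without_mfa, users_without_mfa, weak_only = [], [], []
    for entry in report.get("value", []):
        upn = entry.get("userPrincipalName", "<unknown>")
        registered = set(entry.get("methodsRegistered", []))
        if not entry.get("isMfaRegistered", False):
            users_without_mfa.append(upn)
            if entry.get("isAdmin", False):
                admins_without_mfa.append(upn)
        elif registered and registered <= WEAK_METHODS:
            weak_only.append(upn)
    return {
        "admins_without_mfa": sorted(admins_without_mfa),
        "users_without_mfa": sorted(users_without_mfa),
        "weak_methods_only": sorted(weak_only),
    }


# Constructed sample shaped like one page of the Graph userRegistrationDetails report.
SAMPLE_REPORT = json.loads("""
{
  "value": [
    {"userPrincipalName": "ga@corp.onmicrosoft.com", "isAdmin": true,
     "isMfaRegistered": false, "methodsRegistered": []},
    {"userPrincipalName": "alice@corp.onmicrosoft.com", "isAdmin": false,
     "isMfaRegistered": true, "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "bob@corp.onmicrosoft.com", "isAdmin": false,
     "isMfaRegistered": true, "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "carol@corp.onmicrosoft.com", "isAdmin": false,
     "isMfaRegistered": false, "methodsRegistered": ["email"]}
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(find_mfa_gaps(SAMPLE_REPORT), indent=2))
```

The admins-without-MFA list is the one to act on first: a conditional access policy that only prompts under certain conditions does nothing for an account that has no method registered at all.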
### Groups

```bash
# az cli
# Enumerate groups
az ad group list
az ad group list --query "[].[displayName]" -o table
# Get info of 1 group
az ad group show --group <group>
# Get "admin" groups
az ad group list --query "[].displayName" | findstr /i "admin"
az ad group list --query "[?contains(displayName,'admin')].displayName"
# All groups from AzureAD
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi==null]"
az ad group list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All groups synced from on-prem
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi!=null]"
az ad group list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get members of group
az ad group member list --group <group> --query "[].userPrincipalName" -o table
# Check if member of group
az ad group member check --group "VM Admins" --member-id <id>
# Get which groups a group is member of
az ad group get-member-groups -g "VM Admins"
# Get Apps where a group has a role (role not shown) - this one is an AzureAD PowerShell cmdlet, not az cli
Get-AzureADGroup -ObjectId <id> | Get-AzureADGroupAppRoleAssignment | fl *
```
```powershell
# AzureAD module
# Enumerate Groups
Get-AzureADGroup -All $true
# Get info of 1 group
Get-AzureADGroup -ObjectId <group_id> | fl
# Get "admin" groups
Get-AzureADGroup -SearchString "admin" | fl #Groups starting by "admin"
Get-AzureADGroup -All $true | ?{$_.Displayname -match "admin"} #Groups with the word "admin"
# Get groups allowing dynamic membership
Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}
# All groups that are from Azure AD
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
# All groups that are synced from on-prem (note that security groups are not synced)
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
# Get members of a group
Get-AzureADGroupMember -ObjectId <group_id>
# Get roles of group
Get-AzureADMSGroup -SearchString "Contoso_Helpdesk_Administrators" #Get group id
Get-AzureADMSRoleAssignment -Filter "principalId eq '69584002-b4d1-4055-9c94-320542efd653'"
# Get Administrative Units of a group
$groupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where {$_.Id -eq $groupObj.ObjectId} }
```

```powershell
# Az PowerShell module
# Get all groups
Get-AzADGroup
# Get details of a group
Get-AzADGroup -ObjectId <id>
# Search group by string
Get-AzADGroup -SearchString "admin" | fl * #Search at the beginning of DisplayName
Get-AzADGroup | ?{$_.Displayname -match "admin"}
# Get members of group
Get-AzADGroupMember -GroupDisplayName <resource_group_name>
# Get roles of group
Get-AzRoleAssignment -ResourceGroupName <resource_group_name>
```
#### Add users to a group

Owners of the group can add new users to the group.

Groups can be dynamic, which basically means that a user is added to a group when they meet certain conditions. Naturally, if those conditions are based on attributes the user can control, they could abuse this feature to get into other groups. Check how dynamic groups can be abused on the following page:

### Service Principals

Note that a service principal in PowerShell terminology is called an Enterprise Application in the Azure portal (web).
```bash
# az cli
# Get Service Principals
az ad sp list --all
az ad sp list --all --query "[].[displayName]" -o table
# Get details of one SP
az ad sp show --id 00000000-0000-0000-0000-000000000000
# Search SP by string
az ad sp list --all --query "[?contains(displayName,'app')].displayName"
# Get owner of service principal
az ad sp owner list --id <id> --query "[].[displayName]" -o table
# Get service principals owned by the current user
az ad sp list --show-mine
# List apps that have password credentials
az ad sp list --all --query "[?passwordCredentials != null].displayName"
# List apps that have key credentials (use of certificate authentication)
az ad sp list --all --query "[?keyCredentials != null].displayName"
```
```powershell
# AzureAD module
# Get Service Principals
Get-AzureADServicePrincipal -All $true
# Get details about a SP
Get-AzureADServicePrincipal -ObjectId <id> | fl *
# Get SP by string name or Id
Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -match "app"} | fl
Get-AzureADServicePrincipal -All $true | ?{$_.AppId -match "103947652-1234-5834-103846517389"}
# Get owner of SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalOwner | fl *
# Get objects owned by a SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalOwnedObject
# Get objects created by a SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalCreatedObject
# Get groups where the SP is a member
Get-AzureADServicePrincipal | Get-AzureADServicePrincipalMembership
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalMembership | fl *
```

```powershell
# Az PowerShell module
# Get SPs
Get-AzADServicePrincipal
# Get info of 1 SP
Get-AzADServicePrincipal -ObjectId <id>
# Search SP by string
Get-AzADServicePrincipal | ?{$_.DisplayName -match "app"}
# Get roles of a SP
Get-AzRoleAssignment -ServicePrincipalName <String>
```
</details>
### Roles
<div data-gb-custom-block data-tag="tabs"></div>
<div data-gb-custom-block data-tag="tab" data-title='az cli'>
```bash
# Get roles
az role definition list
# Get assigned roles
az role assignment list --all --query "[].roleDefinitionName"
az role assignment list --all | jq '.[] | .roleDefinitionName,.scope'
# Get info of 1 role
az role definition list --name "AzureML Registry User"
# Get only custom roles
az role definition list --custom-role-only
# Get only roles assigned to the resource group indicated
az role definition list --resource-group <resource_group>
# Get only roles assigned to the indicated scope
az role definition list --scope <scope>
# Get all the principals a role is assigned to
az role assignment list --all --query "[].{principalName:principalName,principalType:principalType,resourceGroup:resourceGroup,roleDefinitionName:roleDefinitionName}[?roleDefinitionName=='<ROLE_NAME>']"
```
```powershell
# AzureAD module
# Get all available role templates
Get-AzureADDirectoryRoleTemplate
# Get enabled roles (Assigned roles)
Get-AzureADDirectoryRole
Get-AzureADDirectoryRole -ObjectId <roleID> #Get info about the role
# Get custom roles - use AzureAdPreview
Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName
# Users assigned a role (Global Administrator)
Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
Get-AzureADDirectoryRole -ObjectId <id> | fl
# Roles of the Administrative Unit (who has permissions over the administrative unit and its members)
Get-AzureADMSScopedRoleMembership -Id <id> | fl *
```
```powershell
# Az PowerShell module
# Get role definitions available on the subscription
Get-AzRoleDefinition
# Get Role definition
Get-AzRoleDefinition -Name "Virtual Machine Command Executor"
# Get roles of a user or resource
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com
Get-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/<res_group_name>/providers/Microsoft.Compute/virtualMachines/<vm_name>
```
```powershell
# Get permissions over a resource using ARM directly
$Token = (Get-AzAccessToken).Token
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/Research/providers/Microsoft.Compute/virtualMachines/infradminsrv/providers/Microsoft.Authorization/permissions?api-version=2015-07-01'
$RequestParams = @{
    Method  = 'GET'
    Uri     = $URI
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
(Invoke-RestMethod @RequestParams).value
```
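The ARM `permissions` call above answers one direction of the question (what can this principal do on this resource); the review a defender also wants is the other direction: who holds a high-impact role at a broad scope. That is a post-processing job over the JSON from `az role assignment list --all`. The block below is an added example, not code from the HackTricks page: it classifies each assignment's scope (root, management group, subscription, resource group, resource) and groups the privileged, broadly scoped ones by principal. The assignments are constructed samples with a placeholder subscription ID, and the set of roles treated as privileged is an assumption made for the example.

```python
import json
from collections import defaultdict

# Roles treated as high-impact for this review; an assumption for the example, extend as needed.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Scope levels considered broad enough to warrant a look.
BROAD_LEVELS = {"root", "managementGroup", "subscription"}


def scope_level(scope: str) -> str:
    """Classify an ARM scope string by how much it covers."""
    parts = [p for p in scope.strip("/").split("/") if p]
    lower = [p.lower() for p in parts]
    if not parts:
        return "root"                      # "/" is the tenant root scope
    if lower[:3] == ["providers", "microsoft.management", "managementgroups"]:
        return "managementGroup"
    if lower[0] == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and lower[2] == "resourcegroups":
            return "resourceGroup"
        return "resource"
    return "unknown"


def review_assignments(assignments):
    """Group `az role assignment list --all` JSON by principal and keep only the
    privileged roles held at a broad scope. Returns
    {"<principalName> (<principalType>)": [(role, level, scope), ...]}."""
    flagged = defaultdict(list)
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "")
        level = scope_level(scope)
        if role in PRIVILEGED_ROLES and level in BROAD_LEVELS:
            key = f"{a.get('principalName') or a.get('principalId')} ({a.get('principalType', '?')})"
            flagged[key].append((role, level, scope))
    return dict(flagged)


# Constructed sample shaped like `az role assignment list --all` output (placeholder subscription ID).
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"principalName": "alice@corp.onmicrosoft.com", "principalType": "User",
   "roleDefinitionName": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "ci-deploy", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Research"},
  {"principalName": "VM Admins", "principalType": "Group",
   "roleDefinitionName": "Virtual Machine Contributor", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "bob@corp.onmicrosoft.com", "principalType": "User",
   "roleDefinitionName": "User Access Administrator", "scope": "/providers/Microsoft.Management/managementGroups/root-mg"},
  {"principalName": "ci-deploy", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Research/providers/Microsoft.Compute/virtualMachines/infradminsrv"}
]
""")

if __name__ == "__main__":
    for principal, roles in review_assignments(SAMPLE_ASSIGNMENTS).items():
        for role, level, scope in roles:
            print(f"{principal}: {role} at {level} scope {scope}")
```

Feed it real data with `az role assignment list --all -o json > assignments.json` and `json.load`; note that `--all` covers the subscriptions the caller can see, so run it from a context that can read every subscription you care about.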
### Devices
```bash
# az cli
# If you know how to do this send a PR!
```
```powershell
# AzureAD module
# Enumerate Devices
Get-AzureADDevice -All $true | fl *

# List all the active devices (and not the stale devices)
Get-AzureADDevice -All $true | ?{$_.ApproximateLastLogonTimeStamp -ne $null}

# Get owners of all devices
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredOwner
Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredOwner -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}

# Registered users of all the devices
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredUser
Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredUser -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}

# Get devices managed using Intune
Get-AzureADDevice -All $true | ?{$_.IsCompliant -eq "True"}

# Get devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com

# Get Administrative Units of a device
$deviceObjId = (Get-AzureADDevice -SearchString "<device_name>").ObjectId
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where {$_.Id -eq $deviceObjId} }
```
When a device (VM) is Azure AD joined, users from Azure AD can log in to it.

Moreover, if the logged-in user is an owner of the device, they will be a local administrator.

### Applications

Apps are App Registrations in the portal (not Enterprise Applications).

However, every App Registration creates an Enterprise Application (service principal) with the same name.

Moreover, if the app is a multi-tenant app, another Enterprise Application (service principal) with the same name is created in that tenant.

When an app is created, two kinds of permissions are granted:

- Permissions granted to the service principal
- Permissions the app can have and use on behalf of the user
```bash
# az cli
# List Apps
az ad app list
az ad app list --query "[].[displayName]" -o table
# Get info of 1 App
az ad app show --id 00000000-0000-0000-0000-000000000000
# Search App by string
az ad app list --query "[?contains(displayName,'app')].displayName"
# Get the owner of an application
az ad app owner list --id <id> --query "[].[displayName]" -o table
# List all the apps with an application password
az ad app list --query "[?passwordCredentials != null].displayName"
# List apps that have key credentials (use of certificate authentication)
az ad app list --query "[?keyCredentials != null].displayName"
```
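The `passwordCredentials != null` and `keyCredentials != null` filters used here and in the service principal section have a catch: an empty list also satisfies `!= null`, so objects with no secrets at all can appear in the output. The block below is an added example, not code from the HackTricks page, that post-processes the JSON from `az ad app list` or `az ad sp list --all` in Python: it lists the objects that really hold a password or key credential and flags credentials that are already expired but still attached, or whose validity period exceeds a chosen maximum (the usual findings in an app-credential hygiene review). The objects are constructed samples, and the 365-day maximum is an assumption made for the example.

```python
import json
from datetime import datetime, timezone

# Maximum acceptable credential lifetime; 365 days is an assumption for this example.
MAX_LIFETIME_DAYS = 365


def _parse_time(value: str) -> datetime:
    """Parse the ISO-8601 timestamps Graph returns (e.g. 2025-01-31T00:00:00Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def objects_with_credentials(objects, kind="passwordCredentials"):
    """Names of apps/SPs that really hold a credential of the given kind.
    An empty list also satisfies the JMESPath filter `[?passwordCredentials != null]`,
    so the length is tested here instead."""
    return sorted(o["displayName"] for o in objects if o.get(kind))


def audit_credentials(objects, now, max_lifetime_days=MAX_LIFETIME_DAYS):
    """Walk `az ad app list` / `az ad sp list --all` JSON and return hygiene findings as
    (displayName, credential kind, finding) tuples: expired credentials that are still
    attached, and credentials whose validity period is longer than max_lifetime_days."""
    findings = []
    for obj in objects:
        name = obj.get("displayName") or obj.get("appId", "<unnamed>")
        for kind in ("passwordCredentials", "keyCredentials"):
            for cred in obj.get(kind) or []:   # null and [] both mean "no credentials"
                start = _parse_time(cred["startDateTime"])
                end = _parse_time(cred["endDateTime"])
                lifetime_days = (end - start).days
                if end <= now:
                    findings.append((name, kind, "expired credential still attached"))
                elif lifetime_days > max_lifetime_days:
                    findings.append((name, kind, f"lifetime {lifetime_days} days exceeds {max_lifetime_days}"))
    return findings


# Constructed sample shaped like `az ad app list` output (placeholder app IDs, made-up dates).
SAMPLE_OBJECTS = json.loads("""
[
  {"displayName": "ci-deploy", "appId": "11111111-1111-1111-1111-111111111111",
   "passwordCredentials": [
     {"displayName": "old", "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2023-07-01T00:00:00Z"},
     {"displayName": "new", "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z"}
   ],
   "keyCredentials": []},
  {"displayName": "hr-portal", "appId": "22222222-2222-2222-2222-222222222222",
   "passwordCredentials": [],
   "keyCredentials": [
     {"displayName": "cert", "startDateTime": "2024-03-01T00:00:00Z", "endDateTime": "2025-03-01T00:00:00Z"}
   ]},
  {"displayName": "legacy-sync", "appId": "33333333-3333-3333-3333-333333333333",
   "passwordCredentials": null, "keyCredentials": null}
]
""")
# Fixed "current time" for the sample so the result is reproducible.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("password credentials:", objects_with_credentials(SAMPLE_OBJECTS))
    print("key credentials:", objects_with_credentials(SAMPLE_OBJECTS, "keyCredentials"))
    for name, kind, finding in audit_credentials(SAMPLE_OBJECTS, SAMPLE_NOW):
        print(f"{name}: {kind}: {finding}")
```

On real data, pass `datetime.now(timezone.utc)` as `now` and load the JSON written by `az ad app list -o json` or `az ad sp list --all -o json`; the secret values themselves are never part of that output, only their metadata, which is all this check needs.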
Azure AD
Enumeration
Get Tenant Info
GET request to /.well-known/openid-configuration
Get Users
GET request to /users
Get Groups
GET request to /groups
Get Roles
GET request to /roles
Get Service Principals
GET request to /servicePrincipals
Get Applications
GETjson request to /applications
Get Domains
GET request to /domains
Get Subscriptions
GET request to /subscriptions
Get Policies
GET request to /policies
Get Sign-Ins
GET request to /signIns
Get Directory Roles
GET request to /directoryRoles
Get Devices
GET request to /devices
Get Contacts
GETjson request to /contacts
Get Contracts
GET request to /contracts
Get OAuth2PermissionGrants
GET request to /oauth2PermissionGrants
Get AppRoleAssignments
GET request to /appRoleAssignments
Get AppRoleAssignments
GET request to /appRoleAssignments
Get AppRoleAssignments
GET request to /appRoleAssignments
Get AppRoleAssignments
GET request to /appRoleAssignments
Get AppRoleAssignments
GET request to /appRoleAssignments
Get AppRoleAssignments
GET request to /appRoleAssignments
Get AppRoleAssignments
GET request to /appRoleAssignments
Get AppRoleAssignments
GET request to /appRoleAssignments
Get AppRoleAssignments
GET request to /appRoleAssignments
Get AppRoleAssignments
GET request to /appRoleAssignments
Get AppRoleAssignments
```powershell
# List all registered applications
Get-AzureADApplication -All $true
# Get details of an application
Get-AzureADApplication -ObjectId <id> | fl *
# List all the apps with an application password
Get-AzureADApplication -All $true | %{if(Get-AzureADApplicationPasswordCredential -ObjectID $_.ObjectID){$_}}
# Get owner of an application
Get-AzureADApplication -ObjectId <id> | Get-AzureADApplicationOwner |fl *
```
Azure AD enumeration
Enumerate Azure AD users: `Get-AzureADUser`
Enumerate Azure AD groups: `Get-AzureADGroup`
Enumerate Azure AD applications: `Get-AzureADApplication`
Enumerate Azure AD service principals: `Get-AzureADServicePrincipal`
Enumerate Azure AD devices: `Get-AzureADDevice`
```powershell
# Get Apps
Get-AzADApplication
# Get details of one App
Get-AzADApplication -ObjectId <id>
# Get App searching by string
Get-AzADApplication | ?{$_.DisplayName -match "app"}
# Get Apps with password
Get-AzADAppCredential
```
An app with the AppRoleAssignment.ReadWrite permission can escalate to Global Administrator by granting itself the role.
For more information, check this.
The application password is a secret string that the application uses to prove its identity when requesting a token.
If you find this password, you can access the tenant as the service principal.
Note that this password is only visible when it is generated (you could change it, but you cannot retrieve it again).
The owner of the application can add a password to it (in order to impersonate it).
Logins as these service principals are not marked as risky and they won't have MFA.
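The two risks above (application passwords that owners can mint, and the AppRoleAssignment.ReadWrite permission) are what a tenant audit should surface first. The following AzureAD-module script is an added example, not code from the original page: it lists every app registration that carries a password credential together with its owners, and then lists which principals hold the Microsoft Graph app role `AppRoleAssignment.ReadWrite.All` (the full name of the permission referred to above). The 730-day "long-lived" threshold is an assumption; an existing `Connect-AzureAD` session is required.

```powershell
# Added audit example (not from the original page). Assumes Connect-AzureAD was run.
# Assumption: secrets valid for more than 730 days are flagged as long-lived.
$LongLivedDays = 730

function Get-AppPasswordReport {
    Get-AzureADApplication -All $true | ForEach-Object {
        $app   = $_
        $creds = Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId
        if (-not $creds) { return }
        # Owners can add a new secret at any time, so they effectively control this identity
        $owners = (Get-AzureADApplicationOwner -ObjectId $app.ObjectId |
                   ForEach-Object { $_.UserPrincipalName }) -join ';'
        foreach ($c in $creds) {
            # A credential without an end date never expires: treat as infinitely long-lived
            $lifetime = if ($c.EndDate) { ($c.EndDate - $c.StartDate).TotalDays }
                        else { [double]::PositiveInfinity }
            [pscustomobject]@{
                App       = $app.DisplayName
                AppId     = $app.AppId
                KeyId     = $c.KeyId
                Expires   = $c.EndDate
                LongLived = $lifetime -gt $LongLivedDays
                Owners    = $owners
            }
        }
    }
}

function Get-AppRoleAssignmentWriters {
    # Microsoft Graph's service principal exposes application permissions as app roles;
    # 00000003-0000-0000-c000-000000000000 is the well-known Graph appId.
    $graph  = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    $roleId = ($graph.AppRoles | Where-Object { $_.Value -eq 'AppRoleAssignment.ReadWrite.All' }).Id
    # Assignments on the Graph resource whose role id matches are the principals able to
    # grant themselves (or others) any further Graph permission.
    Get-AzureADServiceAppRoleAssignment -ObjectId $graph.ObjectId -All $true |
        Where-Object { $_.Id -eq $roleId } |
        Select-Object PrincipalDisplayName, PrincipalId, PrincipalType
}

Get-AppPasswordReport | Sort-Object Expires | Format-Table -AutoSize
Get-AppRoleAssignmentWriters | Format-Table -AutoSize
```

Any principal returned by the second function should be reviewed as a Global Administrator equivalent, since the page's escalation path applies to it.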
Difference between Applications & (Enterprise Applications or Service Principals)
Difference between an Application and a Service Principal in Azure:
Application/App Registrations: Are applications that exist in your Azure AD
Service Principal/Enterprise Applications: Security objects in your Azure AD that can have privileges over the Azure directory and are linked to your application or to a third-party application
An admin may need to approve the granted permissions if they are very sensitive.
An application can run in a third-party tenant, and once you start using it and grant it access, an Enterprise Application/Service Principal is created in your tenant to give it access to the information it needs:
Administrative Units
They are used for better management of users.
Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they support.
Therefore, you can assign roles to the administrative unit, and the members of it will have these roles.
AzureAD
Enumeration
Service Principal Enumeration:
Use `az ad sp list` to list all service principals.
Use `az ad sp show --id <service_principal_id>` to get details of a specific service principal.
User Enumeration:
Use `az ad user list` to list all users.
Use `az ad user show --id <user_id>` to get details of a specific user.
Group Enumeration:
Use `az ad group list` to list all groups.
Use `az ad group show --group <group_id>` to get details of a specific group.
Application Enumeration:
Use `az ad app list` to list all applications.
Use `az ad app show --id <app_id>` to get details of a specific application.
Dumping Data
Dump All Users: `az ad user list`
Dump All Service Principals: `az ad sp list`
Dump All Groups: `az ad group list`
Dump All Applications: `az ad app list`
Password Spraying
Password Spraying Attack:
The Azure CLI has no `az ad signin` command. Password spraying attempts against Azure AD accounts are authentication events: they appear in the sign-in logs and are risk-scored by Azure AD Identity Protection (see below).
Password Policies
View Password Policies:
`az ad sp list` lists service principals; it does not return password policies.
Privilege Escalation
Add User to Admin Role:
Use `az role assignment create --assignee <user_id> --role Owner` to grant a user the Owner role (an Azure RBAC role on resources, not an Azure AD directory role).
Add Service Principal to Admin Role:
Use `az role assignment create --assignee <service_principal_id> --role Owner` to grant a service principal the Owner role.
Add Group to Admin Role:
Use `az role assignment create --assignee <group_id> --role Owner` to grant a group the Owner role.
```powershell
# Get Administrative Units
Get-AzureADMSAdministrativeUnit
Get-AzureADMSAdministrativeUnit -Id <id>
# Get ID of admin unit by string
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
# List the users, groups, and devices affected by the administrative unit
Get-AzureADMSAdministrativeUnitMember -Id <id>
# Get the roles users have over the members of the AU
Get-AzureADMSScopedRoleMembership -Id <id> | fl #Get role ID and role members
```
Azure AD Identity Protection (AIP)
Azure AD Identity Protection (AIP) is a security service that uses automated detection and remediation to protect user identities in Azure Active Directory from compromise. AIP continuously monitors and assesses the risk of user sign-ins and identity configurations, automatically applying appropriate security measures such as requiring multi-factor authentication or blocking potentially dangerous activities. This helps organizations prevent identity-based security breaches.
Flow:
Azure AD Identity Protection monitors user activities and collects data on user sign-ins, authentication events and other relevant activities.
The service uses machine learning algorithms to analyze this data and detect potential security threats.
Azure AD Identity Protection assigns a risk level to the threat (e.g. a sign-in) and, if necessary, generates an alert in order to perform an automatic action.
Azure AD Password Protection (APP)
Azure AD Password Protection (APP) is a security feature that prevents weak passwords in Azure Active Directory by enforcing strong password policies. APP blocks commonly used weak passwords and their variants, reducing the risk of password-related security breaches. It can be applied both at the cloud level and in on-premises Active Directory, improving overall password security in the organization.