Az - AzureAD (AAD)


Basic Information

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It is what lets employees sign in and access resources both inside and outside the organization, including Microsoft 365, the Azure portal, and a large number of other SaaS applications. Azure AD is designed around the core identity services: authentication, authorization, and user management.

Key features of Azure AD include multi-factor authentication and conditional access, together with seamless integration with other Microsoft security services. These features significantly strengthen the security of user identities and help organizations implement and enforce access policies effectively. As a fundamental component of Microsoft's cloud service ecosystem, Azure AD is essential for cloud-based management of user identities.

Entities

Enumeration

For this enumeration you can use the az cli tool, the PowerShell module AzureAD (or AzureAD Preview), and the Az PowerShell module.

On Linux you need to install PowerShell Core:

```bash
sudo apt-get update
sudo apt-get install -y wget apt-transport-https software-properties-common

# Ubuntu 20.04
wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb

# Update repos
sudo apt-get update
sudo add-apt-repository universe

# Install & start powershell
sudo apt-get install -y powershell
pwsh

# Az cli
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
```

Differences between the modules

  • AzureAD is Microsoft's PowerShell module for managing Azure AD. It does not show all properties of Azure AD objects and cannot be used to access Azure resource information.

  • Az PowerShell is the module for managing Azure resources from the PowerShell command line.

Connection

```bash
az login #This will open the browser
az login -u <username> -p <password> #Specify user and password
az login --identity #Use the current machine managed identity (metadata)
az login --identity -u /subscriptions/<subscriptionId>/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID #Login with user managed identity
# Login as service principal
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret --tenant contoso.onmicrosoft.com #With password
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p ~/mycertfile.pem --tenant contoso.onmicrosoft.com #With cert

# Request access token (ARM)
az account get-access-token
# Request access token for different resource. Supported tokens: aad-graph, arm, batch, data-lake, media, ms-graph, oss-rdbms
az account get-access-token --resource-type aad-graph

# If you want to configure some defaults
az configure

# Get user logged-in already
az ad signed-in-user show

# Help
az find "vm" # Find vm commands
az vm -h # Get subcommands
az ad user list --query-examples # Get examples
```

When you log in to Azure via the CLI, you are using an Azure application from a tenant that belongs to Microsoft. These applications, like the ones you can create in your own account, have a client ID. Not all of them appear in the list of allowed applications you can see in the console, but they are allowed by default.

For example, the client ID of the application used for authentication from PowerShell scripts is 1950a258-227b-4e31-a9cf-717495945fc2. Even though the app does not appear in the console, a sysadmin can block it so that users cannot use the tools that connect through that app.

However, there are other client IDs of applications that allow you to connect to Azure:

```powershell
# The important part is the ClientId, which identifies the application to login inside Azure

$token = Invoke-Authorize -Credential $credential `
    -ClientId '1dfb5f98-f363-4b0f-b63a-8d20ada1e62d' `
    -Scope 'Files.Read.All openid profile Sites.Read.All User.Read email' `
    -Redirect_Uri "https://graphtryit-staging.azurewebsites.net/" `
    -Verbose -Debug `
    -InformationAction Continue

$token = Invoke-Authorize -Credential $credential `
    -ClientId '65611c08-af8c-46fc-ad20-1888eb1b70d9' `
    -Scope 'openid profile Sites.Read.All User.Read email' `
    -Redirect_Uri "chrome-extension://imjekgehfljppdblckcmjggcoboemlah" `
    -Verbose -Debug `
    -InformationAction Continue

$token = Invoke-Authorize -Credential $credential `
    -ClientId 'd3ce4cf8-6810-442d-b42e-375e14710095' `
    -Scope 'openid' `
    -Redirect_Uri "https://graphexplorer.azurewebsites.net/" `
    -Verbose -Debug `
    -InformationAction Continue
```
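The flip side of the client IDs above is visibility: every token request leaves a sign-in record carrying the requesting appId. As an added example (not code from the original page), the following groups Azure AD sign-in records by user and client appId and keeps only the first-party client IDs quoted above, so an admin can see who is authenticating through PowerShell or the Graph tooling before deciding to block an app. Get-SignInsFromGraph is the live query (assumes a Graph token with AuditLog.Read.All); the labels and the sample records are constructed for the demo.

```powershell
# Client IDs quoted on this page; the labels are derived from the redirect URIs shown above.
$KnownClientIds = @{
    '1950a258-227b-4e31-a9cf-717495945fc2' = 'PowerShell scripts'
    '1dfb5f98-f363-4b0f-b63a-8d20ada1e62d' = 'graphtryit-staging redirect'
    '65611c08-af8c-46fc-ad20-1888eb1b70d9' = 'chrome-extension redirect'
    'd3ce4cf8-6810-442d-b42e-375e14710095' = 'graphexplorer redirect'
}

function Get-SignInsFromGraph {
    # Live variant: pulls the latest sign-in records (assumes AuditLog.Read.All; paging omitted).
    param([Parameter(Mandatory)][string]$GraphToken)
    $resp = Invoke-RestMethod -Method GET -Headers @{ Authorization = "Bearer $GraphToken" } `
        -Uri 'https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=100'
    return $resp.value
}

function Find-FirstPartyClientSignIns {
    # Groups Graph signIn objects by user + client appId and keeps only the known client IDs.
    param([Parameter(Mandatory)][object[]]$SignIns)
    $SignIns |
        Where-Object { $_.appId -and $KnownClientIds.ContainsKey($_.appId) } |
        Group-Object userPrincipalName, appId |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                User      = $first.userPrincipalName
                AppId     = $first.appId
                Client    = $KnownClientIds[$first.appId]
                SignIns   = $_.Count
                Failures  = @($_.Group | Where-Object { $_.status.errorCode -ne 0 }).Count
                SourceIPs = ($_.Group.ipAddress | Sort-Object -Unique) -join ','
                LastSeen  = ($_.Group | Sort-Object createdDateTime -Descending)[0].createdDateTime
            }
        }
}

# Constructed sample in the shape of Graph signIn objects (not real log data).
# The third appId is a placeholder for any application that is not on the watch list.
$sample = @'
[
 {"createdDateTime":"2024-03-01T10:00:00Z","userPrincipalName":"alice@corp.onmicrosoft.com","appId":"1950a258-227b-4e31-a9cf-717495945fc2","ipAddress":"203.0.113.10","status":{"errorCode":0}},
 {"createdDateTime":"2024-03-01T10:05:00Z","userPrincipalName":"alice@corp.onmicrosoft.com","appId":"1950a258-227b-4e31-a9cf-717495945fc2","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
 {"createdDateTime":"2024-03-02T08:30:00Z","userPrincipalName":"bob@corp.onmicrosoft.com","appId":"d3ce4cf8-6810-442d-b42e-375e14710095","ipAddress":"198.51.100.7","status":{"errorCode":0}},
 {"createdDateTime":"2024-03-02T09:00:00Z","userPrincipalName":"carol@corp.onmicrosoft.com","appId":"11111111-1111-1111-1111-111111111111","ipAddress":"198.51.100.9","status":{"errorCode":0}}
]
'@ | ConvertFrom-Json

# Offline run on the sample: alice (2 sign-ins, 1 failure) and bob are reported, carol is not.
# Live use: Find-FirstPartyClientSignIns -SignIns (Get-SignInsFromGraph -GraphToken $Token)
Find-FirstPartyClientSignIns -SignIns $sample | Format-Table -AutoSize
```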

Users

```bash
# Enumerate users
az ad user list --output table
az ad user list --query "[].userPrincipalName"
# Get info of 1 user
az ad user show --id "test@corp.onmicrosoft.com"
# Search "admin" users
az ad user list --query "[].displayName" | findstr /i "admin"
az ad user list --query "[?contains(displayName,'admin')].displayName"
# Search attributes containing the word "password"
az ad user list | findstr /i "password" | findstr /v "null,"
# All users from AzureAD
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi==null]"
az ad user list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All users synced from on-prem
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi!=null]"
az ad user list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get groups where the user is a member
az ad user get-member-groups --id <email>
# Get roles assigned to the user
az role assignment list --include-groups --include-classic-administrators true --assignee <email>
```

AzureAD

```powershell
# Enumerate Users
Get-AzureADUser -All $true
Get-AzureADUser -All $true | select UserPrincipalName
# Get info of 1 user
Get-AzureADUser -ObjectId test@corp.onmicrosoft.com | fl
# Search "admin" users
Get-AzureADUser -SearchString "admin" #Search admin at the beginning of DisplayName or userPrincipalName
Get-AzureADUser -All $true |?{$_.Displayname -match "admin"} #Search "admin" word in DisplayName
# Get all attributes of a user
Get-AzureADUser -ObjectId test@defcorphq.onmicrosoft.com|%{$_.PSObject.Properties.Name}
# Search attributes containing the word "password"
Get-AzureADUser -All $true |%{$Properties = $_;$Properties.PSObject.Properties.Name | % {if ($Properties.$_ -match 'password') {"$($Properties.UserPrincipalName) - $_ - $($Properties.$_)"}}}
# All users from AzureAD
Get-AzureADUser -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
# All users synced from on-prem
Get-AzureADUser -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
# Objects created by a/any user
Get-AzureADUser [-ObjectId <email>] | Get-AzureADUserCreatedObject
# Devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Objects owned by a specific user
Get-AzureADUserOwnedObject -ObjectId test@corp.onmicrosoft.com
# Get groups & roles where the user is a member
Get-AzureADUserMembership -ObjectId 'test@corp.onmicrosoft.com'
# Get devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Get devices registered by a user
Get-AzureADUserRegisteredDevice -ObjectId test@defcorphq.onmicrosoft.com
# Apps where a user has a role (role not shown)
Get-AzureADUser -ObjectId roygcain@defcorphq.onmicrosoft.com | Get-AzureADUserAppRoleAssignment | fl *
# Get Administrative Units of a user
$userObj = Get-AzureADUser -Filter "UserPrincipalName eq 'bill@example.com'"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where { $_.Id -eq $userObj.ObjectId } }
```

Az PowerShell

```powershell
# Enumerate users
Get-AzADUser
# Get details of a user
Get-AzADUser -UserPrincipalName test@defcorphq.onmicrosoft.com
# Search user by string
Get-AzADUser -SearchString "admin" #Search at the beginning of DisplayName
Get-AzADUser | ?{$_.Displayname -match "admin"}
# Get roles assigned to a user
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com
```

Change user password

```powershell
$password = "ThisIsTheNewPassword.!123" | ConvertTo-SecureString -AsPlainText -Force

(Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq "victim@corp.onmicrosoft.com"}).ObjectId | Set-AzureADUserPassword -Password $password -Verbose
```

MFA & Conditional Access Policies

It is highly recommended to add MFA for all users, but some companies do not set it up, or set it up through Conditional Access so that MFA is only required when the user logs in from a specific location, browser or under certain conditions. If these policies are not configured correctly, they might be bypassed. Check:

Az - Conditional Access Policies / MFA Bypass

Groups

```bash
# Enumerate groups
az ad group list
az ad group list --query "[].[displayName]" -o table
# Get info of 1 group
az ad group show --group <group>
# Get "admin" groups
az ad group list --query "[].displayName" | findstr /i "admin"
az ad group list --query "[?contains(displayName,'admin')].displayName"
# All groups from AzureAD
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi==null]"
az ad group list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All groups synced from on-prem
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi!=null]"
az ad group list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get members of group
az ad group member list --group <group> --query "[].userPrincipalName" -o table
# Check if member of group
az ad group member check --group "VM Admins" --member-id <id>
# Get which groups a group is member of
az ad group get-member-groups -g "VM Admins"
# Get Apps where a group has a role (role not shown)
Get-AzureADGroup -ObjectId <id> | Get-AzureADGroupAppRoleAssignment | fl *
```

AzureAD

```powershell
# Enumerate Groups
Get-AzureADGroup -All $true
# Get info of 1 group
Get-AzADGroup -DisplayName <group_name> | fl
# Get "admin" groups
Get-AzureADGroup -SearchString "admin" | fl #Groups starting by "admin"
Get-AzureADGroup -All $true |?{$_.Displayname -match "admin"} #Groups with the word "admin"
# Get groups allowing dynamic membership
Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}
# All groups that are from Azure AD
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
# All groups that are synced from on-prem (note that security groups are not synced)
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
# Get members of a group
Get-AzureADGroupMember -ObjectId <group_id>
# Get roles of group
Get-AzureADMSGroup -SearchString "Contoso_Helpdesk_Administrators" #Get group id
Get-AzureADMSRoleAssignment -Filter "principalId eq '69584002-b4d1-4055-9c94-320542efd653'"
# Get Administrative Units of a group
$groupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where {$_.Id -eq $groupObj.ObjectId} }
```

Az PowerShell


```powershell
# Get all groups
Get-AzADGroup
# Get details of a group
Get-AzADGroup -ObjectId <id>
# Search group by string
Get-AzADGroup -SearchString "admin" | fl * #Search at the beginning of DisplayName
Get-AzADGroup |?{$_.Displayname -match "admin"}
# Get members of group
Get-AzADGroupMember -GroupDisplayName <group_name>
# Get roles assigned to a group
Get-AzRoleAssignment -ObjectId <group_id>
```

Add users to a group

The owners of a group can add new users to the group:

```powershell
Add-AzureADGroupMember -ObjectId <group_id> -RefObjectId <user_id> -Verbose
```

Groups can be dynamic, which means that when a user fulfils certain conditions they are added to the group. Of course, if those conditions are based on attributes the user can control, the feature could be abused to get into other groups. Check how dynamic groups can be abused in the following page:

Az - Dynamic Groups Privesc

Service Principals / Enterprise Applications

Note that what is called a Service Principal in PowerShell terminology is called an Enterprise Application in the Azure portal (web).

```bash
# Get Service Principals
az ad sp list --all
az ad sp list --all --query "[].[displayName]" -o table
# Get details of one SP
az ad sp show --id 00000000-0000-0000-0000-000000000000
# Search SP by string
az ad sp list --all --query "[?contains(displayName,'app')].displayName"
# Get owner of service principal
az ad sp owner list --id <id> --query "[].[displayName]" -o table
# Get service principals owned by the current user
az ad sp list --show-mine
# List apps that have password credentials
az ad sp list --all --query "[?passwordCredentials != null].displayName"
# List apps that have key credentials (use of certificate authentication)
az ad sp list --all --query "[?keyCredentials != null].displayName"
```

AzureAD

```powershell
# Get Service Principals
Get-AzureADServicePrincipal -All $true
# Get details about a SP
Get-AzureADServicePrincipal -ObjectId <id> | fl *
# Get SP by string name or Id
Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -match "app"} | fl
Get-AzureADServicePrincipal -All $true | ?{$_.AppId -match "103947652-1234-5834-103846517389"}
# Get owner of SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalOwner |fl *
# Get objects owned by a SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalOwnedObject
# Get objects created by a SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalCreatedObject
# Get groups where the SP is a member
Get-AzureADServicePrincipal | Get-AzureADServicePrincipalMembership
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalMembership |fl *
```

Az PowerShell

```powershell
# Get SPs
Get-AzADServicePrincipal
# Get info of 1 SP
Get-AzADServicePrincipal -ObjectId <id>
# Search SP by string
Get-AzADServicePrincipal | ?{$_.DisplayName -match "app"}
# Get roles of a SP
Get-AzRoleAssignment -ServicePrincipalName <String>
```

Applications can also be listed directly through the Graph API with an access token:

```powershell
$Token = 'eyJ0eX..'
$URI = 'https://graph.microsoft.com/v1.0/applications'
$RequestParams = @{
    Method  = 'GET'
    Uri     = $URI
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
(Invoke-RestMethod @RequestParams).value
```

The owner of a Service Principal can change its password.

List and try to add a client secret on each Enterprise App:

```powershell
# Just call Add-AzADAppSecret
Function Add-AzADAppSecret {
<#
.SYNOPSIS
Add client secret to the applications.
.PARAMETER GraphToken
Pass the Graph API Token
.EXAMPLE
PS C:\> Add-AzADAppSecret -GraphToken 'eyJ0eX..'
.LINK
https://docs.microsoft.com/en-us/graph/api/application-list?view=graph-rest-1.0&tabs=http
https://docs.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0&tabs=http
#>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$True)]
        [String]
        $GraphToken = $null
    )

    $AppList = $null
    $AppPassword = $null

    # List All the Applications
    $Params = @{
        "URI"     = "https://graph.microsoft.com/v1.0/applications"
        "Method"  = "GET"
        "Headers" = @{
            "Content-Type"  = "application/json"
            "Authorization" = "Bearer $GraphToken"
        }
    }
    try { $AppList = Invoke-RestMethod @Params -UseBasicParsing } catch { }

    # Add Password in the Application
    if($AppList -ne $null) {
        [System.Collections.ArrayList]$Details = @()
        foreach($App in $AppList.value) {
            $ID = $App.ID
            $psobj = New-Object PSObject
            $Params = @{
                "URI"     = "https://graph.microsoft.com/v1.0/applications/$ID/addPassword"
                "Method"  = "POST"
                "Headers" = @{
                    "Content-Type"  = "application/json"
                    "Authorization" = "Bearer $GraphToken"
                }
            }
            $Body = @{ "passwordCredential" = @{ "displayName" = "Password" } }
            try {
                $AppPassword = Invoke-RestMethod @Params -UseBasicParsing -Body ($Body | ConvertTo-Json)
                Add-Member -InputObject $psobj -NotePropertyName "Object ID" -NotePropertyValue $ID
                Add-Member -InputObject $psobj -NotePropertyName "App ID" -NotePropertyValue $App.appId
                Add-Member -InputObject $psobj -NotePropertyName "App Name" -NotePropertyValue $App.displayName
                Add-Member -InputObject $psobj -NotePropertyName "Key ID" -NotePropertyValue $AppPassword.keyId
                Add-Member -InputObject $psobj -NotePropertyName "Secret" -NotePropertyValue $AppPassword.secretText
                $Details.Add($psobj) | Out-Null
            } catch {
                Write-Output "Failed to add new client secret to '$($App.displayName)' Application."
            }
        }
        if($Details -ne $null) {
            Write-Output ""
            Write-Output "Client secret added to : "
            Write-Output $Details | fl *
        }
    } else {
        Write-Output "Failed to Enumerate the Applications."
    }
}
```
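The defender's counterpart of the function above, as an added example (not code from the page or from any project it describes): the same GET /applications call returns each app's passwordCredentials, so an auditor can list every client secret, when it was added and how long it lives, and spot one that an app owner silently added (Add-AzADAppSecret names its secret "Password"). Get-GraphApplications is the live query and assumes a Graph token with Application.Read.All; the report itself runs offline on constructed sample data.

```powershell
function Get-GraphApplications {
    # Live variant: fetch all app registrations with their password credentials, following paging.
    param([Parameter(Mandatory)][string]$GraphToken)
    $apps = @()
    $uri = 'https://graph.microsoft.com/v1.0/applications?$select=id,appId,displayName,passwordCredentials'
    while ($uri) {
        $resp = Invoke-RestMethod -Method GET -Uri $uri -Headers @{ Authorization = "Bearer $GraphToken" }
        $apps += $resp.value
        $uri = $resp.'@odata.nextLink'   # absent on the last page, which ends the loop
    }
    return $apps
}

function Get-AppSecretReport {
    # One row per client secret, flagged when it is new, long-lived or already expired.
    param(
        [Parameter(Mandatory)][object[]]$Applications,
        [datetime]$Now = (Get-Date).ToUniversalTime(),
        [int]$RecentDays = 7,         # secrets added within this window are flagged RecentlyAdded
        [int]$MaxLifetimeDays = 365   # secrets valid longer than this are flagged LongLived
    )
    foreach ($app in $Applications) {
        foreach ($cred in @($app.passwordCredentials)) {
            if (-not $cred) { continue }
            # [datetime] cast handles both ISO strings (PowerShell 5.1) and datetimes (PowerShell 7)
            $start = ([datetime]$cred.startDateTime).ToUniversalTime()
            $end   = ([datetime]$cred.endDateTime).ToUniversalTime()
            $flags = @()
            if (($Now - $start).TotalDays -le $RecentDays)      { $flags += 'RecentlyAdded' }
            if (($end - $start).TotalDays -gt $MaxLifetimeDays) { $flags += 'LongLived' }
            if ($end -lt $Now)                                  { $flags += 'Expired' }
            [pscustomobject]@{
                App        = $app.displayName
                AppId      = $app.appId
                KeyId      = $cred.keyId
                SecretName = $cred.displayName
                Added      = $start
                Expires    = $end
                Flags      = ($flags -join ',')
            }
        }
    }
}

# Constructed sample in the shape of the Graph /applications response (placeholder IDs, not real data).
$sample = @'
{"value":[
 {"id":"aaaaaaaa-0000-0000-0000-000000000001","appId":"bbbbbbbb-0000-0000-0000-000000000001","displayName":"Payroll API",
  "passwordCredentials":[{"keyId":"cccccccc-0000-0000-0000-000000000001","displayName":"ci-pipeline","startDateTime":"2023-01-10T00:00:00Z","endDateTime":"2024-01-10T00:00:00Z"}]},
 {"id":"aaaaaaaa-0000-0000-0000-000000000002","appId":"bbbbbbbb-0000-0000-0000-000000000002","displayName":"Helpdesk Bot",
  "passwordCredentials":[{"keyId":"cccccccc-0000-0000-0000-000000000002","displayName":"Password","startDateTime":"2024-03-09T14:00:00Z","endDateTime":"2026-03-09T14:00:00Z"}]},
 {"id":"aaaaaaaa-0000-0000-0000-000000000003","appId":"bbbbbbbb-0000-0000-0000-000000000003","displayName":"Intranet","passwordCredentials":[]}
]}
'@ | ConvertFrom-Json

# Fixed "now" so the sample is reproducible: Payroll API is Expired, Helpdesk Bot is RecentlyAdded,LongLived.
# Live use: Get-AppSecretReport -Applications (Get-GraphApplications -GraphToken $Token)
Get-AppSecretReport -Applications $sample.value -Now ([datetime]'2024-03-10T00:00:00Z').ToUniversalTime() |
    Format-Table App, SecretName, Added, Expires, Flags -AutoSize
```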

Roles


```bash
# Get roles
az role definition list
# Get assigned roles
az role assignment list --all --query "[].roleDefinitionName"
az role assignment list --all | jq '.[] | .roleDefinitionName,.scope'
# Get info of 1 role
az role definition list --name "AzureML Registry User"
# Get only custom roles
az role definition list --custom-role-only
# Get only roles assigned to the resource group indicated
az role definition list --resource-group <resource_group>
# Get only roles assigned to the indicated scope
az role definition list --scope <scope>
# Get all the principals a role is assigned to
az role assignment list --all --query "[].{principalName:principalName,principalType:principalType,resourceGroup:resourceGroup,roleDefinitionName:roleDefinitionName}[?roleDefinitionName=='<ROLE_NAME>']"
```

AzureAD

```powershell
# Get all available role templates
Get-AzureADDirectoryRoleTemplate
# Get enabled roles (Assigned roles)
Get-AzureADDirectoryRole
Get-AzureADDirectoryRole -ObjectId <roleID> #Get info about the role
# Get custom roles - use AzureAdPreview
Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName
# Users assigned a role (Global Administrator)
Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
Get-AzureADDirectoryRole -ObjectId <id> | fl
# Roles of the Administrative Unit (who has permissions over the administrative unit and its members)
Get-AzureADMSScopedRoleMembership -Id <id> | fl *
```

Az PowerShell

```powershell
# Get role definitions available on the subscription
Get-AzRoleDefinition
# Get Role definition
Get-AzRoleDefinition -Name "Virtual Machine Command Executor"
# Get roles of a user or resource
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com
Get-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/<res_group_name>/providers/Microsoft.Compute/virtualMachines/<vm_name>
```

Azure AD Enumeration

User Enumeration

  • Description: Azure AD user enumeration can be performed using the Graph API. This can help identify valid usernames for further attacks.

  • Detection: Monitor for excessive requests to the Graph API /users endpoint.

  • Recommendation: Implement rate limiting on requests to the Graph API to prevent enumeration.

Group Enumeration

  • Description: Azure AD group enumeration can be performed using the Graph API. Understanding group memberships can help in lateral movement.

  • Detection: Monitor for unusual or unauthorized requests to the Graph API /groups endpoint.

  • Recommendation: Regularly review and update group memberships to minimize the risk of unauthorized access.

Application Enumeration

  • Description: Azure AD application enumeration can reveal information about registered applications and their configurations.

  • Detection: Monitor for requests to the Graph API /applications endpoint that may indicate reconnaissance activities.

  • Recommendation: Regularly review and audit registered applications to ensure they are still needed and properly configured.

Device Enumeration

  • Description: Azure AD device enumeration can provide insights into registered devices and their attributes.

  • Detection: Monitor for suspicious requests to the Graph API /devices endpoint that may indicate unauthorized device reconnaissance.

  • Recommendation: Enforce device registration controls and regularly review registered devices for compliance.

Service Principal Enumeration

  • Description: Azure AD service principal enumeration can help identify service principals and their permissions within the directory.

  • Detection: Monitor for requests to the Graph API /servicePrincipals endpoint that may indicate reconnaissance or privilege escalation attempts.

  • Recommendation: Regularly review and update service principal permissions to adhere to the principle of least privilege.

OAuth Application Enumeration

  • Description: Azure AD OAuth application enumeration can provide insights into OAuth applications registered in the directory.

  • Detection: Monitor for requests to the Graph API /oauth2PermissionGrants endpoint that may indicate unauthorized OAuth application activities.

  • Recommendjson: Regularly review and audit OAuth applications to ensure they comply with security policies and standards.

Risky Sign-Ins Enumeration

  • Description: Azure AD risky sign-ins enumeration can help identify sign-in attempts that are considered risky based on Azure AD Identity Protection policies.

  • Detection: Monitor for risky sign-in events and investigate further to determine the nature of the risk.

  • Recommendation: Configure Azure AD Identity Protection policies to enforce multi-factor authentication and other security measures for risky sign-ins.

Directory Role Enumeration

  • Description: Azure AD directory role enumeration can reveal information about directory roles assigned to users.

  • Detection: Monitor for changes to directory role assignments that may indicate unauthorized privilege escalation.

  • Recommendation: Regularly review and update directory role assignments to ensure adherence to the principle of least privilege.

Domain Enumeration

  • Description: Azure AD domain enumeration can provide information about verified domains in the directory.

  • Detection: Monitor for unauthorized attempts to add or verify domains in Azure AD.

  • Recommendation: Implement controls to prevent unauthorized domain additions and regularly review verified domains for accuracy.

Policy Enumeration

  • Description: Azure AD policy enumeration can reveal information about configured policies in the directory.

  • Detection: Monitor for changes to policies that may indicate unauthorized modifications.

  • Recommendation: Regularly review and update policies to align with security requirements and best practices.

Credential Enumeration

  • Description: Azure AD credential enumeration can help identify leaked or weak credentials within the directory.

  • Detection: Monitor for suspicious authentication events that may indicate credential abuse.

  • Recommendation: Enforce strong password policies, implement multi-factor authentication, and regularly audit credentials for security weaknesses.

Security Defaults Enumeration

  • Description: Azure AD security defaults enumeration can provide insights into the security settings enabled by default in the directory.

  • Detection: Monitor for changes to security defaults configurations that may weaken the overall security posture.

  • Recommendation: Review and customize security defaults settings to align with organizational security requirements.

Sign-In Logs Enumeration

  • Description: Azure AD sign-in logs enumeration can help track and analyze sign-in activities in the directory.

  • Detection: Monitor for suspicious sign-in events that may indicate unauthorized access.

  • Recommendation: Regularly review sign-in logs for anomalies and investigate any suspicious activities promptly.

Conditional Access Enumeration

  • Description: Azure AD conditional access enumeration can reveal information about configured conditional access policies. -jsonDetection: Monitor for changes to conditional access policies that may indicate unauthorized access attempts.

  • Recommendation: Regularly review and update conditional access policies to enforce access controls and security measures effectively.

Identity Protection Enumeration

  • Description: Azure AD Identity Protection enumeration can provide insights into risk detections and vulnerabilities identified by Azure AD Identity Protection.

  • Detection: Monitor for risk detections and vulnerabilities identified by Azure AD Identity Protection that may require immediate action.

  • Recommendation: Respond promptly to risk detections and vulnerabilities identified by Azure AD Identity Protection to mitigate potential security risks.

B2B Guest Enumeration

  • Description: Azure AD B2B guest enumeration can help identify external users invited to the directory as guests.

  • Detection: Monitor for unusual guest activities that may indicate unauthorized access or misuse.

  • Recommendation: Regularly review and manage B2B guest access to prevent unauthorized access and data leakage.

Legacy Authentication Enumeration

  • Description: Azure AD legacy authentication enumeration can help identify authentication attempts using legacy protocols.

  • Detection: Monitor for legacy authentication events that may pose security risks due to outdated authentication mechanisms.

  • Recommendation: Disable legacy authentication protocols and encourage the use of modern authentication methods to enhance security.

Risky Users Enumeration

  • Description: Azure AD risky users enumeration can help identify users with risky behavior or compromised credentials.

  • Detection: Monitor for risky user activities and investigate further to determine the extent of the risk.

  • Recommendation: Take immediate action to secure accounts of risky users and enforce additional security measures as needed.

Security Defaults Enumeration

  • Description: Azure AD security defaults enumeration can provide insights into the security settings enabled by default in the directory.

  • Detection: Monitor for changes to security defaults configurations that may weaken the overall security posture.

  • Recommendation: Review and customize security defaults settings to align with organizational security requirements.

Sign-In Logs Enumeration

  • Description: Azure AD sign-in logs enumeration can help track and analyze sign-in activities in the directory.

  • Detection: Monitor for suspicious sign-in events that may indicate unauthorized access.

  • Recommendation: Regularly review sign-in logs for anomalies and investigate any suspicious activities promptly.

Conditional Access Enumeration

  • Description: Azure AD conditional access enumeration can reveal information about configured conditional access policies.

  • Detection: Monitor for changes to conditional access policies that may indicate unauthorized access attempts.

  • Recommendation: Regularly review and update conditional access policies to enforce access controls and security measures effectively.

Identity Protection Enumeration

  • Description: Azure AD Identity Protection enumeration can provide insights into risk detections and vulnerabilities identified by Azure AD Identity Protection.

  • Detection: Monitor for risk detections and vulnerabilities identified by Azure AD Identity Protection that may require immediate action.

  • Recommendation: Respond promptly to risk detections and vulnerabilities identified by Azure AD Identity Protection to mitigate potential security risks.

B2B Guest Enumeration

  • Description: Azure AD B2B guest enumeration can help identify external users invited to the directory as guests.

  • Detection: Monitor for unusual guest activities that may indicate unauthorized access or misuse.

  • Recommendation: Regularly review and manage B2B guest access to prevent unauthorized access and data leakage.

Legacy Authentication Enumeration

  • Description: Azure AD legacy authentication enumeration can help identify authentication attempts using legacy protocols.

  • Detection: Monitor for legacy authentication events that may pose security risks due to outdated authentication mechanisms.

  • Recommendation: Disable legacy authentication protocols and encourage the use of modern authentication methods to enhance security.

Risky Users Enumeration

  • Description: Azure AD risky users enumeration can help identify users with risky behavior or compromised credentials.

  • Detection: Monitor for risky user activities and investigate further to determine the extent of the risk.

  • Recommendation: Take immediate action to secure accounts of risky users and enforce additional security measures as needed.
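
The following PowerShell, added here and not part of the original page, triages exported sign-in entries for the conditions the items above ask you to watch: legacy authentication protocols, risky sign-ins and failed Conditional Access evaluations. The entries are constructed; their field names are assumed to follow the Microsoft Graph signIn resource, and the function name is mine.

```powershell
# Client-app values Azure AD reports for modern authentication; anything else
# (IMAP4, POP3, SMTP, Exchange ActiveSync, "Other clients", ...) is a legacy protocol.
$ModernClients = @('Browser', 'Mobile Apps and Desktop clients')

function Get-SignInFindings {
    # Takes sign-in objects shaped like the Graph signIn resource (assumed schema) and
    # returns one finding per entry that matches at least one of the three conditions.
    param([Parameter(Mandatory)] [object[]] $SignIns)

    foreach ($s in $SignIns) {
        $reasons = [System.Collections.Generic.List[string]]::new()

        if ($s.clientAppUsed -and ($ModernClients -notcontains $s.clientAppUsed)) {
            $reasons.Add("legacy auth: $($s.clientAppUsed)")
        }
        if ($s.riskLevelDuringSignIn -in @('medium', 'high')) {
            $reasons.Add("risky sign-in: $($s.riskLevelDuringSignIn)")
        }
        if ($s.conditionalAccessStatus -eq 'failure') {
            $reasons.Add('Conditional Access failure')
        }
        if ($reasons.Count -eq 0) { continue }

        [pscustomobject]@{
            Time      = $s.createdDateTime
            User      = $s.userPrincipalName
            IpAddress = $s.ipAddress
            # A legacy-protocol sign-in that actually succeeded is the one to chase first.
            Succeeded = ($s.status.errorCode -eq 0)
            Reasons   = ($reasons -join '; ')
        }
    }
}

# Constructed sample in the shape of a Graph sign-in export (not real tenant data).
$SampleJson = @'
[
  {"createdDateTime": "2024-06-01T08:00:00Z", "userPrincipalName": "alice@contoso.onmicrosoft.com",
   "ipAddress": "203.0.113.10", "clientAppUsed": "Browser", "riskLevelDuringSignIn": "none",
   "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
  {"createdDateTime": "2024-06-01T08:05:00Z", "userPrincipalName": "svc-mail@contoso.onmicrosoft.com",
   "ipAddress": "198.51.100.7", "clientAppUsed": "IMAP4", "riskLevelDuringSignIn": "none",
   "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
  {"createdDateTime": "2024-06-01T08:09:00Z", "userPrincipalName": "bob@contoso.onmicrosoft.com",
   "ipAddress": "192.0.2.44", "clientAppUsed": "Mobile Apps and Desktop clients",
   "riskLevelDuringSignIn": "high", "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}}
]
'@

$findings = Get-SignInFindings -SignIns ($SampleJson | ConvertFrom-Json)
$findings | Format-Table -AutoSize
```

Real entries can be pulled with `az rest --method GET --url https://graph.microsoft.com/v1.0/auditLogs/signIns` (needs AuditLog.Read.All) and the response's `value` array passed to the same function.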

# Get permissions over a resource using ARM directly
$Token = (Get-AzAccessToken).Token
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/Research/providers/Microsoft.Compute/virtualMachines/infradminsrv/providers/Microsoft.Authorization/permissions?api-version=2015-07-01'
$RequestParams = @{
    Method  = 'GET'
    Uri     = $URI
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
(Invoke-RestMethod @RequestParams).value

Devices

# If you know how to do this send a PR!

A compromise of Azure AD usually begins with the theft of a user's credentials, whether through phishing, social engineering or the exploitation of a known vulnerability. Once inside, an attacker may escalate privileges, steal data or move on to other Azure services.

# Enumerate Devices
Get-AzureADDevice -All $true | fl *
# List all the active devices (and not the stale devices)
Get-AzureADDevice -All $true | ?{$_.ApproximateLastLogonTimeStamp -ne $null}
# Get owners of all devices
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredOwner
Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredOwner -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}
# Registered users of all the devices
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredUser
Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredUser -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}
# Get devices managed using Intune
Get-AzureADDevice -All $true | ?{$_.IsCompliant -eq "True"}
# Get devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Get Administrative Units of a device ($deviceObjId is the ObjectId of the device to look up)
$deviceObjId = "<device-object-id>"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -ObjectId $_.ObjectId | where {$_.ObjectId -eq $deviceObjId} }

If a device (VM) is Azure AD joined, users from Azure AD will be able to log in to it. Moreover, if the user who logs in is an owner of the device, they become a local administrator.

Applications

Apps are the App Registrations in the portal (not the Enterprise Applications). However, each App Registration creates an Enterprise Application (Service Principal) with the same name. Moreover, if the app is a multi-tenant app, another Enterprise Application (Service Principal) with the same name is created in that tenant.

When an app is generated, two kinds of permissions are granted:

  • Permissions given to the Service Principal

  • Permissions the app can hold and use on behalf of a user

# List Apps
az ad app list
az ad app list --query "[].[displayName]" -o table
# Get info of 1 App
az ad app show --id 00000000-0000-0000-0000-000000000000
# Search App by string
az ad app list --query "[?contains(displayName,'app')].displayName"
# Get the owner of an application
az ad app owner list --id <id> --query "[].[displayName]" -o table
# List all the apps with an application password
az ad app list --query "[?passwordCredentials != null].displayName"
# List apps that have key credentials (use of certificate authentication)
az ad app list --query "[?keyCredentials != null].displayName"

# List all registered applications
Get-AzureADApplication -All $true
# Get details of an application
Get-AzureADApplication -ObjectId <id>  | fl *
# List all the apps with an application password
Get-AzureADApplication -All $true | %{if(Get-AzureADApplicationPasswordCredential -ObjectID $_.ObjectID){$_}}
# Get owner of an application
Get-AzureADApplication -ObjectId <id> | Get-AzureADApplicationOwner |fl *

To connect to Azure AD you use the Az module, which lets you run PowerShell scripts against Azure AD. The following is an example of connecting to Azure AD with the Az module.

Connect-AzAccount

Running this command shows a login prompt for Azure AD; enter your credentials to sign in.

# Get Apps
Get-AzADApplication
# Get details of one App
Get-AzADApplication -ObjectId <id>
# Get App searching by string
Get-AzADApplication | ?{$_.DisplayName -match "app"}
# Get Apps with password
Get-AzADAppCredential

An app with the AppRoleAssignment.ReadWrite permission can escalate to Global Admin by assigning roles to itself. Check this for more information.

The secret string that an application uses to prove its identity when requesting a token is the application password. So if you find this password you can access the tenant as that service principal. Note that the password is only shown when it is generated (you can change it, but you cannot retrieve it again). The owner of the application can add a password to it (and thereby impersonate it). Note that sign-ins as these service principals are not marked as risky and do not have MFA.
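The following PowerShell, added here and not code from the original page, audits application objects for the credentials described above and in the permissions list: password credentials (usable as the service principal without MFA), how long they remain valid, certificate credentials, and whether the app is multi-tenant. The sample objects and the function name are constructed; the property names follow what Get-AzureADApplication returns, and the 365-day validity threshold is an assumed policy.

```powershell
function Find-AppCredentialFindings {
    # One finding per credential (plus one per multi-tenant app), so the output can be
    # sorted by DaysLeft or filtered on Finding before a secret is rotated or removed.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Application,
        [datetime] $Now = (Get-Date).ToUniversalTime(),
        [int] $MaxValidityDays = 365   # assumed policy: secrets valid longer than a year are flagged
    )
    process {
        $app = $Application
        if ($app.AvailableToOtherTenants) {
            [pscustomobject]@{ App = $app.DisplayName; AppId = $app.AppId; CredType = 'n/a'
                               KeyId = $null; DaysLeft = $null; Finding = 'MultiTenant' }
        }
        # Collect both credential kinds; foreach over $null or @() simply iterates zero times.
        $creds = @()
        foreach ($c in $app.PasswordCredentials) {
            if ($c) { $creds += [pscustomobject]@{ Type = 'Password'; Cred = $c } }
        }
        foreach ($c in $app.KeyCredentials) {
            if ($c) { $creds += [pscustomobject]@{ Type = "Certificate/$($c.Type)"; Cred = $c } }
        }
        foreach ($entry in $creds) {
            $days = [int][math]::Floor(($entry.Cred.EndDate - $Now).TotalDays)
            $finding = if ($days -lt 0) { 'Expired' }
                       elseif ($days -gt $MaxValidityDays) { 'LongLived' }
                       else { 'Active' }
            [pscustomobject]@{
                App = $app.DisplayName; AppId = $app.AppId; CredType = $entry.Type
                KeyId = $entry.Cred.KeyId; DaysLeft = $days; Finding = $finding
            }
        }
    }
}

# Constructed sample objects shaped like Get-AzureADApplication output (not real apps).
$Now = [datetime]::new(2024, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)
$SampleApps = @(
    [pscustomobject]@{
        DisplayName = 'hr-sync'; AppId = '11111111-0000-0000-0000-000000000001'
        AvailableToOtherTenants = $false
        PasswordCredentials = @(
            [pscustomobject]@{ KeyId = 'cred-a'; EndDate = $Now.AddDays(30) },
            [pscustomobject]@{ KeyId = 'cred-b'; EndDate = $Now.AddYears(10) }   # "never expires" style secret
        )
        KeyCredentials = @()
    },
    [pscustomobject]@{
        DisplayName = 'legacy-reporting'; AppId = '11111111-0000-0000-0000-000000000002'
        AvailableToOtherTenants = $true
        PasswordCredentials = @([pscustomobject]@{ KeyId = 'cred-c'; EndDate = $Now.AddDays(-3) })
        KeyCredentials = @([pscustomobject]@{ KeyId = 'cert-d'; Type = 'AsymmetricX509Cert'; EndDate = $Now.AddDays(200) })
    }
)

$SampleApps | Find-AppCredentialFindings -Now $Now | Sort-Object DaysLeft | Format-Table -AutoSize
```

With the real module, `Get-AzureADApplication -All $true | Find-AppCredentialFindings` feeds live objects through the same function.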

Difference between Applications and (Enterprise Applications or Service Principals)

Differences between applications and service principals in Azure:

  • Application / App Registration: an application that exists in your Azure AD

  • (Get-AzureADApplication -filter "DisplayName eq 'testapp'")

  • Service Principal / Enterprise Application: a security object in Azure AD that holds privileges in the Azure directory and is linked to your own application or to a third-party application

  • (Get-AzureADServicePrincipal -filter "DisplayName eq 'testapp'")

  • An administrator may have to approve the permissions granted if they are highly sensitive.

An application may run in a third-party tenant; once you start using it and grant it access, an Enterprise Application / Service Principal is created in your tenant so that it can access the information it needs.

Administrative Units

They are used to manage users more effectively.

An administrative unit restricts the permissions of a role to whatever portion of the organization you define. For example, you could use an administrative unit to delegate the Helpdesk Administrator role to regional support specialists so that they can only manage the users in the region they support.

Therefore, roles can be assigned to an administrative unit, and its members will have that role.

# Get Administrative Units
Get-AzureADMSAdministrativeUnit
Get-AzureADMSAdministrativeUnit -Id <id>
# Get ID of admin unit by string
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
# List the users, groups, and devices affected by the administrative unit
Get-AzureADMSAdministrativeUnitMember -Id <id>
# Get the roles users have over the members of the AU
Get-AzureADMSScopedRoleMembership -Id <id> | fl #Get role ID and role members

Azure AD Identity Protection (AIP)

Azure AD Identity Protection (AIP) is a security service that uses automated detection and remediation to help protect user identities in Azure Active Directory. It continuously monitors user sign-ins and identity configuration for risk and automatically applies appropriate security measures, such as requiring multi-factor authentication or blocking potentially dangerous activity, which helps organizations prevent identity-based breaches.

Flow:

  1. Azure AD Identity Protection monitors user activity and collects data such as user sign-ins and authentication events.

  2. The service analyzes this data with machine learning algorithms to detect potential security threats.

  3. Azure AD Identity Protection assigns a risk level to the threat (for example, a sign-in) and, when necessary, generates an alert and takes automated action.

Azure AD Password Protection (APP)

Azure AD Password Protection (APP) is a security feature that helps prevent weak passwords in Azure Active Directory by enforcing strong password policies. It blocks commonly used weak passwords and their variants, reducing the risk of password-related breaches. It can be applied both at the cloud level and in on-premises Active Directory, improving password security across the organization.
