Az - AzureAD (AAD)


Basic Information

Azure Active Directory (Azure AD, now branded Microsoft Entra ID) is Microsoft's cloud-based identity and access management service. It is what lets employees sign in and reach resources both inside and outside the organization, including Microsoft 365, the Azure portal and many other SaaS applications. Azure AD is built around the core identity services: authentication, authorization and user management.

Its key features include multi-factor authentication and Conditional Access, together with tight integration with Microsoft's other security services. These features substantially raise the security of user identities and let organizations implement and enforce their access policies. As a fundamental component of Microsoft's cloud ecosystem, Azure AD is central to managing user identities in the cloud. From an attacker's point of view that makes it the most valuable target in a tenant: whoever controls the directory controls access to everything that trusts it.

Entities

Enumeration

For this enumeration you can use az cli, the AzureAD PowerShell module (or AzureAD Preview) and the Az PowerShell module. Note that the AzureAD and AzureAD Preview modules are deprecated in favour of the Microsoft Graph PowerShell SDK, so they may stop working against current tenants; the cmdlets below still show which objects and attributes are worth pulling.

On Linux you will need to install PowerShell Core first:

sudo apt-get update
sudo apt-get install -y wget apt-transport-https software-properties-common

# Ubuntu 20.04: download and register the Microsoft package repository
wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb

# Update repos
sudo apt-get update
sudo add-apt-repository universe

# Install & start powershell
sudo apt-get install -y powershell
pwsh

# Az cli (this pipes a remote script into a root shell; review it first if that matters in your environment)
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Differences between modules

  • AzureAD is Microsoft's PowerShell module for managing Azure AD. It does not expose every property of Azure AD objects and cannot be used to obtain information about Azure resources (VMs, storage, etc.).

  • Az PowerShell is the module for managing Azure resources from the PowerShell command line; its Az.Resources part also ships basic Azure AD cmdlets (the Get-AzAD* commands used below).

Connection

az login #This will open the browser
az login -u <username> -p <password> #Specify user and password
az login --identity #Use the current machine managed identity (metadata)
az login --identity -u /subscriptions/<subscriptionId>/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID #Login with user managed identity
# Login as service principal
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret --tenant contoso.onmicrosoft.com #With password
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p ~/mycertfile.pem --tenant contoso.onmicrosoft.com #With cert

# Request access token (ARM)
az account get-access-token
# Request access token for different resource. Supported tokens: aad-graph, arm, batch, data-lake, media, ms-graph, oss-rdbms
# Note: aad-graph (the legacy Azure AD Graph API) is retired; use ms-graph for directory data
az account get-access-token --resource-type aad-graph
az account get-access-token --resource-type ms-graph

# If you want to configure some defaults
az configure

# Get user logged-in already
az ad signed-in-user show

# Help
az find "vm" # Find vm commands
az vm -h # List the subcommands of a command group
az ad user list --query-examples # Get examples

When you log in to Azure from the CLI (or any other program), you are using an Azure application that lives in a tenant owned by Microsoft. Like the applications you can create in your own tenant, these have a client ID. You will not see all of them in the list of allowed applications in the console, but they are allowed by default.

For example, the PowerShell tooling that authenticates uses the application with client ID 1950a258-227b-4e31-a9cf-717495945fc2 (Azure PowerShell). Even though the application does not show up in the console, an administrator can block it so that users cannot authenticate with tools that connect through it.

However, there are other application client IDs that let you connect to Azure:

# The important part is the ClientId, which identifies the application to login inside Azure

$token = Invoke-Authorize -Credential $credential `
-ClientId '1dfb5f98-f363-4b0f-b63a-8d20ada1e62d' `
-Scope 'Files.Read.All openid profile Sites.Read.All User.Read email' `
-Redirect_Uri "https://graphtryit-staging.azurewebsites.net/" `
-Verbose -Debug `
-InformationAction Continue

$token = Invoke-Authorize -Credential $credential `
-ClientId '65611c08-af8c-46fc-ad20-1888eb1b70d9' `
-Scope 'openid profile Sites.Read.All User.Read email' `
-Redirect_Uri "chrome-extension://imjekgehfljppdblckcmjggcoboemlah" `
-Verbose -Debug `
-InformationAction Continue

$token = Invoke-Authorize -Credential $credential `
-ClientId 'd3ce4cf8-6810-442d-b42e-375e14710095' `
-Scope 'openid' `
-Redirect_Uri "https://graphexplorer.azurewebsites.net/" `
-Verbose -Debug `
-InformationAction Continue
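The token you get back (from az account get-access-token, the Invoke-Authorize calls above, or any other client) records which client ID it was issued to, so you can check which app a tool is using and whether a blocked app is the reason a login fails. The following Python script is an added example, not code from this page or from any Microsoft tool: it decodes a JWT's payload without verifying the signature and reports the app, audience, scopes and expiry. The KNOWN_CLIENT_IDS table contains only the client IDs quoted on this page (the page identifies just the first one as Azure PowerShell; the labels for the other three are assumptions derived from their redirect URIs above), and the sample token is constructed with an empty signature purely so the script runs offline.

```python
import base64
import json
import time

# Client IDs taken from this page. The page identifies only the first one
# (Azure PowerShell); the descriptions of the other three are assumptions
# based on the redirect URIs shown above. Extend this table with your own findings.
KNOWN_CLIENT_IDS = {
    "1950a258-227b-4e31-a9cf-717495945fc2": "Microsoft Azure PowerShell",
    "1dfb5f98-f363-4b0f-b63a-8d20ada1e62d": "client ID listed on this page (graphtryit-staging redirect)",
    "65611c08-af8c-46fc-ad20-1888eb1b70d9": "client ID listed on this page (chrome-extension redirect)",
    "d3ce4cf8-6810-442d-b42e-375e14710095": "client ID listed on this page (graphexplorer redirect)",
}


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT.

    The signature is deliberately NOT verified: this inspects a token you already
    hold (e.g. from `az account get-access-token`); never use it to decide whether
    to trust a token presented by someone else.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def describe_token(token, now=None):
    """Summarise which app, audience and scopes a token was issued for."""
    claims = decode_jwt_claims(token)
    now = int(time.time()) if now is None else now
    # v1.0 tokens carry the client ID in 'appid'; v2.0 tokens use 'azp'.
    appid = claims.get("appid") or claims.get("azp")
    return {
        "appid": appid,
        "app_name": KNOWN_CLIENT_IDS.get(appid, "unknown: not in the table above"),
        "audience": claims.get("aud"),
        # Delegated scopes are a space-separated string in 'scp';
        # app-only tokens carry application permissions in 'roles' instead.
        "scopes": claims.get("scp", "").split(),
        "roles": claims.get("roles", []),
        "subject": claims.get("upn") or claims.get("oid"),
        "expired": int(claims.get("exp", 0)) <= now,
    }


def make_sample_token(claims):
    """Build an unsigned CONSTRUCTED token (alg 'none', empty signature) for offline testing."""
    def compact(obj):
        return json.dumps(obj, separators=(",", ":")).encode()
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([_b64url_encode(compact(header)), _b64url_encode(compact(claims)), ""])


# Constructed sample claims resembling an ARM token obtained through Azure PowerShell.
SAMPLE_CLAIMS = {
    "aud": "https://management.azure.com/",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "appid": "1950a258-227b-4e31-a9cf-717495945fc2",
    "upn": "test@corp.onmicrosoft.com",
    "scp": "user_impersonation",
    "iat": 1700000000,
    "exp": 1700003600,
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    import sys
    # Usage: python token_info.py "$(az account get-access-token --query accessToken -o tsv)"
    token = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_TOKEN
    print(json.dumps(describe_token(token), indent=2))
```

The `aud` claim tells you which API the token is good for (ARM versus Microsoft Graph versus the legacy AAD Graph), which is why `az account get-access-token --resource-type` matters: a token minted for one audience is rejected by the others.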

Users

# Enumerate users
az ad user list --output table
az ad user list --query "[].userPrincipalName"
# Get info of 1 user
az ad user show --id "test@corp.onmicrosoft.com"
# Search "admin" users (findstr is Windows-only; use grep -i on Linux/macOS)
az ad user list --query "[].displayName" | findstr /i "admin"
az ad user list --query "[?contains(displayName,'admin')].displayName" # JMESPath contains() is case-sensitive
# Search attributes containing the word "password"
az ad user list | findstr /i "password" | findstr /v "null,"
# All users from AzureAD
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi==null]"
az ad user list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All users synced from on-prem
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi!=null]"
az ad user list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get groups where the user is a member
az ad user get-member-groups --id <email>
# Get roles assigned to the user
az role assignment list --include-groups --include-classic-administrators true --assignee <email>

AzureAD

The same user enumeration with the AzureAD PowerShell module:

# Enumerate Users
Get-AzureADUser -All $true
Get-AzureADUser -All $true | select UserPrincipalName
# Get info of 1 user
Get-AzureADUser -ObjectId test@corp.onmicrosoft.com | fl
# Search "admin" users
Get-AzureADUser -SearchString "admin" #Matches "admin" at the beginning of DisplayName or UserPrincipalName
Get-AzureADUser -All $true |?{$_.Displayname -match "admin"} #Search the word "admin" anywhere in DisplayName
# Get all attributes of a user
Get-AzureADUser -ObjectId test@defcorphq.onmicrosoft.com|%{$_.PSObject.Properties.Name}
# Search attributes containing the word "password"
Get-AzureADUser -All $true |%{$Properties = $_;$Properties.PSObject.Properties.Name | % {if ($Properties.$_ -match 'password') {"$($Properties.UserPrincipalName) - $_ - $($Properties.$_)"}}}
# All users from AzureAD (cloud-only, no on-prem SID)
Get-AzureADUser -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
# All users synced from on-prem
Get-AzureADUser -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
# Objects created by a/any user
Get-AzureADUser [-ObjectId <email>] | Get-AzureADUserCreatedObject
# Objects owned by a specific user
Get-AzureADUserOwnedObject -ObjectId test@corp.onmicrosoft.com
# Get groups & roles where the user is a member
Get-AzureADUserMembership -ObjectId 'test@corp.onmicrosoft.com'
# Get devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Get devices registered by a user
Get-AzureADUserRegisteredDevice -ObjectId test@defcorphq.onmicrosoft.com
# Apps where a user has a role (role not shown)
Get-AzureADUser -ObjectId roygcain@defcorphq.onmicrosoft.com | Get-AzureADUserAppRoleAssignment | fl *
# Get Administrative Units of a user
$userObj = Get-AzureADUser -Filter "UserPrincipalName eq 'bill@example.com'"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where { $_.Id -eq $userObj.ObjectId } }

Az PowerShell

Install the Az module and sign in (Connect-AzAccount prompts for credentials interactively), then enumerate:

Install-Module -Name Az -AllowClobber -Scope CurrentUser
Connect-AzAccount

# Enumerate users
Get-AzADUser
# Get details of a user
Get-AzADUser -UserPrincipalName test@defcorphq.onmicrosoft.com
# Search user by string
Get-AzADUser -SearchString "admin" #Matches the beginning of DisplayName (newer Az.Resources versions call this parameter -StartsWith)
Get-AzADUser | ?{$_.Displayname -match "admin"}
# Get roles assigned to a user
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com

Change a user's password

# Requires a role allowed to reset passwords (e.g. Password Administrator, Helpdesk Administrator, User Administrator or Global Administrator)
$password = "ThisIsTheNewPassword.!123" | ConvertTo-SecureString -AsPlainText -Force

(Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq "victim@corp.onmicrosoft.com"}).ObjectId | Set-AzureADUserPassword -Password $password -Verbose

MFA & Conditional Access Policies

It is recommended to require MFA for every user, but some companies do not enable it at all, or enable it only through Conditional Access: the user is prompted for MFA only when signing in from a given location, browser or under some other condition. Policies that are not configured carefully can be bypassed by changing the condition they key on (device platform, user agent, location, client app). Check:

Az - Conditional Access Policies / MFA Bypass

Groups

# Enumerate groups
az ad group list
az ad group list --query "[].[displayName]" -o table
# Get info of 1 group
az ad group show --group <group>
# Get "admin" groups
az ad group list --query "[].displayName" | findstr /i "admin"
az ad group list --query "[?contains(displayName,'admin')].displayName"
# All groups from AzureAD
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi==null]"
az ad group list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All groups synced from on-prem
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi!=null]"
az ad group list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get members of group
az ad group member list --group <group> --query "[].userPrincipalName" -o table
# Check if member of group
az ad group member check --group "VM Admins" --member-id <id>
# Get which groups a group is member of
az ad group get-member-groups -g "VM Admins"
# Get Apps where a group has a role (role not shown)
Get-AzureADGroup -ObjectId <id> | Get-AzureADGroupAppRoleAssignment | fl *

Azure AD


# Enumerate Groups
Get-AzureADGroup -All $true
# Get info of 1 group
Get-AzADGroup -DisplayName <group_name> | fl
# Get "admin" groups
Get-AzureADGroup -SearchString "admin" | fl #Groups starting by "admin"
Get-AzureADGroup -All $true |?{$_.Displayname -match "admin"} #Groups with the word "admin"
# Get groups allowing dynamic membership
Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}
# All groups that are from Azure AD
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
# All groups that are synced from on-prem (note that security groups are not synced)
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
# Get members of a group
Get-AzureADGroupMember -ObjectId <group_id>
# Get roles of group
Get-AzureADMSGroup -SearchString "Contoso_Helpdesk_Administrators" #Get group id
Get-AzureADMSRoleAssignment -Filter "principalId eq '69584002-b4d1-4055-9c94-320542efd653'"
# Get Administrative Units of a group
$groupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where {$_.Id -eq $groupObj.ObjectId} }

Az PowerShell

# Get all groups
Get-AzADGroup
# Get details of a group
Get-AzADGroup -ObjectId <id>
# Search group by string
Get-AzADGroup -SearchString "admin" | fl * #Search at the beginning of DisplayName
Get-AzADGroup |?{$_.Displayname -match "admin"}
# Get members of group
Get-AzADGroupMember -GroupDisplayName <group_name>
# Get roles of group
Get-AzRoleAssignment -ObjectId <group_object_id>
# Get role assignments inside a resource group
Get-AzRoleAssignment -ResourceGroupName <resource_group_name>

Adding a user to a group

Group owners can add new users to the group

Add-AzureADGroupMember -ObjectId <group_id> -RefObjectId <user_id> -Verbose

Groups can be dynamic, which means that a user who meets certain conditions is automatically added to the group. Obviously, if those conditions are based on attributes the user can control, the user can abuse this feature to get into other groups. Check how dynamic groups can be abused on the following page:

Az - Dynamic Groups Privesc
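The defensive counterpart of the dynamic-group abuse described above is to audit the membership rules themselves. The following script is an added example, not code from the original page or from HackTricks: it lists every dynamic group and reports which of its rule attributes are ones a regular user can commonly edit on their own profile. The attribute list is an assumption for illustration (by default users can change their own mobile phone and alternate e-mail; other attributes become weak only if your tenant delegates them), so adapt it to your directory settings. It assumes the AzureAD or AzureADPreview module is loaded and `Connect-AzureAD` has been run.

```powershell
# Added example (not part of the original page): audit dynamic-membership rules
# for attributes that a regular user can often edit on their own profile.
# Assumes the AzureAD (or AzureADPreview) module is installed and Connect-AzureAD was run.

# Attributes assumed to be self-editable in many tenants (mobile phone and alternate
# e-mail are self-service by default; the rest only if delegated). Adjust to your tenant.
$selfEditableAttributes = @('mobile', 'otherMails', 'telephoneNumber', 'jobTitle', 'department')

$dynamicGroups = Get-AzureADMSGroup -All $true |
    Where-Object { ($_.GroupTypes -contains 'DynamicMembership') -and $_.MembershipRule }

foreach ($group in $dynamicGroups) {
    # Collect the self-editable attributes referenced in the rule, e.g. user.mobile -contains "x"
    $weak = $selfEditableAttributes | Where-Object {
        $group.MembershipRule -imatch "user\.$($_)\b"
    }

    [PSCustomObject]@{
        GroupId        = $group.Id
        DisplayName    = $group.DisplayName
        Processing     = $group.MembershipRuleProcessingState
        MembershipRule = $group.MembershipRule
        # Non-empty means a user may be able to satisfy the rule themselves
        WeakAttributes = ($weak -join ', ')
    }
}
```

Rules that only use attributes populated by HR or directory sync (for example `user.extensionAttribute*` or `user.companyName` when they are write-protected) will show an empty `WeakAttributes` column; anything else deserves a look at who is allowed to update those attributes.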

Service Principals / Enterprise Applications

Note that a Service Principal in PowerShell terminology is called an Enterprise Application in the Azure portal (web).

# Get Service Principals
az ad sp list --all
az ad sp list --all --query "[].[displayName]" -o table
# Get details of one SP
az ad sp show --id 00000000-0000-0000-0000-000000000000
# Search SP by string
az ad sp list --all --query "[?contains(displayName,'app')].displayName"
# Get owner of service principal
az ad sp owner list --id <id> --query "[].[displayName]" -o table
# Get service principals owned by the current user
az ad sp list --show-mine
# List apps that have password credentials
az ad sp list --all --query "[?passwordCredentials != null].displayName"
# List apps that have key credentials (use of certificate authentication)
az ad sp list --all --query "[?keyCredentials != null].displayName"

Azure AD


# Get Service Principals
Get-AzureADServicePrincipal -All $true
# Get details about a SP
Get-AzureADServicePrincipal -ObjectId <id> | fl *
# Get SP by string name or Id
Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -match "app"} | fl
Get-AzureADServicePrincipal -All $true | ?{$_.AppId -match "103947652-1234-5834-103846517389"}
# Get owner of SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalOwner |fl *
# Get objects owned by a SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalOwnedObject
# Get objects created by a SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalCreatedObject
# Get groups where the SP is a member
Get-AzureADServicePrincipal | Get-AzureADServicePrincipalMembership
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalMembership |fl *

Az PowerShell

# Get SPs
Get-AzADServicePrincipal
# Get info of 1 SP
Get-AzADServicePrincipal -ObjectId <id>
# Search SP by string
Get-AzADServicePrincipal | ?{$_.DisplayName -match "app"}
# Get roles of a SP
Get-AzRoleAssignment -ServicePrincipalName <String>

Raw

$Token = 'eyJ0eX..'
$URI = 'https://graph.microsoft.com/v1.0/applications'
$RequestParams = @{
    Method  = 'GET'
    Uri     = $URI
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
(Invoke-RestMethod @RequestParams).value

The owner of a service principal can change its password.

List and try to add a client secret to every enterprise application

# Just call Add-AzADAppSecret
Function Add-AzADAppSecret
{
<#
    .SYNOPSIS
        Add client secret to the applications.

    .PARAMETER GraphToken
        Pass the Graph API Token

    .EXAMPLE
        PS C:\> Add-AzADAppSecret -GraphToken 'eyJ0eX..'

    .LINK
        https://docs.microsoft.com/en-us/graph/api/application-list?view=graph-rest-1.0&tabs=http
        https://docs.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0&tabs=http
#>

    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$True)]
        [String]
        $GraphToken = $null
    )

    $AppList = $null
    $AppPassword = $null

    # List All the Applications
    $Params = @{
        "URI"     = "https://graph.microsoft.com/v1.0/applications"
        "Method"  = "GET"
        "Headers" = @{
            "Content-Type"  = "application/json"
            "Authorization" = "Bearer $GraphToken"
        }
    }

    try
    {
        $AppList = Invoke-RestMethod @Params -UseBasicParsing
    }
    catch
    {
    }

    # Add Password in the Application
    if($AppList -ne $null)
    {
        [System.Collections.ArrayList]$Details = @()

        foreach($App in $AppList.value)
        {
            $ID = $App.ID
            $psobj = New-Object PSObject

            $Params = @{
                "URI"     = "https://graph.microsoft.com/v1.0/applications/$ID/addPassword"
                "Method"  = "POST"
                "Headers" = @{
                    "Content-Type"  = "application/json"
                    "Authorization" = "Bearer $GraphToken"
                }
            }

            $Body = @{
                "passwordCredential"= @{
                    "displayName" = "Password"
                }
            }

            try
            {
                $AppPassword = Invoke-RestMethod @Params -UseBasicParsing -Body ($Body | ConvertTo-Json)
                Add-Member -InputObject $psobj -NotePropertyName "Object ID" -NotePropertyValue $ID
                Add-Member -InputObject $psobj -NotePropertyName "App ID" -NotePropertyValue $App.appId
                Add-Member -InputObject $psobj -NotePropertyName "App Name" -NotePropertyValue $App.displayName
                Add-Member -InputObject $psobj -NotePropertyName "Key ID" -NotePropertyValue $AppPassword.keyId
                Add-Member -InputObject $psobj -NotePropertyName "Secret" -NotePropertyValue $AppPassword.secretText
                $Details.Add($psobj) | Out-Null
            }
            catch
            {
                Write-Output "Failed to add new client secret to '$($App.displayName)' Application."
            }
        }
        if($Details -ne $null)
        {
            Write-Output ""
            Write-Output "Client secret added to : "
            Write-Output $Details | fl *
        }
    }
    else
    {
        Write-Output "Failed to Enumerate the Applications."
    }
}

Roles

# Get roles
az role definition list
# Get assigned roles
az role assignment list --all --query "[].roleDefinitionName"
az role assignment list --all | jq '.[] | .roleDefinitionName,.scope'
# Get info of 1 role
az role definition list --name "AzureML Registry User"
# Get only custom roles
az role definition list --custom-role-only
# Get only roles assigned to the resource group indicated
az role definition list --resource-group <resource_group>
# Get only roles assigned to the indicated scope
az role definition list --scope <scope>
# Get all the principals a role is assigned to
az role assignment list --all --query "[].{principalName:principalName,principalType:principalType,resourceGroup:resourceGroup,roleDefinitionName:roleDefinitionName}[?roleDefinitionName=='<ROLE_NAME>']"

Azure AD


# Get all available role templates
Get-AzureADDirectoryroleTemplate
# Get enabled roles (Assigned roles)
Get-AzureADDirectoryRole
Get-AzureADDirectoryRole -ObjectId <id> #Get info about the role
# Get custom roles - use AzureAdPreview
Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName
# Users assigned a role (Global Administrator)
Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
Get-AzureADDirectoryRole -ObjectId <id> | fl
# Roles of the Administrative Unit (who has permissions over the administrative unit and its members)
Get-AzureADMSScopedRoleMembership -Id <id> | fl *

Az PowerShell


# Get role definitions available in the subscription
Get-AzRoleDefinition
# Get Role definition
Get-AzRoleDefinition -Name "Virtual Machine Command Executor"
# Get roles of a user or resource
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com
Get-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/<res_group_name>/providers/Microsoft.Compute/virtualMachines/<vm_name>
# Get permissions over a resource using ARM directly
$Token = (Get-AzAccessToken).Token
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/Research/providers/Microsoft.Compute/virtualMachines/infradminsrv/providers/Microsoft.Authorization/permissions?api-version=2015-07-01'
$RequestParams = @{
    Method  = 'GET'
    Uri     = $URI
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
(Invoke-RestMethod @RequestParams).value
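The role enumeration above answers "who holds what"; the review question that follows is whether any of those holders should not be there. The script below is an added example, not code from the original page or from HackTricks: it walks a list of sensitive Azure AD directory roles and flags members that are not regular member users, i.e. service principals (which sign in without MFA, as the page notes for applications), groups, and guest accounts. The role list is an assumption for illustration; extend it with whatever your tenant treats as privileged. It assumes the AzureAD module is loaded and `Connect-AzureAD` has been run.

```powershell
# Added example (not part of the original page): list the members of sensitive Azure AD
# directory roles and flag non-user or external principals for review.
# Assumes the AzureAD module is loaded and Connect-AzureAD has been run.

# Roles assumed to be privileged for this illustration; extend per your tenant's policy
$privilegedRoles = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'Application Administrator',
    'Cloud Application Administrator',
    'User Administrator'
)

foreach ($roleName in $privilegedRoles) {
    # Get-AzureADDirectoryRole only returns roles that have been activated in the tenant,
    # so a role nobody has ever been assigned yields nothing here
    $role = Get-AzureADDirectoryRole -Filter "DisplayName eq '$roleName'"
    if (-not $role) { continue }

    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | ForEach-Object {
        [PSCustomObject]@{
            Role        = $roleName
            ObjectType  = $_.ObjectType          # User, ServicePrincipal or Group
            DisplayName = $_.DisplayName
            UPN         = $_.UserPrincipalName   # empty for service principals and groups
            # Service principals get no MFA prompt, groups hide the real holders,
            # and guests sit outside your own joiner/leaver process
            Review      = ($_.ObjectType -ne 'User') -or ($_.UserType -eq 'Guest')
        }
    } | Where-Object { $_.Review }
}
```

Only permanent (active) assignments are visible this way; eligible assignments managed through PIM are not returned by `Get-AzureADDirectoryRoleMember`, so a complete review also has to cover those.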

Devices

# If you know how to do this send a PR!

AzureAD

# Enumerate Devices
Get-AzureADDevice -All $true | fl *
# List all the active devices (and not the stale devices)
Get-AzureADDevice -All $true | ?{$_.ApproximateLastLogonTimeStamp -ne $null}
# Get owners of all devices
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredOwner
Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredOwner -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}
# Registered users of all the devices
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredUser
Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredUser -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}
# Get devices managed using Intune
Get-AzureADDevice -All $true | ?{$_.IsCompliant -eq "True"}
# Get devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Get Administrative Units of a device
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where {$_.Id -eq $deviceObjId} }

If a device (VM) is joined to Azure AD, Azure AD users will be able to log in to it. Moreover, if the logged-in user is the Owner of the device, they will become a local administrator.

Applications

Applications are the App Registrations in the portal (not Enterprise Applications). But every App Registration creates an Enterprise Application (Service Principal) with the same name. Moreover, if the App is a multi-tenant app, another Enterprise Application (Service Principal) is created in that tenant with the same name.

When an application is generated, 2 kinds of permissions are given:

  • Permissions given to the Service Principal

  • Permissions the application can have and use on behalf of the user.

# List Apps
az ad app list
az ad app list --query "[].[displayName]" -o table
# Get info of 1 App
az ad app show --id 00000000-0000-0000-0000-000000000000
# Search App by string
az ad app list --query "[?contains(displayName,'app')].displayName"
# Get the owner of an application
az ad app owner list --id <id> --query "[].[displayName]" -o table
# List all the apps with an application password
az ad app list --query "[?passwordCredentials != null].displayName"
# List apps that have key credentials (use of certificate authentication)
az ad app list --query "[?keyCredentials != null].displayName"

AzureAD

# List all registered applications
Get-AzureADApplication -All $true
# Get details of an application
Get-AzureADApplication -ObjectId <id>  | fl *
# List all the apps with an application password
Get-AzureADApplication -All $true | %{if(Get-AzureADApplicationPasswordCredential -ObjectID $_.ObjectID){$_}}
# Get owner of an application
Get-AzureADApplication -ObjectId <id> | Get-AzureADApplicationOwner |fl *

Az PowerShell

# Get Apps
Get-AzADApplication
# Get details of one App
Get-AzADApplication -ObjectId <id>
# Get App searching by string
Get-AzADApplication | ?{$_.DisplayName -match "app"}
# Get Apps with password
Get-AzADAppCredential

An application with the AppRoleAssignment.ReadWrite permission can escalate to Global Admin by granting itself that role. For more info check this.

The secret string that an application uses to prove its identity when requesting a token is the application password. Therefore, if you find this password you can access as the service principal inside the tenant. Note that this password is only visible when it is generated (you can change it, but you cannot retrieve it again). The owner of the application can add a password to it (so they can impersonate it). Logins as these service principals are not marked as risky and will not have MFA.
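Because an added application password leaves no MFA or risk signal, the credential inventory itself is the control. The function below is an added example (not code from the original page or from HackTricks) that complements both the raw Graph request earlier on the page and the `Add-AzADAppSecret` routine: it pages through every app registration with Microsoft Graph and reports each password and certificate credential with three review flags, expired, long-lived, and recently added. The `$MaxValidityDays` and `$RecentDays` thresholds are assumed policy values. It assumes a Graph access token with at least `Application.Read.All`, for example from `(Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token`.

```powershell
# Added example (not part of the original page): inventory app registration credentials
# through Microsoft Graph and flag the ones a reviewer should look at.
# Assumes $GraphToken carries Application.Read.All (e.g. from Get-AzAccessToken -ResourceUrl).

function Get-AppCredentialReport {
    param(
        [Parameter(Mandatory = $true)][string]$GraphToken,
        [int]$MaxValidityDays = 365,   # assumed policy: flag secrets valid for more than a year
        [int]$RecentDays      = 7      # assumed window: flag secrets created in the last week
    )

    $headers = @{ 'Authorization' = "Bearer $GraphToken" }
    # Single quotes keep $select literal: it is a Graph query option, not a PowerShell variable
    $uri = 'https://graph.microsoft.com/v1.0/applications?$select=id,appId,displayName,passwordCredentials,keyCredentials'
    $now = Get-Date

    # Graph pages large result sets: follow @odata.nextLink until it is absent
    while ($uri) {
        $page = Invoke-RestMethod -Method GET -Uri $uri -Headers $headers

        foreach ($app in $page.value) {
            $creds = @()
            foreach ($c in @($app.passwordCredentials)) { if ($c) { $creds += @{ Kind = 'Password';    Cred = $c } } }
            foreach ($c in @($app.keyCredentials))      { if ($c) { $creds += @{ Kind = 'Certificate'; Cred = $c } } }

            foreach ($entry in $creds) {
                $cred  = $entry.Cred
                $start = [datetime]$cred.startDateTime
                $end   = [datetime]$cred.endDateTime

                [PSCustomObject]@{
                    AppName       = $app.displayName
                    AppId         = $app.appId
                    Kind          = $entry.Kind
                    CredName      = $cred.displayName
                    KeyId         = $cred.keyId
                    Start         = $start
                    End           = $end
                    Expired       = $end -lt $now
                    # A long validity window keeps a leaked value usable for a long time
                    LongLived     = ($end - $start).TotalDays -gt $MaxValidityDays
                    # A secret nobody remembers creating is the trace the addPassword call above leaves
                    RecentlyAdded = $start -gt $now.AddDays(-$RecentDays)
                }
            }
        }
        $uri = $page.'@odata.nextLink'
    }
}

# Usage: show only the entries that need attention
# Get-AppCredentialReport -GraphToken $Token | Where-Object { $_.RecentlyAdded -or $_.LongLived } | Format-Table
```

Graph never returns the secret value itself, only its metadata, so the report is safe to store; correlate `RecentlyAdded` hits with the "Update application – Certificates and secrets management" entries in the Azure AD audit log to find out which principal created them.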

Differences between Applications and (Enterprise Applications or Service Principals)

Difference between an Application and a Service Principal in Azure:

  • Application / App Registrations: the applications that exist in your Azure AD (Get-AzureADApplication -filter "DisplayName eq 'testapp'")

  • Service Principal / Enterprise Applications: security objects in your Azure AD that can have permissions in the Azure Directory and are linked to your application or to a third-party application (Get-AzureADServicePrincipal -filter "DisplayName eq 'testapp'")

  • An administrator may need to approve the granted permissions if they are very sensitive.

An application may run in a third party's tenant; when you start using it and grant it access, an Enterprise Application / Service Principal is created in your tenant to give it access to the information it needs.

Administrative Units

They are used to manage users better.

Administrative units restrict permissions in a role to any portion of your organization that you define. For example, you could use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they support.

Therefore, you can assign roles scoped to an administrative unit, and those roles apply to the members of that unit.

AzureAD

# Get Administrative Units
Get-AzureADMSAdministrativeUnit
Get-AzureADMSAdministrativeUnit -Id <id>
# Get ID of admin unit by string
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
# List the users, groups, and devices affected by the administrative unit
Get-AzureADMSAdministrativeUnitMember -Id <id>
# Get the roles users have over the members of the AU
Get-AzureADMSScopedRoleMembership -Id <id> | fl #Get role ID and role members

Azure AD Identity Protection (AIP)

Azure AD Identity Protection (AIP) is a security service that uses automated detection and remediation to help protect user identities in Azure Active Directory from being compromised. AIP continuously monitors and assesses the risk of user sign-ins and identity configurations, automatically applying appropriate security measures such as requiring multi-factor authentication or blocking potentially dangerous activities. This helps organizations prevent identity-based security breaches.

Flow:

  1. Azure AD Identity Protection monitors user activities and collects data about sign-ins, authentication events, and other relevant actions.

  2. The service uses machine learning algorithms to analyze this data and detect potential security threats.

  3. Azure AD Identity Protection assigns a risk level to the threat (e.g. the sign-in) and generates an alert if some automated action needs to be taken.

Azure AD Password Protection (APP)

Azure AD Password Protection (APP) is a security feature that helps prevent weak passwords in Azure Active Directory by enforcing strong password policies. APP blocks commonly used weak passwords and their variants, reducing the risk of password-related breaches. It can be applied both in the cloud and in on-premises Active Directory, improving overall password security across the organization.
