Az - AzureAD (AAD)


Basic Information

Azure Active Directory (Azure AD) serves as Microsoft's core cloud-based service for identity and access management. It is essential for letting employees sign in and reach resources, both inside and outside the organization, including Microsoft 365, the Azure portal, and a wide range of SaaS applications. Azure AD's design focuses on providing the key identity services: authentication, authorization, and user management.

Key features of Azure AD include multi-factor authentication and conditional access, together with tight integration with other Microsoft security services. These features greatly strengthen the security of user identities and allow organizations to enforce and manage their access policies effectively. As a core component of Microsoft's cloud service ecosystem, Azure AD is central to managing user identities in the cloud.

Entities

Enumeration

For this enumeration you can use the az cli tool, the PowerShell module AzureAD (or AzureAD Preview) and the Az PowerShell module.

On Linux you will need to install PowerShell Core:

sudo apt-get update
sudo apt-get install -y wget apt-transport-https software-properties-common

# Ubuntu 20.04
wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb

# Update repos
sudo apt-get update
sudo add-apt-repository universe

# Install & start powershell
sudo apt-get install -y powershell
pwsh

# Az cli
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Module differences

  • AzureAD is a PowerShell module from Microsoft for managing Azure AD. It does not expose all the properties of Azure AD objects and cannot be used to get information about Azure resources.

  • Az PowerShell is a module for managing Azure resources from the PowerShell command line.

Connection

az login #This will open the browser
az login -u <username> -p <password> #Specify user and password
az login --identity #Use the current machine managed identity (metadata)
az login --identity -u /subscriptions/<subscriptionId>/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID #Login with user managed identity
# Login as service principal
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret --tenant contoso.onmicrosoft.com #With password
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p ~/mycertfile.pem --tenant contoso.onmicrosoft.com #With cert

# Request access token (ARM)
az account get-access-token
# Request access token for different resource. Supported tokens: aad-graph, arm, batch, data-lake, media, ms-graph, oss-rdbms
az account get-access-token --resource-type aad-graph

# If you want to configure some defaults
az configure

# Get user logged-in already
az ad signed-in-user show

# Help
az find "vm" # Find vm commands
az vm -h # Get subcommands
az ad user list --query-examples # Get examples

When you log in to Azure via the CLI with any program, you are using an Azure application from a tenant owned by Microsoft. These applications, like the ones you can create in your own account, have a client id. You will not be able to see all of them in the list of allowed applications visible in the console, but they are allowed by default.

For example, a PowerShell script uses an app with client id 1950a258-227b-4e31-a9cf-717495945fc2. Even if the app does not appear in the console, a sysadmin can block that application so users cannot gain access through tools that connect via that app.

However, there are other client ids of applications that will allow you to connect to Azure:

# The important part is the ClientId, which identifies the application to login inside Azure

$token = Invoke-Authorize -Credential $credential `
-ClientId '1dfb5f98-f363-4b0f-b63a-8d20ada1e62d' `
-Scope 'Files.Read.All openid profile Sites.Read.All User.Read email' `
-Redirect_Uri "https://graphtryit-staging.azurewebsites.net/" `
-Verbose -Debug `
-InformationAction Continue

$token = Invoke-Authorize -Credential $credential `
-ClientId '65611c08-af8c-46fc-ad20-1888eb1b70d9' `
-Scope 'openid profile Sites.Read.All User.Read email' `
-Redirect_Uri "chrome-extension://imjekgehfljppdblckcmjggcoboemlah" `
-Verbose -Debug `
-InformationAction Continue

$token = Invoke-Authorize -Credential $credential `
-ClientId 'd3ce4cf8-6810-442d-b42e-375e14710095' `
-Scope 'openid' `
-Redirect_Uri "https://graphexplorer.azurewebsites.net/" `
-Verbose -Debug `
-InformationAction Continue

Users

# Enumerate users
az ad user list --output table
az ad user list --query "[].userPrincipalName"
# Get info of 1 user
az ad user show --id "test@corp.onmicrosoft.com"
# Search "admin" users
az ad user list --query "[].displayName" | findstr /i "admin"
az ad user list --query "[?contains(displayName,'admin')].displayName"
# Search attributes containing the word "password"
az ad user list | findstr /i "password" | findstr /v "null,"
# All users from AzureAD
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi==null]"
az ad user list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All users synced from on-prem
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi!=null]"
az ad user list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get groups where the user is a member
az ad user get-member-groups --id <email>
# Get roles assigned to the user
az role assignment list --include-groups --include-classic-administrators true --assignee <email>
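The same triage the queries above perform, as an added example that is not part of the original page: a Python helper that reads the JSON emitted by `az ad user list` (here a constructed sample, not real tenant data), separates cloud-only from on-prem-synced users, finds admin-like display names, and reports every non-null attribute mentioning "password". Unlike the `findstr` pipelines above, which only work on Windows, it runs anywhere the az output can be piped.

```python
import json

# Constructed sample in the shape of `az ad user list` JSON output (a handful of
# Graph user properties); the SIDs and names are made up, not real tenant data.
SAMPLE_AZ_AD_USER_LIST = """
[
  {"displayName": "Alice Admin",
   "userPrincipalName": "alice.admin@corp.onmicrosoft.com",
   "onPremisesSecurityIdentifier": null,
   "jobTitle": "Cloud Administrator",
   "extension_passwordHint": null},
  {"displayName": "Bob Builder",
   "userPrincipalName": "bob@corp.onmicrosoft.com",
   "onPremisesSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1105",
   "jobTitle": "Engineer",
   "extension_passwordHint": "Temp password is Summer2024!"},
  {"displayName": "svc-backup",
   "userPrincipalName": "svc-backup@corp.onmicrosoft.com",
   "onPremisesSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1200",
   "jobTitle": null,
   "passwordPolicies": "DisablePasswordExpiration"}
]
"""


def split_by_origin(users):
    """Equivalent of the `[?onPremisesSecurityIdentifier==null]` / `!=null` queries:
    users without an on-prem SID were created in Azure AD, the rest were synced."""
    cloud_only = [u["userPrincipalName"] for u in users
                  if u.get("onPremisesSecurityIdentifier") is None]
    synced = [u["userPrincipalName"] for u in users
              if u.get("onPremisesSecurityIdentifier") is not None]
    return cloud_only, synced


def find_display_names(users, needle="admin"):
    """Case-insensitive version of `[?contains(displayName,'admin')]`
    (JMESPath contains() is case-sensitive, so it silently misses 'Admin')."""
    return [u["displayName"] for u in users
            if needle.lower() in (u.get("displayName") or "").lower()]


def find_password_attributes(users):
    """Mirror of `az ad user list | findstr /i "password" | findstr /v "null,"`:
    report every non-null attribute whose name or value mentions 'password'.
    Returns (upn, attribute, value) tuples so each hit can be reviewed."""
    hits = []
    for u in users:
        for key, value in u.items():
            if value is None:
                continue
            if "password" in f"{key}={value}".lower():
                hits.append((u["userPrincipalName"], key, str(value)))
    return hits


def triage_users(az_json_text):
    """Run all three checks over the raw `az ad user list` output."""
    users = json.loads(az_json_text)
    cloud_only, synced = split_by_origin(users)
    return {
        "cloud_only": cloud_only,
        "synced": synced,
        "admin_like": find_display_names(users),
        "password_hits": find_password_attributes(users),
    }


if __name__ == "__main__":
    import sys
    # Real usage: az ad user list | python3 triage.py ; falls back to the sample.
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(triage_users(text if text.strip() else SAMPLE_AZ_AD_USER_LIST), indent=2))
```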

AzureAD

# Enumerate Users
Get-AzureADUser -All $true
Get-AzureADUser -All $true | select UserPrincipalName
# Get info of 1 user
Get-AzureADUser -ObjectId test@corp.onmicrosoft.com | fl
# Search "admin" users
Get-AzureADUser -SearchString "admin" #Search admin at the beginning of DisplayName or userPrincipalName
Get-AzureADUser -All $true |?{$_.Displayname -match "admin"} #Search "admin" word in DisplayName
# Get all attributes of a user
Get-AzureADUser -ObjectId test@defcorphq.onmicrosoft.com|%{$_.PSObject.Properties.Name}
# Search attributes containing the word "password"
Get-AzureADUser -All $true |%{$Properties = $_;$Properties.PSObject.Properties.Name | % {if ($Properties.$_ -match 'password') {"$($Properties.UserPrincipalName) - $_ - $($Properties.$_)"}}}
# All users from AzureAD
Get-AzureADUser -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
# All users synced from on-prem
Get-AzureADUser -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
# Objects created by a/any user
Get-AzureADUser [-ObjectId <email>] | Get-AzureADUserCreatedObject
# Devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Objects owned by a specific user
Get-AzureADUserOwnedObject -ObjectId test@corp.onmicrosoft.com
# Get groups & roles where the user is a member
Get-AzureADUserMembership -ObjectId 'test@corp.onmicrosoft.com'
# Get devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Get devices registered by a user
Get-AzureADUserRegisteredDevice -ObjectId test@defcorphq.onmicrosoft.com
# Apps where a user has a role (role not shown)
Get-AzureADUser -ObjectId roygcain@defcorphq.onmicrosoft.com | Get-AzureADUserAppRoleAssignment | fl *
# Get Administrative Units of a user
$userObj = Get-AzureADUser -Filter "UserPrincipalName eq 'bill@example.com'"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where { $_.Id -eq $userObj.ObjectId } }

Az PowerShell

# Enumerate users
Get-AzADUser
# Get details of a user
Get-AzADUser -UserPrincipalName test@defcorphq.onmicrosoft.com
# Search user by string
Get-AzADUser -SearchString "admin" #Search at the beginning of DisplayName
Get-AzADUser | ?{$_.Displayname -match "admin"}
# Get roles assigned to a user
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com

Change User Password

$password = "ThisIsTheNewPassword.!123" | ConvertTo-SecureString -AsPlainText -Force

(Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq "victim@corp.onmicrosoft.com"}).ObjectId | Set-AzureADUserPassword -Password $password -Verbose

MFA & Conditional Access Policies

It is highly recommended to enable MFA for every user; however, some companies do not set it up, or set it up together with a Conditional Access Policy: the user will need MFA if they log in from a specific location, browser or under some condition. These policies, if not configured correctly, might be easy to bypass. Check:

Az - Conditional Access Policies / MFA Bypass

Groups

# Enumerate groups
az ad group list
az ad group list --query "[].[displayName]" -o table
# Get info of 1 group
az ad group show --group <group>
# Get "admin" groups
az ad group list --query "[].displayName" | findstr /i "admin"
az ad group list --query "[?contains(displayName,'admin')].displayName"
# All groups from AzureAD
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi==null]"
az ad group list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All groups synced from on-prem
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi!=null]"
az ad group list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get members of group
az ad group member list --group <group> --query "[].userPrincipalName" -o table
# Check if member of group
az ad group member check --group "VM Admins" --member-id <id>
# Get which groups a group is member of
az ad group get-member-groups -g "VM Admins"
# Get Apps where a group has a role (role not shown)
Get-AzureADGroup -ObjectId <id> | Get-AzureADGroupAppRoleAssignment | fl *

AzureAD

# Enumerate Groups
Get-AzureADGroup -All $true
# Get info of 1 group
Get-AzADGroup -DisplayName <group_name> | fl
# Get "admin" groups
Get-AzureADGroup -SearchString "admin" | fl #Groups starting by "admin"
Get-AzureADGroup -All $true |?{$_.Displayname -match "admin"} #Groups with the word "admin"
# Get groups allowing dynamic membership
Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}
# All groups that are from Azure AD
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
# All groups that are synced from on-prem (note that security groups are not synced)
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
# Get members of a group
Get-AzureADGroupMember -ObjectId <group_id>
# Get roles of group
Get-AzureADMSGroup -SearchString "Contoso_Helpdesk_Administrators" #Get group id
Get-AzureADMSRoleAssignment -Filter "principalId eq '69584002-b4d1-4055-9c94-320542efd653'"
# Get Administrative Units of a group
$groupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where {$_.Id -eq $groupObj.ObjectId} }

Az PowerShell

# Get all groups
Get-AzADGroup
# Get details of a group
Get-AzADGroup -ObjectId <id>
# Search group by string
Get-AzADGroup -SearchString "admin" | fl * #Search at the beginning of DisplayName
Get-AzADGroup |?{$_.Displayname -match "admin"}
# Get members of group
Get-AzADGroupMember -GroupDisplayName <group_name>
# Get role assignments scoped to a resource group
Get-AzRoleAssignment -ResourceGroupName <resource_group_name>

Add user to group

Owners of a group can add new users to the group

Add-AzureADGroupMember -ObjectId <group_id> -RefObjectId <user_id> -Verbose

Groups can be dynamic, which basically means that if a user meets certain conditions they will be added to the group. Of course, if those conditions depend on attributes the user can control, they could abuse this feature to get into other groups. Check how to abuse dynamic groups in the following page:

Az - Dynamic Groups Privesc

Service Principals / Enterprise Applications

Please note that what PowerShell calls a Service Principal is called an Enterprise Application in the Azure portal (web).

# Get Service Principals
az ad sp list --all
az ad sp list --all --query "[].[displayName]" -o table
# Get details of one SP
az ad sp show --id 00000000-0000-0000-0000-000000000000
# Search SP by string
az ad sp list --all --query "[?contains(displayName,'app')].displayName"
# Get owner of service principal
az ad sp owner list --id <id> --query "[].[displayName]" -o table
# Get service principals owned by the current user
az ad sp list --show-mine
# List apps that have password credentials
az ad sp list --all --query "[?passwordCredentials != null].displayName"
# List apps that have key credentials (use of certificate authentication)
az ad sp list --all --query "[?keyCredentials != null].displayName"

AzureAD

# Get Service Principals
Get-AzureADServicePrincipal -All $true
# Get details about a SP
Get-AzureADServicePrincipal -ObjectId <id> | fl *
# Get SP by string name or Id
Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -match "app"} | fl
Get-AzureADServicePrincipal -All $true | ?{$_.AppId -match "103947652-1234-5834-103846517389"}
# Get owner of SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalOwner |fl *
# Get objects owned by a SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalOwnedObject
# Get objects created by a SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalCreatedObject
# Get groups where the SP is a member
Get-AzureADServicePrincipal | Get-AzureADServicePrincipalMembership
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalMembership |fl *

Az PowerShell

# Get SPs
Get-AzADServicePrincipal
# Get info of 1 SP
Get-AzADServicePrincipal -ObjectId <id>
# Search SP by string
Get-AzADServicePrincipal | ?{$_.DisplayName -match "app"}
# Get roles of a SP
Get-AzRoleAssignment -ServicePrincipalName <String>
# Enumerate applications directly through the Microsoft Graph REST API with a raw access token
$Token = 'eyJ0eX..'
$URI = 'https://graph.microsoft.com/v1.0/applications'
$RequestParams = @{
Method  = 'GET'
Uri     = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
}
(Invoke-RestMethod @RequestParams).value

The owner of a Service Principal can change its password.

Enumerate and try to add a client secret on every Enterprise Application

```powershell
# Just call Add-AzADAppSecret
Function Add-AzADAppSecret
{
<#
    .SYNOPSIS
        Add client secret to the applications.

    .PARAMETER GraphToken
        Pass the Graph API Token

    .EXAMPLE
        PS C:\> Add-AzADAppSecret -GraphToken 'eyJ0eX..'

    .LINK
        https://docs.microsoft.com/en-us/graph/api/application-list?view=graph-rest-1.0&tabs=http
        https://docs.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0&tabs=http
#>

    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$True)]
        [String]
        $GraphToken = $null
    )

    $AppList = $null
    $AppPassword = $null

    # List All the Applications
    $Params = @{
        "URI"     = "https://graph.microsoft.com/v1.0/applications"
        "Method"  = "GET"
        "Headers" = @{
            "Content-Type"  = "application/json"
            "Authorization" = "Bearer $GraphToken"
        }
    }

    try { $AppList = Invoke-RestMethod @Params -UseBasicParsing } catch { }

    # Add Password in the Application
    if($AppList -ne $null)
    {
        [System.Collections.ArrayList]$Details = @()

        foreach($App in $AppList.value)
        {
            $ID = $App.ID
            $psobj = New-Object PSObject

            $Params = @{
                "URI"     = "https://graph.microsoft.com/v1.0/applications/$ID/addPassword"
                "Method"  = "POST"
                "Headers" = @{
                    "Content-Type"  = "application/json"
                    "Authorization" = "Bearer $GraphToken"
                }
            }

            $Body = @{ "passwordCredential" = @{ "displayName" = "Password" } }

            try
            {
                $AppPassword = Invoke-RestMethod @Params -UseBasicParsing -Body ($Body | ConvertTo-Json)
                Add-Member -InputObject $psobj -NotePropertyName "Object ID" -NotePropertyValue $ID
                Add-Member -InputObject $psobj -NotePropertyName "App ID" -NotePropertyValue $App.appId
                Add-Member -InputObject $psobj -NotePropertyName "App Name" -NotePropertyValue $App.displayName
                Add-Member -InputObject $psobj -NotePropertyName "Key ID" -NotePropertyValue $AppPassword.keyId
                Add-Member -InputObject $psobj -NotePropertyName "Secret" -NotePropertyValue $AppPassword.secretText
                $Details.Add($psobj) | Out-Null
            }
            catch
            {
                Write-Output "Failed to add new client secret to '$($App.displayName)' Application."
            }
        }

        if($Details -ne $null)
        {
            Write-Output ""
            Write-Output "Client secret added to : "
            Write-Output $Details | fl *
        }
    }
    else
    {
        Write-Output "Failed to Enumerate the Applications."
    }
}
```
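A detection for the behaviour of the function above, added here as an example and not part of the original page: it scans Azure AD directory audit records (constructed samples below, laid out the way Microsoft Graph `auditLogs/directoryAudits` returns them, which is an assumption about the field names) and flags any principal that adds credentials to several distinct applications within a short window. The activity name is matched loosely on the phrase "certificates and secrets management" rather than on an exact string; the thresholds are assumptions to tune per tenant.

```python
from collections import defaultdict
from datetime import datetime

# Activity name the directory audit log records for app credential changes (assumed
# here; the matcher below only relies on the "certificates and secrets" phrase).
SECRET_ACTIVITY = "Update application \u2013 Certificates and secrets management"


def _rec(ts, actor, app, result="success", activity=SECRET_ACTIVITY):
    """Build one constructed audit record in the assumed Graph directoryAudits shape."""
    return {
        "activityDateTime": ts,
        "activityDisplayName": activity,
        "result": result,
        "initiatedBy": {"user": {"userPrincipalName": actor}, "app": None},
        "targetResources": [{"displayName": app, "type": "Application"}],
    }


# Constructed sample (not real log data): one routine change by an admin, then one
# identity touching four different apps inside a minute, plus a failed attempt and
# an unrelated application update that must not count.
SAMPLE_AUDIT_RECORDS = [
    _rec("2024-05-01T09:00:00Z", "alice.admin@corp.onmicrosoft.com", "HR-Portal"),
    _rec("2024-05-01T10:00:05Z", "mallory@corp.onmicrosoft.com", "HR-Portal"),
    _rec("2024-05-01T10:00:20Z", "mallory@corp.onmicrosoft.com", "Billing-API"),
    _rec("2024-05-01T10:00:41Z", "mallory@corp.onmicrosoft.com", "CRM-Sync"),
    _rec("2024-05-01T10:01:03Z", "mallory@corp.onmicrosoft.com", "Intranet"),
    _rec("2024-05-01T10:01:09Z", "mallory@corp.onmicrosoft.com", "Legacy-App", result="failure"),
    _rec("2024-05-01T10:02:00Z", "mallory@corp.onmicrosoft.com", "Intranet", activity="Update application"),
]


def parse_time(ts):
    # Keep only the seconds part: Graph timestamps may carry fractional seconds and a Z.
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")


def is_successful_secret_change(rec):
    name = (rec.get("activityDisplayName") or "").lower()
    return "certificates and secrets management" in name and rec.get("result") == "success"


def actor_of(rec):
    """Who performed the change: a user UPN, or the display name of an app acting on its own."""
    by = rec.get("initiatedBy") or {}
    if by.get("user"):
        return by["user"].get("userPrincipalName")
    if by.get("app"):
        return by["app"].get("displayName")
    return None


def application_targets(rec):
    return [t.get("displayName") for t in rec.get("targetResources", [])
            if t.get("type") == "Application"]


def detect_mass_secret_addition(records, window_seconds=600, threshold=3):
    """Flag each actor that adds credentials to >= threshold distinct applications
    within window_seconds. Returns one alert per actor (the first window that trips)."""
    per_actor = defaultdict(list)
    for rec in records:
        if not is_successful_secret_change(rec):
            continue
        actor = actor_of(rec)
        if actor is None:
            continue
        for app in application_targets(rec):
            per_actor[actor].append((parse_time(rec["activityDateTime"]), app))

    alerts = []
    for actor, events in per_actor.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            apps = {app for t, app in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(apps) >= threshold:
                alerts.append({"actor": actor, "apps": sorted(apps), "window_start": start.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_secret_addition(SAMPLE_AUDIT_RECORDS):
        print(f"{alert['actor']} added secrets to {len(alert['apps'])} apps "
              f"from {alert['window_start']}: {alert['apps']}")
```

A single legitimate credential rotation stays below the threshold; the bulk pattern the function above produces trips it on the first window.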

### Roles

```bash
# Get roles
az role definition list
# Get assigned roles
az role assignment list --all --query "[].roleDefinitionName"
az role assignment list --all | jq '.[] | .roleDefinitionName,.scope'
# Get info of 1 role
az role definition list --name "AzureML Registry User"
# Get only custom roles
az role definition list --custom-role-only
# Get only roles assigned to the resource group indicated
az role definition list --resource-group <resource_group>
# Get only roles assigned to the indicated scope
az role definition list --scope <scope>
# Get all the principals a role is assigned to
az role assignment list --all --query "[].{principalName:principalName,principalType:principalType,resourceGroup:resourceGroup,roleDefinitionName:roleDefinitionName}[?roleDefinitionName=='<ROLE_NAME>']"
```

Azure AD Enumeration

User Enumeration

User enumeration can be performed through the Azure AD login interface. By entering a valid username and observing the response, an attacker can determine if the username is valid or not. This can aid in further attacks such as password spraying or targeted phishing.

Group Enumeration

Group enumeration involves identifying Azure AD groups and their members. This information can be useful for understanding the organization's structure and identifying high-value targets for attacks.

Application Enumeration

Enumerating applications registered in Azure AD can provide insights into the organization's use of third-party services and potential points of compromise.

Device Enumeration

Identifying devices registered in Azure AD can help an attacker understand the devices used within the organization and potentially exploit vulnerabilities associated with these devices.

Role Enumeration

Enumerating roles assigned within Azure AD can reveal privileged accounts and roles within the organization, which can be valuable targets for attackers.

Policy Enumeration

Understanding the policies configured in Azure AD can help an attacker identify security controls in place and potential weaknesses that can be exploited.

Certificate Enumeration

Enumerating certificates used in Azure AD can reveal information about encryption mechanisms and potential weak points in the security infrastructure.

Endpoint Enumeration

Identifying endpoints exposed by Azure AD can help an attacker discover additional entry points into the organization's network and services.

OAuth App Enumeration

Enumerating OAuth applications registered in Azure AD can provide insights into potential authorization vulnerabilities and misconfigurations that could be leveraged in attacks.

Tenant Enumeration

Identifying Azure AD tenants associated with an organization can help an attacker understand the scope of the environment and potential interdependencies between different tenants.

Federation Enumeration

Enumerating federated services integrated with Azure AD can reveal external dependencies and potential attack vectors that could be exploited to compromise the organization's resources.

Risk Enumeration

Understanding the risk factors associated with Azure AD configurations can help an attacker prioritize targets based on the level of risk they pose to the organization's security posture.

Security Enumeration

Enumerating security settings and configurations within Azure AD can help identify gaps in security controls and potential misconfigurations that could be exploited by an attacker.

Logging Enumeration

Identifying logging and monitoring configurations in Azure AD can help an attacker understand the visibility of their actions and potential detection mechanisms in place.

API Enumeration

Enumerating APIs exposed by Azure AD can provide insights into the functionalities available to attackers and potential avenues for unauthorized access to sensitive data or resources.

Synchronization Enumeration

Identifying synchronization configurations in Azure AD can help an attacker understand how user accounts and data are synchronized across different systems and potentially identify weaknesses in the synchronization process.

Privilege Enumeration

Enumerating privileges assigned within Azure AD can help identify accounts with elevated permissions and roles that could be targeted for privilege escalation attacks.

Multi-factor Authentication Enumeration

Enumerating multi-factor authentication settings in Azure AD can help identify accounts protected by MFA and potential bypass techniques that could be used to circumvent this additional security measure.

Password Policy Enumeration

Understanding the password policies enforced in Azure AD can help an attacker identify potential weaknesses in password management practices and exploit them to gain unauthorized access to accounts.

Conditional Access Enumeration

Enumerating conditional access policies in Azure AD can help identify restrictions and controls placed on user access based on specific conditions, providing insights into potential bypass techniques or misconfigurations that could be abused by an attacker.

Sign-In Enumeration

Identifying sign-in configurations and settings in Azure AD can help an attacker understand the authentication mechanisms in place and potential vulnerabilities that could be exploited to gain unauthorized access to user accounts.

Risky Sign-Ins Enumeration

Enumerating risky sign-ins detected by Azure AD can help identify potential security incidents and ongoing attacks targeting the organization's resources, allowing for timely response and mitigation efforts.

Identity Protection Enumeration

Enumerating identity protection policies and configurations in Azure AD can help an attacker understand the measures in place to protect user identities and detect suspicious activities, providing insights into potential weaknesses that could be exploited.

Security Defaults Enumeration

Understanding the security defaults enabled in Azure AD can help identify baseline security settings and potential gaps that may exist in the default configurations, allowing an attacker to focus on exploiting these weaknesses to gain unauthorized access.

Guest User Enumeration

Enumerating guest users in Azure AD can help identify external users with access to the organization's resources and potential entry points that could be leveraged in attacks targeting the guest accounts.

Application Proxy Enumeration

Identifying applications published through Azure AD Application Proxy can help an attacker discover internal applications exposed to the internet and potential misconfigurations that could be exploited to gain unauthorized access to sensitive data or resources.

Password Protection Enumeration

Enumerating password protection settings in Azure AD can help identify additional security measures in place to prevent password-based attacks and potential weaknesses that could be targeted by attackers attempting to bypass these protections.

Smart Lockout Enumeration

Enumerating smart lockout settings in Azure AD can help identify account lockout policies and mechanisms in place to prevent brute force attacks, providing insights into potential bypass techniques or misconfigurations that could be exploited by an attacker.

Risk Events Enumeration

Enumerating risk events detected by Azure AD can help identify security incidents and suspicious activities that may indicate ongoing attacks or unauthorized access attempts, allowing for prompt investigation and response to mitigate potential risks.

# Get all available role templates
Get-AzureADDirectoryRoleTemplate
# Get enabled roles (Assigned roles)
Get-AzureADDirectoryRole
Get-AzureADDirectoryRole -ObjectId <roleID> #Get info about the role
# Get custom roles - use AzureAdPreview
Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName
# Users assigned a role (Global Administrator)
Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
Get-AzureADDirectoryRole -ObjectId <id> | fl
# Roles of the Administrative Unit (who has permissions over the administrative unit and its members)
Get-AzureADMSScopedRoleMembership -Id <id> | fl *

Az PowerShell

Install Az PowerShell Module

To interact with Azure AD using PowerShell, you need to install the Az PowerShell module. You can install the module by running the following command:

Install-Module -Name Az -AllowClobber -Scope CurrentUser

Connect to Azure AD

After installing the Az PowerShell module, you can connect to Azure AD using the following command:

Connect-AzAccount

This command will prompt you to enter your Azure credentials to authenticate and establish a connection to Azure AD.

List Azure AD Users

You can list all the users in Azure AD by running the following command:

Get-AzADUser

This command will return a list of all the users in your Azure AD tenant.

Get Azure AD User

To get information about a specific user in Azure AD, you can use the following command:

Get-AzADUser -UserPrincipalName user@example.com

Replace user@example.com with the user's actual UPN.

Create a New Azure AD User

You can create a new user in Azure AD using the following command:

New-AzADUser -DisplayName "John Doe" -UserPrincipalName john.doe@example.com -MailNickname johndoe -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force)

Replace the values with the desired display name, user principal name, mail nickname and password. -Password takes a SecureString (hence the inline conversion) and -MailNickname is mandatory.

Update Azure AD User

To update an existing Azure AD user's information, you can use the following command:

Set-AzADUser -UserPrincipalName user@example.com -DisplayName "Jane Smith"

Replace user@example.com with the user's actual UPN and update the display name as needed.

Remove Azure AD User

To remove a user from Azure AD, you can use the following command:

Remove-AzADUser -UserPrincipalName user@example.com

Replace user@example.com with the user's actual UPN.

# Get role assignments on the subscription
Get-AzRoleDefinition # lists the role definitions (built-in and custom) available in the current subscription, not the assignments
# Get Role definition
Get-AzRoleDefinition -Name "Virtual Machine Command Executor"
# Get roles of a user or resource
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com
Get-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/<res_group_name>/providers/Microsoft.Compute/virtualMachines/<vm_name>
# Get permissions over a resource using ARM directly
$Token = (Get-AzAccessToken).Token
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/Research/providers/Microsoft.Compute/virtualMachines/infradminsrv/providers/Microsoft.Authorization/permissions?api-version=2015-07-01'
$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
}
(Invoke-RestMethod @RequestParams).value
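The cmdlets above list which roles a principal holds, but not whether those roles let it grant itself more. The following script is an added example (it is not part of the original page nor of any Microsoft tooling) that walks every subscription visible to the current Az session, collects the signed-in user's assignments including those inherited through groups, and checks each role definition's Actions and NotActions for the Microsoft.Authorization/roleAssignments/write action, i.e. the ability to hand yourself Owner. It assumes an interactive user session, so (Get-AzContext).Account.Id is the UPN; for a service principal session use -ObjectId instead of -SignInName.

```powershell
# Added example (not from the original page): report the current user's Azure RBAC
# assignments across all subscriptions and flag roles that can write role assignments.
# Requires Az.Accounts + Az.Resources and an existing Connect-AzAccount session.

# RBAC action patterns only use '*' as a wildcard and are case-insensitive,
# which is exactly what PowerShell's -like operator implements.
function Test-ActionMatch {
    param([string]$Pattern, [string]$Action)
    return $Action -like $Pattern
}

# A role effectively allows $Action when some Actions entry grants it
# and no NotActions entry takes it away again (Contributor is "*" minus
# "Microsoft.Authorization/*/Write", so it must come out as $false).
function Test-RoleAllowsAction {
    param($RoleDefinition, [string]$Action)
    $granted = $false
    foreach ($a in $RoleDefinition.Actions) {
        if (Test-ActionMatch -Pattern $a -Action $Action) { $granted = $true; break }
    }
    if (-not $granted) { return $false }
    foreach ($n in $RoleDefinition.NotActions) {
        if (Test-ActionMatch -Pattern $n -Action $Action) { return $false }
    }
    return $true
}

$RoleAssignWrite = 'Microsoft.Authorization/roleAssignments/write'
$Me = (Get-AzContext).Account.Id   # UPN of the signed-in user (assumption: user session)

$Report = foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    # -ExpandPrincipalGroups also returns assignments inherited via group membership
    $assignments = Get-AzRoleAssignment -SignInName $Me -ExpandPrincipalGroups
    # Cache definitions per subscription: custom roles can differ between subscriptions
    $defs = @{}
    foreach ($ra in $assignments) {
        if (-not $defs.ContainsKey($ra.RoleDefinitionId)) {
            $defs[$ra.RoleDefinitionId] = Get-AzRoleDefinition -Id $ra.RoleDefinitionId
        }
        [pscustomobject]@{
            Subscription  = $sub.Name
            Role          = $ra.RoleDefinitionName
            Scope         = $ra.Scope
            CanGrantRoles = Test-RoleAllowsAction -RoleDefinition $defs[$ra.RoleDefinitionId] -Action $RoleAssignWrite
        }
    }
}

# Roles that can grant roles first: these are the ones worth escalating through
$Report | Sort-Object CanGrantRoles -Descending | Format-Table -AutoSize
```

Owner and User Access Administrator come out with CanGrantRoles = True, Contributor and Reader with False; a custom role with a broad Actions wildcard and no matching NotActions will also be flagged, which is the misconfiguration this check exists to catch.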

Devices

# If you know how to do this send a PR!

Azure AD Enumeration

Azure AD enumeration means gathering information about the users, groups, devices, applications and permissions in a tenant. That information is used to spot weaknesses and to plan the next steps of an attack.

Tools for Azure AD Enumeration

  1. AzureAD / Az PowerShell modules: query and manage Azure AD users, groups, devices and applications from PowerShell.

  2. Microsoft Graph API (successor of the Azure AD Graph API, which is being retired): programmatic REST access to the same objects.

  3. Microsoft Graph Explorer: a browser-based console for running Graph queries against the tenant interactively.

Techniques for Azure AD Enumeration

  1. User Enumeration: gathering usernames, e-mail addresses and assigned roles.

  2. Group Enumeration: identifying groups and their members to understand the group structure and relationships.

  3. Device Enumeration: listing registered and joined devices, their owners and their compliance state.

  4. Application Enumeration: discovering registered applications and the permissions they hold on resources.

  5. Permission Enumeration: understanding the permissions assigned to users, groups and applications.

By performing Azure AD enumeration, pentesters gain valuable insight into the target tenant and can identify potential security risks.

# Enumerate Devices
Get-AzureADDevice -All $true | fl *
# List all the active devices (and not the stale devices)
Get-AzureADDevice -All $true | ?{$_.ApproximateLastLogonTimeStamp -ne $null}
# Get owners of all devices
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredOwner
Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredOwner -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}
# Registered users of all the devices
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredUser
Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredUser -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}
# Get devices marked compliant by Intune (IsCompliant is a boolean set by the MDM compliance policy)
Get-AzureADDevice -All $true | ?{$_.IsCompliant -eq $true}
# Get devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Get Administrative Units of a device (AzureADPreview; the *-AzureADMS* cmdlets take -Id, not -ObjectId)
$deviceObjId = "<device-object-id>"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where {$_.Id -eq $deviceObjId} }

If a device (VM) is Azure AD joined, Azure AD users will be able to log in to it. Moreover, if the logged-in user is the Owner of the device, they will be a local administrator.

Apps

Apps are the App Registrations in the portal (not the Enterprise Applications). But each App Registration creates an Enterprise Application (Service Principal) with the same name. Moreover, if the App is a multi-tenant App, another Enterprise Application (Service Principal) with the same name is created in every tenant that consents to it.

When an App is created, 2 types of permissions are granted:

  • Permissions given to the Service Principal

  • Permissions the application can have and use on behalf of a user.

# List Apps
az ad app list
az ad app list --query "[].[displayName]" -o table
# Get info of 1 App
az ad app show --id 00000000-0000-0000-0000-000000000000
# Search App by string
az ad app list --query "[?contains(displayName,'app')].displayName"
# Get the owner of an application
az ad app owner list --id <id> --query "[].[displayName]" -o table
# List all the apps with an application password
# (passwordCredentials is always a list, possibly empty, so "!= null" matches every app; test its length instead; --all lifts the default result limit)
az ad app list --all --query '[?length(passwordCredentials) > `0`].displayName'
# List apps that have key credentials (use of certificate authentication)
az ad app list --all --query '[?length(keyCredentials) > `0`].displayName'

Azure AD

Azure AD plays a central role in the security of an Azure environment: it handles authentication, authorization, access control and more. So when auditing the security of an Azure tenant, the following areas deserve attention.

Multi-Factor Authentication (MFA)

Enabling MFA for all users is essential; it blocks access even when a password has been leaked or stolen. Make sure MFA is enforced for every user, above all for accounts with elevated roles or access to sensitive data.

Access Control

Use access-control policies to define who can do what inside Azure AD. Assign access levels according to each user's role to limit the risk of unauthorized access or misuse of resources.

Security Monitoring

Monitor security activity inside Azure AD: sign-ins, permission changes and any other suspicious activity. Continuous monitoring lets you detect threats or abuse quickly.

Device Management

Use device-management tooling to control which devices can sign in to Azure AD. Enforce policies such as requiring a device to be compliant before it can reach resources, or requiring up-to-date security software on it.

Credential Management

Manage certificates, keys and other secrets carefully. Avoid sharing them widely or storing them in inappropriate places, and use a proper secrets-management system to prevent unauthorized access.

Conclusion

Focusing on these areas of Azure AD security substantially improves the security of your Azure environment. Audit regularly and fix any gaps as soon as possible.

# List all registered applications
Get-AzureADApplication -All $true
# Get details of an application
Get-AzureADApplication -ObjectId <id>  | fl *
# List all the apps with an application password
Get-AzureADApplication -All $true | %{if(Get-AzureADApplicationPasswordCredential -ObjectID $_.ObjectID){$_}}
# Get owner of an application
Get-AzureADApplication -ObjectId <id> | Get-AzureADApplicationOwner |fl *

Az PowerShell
# Get Apps
Get-AzADApplication
# Get details of one App
Get-AzADApplication -ObjectId <id>
# Get App searching by string
Get-AzADApplication | ?{$_.DisplayName -match "app"}
# Get Apps with password credentials (Get-AzADAppCredential needs an app identifier; Id is ObjectId in Az.Resources < 5)
Get-AzADApplication | %{ if(Get-AzADAppCredential -ObjectId $_.Id){ $_ } }

An app with the AppRoleAssignment.ReadWrite.All permission can escalate to Global Administrator by assigning itself the roles it needs. For more information check this.

The secret string the app uses to prove its identity when requesting a token is the application password. So, if you find this password you can access the tenant as the service principal. Note that this password can only be seen when it is generated (you can rotate it, but you cannot read it again). The owner of the application can add a password to it (and so impersonate it). Sign-ins as these service principals are not flagged as risky and are not subject to MFA.
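To find which service principals already hold Graph application permissions such as the one discussed above, the following added example (not part of the original page) queries Microsoft Graph directly with the token of an existing Az session, in the same style as the ARM permissions call earlier on this page. It assumes the session can read service principals (Application.Read.All or Directory.Read.All), and the list of "dangerous" permissions is this example's own selection, not an official Microsoft classification.

```powershell
# Added example (not from the original page): list every principal that has been
# granted a Microsoft Graph *application* permission and flag the escalation-capable ones.
# Requires Az.Accounts and an existing Connect-AzAccount session.

# Get-AzAccessToken returns a plain string in older Az.Accounts and a SecureString
# in newer ones; normalise to a string for the Authorization header.
$Token = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
if ($Token -is [System.Security.SecureString]) {
    $Token = [System.Net.NetworkCredential]::new('', $Token).Password
}
$Headers = @{ Authorization = "Bearer $Token" }

# Follow @odata.nextLink so large tenants are fully enumerated, not just the first page.
function Get-GraphCollection {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-RestMethod -Method GET -Uri $Uri -Headers $Headers
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

# Microsoft Graph's well-known appId is identical in every tenant; its service
# principal's appRoles are the catalogue of application permissions.
$GraphAppId = '00000003-0000-0000-c000-000000000000'
$GraphSp = (Get-GraphCollection "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=appId eq '$GraphAppId'")[0]

# Map appRole id -> permission name (e.g. 'AppRoleAssignment.ReadWrite.All')
$RoleName = @{}
foreach ($r in $GraphSp.appRoles) { $RoleName[$r.id] = $r.value }

# Example's own selection of permissions that lead to Global Administrator
$Dangerous = @(
    'AppRoleAssignment.ReadWrite.All',    # can grant itself any other Graph app role
    'RoleManagement.ReadWrite.Directory', # can add members to Global Administrator
    'Directory.ReadWrite.All',
    'Application.ReadWrite.All'           # can add credentials to any app, including privileged ones
)

# appRoleAssignedTo on the Graph SP = every assignment where Graph is the resource,
# i.e. which principals hold which Graph application permissions.
$Assignments = Get-GraphCollection "https://graph.microsoft.com/v1.0/servicePrincipals/$($GraphSp.id)/appRoleAssignedTo?`$top=999"

$Assignments | ForEach-Object {
    $perm = $RoleName[$_.appRoleId]
    [pscustomobject]@{
        Principal   = $_.principalDisplayName
        PrincipalId = $_.principalId
        Permission  = $perm
        Dangerous   = $Dangerous -contains $perm
    }
} | Sort-Object Dangerous, Principal -Descending | Format-Table -AutoSize
```

Any principal flagged Dangerous is a target: its application password or certificate (enumerated with the commands above) gives a non-MFA, non-risk-scored path to Global Administrator. The same pattern works for other resource service principals (Exchange Online, SharePoint) by swapping the appId.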

Difference between Applications and (Enterprise Applications or Service Principals)

The difference between an Application and a Service Principal in Azure:

  • Application / App Registration: the application objects defined in your Azure AD
    (Get-AzureADApplication -Filter "DisplayName eq 'testapp'")

  • Service Principal / Enterprise Application: security principals in your Azure AD that can hold permissions on Azure resources and are linked to your own application or to a third-party application
    (Get-AzureADServicePrincipal -Filter "DisplayName eq 'testapp'")

  • An administrator may need to approve the granted permissions if they are very sensitive.

An application can be running in a third-party tenant; once you start using it and grant it access, an Enterprise Application / Service Principal is created in your tenant to give it the access to the information it needs:

Administrative Units

They are used for a finer-grained management of users.

Administrative units restrict the permissions of a role to whatever portion of your organization you define. For example, you could use administrative units to delegate the Helpdesk Administrator role to regional support specialists so that they can manage users only in the region they support.

So you can assign a role scoped to an administrative unit, and the role holder gets those permissions only over the members of that unit. From an attacker's point of view this matters both ways: a scoped admin is a weaker foothold than a tenant-wide one, but it still yields password resets over every user placed in the unit.

AzureAD

AzureAD is Microsoft's cloud-based identity and access management service. It lets organizations manage users and grant access to cloud resources, so when assessing an Azure environment the AzureAD configuration itself has to be tested, since a weakness there exposes everything that trusts it.

Key areas to focus on when pentesting AzureAD:

  1. User Accounts: weak or reused passwords, stale or external (guest) accounts, and unusual sign-in activity.

  2. Multi-Factor Authentication (MFA): whether MFA is enforced for all users (not only administrators) and whether Conditional Access leaves gaps, such as legacy authentication or service principal sign-ins, which receive no MFA prompt.

  3. Privileged Accounts: who holds Global Administrator and other directory roles, including role assignments scoped through administrative units, and whether those accounts are used for day-to-day work.

  4. Security Policies: the state of Identity Protection (risk-based policies) and Password Protection (banned password lists), and whether the tenant deviates from the defaults.

  5. Integration: the permissions granted to applications and service principals, their owners and their credentials, since a consented app with high Graph permissions is a path to tenant takeover.

Examining these areas lets a pentester identify and report the misconfigurations that most often lead to compromise of the AzureAD tenant.

# Get Administrative Units
Get-AzureADMSAdministrativeUnit
Get-AzureADMSAdministrativeUnit -Id <id>
# Get ID of admin unit by string
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
# List the users, groups, and devices affected by the administrative unit
Get-AzureADMSAdministrativeUnitMember -Id <id>
# Get the roles users have over the members of the AU
Get-AzureADMSScopedRoleMembership -Id <id> | fl # Get role ID and role members
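The cmdlets above return role IDs and member IDs separately; the following added example (not from the original page) joins them into a single table showing, for every administrative unit, which principal holds which role over how many members. It uses the AzureAD module and assumes an active Connect-AzureAD session; the Helpdesk Administrator filter at the end is just the role the text uses as its example.

```powershell
# Added example: one row per (administrative unit, scoped role assignment), with role
# IDs resolved to names. Assumes: Connect-AzureAD has been run. Module: AzureAD.
$auReport = foreach ($au in Get-AzureADMSAdministrativeUnit -All $true) {
    # Users, groups and devices that the scoped role applies to
    $members = @(Get-AzureADMSAdministrativeUnitMember -Id $au.Id -All $true)
    # Role assignments scoped to this unit
    $scoped  = @(Get-AzureADMSScopedRoleMembership -Id $au.Id)

    foreach ($s in $scoped) {
        # RoleId is the object id of the activated directoryRole; resolve it to a name
        $role = Get-AzureADDirectoryRole -ObjectId $s.RoleId
        [pscustomobject]@{
            AdminUnit   = $au.DisplayName
            AdminUnitId = $au.Id
            MemberCount = $members.Count
            Role        = $role.DisplayName
            Principal   = $s.RoleMemberInfo.DisplayName
            PrincipalId = $s.RoleMemberInfo.Id
        }
    }
}

$auReport | Sort-Object AdminUnit, Role | Format-Table -AutoSize

# Helpdesk Administrators scoped to a unit can reset passwords of the unit's non-admin members
$auReport | Where-Object { $_.Role -eq 'Helpdesk Administrator' }
```

If you control one of the principals listed, cross-check the unit's members (Get-AzureADMSAdministrativeUnitMember -Id <AdminUnitId>) against directory role holders: a scoped Helpdesk Administrator cannot reset an administrator's password, so the useful targets are the ordinary users in the unit who own something of value (application ownership, group ownership, resource roles).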

Azure AD Identity Protection (AIP)

Azure AD Identity Protection (abbreviated AIP on this page; not to be confused with Azure Information Protection) is a security service that uses automated detection and remediation to help protect user identities in Azure Active Directory from compromise. It monitors and evaluates the risk of user sign-ins and of identity configuration, and then applies the appropriate security action automatically, such as requiring multi-factor authentication or blocking risky activity. This helps organizations prevent identity-based breaches. Keep in mind that it evaluates user sign-ins; authentication as a service principal with an application secret is not risk-scored.

Process:

  1. Azure AD Identity Protection monitors user activity and collects data about sign-ins, authentication events and other relevant activities.

  2. The service uses machine learning algorithms to analyze this data and detect potential security threats.

  3. Azure AD Identity Protection assigns a risk level to the threat (e.g. a sign-in) and, if needed, raises an alert so that an automatic action is taken.

Azure AD Password Protection (APP)

Azure AD Password Protection (APP) is a security feature that helps prevent weak passwords in Azure Active Directory by enforcing strong password policies. APP blocks commonly used weak passwords and their variations, reducing the risk of password-related breaches. It can be applied at the cloud level and to on-premises Active Directory (through an agent on the domain controllers), improving the overall password security of the organization. During an assessment, note whether a custom banned password list is configured in addition to Microsoft's global list, and whether on-premises enforcement is in audit mode only, since audit mode logs but does not reject weak passwords.
