AzureAD

This module is deprecated; prefer the Az or Microsoft.Graph modules where possible.

Installation

You can drop the unzipped module folder into place and import it by path (see below), or install it from the gallery:

Install-Module AzureAD

Connect to Azure

Import-Module C:\AzAD\Tools\AzureAD\AzureAD.psd1
$passwd = ConvertTo-SecureString "ItW!llN0tAnEasyPassw0rdY0UCantGu3ss1t" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("[email protected]", $passwd)
 
# GUI alternative: $creds = Get-Credential
 
Connect-AzureAD -Credential $creds

Enumeration Using AzureAD

Tenant and Session Details

Get-AzureADCurrentSessionInfo
Get-AzureADTenantDetail

Users, Groups and Roles

# List all users
Get-AzureADUser -All $true
Get-AzureADUser -All $true | select UserPrincipalName
Get-AzureADUser -SearchString "admin" # begins-with, no wildcards supported
Get-AzureADUser -All $true | ?{$_.Displayname -match "admin"}
 
# search every user's properties for the string 'password' (e.g. passwords left in description fields)
Get-AzureADUser -All $true | %{$Properties = $_; $Properties.PSObject.Properties.Name | %{if ($Properties.$_ -match 'password') {"$($Properties.UserPrincipalName) - $_ - $($Properties.$_)"}}}
 
# get on-prem (synced) users
Get-AzureADUser -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null} # on-prem
 
# get objects created or owned by a user
# search for owned service principals -> add credentials to SP -> login as SP
Get-AzureADUser -All $true | Get-AzureADUserCreatedObject
Get-AzureADUserOwnedObject -ObjectId [email protected]
 
# List all Groups
Get-AzureADGroup -All $true
Get-AzureADGroup -SearchString 'Operations'
Get-AzureADMSGroup | ?{$_.GroupTypes -eq "DynamicMembership"} # find dynamic groups
 
# members of group
Get-AzureADGroupMember -ObjectId id-of-group
 
# what groups is the user a member of
Get-AzureADUserMembership -ObjectId [email protected]
 
# Get Roles and Members
Get-AzureADDirectoryRoleTemplate  # get all potential roles
Get-AzureADDirectoryRole # get all enabled (more than 0 assigned users) roles
Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
Get-AzureADGroupAppRoleAssignment -ObjectId <group-id>
 
# To get custom roles, we need to use the AzureADPreview module
Import-Module C:\AzAD\Tools\AzureADPreview\AzureADPreview.psd1
$passwd = ConvertTo-SecureString "ItW!llN0tAnEasyPassw0rdY0UCantGu3ss1t" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("[email protected]", $passwd)
Connect-AzureAD -Credential $creds
 
# Get Custom Roles
Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName
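The role cmdlets above answer one role at a time. As an added example (not from the original page), the function below walks every enabled directory role and its members into one table, so privileged assignments, especially to service principals or to accounts synced from on-prem, can be reviewed together. It assumes an existing Connect-AzureAD session and uses only AzureAD module cmdlets.

```powershell
# Added example, not from the original page: one pass over every enabled directory
# role and its members, so that privileged assignments can be reviewed in one table.
# Assumes an existing Connect-AzureAD session; all cmdlets are from the AzureAD module.
function Get-DirectoryRoleReport {
    foreach ($role in Get-AzureADDirectoryRole) {
        foreach ($m in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
            [pscustomobject]@{
                Role         = $role.DisplayName
                MemberType   = $m.ObjectType          # User, ServicePrincipal or Group
                Member       = if ($m.UserPrincipalName) { $m.UserPrincipalName } else { $m.DisplayName }
                # users synced from on-prem AD carry a SID: a compromise on-prem reaches this role
                OnPremSynced = [bool]$m.OnPremisesSecurityIdentifier
                ObjectId     = $m.ObjectId
            }
        }
    }
}

$report = Get-DirectoryRoleReport
$report | Sort-Object Role, MemberType | Format-Table -AutoSize

# Findings worth reviewing:
$report | ?{ $_.Role -eq 'Global Administrator' }                        # keep this list short
$report | ?{ $_.MemberType -eq 'ServicePrincipal' }                      # non-human identities holding roles
$report | ?{ $_.OnPremSynced -and $_.Role -eq 'Global Administrator' }   # hybrid accounts holding GA
```

Custom roles (AzureADPreview, Get-AzureADMSRoleDefinition) are not covered by Get-AzureADDirectoryRole and need a separate pass.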

You can also change objects, not just read them (given sufficient rights):

# add user to group
Add-AzureADGroupMember -ObjectId <group-id> -RefObjectId <user-id> -Verbose

Devices

  • owners of the device are added to the local Administrators group
  • if we get access to that device, we might be able to extract a PRT (Primary Refresh Token)

# List all Devices
Get-AzureADDevice -All $true
 
# all device properties (trust type, OS, compliance, last logon)
Get-AzureADDevice -All $true | fl *
 
# devices where a user actually logged in
Get-AzureADDevice -All $true | ?{$_.ApproximateLastLogonTimestamp -ne $null}
 
# get registered users/owners
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredOwner
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredUser
 
Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredOwner -ObjectId $_.ObjectId){$_; $user.UserPrincipalName;"`n"}}
 
Get-AzureADUserOwnedDevice -ObjectId [email protected]
Get-AzureADRegisteredDevice -ObjectId [email protected]
 
# get all Intune-managed (compliant) devices
Get-AzureADDevice -All $true | ?{$_.IsCompliant -eq $true}
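
Since registered owners are local admins on their devices, stale devices that nobody has signed in to for a long time are worth finding and cleaning up. The function below is an added example (not from the original page): it combines Get-AzureADDevice and Get-AzureADDeviceRegisteredOwner into a stale-device report; it assumes an existing Connect-AzureAD session, and the 90-day threshold is an assumed value.

```powershell
# Added example, not from the original page: flag devices with no recent sign-in
# that still have registered owners (local admins on them), so stale Azure AD
# joined / hybrid / registered devices can be reviewed and removed.
# Assumes an existing Connect-AzureAD session; $StaleDays is an assumed threshold.
function Get-StaleDeviceReport {
    param([int]$StaleDays = 90)
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($d in Get-AzureADDevice -All $true) {
        $last = $d.ApproximateLastLogonTimeStamp            # $null if nobody ever signed in
        if ($last -and $last -gt $cutoff) { continue }       # recently used: skip
        $owners = Get-AzureADDeviceRegisteredOwner -ObjectId $d.ObjectId
        [pscustomobject]@{
            Device    = $d.DisplayName
            TrustType = $d.DeviceTrustType                   # AzureAd, ServerAd (hybrid) or Workplace (registered)
            OS        = "$($d.DeviceOSType) $($d.DeviceOSVersion)"
            Compliant = $d.IsCompliant
            LastLogon = $last
            DaysIdle  = if ($last) { [int]((Get-Date) - $last).TotalDays } else { $null }
            Owners    = ($owners | % { $_.UserPrincipalName }) -join ';'
        }
    }
}

Get-StaleDeviceReport -StaleDays 90 | Sort-Object DaysIdle -Descending | Format-Table -AutoSize
```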

Administrative Units

Get-AzureADMSAdministrativeUnit
Get-AzureADMSScopedRoleMembership -Id <au-id>   # role assignments scoped to one administrative unit
Get-AzureADDirectoryRole

Applications and Service Principals

  • you can log in as an application
    • this is nice because Conditional Access and MFA are not applied to applications
  • we cannot see existing credentials (secret values), but we might add new credentials
    • owners can add secrets

# app registrations
Get-AzureADApplication -All $true
Get-AzureADApplicationPasswordCredential -ObjectId <app-object-id>
 
# all apps with registered password credentials
Get-AzureADApplication -All $true | %{if(Get-AzureADApplicationPasswordCredential -ObjectId $_.ObjectId){$_}}
 
# get Owners (those can add new application credentials)
Get-AzureADApplication -ObjectId uuid | Get-AzureADApplicationOwner
 
# get app roles for an user or group
Get-AzureADUser -ObjectId [email protected] | Get-AzureADUserAppRoleAssignment | fl *
Get-AzureADGroup -ObjectId uuid | Get-AzureADGroupAppRoleAssignment | fl *

  • service principals are per tenant
  • app registration only happens once (singleton in its home tenant)
    • in the home tenant, there is a relationship between the enterprise app (service principal) and the app registration
    • not cross-tenant

# service principals (enterprise apps)
Get-AzureADServicePrincipal -All $true
Get-AzureADServicePrincipalOwner -ObjectId <sp-object-id>
Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -match "app"}
Get-AzureADServicePrincipal -All $true | %{if(Get-AzureADServicePrincipalKeyCredential -ObjectId $_.ObjectId) {$_}}
Get-AzureADServicePrincipal -SearchString 'AdminAppSimulation'
Get-AzureADServicePrincipalOwnedObjects -ObjectId <sp-object-id>
Get-AzureADServicePrincipalCreatedObject -ObjectId <sp-object-id>
Get-AzureADServicePrincipal -ObjectID uuid | Get-AzureADServicePrincipalOwnedObjects
Get-AzureADServicePrincipal -ObjectID uuid | Get-AzureADServicePrincipalMembership
(Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId <id>).Scope
 
# get SPs with non-empty key or password credentials
Get-AzureADServicePrincipal -All $true | ?{ $_.PasswordCredentials.Count -gt 0 }
Get-AzureADServicePrincipal -All $true | ?{ $_.KeyCredentials.Count -gt 0 }
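
The one-liners above only tell you that a credential exists. As an added example (not from the original page), the function below lists every app registration and service principal that carries a password or key credential together with the credential lifetime and the owners who could add further credentials to it, which is what a reviewer needs to decide what to rotate and who should not be an owner. It assumes an existing Connect-AzureAD session; the 365-day lifetime limit is an assumed policy value.

```powershell
# Added example, not from the original page: app registrations and service principals
# with password/key credentials, credential lifetime, and the owners able to add more.
# Assumes an existing Connect-AzureAD session; $MaxLifetimeDays is an assumed policy threshold.
function Get-AppCredentialReport {
    param([int]$MaxLifetimeDays = 365)
    $targets  = @(Get-AzureADApplication      -All $true | % { @{ Kind = 'Application';      Obj = $_ } })
    $targets += @(Get-AzureADServicePrincipal -All $true | % { @{ Kind = 'ServicePrincipal'; Obj = $_ } })
    foreach ($t in $targets) {
        $o = $t.Obj
        $creds  = @($o.PasswordCredentials | % { @{ Type = 'Password'; Cred = $_ } })
        $creds += @($o.KeyCredentials      | % { @{ Type = 'Key';      Cred = $_ } })
        if ($creds.Count -eq 0) { continue }
        # owners are the accounts that could mint a new secret for this identity
        if ($t.Kind -eq 'Application') { $owners = Get-AzureADApplicationOwner -ObjectId $o.ObjectId }
        else { $owners = Get-AzureADServicePrincipalOwner -ObjectId $o.ObjectId }
        $ownerList = ($owners | % { if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName } }) -join ';'
        foreach ($c in $creds) {
            $cred = $c.Cred
            $life = if ($cred.StartDate -and $cred.EndDate) { [int]($cred.EndDate - $cred.StartDate).TotalDays } else { $null }
            [pscustomobject]@{
                Kind         = $t.Kind
                Name         = $o.DisplayName
                AppId        = $o.AppId
                CredType     = $c.Type
                KeyId        = $cred.KeyId
                Expires      = $cred.EndDate
                LifetimeDays = $life
                Expired      = ($cred.EndDate -and $cred.EndDate -lt (Get-Date))
                LongLived    = ($life -gt $MaxLifetimeDays)
                Owners       = $ownerList
            }
        }
    }
}

$report = Get-AppCredentialReport -MaxLifetimeDays 365
$report | Format-Table Kind, Name, CredType, Expires, LifetimeDays, LongLived, Owners -AutoSize
$report | ?{ $_.LongLived -or $_.Expired }     # candidates for rotation or removal
```

In a large tenant Get-AzureADServicePrincipal -All $true also returns Microsoft first-party service principals; filtering on ServicePrincipalType or AppId keeps the report focused on your own identities.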