AzureHound
Using AzureHound/BloodHound
# Legacy PowerShell AzureHound collector: sign in to Az PowerShell and the AzureAD
# module with one credential object, then run Invoke-AzureHound.
#
# NOTE(review): the password below is a plaintext literal. Typed or saved like this
# it can be captured by PSReadLine history, transcripts and (if enabled) PowerShell
# script block logging. For anything other than a disposable lab account, prefer an
# interactive prompt such as Get-Credential.
$passwd = ConvertTo-SecureString "ItW!llN0tAnEasyPassw0rdY0UCantGu3ss1t" -AsPlainText -Force
# Bundle the user name and SecureString into a PSCredential reused by both Connect-* calls.
$creds = New-Object System.Management.Automation.PSCredential ("test@defcorphq.onmicrosoft.com", $passwd)
# Password-only, non-interactive sign-in to Az PowerShell. This is expected to fail
# for accounts where MFA is enforced; sign-ins are recorded in the tenant's sign-in logs.
Connect-AzAccount -Credential $creds
# Load the AzureAD module from the local tools folder and sign in with the same credential.
Import-Module C:\AzAD\Tools\AzureAD\AzureAD.psd1
Connect-AzureAD -Credential $creds
# Dot-source the collector script so Invoke-AzureHound is defined in this session.
. C:\AzAD\Tools\AzureHound\AzureHound.ps1
# Run the collection with verbose progress output.
# NOTE(review): where the output is written is not shown here; check the collector's options.
Invoke-AzureHound -Verbose
# The newer standalone AzureHound binary uses a different command line from the
# PowerShell collector: `list` runs the collection, -u / -p are the user name and
# password, -t is the tenant, and -o is the JSON output file.
# NOTE(review): -p places the password on the process command line, where it is
# visible to shell history and to process-creation auditing that records command
# lines. The output JSON describes the tenant's objects and role assignments, so
# handle it as sensitive data.
# NOTE(review): this password differs from the one used for the same account in the
# PowerShell example above; confirm which one is current.
.\azurehound.exe list -u 'test@defcorphq.onmicrosoft.com' -p 'V3ryH4rdt0Cr4ckN0OneC@nGu355ForT3stUs3r' -t 2d50cb29-5f7b-48a4-87ce-fe75a941adb6 -o azurehound.json
# Launch the BloodHound GUI (the step that imports the collected JSON is not shown here).
Start c:\azad\tools\bloodhound-win32-x64/BloodHound-win32-x64/BloodHound.exe
Sample Queries:
# NOTE: the '#' lines are notes for the reader, not Cypher (Cypher comments start
# with //). Paste only the MATCH lines into BloodHound's raw query box.
#
# Fix missing labels in the graph: for every node that has a non-empty azname but
# no name, copy azname into name. This is a write query (SET): it modifies the
# graph database rather than only reading from it.
MATCH (n) WHERE n.azname IS NOT NULL AND n.azname <> "" AND n.name IS NULL SET n.name = n.azname
# Global Administrator role holders: every path made of one or more AZGlobalAdmin
# edges (variable-length match *1..). Useful as an audit list of who holds the role.
MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p
# Every node with a direct (single-hop) relationship of any type to a Key Vault node.
# Despite "paths", multi-hop paths are not followed by this pattern.
MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p
# Owners of Azure applications: every node with an AZOwns edge to an AZApp node.
# Worth reviewing regularly, since ownership carries management rights over the app.
MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p