Az PowerShell can enumerate both Azure AD and Azure resources. It replaced the AzureRM and Azure modules for managing Azure resources.
- Install
- Enumeration AAD Users
- Enumeration AAD Groups
- Enumeration AAD Apps
- Enumeration AAD Service Principals
- Using Tokens With Az PowerShell
- Stealing Tokens From Az PowerShell
- Runbook
- Needs an Internet connection
```powershell
Install-Module Az
```
- Connect with an interactive login, or with a credential object (the `[email protected]` placeholder is as given in the notes):
```powershell
Connect-AzAccount
$creds = Get-Credential
Connect-AzAccount -Credential $creds
$passwd = ConvertTo-SecureString "SuperVeryEasytoGuessPassword@1234" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("[email protected]",$passwd)
Connect-AzAccount -Credential $creds
```
- All the Azure AD cmdlets have the format `*-AzAD*`
```powershell
Get-Command *azad*
Get-AzADUser
```
- Cmdlets for other Azure resources have the format `*-Az*`
```powershell
Get-Command *az*
Get-AzResource
```
- Find cmdlets for a particular resource. For example, VMs:
```powershell
Get-Command *azvm*
Get-Command -Noun *vm* -Verb Get
Get-Command *vm*
```
- Get information about the current context (account, tenant, subscription etc.)
```powershell
Get-AzContext
```
- List all available contexts
```powershell
Get-AzContext -ListAvailable
```
- Enumerate subscriptions accessible by the current user
```powershell
Get-AzSubscription
```
- Enumerate all resources visible to the current user
```powershell
Get-AzResource
```
- Azure RBAC role assignments, for the whole subscription or for a specific scope (here an Automation account)
```powershell
Get-AzRoleAssignment
Get-AzRoleAssignment -Scope /subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/Engineering/providers/Microsoft.Automation/automationAccounts/HybridAutomation
```
- Enumerate the hybrid worker groups of an Automation account
```powershell
Get-AzAutomationHybridWorkerGroup -AutomationAccountName HybridAutomation -ResourceGroupName Engineering
```
- Enumerate all users
```powershell
Get-AzADUser
```
- Enumerate a specific user
```powershell
Get-AzADUser -UserPrincipalName test@defcorphq.onmicrosoft.com
```
- Search for a user based on a string in the first characters of DisplayName
```powershell
Get-AzADUser -SearchString "admin"
```
- Search for users whose DisplayName contains the word "admin"
```powershell
Get-AzADUser | ?{$_.DisplayName -match "admin"}
```
- List all groups
```powershell
Get-AzADGroup
```
- Enumerate a specific group
```powershell
Get-AzADGroup -ObjectId 783a312d-0de2-4490-92e4-539b0e4ee03e
```
- Search for a group based on a string in the first characters of DisplayName
```powershell
Get-AzADGroup -SearchString "admin" | fl *
```
- Search for groups whose name contains the word "admin"
```powershell
Get-AzADGroup | ?{$_.DisplayName -match "admin"}
```
- Get members of a group
```powershell
Get-AzADGroupMember -ObjectId 783a312d-0de2-4490-92e4-539b0e4ee03e
```
- List all app objects
```powershell
Get-AzADApplication
```
- Get all details about an application
```powershell
Get-AzADApplication -ObjectId a1333e88-1278-41bf-8145-155a069ebed0
```
- Get an application based on the display name
```powershell
Get-AzADApplication | ?{$_.DisplayName -match "app"}
```
- Show the applications with an application password
```powershell
Get-AzADAppCredential
```
- Get all service principals
```powershell
Get-AzADServicePrincipal
```
- Get all details about a service principal
```powershell
Get-AzADServicePrincipal -ObjectId cdddd16e-2611-4442-8f45-053e7c37a264
```
- Get a service principal based on the display name
```powershell
Get-AzADServicePrincipal | ?{$_.DisplayName -match "app"}
```
- Already connected to a tenant, request an access token for Azure Resource Manager (ARM)
```powershell
Get-AzAccessToken
(Get-AzAccessToken).Token
```
- Request an access token for AAD Graph to access Azure AD. Supported values for `-ResourceTypeName`: AadGraph, AnalysisServices, Arm, Attestation, Batch, DataLake, KeyVault, OperationalInsights, ResourceManager, Synapse
```powershell
Get-AzAccessToken -ResourceTypeName AadGraph
```
- For Microsoft Graph
```powershell
(Get-AzAccessToken -Resource "https://graph.microsoft.com").Token
```
- Use the access token
```powershell
Connect-AzAccount -AccountId test@defcorphq.onmicrosoft.com -AccessToken eyj0eXA....
```
- Use other access tokens. To access Azure AD, also pass the AAD Graph token (the ARM access token is still required)
```powershell
Connect-AzAccount -AccountId test@defcorphq.onmicrosoft.com -AccessToken eyJ0eXA... -GraphAccessToken eyJ0eXA......
```
- Az PowerShell (older versions) stores access tokens in clear text in `TokenCache.dat` in the directory `C:\Users\[username]\.Azure`
- The same folder stores `ServicePrincipalSecret` in clear text in `AzureRmContext.json` if a service principal secret is used to authenticate
- Another way to steal tokens: take a process dump of PowerShell and look for tokens in it!
- Users can save tokens using `Save-AzContext`. Search for it in the PowerShell console history!
- Always use `Disconnect-AzAccount`
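As an added example (not part of the original notes), a PowerShell function that audits the current user's Az profile directory for the credential residue described above and reports counts only, never the secret or token values. The file names and the `.Azure` location come from the notes; the `*Context*.json` filter, the regex heuristics, the PSReadLine history check and the `Clear-AzContext` cleanup step are my assumptions.

```powershell
function Test-AzProfileCredentialResidue {
    [CmdletBinding()]
    param(
        # Profile directory to audit; the notes above place it at C:\Users\<user>\.Azure
        [string]$AzureDir = (Join-Path $HOME '.Azure')
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    if (-not (Test-Path -Path $AzureDir)) {
        $findings.Add("No Az profile directory at $AzureDir")
        return [pscustomobject]@{ Path = $AzureDir; Findings = $findings.ToArray() }
    }

    # 1. Older Az versions kept access tokens in clear text in TokenCache.dat
    $cache = Join-Path $AzureDir 'TokenCache.dat'
    if (Test-Path -Path $cache) {
        $findings.Add("TokenCache.dat present ($((Get-Item $cache).Length) bytes)")
    }

    # 2. Persisted contexts: a non-empty ServicePrincipalSecret means a service
    #    principal secret is on disk; JWT-shaped strings (three base64url parts
    #    starting with eyJ) suggest an access token saved via Save-AzContext.
    $secretPattern = '"ServicePrincipalSecret"\s*:\s*"[^"]+"'
    $jwtPattern    = '\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'
    Get-ChildItem -Path $AzureDir -Filter '*Context*.json' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $raw     = [string](Get-Content -Path $_.FullName -Raw)   # empty file -> ""
            $secrets = [regex]::Matches($raw, $secretPattern).Count
            $tokens  = [regex]::Matches($raw, $jwtPattern).Count
            if ($secrets -gt 0) { $findings.Add("$($_.Name): $secrets non-empty ServicePrincipalSecret value(s)") }
            if ($tokens -gt 0)  { $findings.Add("$($_.Name): $tokens JWT-shaped string(s)") }
        }

    # 3. Console history: Save-AzContext calls or an access token pasted on the command line
    $historyPath = $null
    try { $historyPath = (Get-PSReadLineOption).HistorySavePath } catch { }
    if ($historyPath -and (Test-Path -Path $historyPath)) {
        $hits = @(Select-String -Path $historyPath -Pattern 'Save-AzContext|-AccessToken\s+eyJ').Count
        if ($hits -gt 0) { $findings.Add("PSReadLine history: $hits line(s) with Save-AzContext or a pasted token") }
    }

    if ($findings.Count -gt 0) {
        # Clear-AzContext removes persisted contexts; Disconnect-AzAccount ends the session
        $findings.Add('Cleanup: Disconnect-AzAccount; Clear-AzContext -Force; then delete the stale files')
    }
    [pscustomobject]@{ Path = $AzureDir; Findings = $findings.ToArray() }
}

Test-AzProfileCredentialResidue | Format-List
```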
- Import, publish and start a runbook on a hybrid worker group of an Automation account
```powershell
Import-AzAutomationRunbook -Name studentx -Path C:\AzAD\Tools\studentx.ps1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Type PowerShell -Force -Verbose
Publish-AzAutomationRunbook -RunbookName studentx -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Verbose
Start-AzAutomationRunbook -RunbookName studentx -RunOn Workergroup1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Verbose
```