Azure AD and Office 365 are cloud services, and most information is hidden from the members (or guests) of the tenant. However, there is plenty of information publicly available to anyone. In this blog, using AADInternals v0.4.
This article is part of a blog series on the Azure AD and Microsoft 365 kill chain. It focuses on how to gather information about any Azure AD tenant as an insider. Using AADInternals v0.4.5, an insider can retrieve the same information as a guest: tenant brand, tenant name, tenant ID, Azure AD objects, domains, non-admin users, users who can register apps, directory access, whether directory sync is enabled, CA policies, MS Partner IDs, whether MS Partner DAP is enabled, MS Partner contracts, and MS Partners. The status of directory synchronization and the number of global admins are also shown.
The article also explains how to list all admin roles and their members, as well as synchronization information: the name of the synchronization server, the service user name, and the synchronization configuration.
User enumeration is also discussed. It allows an insider to export all users and groups (including Teams) from Azure AD, including identity information for both Azure AD and on-prem (if synced).
Azure AD sign-in logs are now available in all Azure AD editions, but the AADInternals functions use the application ID of Microsoft Office. As a result, obtaining a new access token appears to be a legitimate login event, and the subsequent API calls to Azure AD are not logged.
The article also explains how users are able to fill Azure AD with user or device objects. This is done by creating Bulk PRT (BPRT) tokens; the process is slow (20 users per minute and 90 devices per minute). The only way to prevent this is to prevent users from joining devices to Azure AD.
Overall, the article provides a comprehensive overview of how to gather information about any Azure AD tenant as an insider, as well as how to detect and prevent rogue behaviour.
📓 Wolf in sheep's clothing: Azure Active Directory reconnaissance as an insider
👉🏽 Azure AD and Microsoft 365 kill chain: focus on gathering information as an insider.
👉🏽 Use AADInternals v0.4.5 to retrieve the same information as a guest.
👉🏽 Retrieve tenant brand, tenant name, tenant ID, Azure AD objects, domains, and more.
👉🏽 Access information on non-admin users, users who can register apps, and directory access.
👉🏽 Check whether directory sync is enabled, CA policies, MS Partner IDs, whether MS Partner DAP is enabled, and more.
👉🏽 Learn about MS Partner contracts, directory synchronization status, and the number of global admins.
👉🏽 List all admin roles and members, including the synchronization server and configuration.
👉🏽 Export users and groups (including Teams) from Azure AD, including identity information.
👉🏽 Discuss Azure AD sign-in log availability and AADInternals API call logging.
👉🏽 Understand how users can fill Azure AD with objects using Bulk PRT tokens, and how to prevent it.
🔗 source link: https://aadinternals.com/post/insider/
#AzureADInsider #InformationGathering #AdminRoles #UserEnumeration #RogueBehaviour