Unauthenticated Recon
Attacking
What an outsider wants to enumerate:
User login information
Resources that exist
Desktop SSO Info
Domain names
Tenant names and information
Enumeration focuses on exposed APIs and public DNS suffixes assigned by Microsoft.
List of publicly exposed APIs (endpoint, what it returns, AADInternals cmdlet):

login.microsoftonline.com/<domain>/.well-known/openid-configuration
  Returns: login information, including the tenant ID
  AADInternals: Get-AADIntTenantID -Domain <domain>

autodiscover-s.outlook.com/autodiscover/autodiscover.svc
  Returns: all domains of the tenant
  AADInternals: Get-AADIntTenantDomains -Domain <domain>

login.microsoftonline.com/GetUserRealm.srf?login=<UserName>
  Returns: login information of the tenant, including the tenant name and the domain authentication type
  AADInternals: Get-AADIntLoginInformation -UserName <UserName>

login.microsoftonline.com/common/GetCredentialType
  Returns: login information, including Desktop SSO information
  AADInternals: Get-AADIntLoginInformation -UserName <UserName>
DNS Suffixes
Determine if a company is using AzureAD
Visit the following URL, replacing DOMAIN with the company's domain name.
https://login.microsoftonline.com/getuserrealm.srf?login=username@DOMAIN.onmicrosoft.com&xml=1
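As an added example (not part of this page and not AADInternals code), a defender-side check that queries the endpoints listed above for your own domain and a test account, then reduces the replies to what an outsider learns without a single sign-in being logged. The response field names (issuer, NameSpaceType, AuthURL, IfExistsResult, EstsProperties.DesktopSsoEnabled), the JSON POST body for GetCredentialType, and the sample payloads are assumptions and constructed data, not captured tenant output.

```python
import json
import urllib.request

LOGIN = "https://login.microsoftonline.com"

# Constructed sample payloads: made-up values, field names assumed to match the public endpoints.
SAMPLE_OPENID = {"issuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/"}
SAMPLE_REALM = {"NameSpaceType": "Federated", "DomainName": "contoso.example",
                "AuthURL": "https://adfs.contoso.example/adfs/ls/"}
SAMPLE_CRED = {"IfExistsResult": 0, "EstsProperties": {"DesktopSsoEnabled": True}}


def get_json(url, body=None):
    """GET, or POST a JSON body, and decode the JSON reply (live use only)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def fetch_live(domain, username):
    """Query three of the endpoints from the table above for your own domain and a test user."""
    return (
        get_json(f"{LOGIN}/{domain}/.well-known/openid-configuration"),
        get_json(f"{LOGIN}/GetUserRealm.srf?login={username}"),
        get_json(f"{LOGIN}/common/GetCredentialType", {"Username": username}),  # assumed body shape
    )


def summarize_exposure(openid_cfg, realm, cred):
    """Reduce the raw replies to the facts an outsider learns without logging in."""
    tenant_id = openid_cfg["issuer"].rstrip("/").rsplit("/", 1)[-1]  # GUID segment of the issuer URL
    ests = cred.get("EstsProperties") or {}
    summary = {
        "tenant_id": tenant_id,
        "domain_auth": realm.get("NameSpaceType"),       # Managed / Federated / Unknown
        "federation_endpoint": realm.get("AuthURL"),     # only present for federated domains
        "desktop_sso": bool(ests.get("DesktopSsoEnabled")),
        "user_exists": cred.get("IfExistsResult") == 0,  # assumption: 0 means the account exists
    }
    findings = []
    if summary["desktop_sso"]:
        findings.append("Desktop SSO is advertised to unauthenticated callers")
    if summary["federation_endpoint"]:
        findings.append(f"federation endpoint disclosed: {summary['federation_endpoint']}")
    if summary["user_exists"]:
        findings.append("account validity is confirmed without any sign-in log entry")
    summary["findings"] = findings
    return summary


if __name__ == "__main__":
    print(json.dumps(summarize_exposure(SAMPLE_OPENID, SAMPLE_REALM, SAMPLE_CRED), indent=2))
```

Replace the sample tuple with `fetch_live("yourdomain.example", "testuser@yourdomain.example")` to run it against a tenant you own; the findings list is what to expect in recon against you, since none of these calls appear in the sign-in logs described below.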
Enumerate Commands
# Enumerate usernames from a list (one username per line)
Get-Content .\users.txt | Invoke-AADIntUserEnumerationAsOutsider -Method Normal
Tenant ID is public information.

AzureAD Attack Tools
Awesome Azure Pentest
Cloud-Azure PayloadsAllTheThings
AADInternals by @DrAzureAD
MicroBurst (NetSPI)
BlobHunter (CyberArk)
Cloud Enum
MFASweep
O365Recon
AzureHound
Custom Bloodhound Queries for Azure
Detecting/Defending
What is and isn't detected
IS NOT LOGGED
DNS queries are not logged in Azure.
Queries to the public APIs and tenant ID lookups are not logged.
IS LOGGED
Account sign-in attempts.
Logging Location
Sign-in activity is recorded in
Active Directory/Entra ID > Monitoring > Sign-in logs