Unauthenticated Recon
Attacking
What an outsider wants to enumerate:
User login information
Resources that exist
Desktop SSO Info
Domain names
Tenant names and information
Enumeration focuses on exposed APIs and public DNS suffixes assigned by Microsoft.
List of publicly exposed APIs
API | Information | AADInternals function |
---|---|---|
login.microsoftonline.com/<domain>/.well-known/openid-configuration | Login information, including tenant ID | Get-AADIntTenantID -Domain <domain> |
autodiscover-s.outlook.com/autodiscover/autodiscover.svc | All domains of the tenant | Get-AADIntTenantDomains -Domain <domain> |
login.microsoftonline.com/GetUserRealm.srf?login=<UserName> | Login information of the tenant, including tenant Name and domain authentication type | Get-AADIntLoginInformation -UserName <UserName> |
login.microsoftonline.com/common/GetCredentialType | Login information, including Desktop SSO information | Get-AADIntLoginInformation -UserName <UserName> |
DNS Suffixes
Determine if the company is using AzureAD
Visit the following URL, replacing DOMAIN with the target domain name.
Enumerate Commands
The tenant ID is public information.
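The table above lists what the openid-configuration and GetUserRealm.srf endpoints disclose; the following parser, added here as an example and not part of the original page or of AADInternals, reads two such saved response bodies offline and reports whether a domain is in Azure AD at all, its tenant ID and its authentication type, so a defender can review what their own domains expose. The response bodies are constructed samples with placeholder GUID and names; the `error: invalid_tenant` and `NameSpaceType: Unknown` answers model the case where the domain is not an Azure AD tenant.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Every endpoint URL in the openid-configuration document carries the
# tenant ID as a GUID path segment, e.g. .../<tenant-guid>/oauth2/token
_TENANT_IN_URL = re.compile(
    r"login\.microsoftonline\.com/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/",
    re.IGNORECASE,
)

@dataclass
class TenantExposure:
    in_entra: bool              # domain is registered in Azure AD / Entra ID
    tenant_id: Optional[str]
    auth_type: str              # NameSpaceType: Managed, Federated or Unknown
    brand_name: Optional[str]   # FederationBrandName, if returned

def tenant_id_from_openid(body: str) -> Optional[str]:
    """Tenant ID from an openid-configuration body, or None when the
    domain is not a tenant (the service answers {"error": "invalid_tenant"})."""
    doc = json.loads(body)
    if doc.get("error") == "invalid_tenant":
        return None
    m = _TENANT_IN_URL.search(doc.get("token_endpoint", ""))
    return m.group(1).lower() if m else None

def summarize_exposure(openid_body: str, realm_body: str) -> TenantExposure:
    """Combine both public responses into one exposure summary."""
    realm = json.loads(realm_body)
    tid = tenant_id_from_openid(openid_body)
    ns = realm.get("NameSpaceType", "Unknown")
    return TenantExposure(
        in_entra=tid is not None and ns in ("Managed", "Federated"),
        tenant_id=tid,
        auth_type=ns,
        brand_name=realm.get("FederationBrandName"),
    )

# Constructed sample responses (placeholder GUID and names, not real data).
OPENID_OK = json.dumps({
    "token_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/token",
    "issuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
})
REALM_MANAGED = json.dumps({"NameSpaceType": "Managed", "DomainName": "example.com",
                            "FederationBrandName": "Example Corp"})
OPENID_MISSING = json.dumps({"error": "invalid_tenant",
                             "error_description": "AADSTS90002: Tenant 'nosuch.example' not found."})
REALM_MISSING = json.dumps({"NameSpaceType": "Unknown"})

if __name__ == "__main__":
    print(summarize_exposure(OPENID_OK, REALM_MANAGED))
    print(summarize_exposure(OPENID_MISSING, REALM_MISSING))
```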
AzureAD Attack Tools
Awesome Azure Pentest
Cloud-Azure PayloadsAllTheThings
AADInternals by @DrAzureAD
MicroBurst (NetSPI)
BlobHunter (CyberArk)
Cloud Enum
MFASweep
O365Recon
AzureHound
Custom Bloodhound Queries for Azure
Detecting/Defending
What is and isn't detected
IS NOT LOGGED
DNS queries are not logged in Azure.
Queries to the public APIs above, including tenant ID lookups, are not logged.
IS LOGGED
Account sign-in attempts.
Logging Location
Sign-in activity is recorded under Active Directory/Entra ID > Monitoring > Sign-in logs.