Post

Azure Pentesting — References, Tools & Cheatsheet

Posted
By heeeyaaaa
1 min read
Azure Pentesting — References, Tools & Cheatsheet

A living reference for Azure and Entra ID offensive security tools, blogs, official docs, and useful API endpoints.

If you are completely new to Azure it is recommended to go through Microsoft training material for Azure to get familiar with it. It helped me understand Azure a lot better than I might have if I hadn’t gone through it. I especially want to emphasize “Manage security controls for identity and access” module from AZ-500 Training.

Open Interactive Cheatsheet

Tools

ToolLink
AADInternalshttps://o365blog.com/aadinternals/
MicroBursthttps://github.com/NetSPI/MicroBurst
BlobHunterhttps://github.com/cyberark/blobhunter
Cloud Enumhttps://github.com/initstring/cloud_enum
MFASweephttps://github.com/dafthack/MFASweep
O365Reconhttps://github.com/nyxgeek/o365recon
AzureHoundhttps://github.com/BloodHoundAD/AzureHound
MSOLSprayhttps://github.com/dafthack/MSOLSpray
PynAuthhttps://github.com/Synzack/PynAuth
ROADtokenhttps://github.com/dirkjanm/ROADtoken
RequestAADRefreshTokenhttps://github.com/leechristensen/RequestAADRefreshToken
Mandiant ADFSDumphttps://github.com/mandiant/ADFSDump
Custom BloodHound Querieshttps://github.com/hausec/Bloodhound-Custom-Queries
Awesome Azure Pentesthttps://github.com/Kyuu-Ji/Awesome-Azure-Pentest
PayloadsAllTheThings Azurehttps://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md

Deployable Environments

Note: You have to activate Azure and Entra ID P2 free trials to be able to deploy these.

NameURL
BadZurehttps://github.com/mvelazc0/BadZure
EntraGoathttps://github.com/Semperis/EntraGoat

Blogs & Research

ResourceLink
dirkjanm.io - PRT abusehttps://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/
DrAzureAD - Device Code Phishinghttps://aadinternals.com/post/phishing/
DrAzureAD - ADFShttps://aadinternals.com/post/adfs/
DebugPrivilege - Managed Identity lateral movementhttps://m365internals.com/2021/11/30/lateral-movement-with-managed-identities-of-azure-virtual-machines/
Tripla.dk - Managed Identities labhttps://tripla.dk/2022/03/13/create-an-azure-vulnerable-lab-part-4-managed-identities/
Datadog Security Labs - AU abusehttps://web.archive.org/web/20260422094633/https://securitylabs.datadoghq.com/articles/abusing-entra-id-administrative-units/
Just Looking - Public API enumerationhttps://o365blog.com/post/just-looking/
cloud.hacktricks.wikihttps://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/index.html

Official Microsoft Docs

ResourceLink
Graph Permissions Referencehttps://learn.microsoft.com/en-us/graph/permissions-reference
Entra ID Role Permissionshttps://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
Azure Built-in Roleshttps://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Azure Domains Listhttps://learn.microsoft.com/en-us/azure/security/fundamentals/azure-domains
Managed Identities Overviewhttps://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
Primary Refresh Tokenhttps://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token
Graph Explorerhttps://developer.microsoft.com/en-us/graph/graph-explorer
Graph API Overviewhttps://learn.microsoft.com/en-us/graph/api/overview
Default User Permissionshttps://docs.azure.cn/en-us/entra/fundamentals/users-default-permissions
AZ-500 Traininghttps://learn.microsoft.com/en-us/training/courses/az-500t00
Publisher Verificationhttps://learn.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview

Useful API Endpoints

PurposeURL
Check if tenant uses Entra IDhttps://login.microsoftonline.com/getuserrealm.srf?login=user@COMPANY.com&xml=1
Get Tenant IDhttps://login.microsoftonline.com/<domain>/.well-known/openid-configuration
Device loginhttps://microsoft.com/devicelogin
OAuth token endpointhttps://login.microsoftonline.com/Common/oauth2/token?api-version=1.0

Key GUIDs

Role / PermissionGUID
Global Administrator62e90394-69f5-4237-9190-012177145e10
Privileged Role Administratore8611ab8-c189-46e8-94e1-60213ab1f814
Privileged Authentication Administrator7be44c8a-adaf-4e2a-84d6-ab2649e08a13
Application Administrator9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3
Cloud Application Administrator158c047a-c907-4556-b7ef-446551a6b5f7
User Administratorfe930be7-5e62-47db-91af-98c3a49a38b1
AppRoleAssignment.ReadWrite.All06b708a9-e830-4db3-a914-8e69da51d44f
Application.ReadWrite.All1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9
Application.ReadWrite.OwnedBy18a4783c-866b-4cc7-a460-3d5e5662c884
Directory.ReadWrite.All19dbc75e-c2e2-444c-a770-ec69d8559fc7
Directory.Read.All7ab1d382-f21e-4acd-a863-ba3e13f7da61
Organization.ReadWrite.All292d869f-3427-49a8-9dab-8c70152b74e9
RoleManagement.ReadWrite.Directory9e3f62cf-ca93-4e0f-b9a4-8c7d4e3b4f8a
Microsoft Graph SP (all tenants)216e59bf-6c38-42b9-9211-734fe4d2f3bb
Azure, Pentesting
azure entra-id cheatsheet reference tools pentesting
This post is licensed under CC BY 4.0 by the author.