You're reading from PowerShell Automation and Scripting for Cybersecurity

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781800566378
Edition: 1st Edition
Author: Miriam C. Wiesner

Miriam C. Wiesner is a senior security researcher at Microsoft, with over 15 years of experience in IT and IT security. She has held various positions, including administrator/system engineer, software developer, premier field engineer, program manager, security consultant, and pentester. She is also a renowned creator of open source tools based in PowerShell, including EventList and JEAnalyzer. She has been invited multiple times to present the research behind her tools at many international conferences, such as Black Hat (the US, Europe, and Asia), PSConfEU, and MITRE ATT&CK workshop. Outside of work, Miriam is a dedicated wife and mother, residing with her family near Nuremberg, Germany.

Hacking the Cloud – Exploiting Azure Active Directory/Entra ID

In the last chapter, we looked at Active Directory (AD) and on-premises authentication. In this chapter, we look at its successor and cloud identity provider (IdP): Azure Active Directory (AAD/Azure AD).

As of July 11, 2023, Microsoft renamed Azure AD to Entra ID. As this was announced only shortly before this book was released, we will refer to Entra ID simply as Azure Active Directory, Azure AD, or AAD in this chapter.

AAD is Microsoft’s cloud-based enterprise identity service. It provides single sign-on (SSO), Conditional Access, and multi-factor authentication (MFA) to protect users against various attack vectors, no matter whether they were initiated on-premises or using cloud-based techniques.

AAD is a multi-tenant cloud directory and authentication service. Other services, such as Office 365 or even Azure, rely on this service for authentication and authorization, by leveraging the accounts...

Technical requirements

To get the most out of this chapter, ensure that you have the following:

  • PowerShell 7.3 or above
  • Visual Studio Code installed
  • Access to the GitHub repository for Chapter07:

https://github.com/PacktPublishing/PowerShell-Automation-and-Scripting-for-Cybersecurity/tree/master/Chapter07

Differentiating between AD and AAD

A common misconception when comparing AD and AAD is that AAD is just AD in the cloud. This statement is not true.

While AD is the directory service for on-premises domains, AAD allows users to access Office 365, the Azure portal, SaaS applications, internal resources, and other cloud-based apps.

Both are identity and access management solutions, but beyond that, the two technologies differ considerably, as the following figure shows:

Figure 7.1 – AD versus AAD

AAD can sync with an on-premises AD (hybrid identity) and supports federation (e.g., through Security Assertion Markup Language (SAML)) or can be used as a single identity and access provider. It supports different types of authentication, such as the following:

  • Cloud-only authentication: In this scenario, AAD acts as the sole IdP, without any synchronization with an on-premises AD. Users authenticate directly with AAD for access...

Authentication in AAD

Before we start to dive deeper into what protocols are used and how they work, we first need to understand what a device identity is and how devices are joined.

Device identity – connecting devices to AAD

A device identity is simply the object that will be created in AAD once a device is registered or joined into the AAD tenant. It is similar to a device in on-premises AD and administrators can use it to manage the actual device or to get more information on it. Device identities can be found in the AAD portal under Devices | All devices.

There are three methods for joining or registering devices to AAD:

  • AAD join: The default method for joining modern devices, such as Windows 10 or Windows 11, to your AAD tenant. Windows Server 2019+ virtual machines (VMs) running in your Azure tenant can be joined as well.
  • AAD registration: A method to support bring-your-own-device (BYOD) or mobile device scenarios. This method is also considered a...

Privileged accounts and roles

Privileged accounts and roles are the heart of any directory service and are the most powerful accounts/roles. Therefore, they are of special interest to adversaries and need an extra level of protection.

There are many built-in roles available in AAD. In this chapter, I won’t describe all of them, but I will give you an overview of some important roles whose permissions could easily be abused. It therefore makes sense to regularly check and audit which accounts have those roles assigned:

  • Global Administrator: This is the most powerful role in AAD. It is allowed to perform every administrative task that is possible within AAD.
  • Privileged Role Administrator: This role can manage and assign all AAD roles, including the Global Administrator role. This role can also create and manage groups that can be assigned to AAD roles, as well as manage Privileged Identity Management and administrative units.
  • Global Reader: This...
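One way to perform the regular audit recommended above, as an added example that is not part of the book's own code: it uses the Microsoft Graph PowerShell SDK (assumed to be installed) and an account that may read directory roles to list the active members of the three roles just described.

```powershell
# Added audit example (not from the book): enumerate active members of
# highly privileged AAD roles with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in
# account is permitted to read directory roles and their members.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Roles worth reviewing regularly; extend the list as needed.
$rolesToAudit = @('Global Administrator', 'Privileged Role Administrator', 'Global Reader')

# Get-MgDirectoryRole returns only roles that have been activated in the
# tenant, so a role that has never had a member may simply be absent here.
$roles = Get-MgDirectoryRole | Where-Object { $_.DisplayName -in $rolesToAudit }

$report = foreach ($role in $roles) {
    # Members come back as generic directoryObjects; the object type,
    # display name and UPN live in AdditionalProperties.
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        [PSCustomObject]@{
            Role        = $role.DisplayName
            ObjectType  = $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
            DisplayName = $_.AdditionalProperties['displayName']
            UPN         = $_.AdditionalProperties['userPrincipalName']
            ObjectId    = $_.Id
        }
    }
}

$report | Sort-Object Role, DisplayName | Format-Table -AutoSize

# Caveat: only *active* assignments appear above. PIM-eligible assignments
# have to be reviewed separately, e.g. with
# Get-MgRoleManagementDirectoryRoleEligibilitySchedule.
$gaCount = @($report | Where-Object Role -eq 'Global Administrator').Count
if ($gaCount -gt 5) {
    Write-Warning "$gaCount Global Administrators found; Microsoft recommends fewer than five."
}
```

Service principals and groups show up with their own ObjectType, so a group assigned to Global Administrator should be expanded and reviewed as well.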

Accessing AAD using PowerShell

Of course, we all know the Azure portal; surely attackers can also take advantage of seamless SSO and access the portal using the user’s browser. There’s even a way to run code directly from the Azure portal using Azure Cloud Shell. But these methods are hard to automate and attackers would struggle to stay undetected. The following screenshot shows how Azure Cloud Shell can be run from the Azure portal:

Figure 7.6 – Using Azure Cloud Shell from the Azure portal

But there are also some ways to access AAD using code or the command line directly from your computer:

Originally, these methods were developed to support automation and simplify administration tasks, but as usual, they can also be abused by attackers.

We will not dive deeper into Azure .NET in this chapter. Azure .NET is a set of...

Attacking AAD

During an attack, enumeration is always one of the first steps (and repeated several times, depending on what the adversary can access) taken to get more details about an environment. Enumeration helps to find out what resources are available and what access rights can be abused.

While in AD every user with access to the corporate network can enumerate all user accounts and admin group membership, in AAD every user with access to Office 365 services over the internet can enumerate the same information for AAD.

Anonymous enumeration

There is even a way to find out more about the current AAD tenant anonymously. For an adversary, this has huge advantages, as they do not need to trick a user into providing their credentials through a phishing attack or similar. Also, the risk of being detected is massively decreased.

There are numerous APIs that do have a legit purpose, but can also be abused for anonymous enumeration.

One of those APIs is the following:

https...

Credential theft

Similar to on-premises AD, in AAD identities are the new perimeter and are very valuable to an adversary. Although technology, code review, and secure coding processes have improved drastically over the years, zero-day vulnerabilities still exist, but they are incredibly hard to find and to abuse. Therefore, adversaries target the weakest link – the users, aka identities.

In this section, we will explore different ways that adversaries can steal AAD users’ identities and act in their name.

Token theft

One of the most common scenarios spotted in the wild is token theft. It occurs when an attacker gains access to a user’s session token, authentication token, or session cookies. These tokens, such as refresh tokens and access tokens, can then be used to gain unauthorized access to the user’s account and sensitive information.

When we are talking...

Mitigations

There are several mitigations that can be employed to improve the security of AAD and protect against attacks such as enumeration, token theft, consent grant attacks, PTA, and SSO attacks. One way to start is by enabling security defaults in your AAD tenant, which provides a baseline level of security for all users, including requiring MFA and blocking legacy authentication protocols. Please also have a look at the quick security wins that Microsoft recommends:
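To verify the security-defaults baseline mentioned above, here is an added check that is not part of the book's code; it assumes the Microsoft Graph PowerShell SDK and an account with the Policy.Read.All permission.

```powershell
# Added example (not from the book): report whether security defaults are
# enforced and, if not, whether Conditional Access policies cover the gap.
# Assumes the Microsoft.Graph module is installed and Policy.Read.All is granted.
Connect-MgGraph -Scopes 'Policy.Read.All'

$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    Write-Host 'Security defaults are enabled: MFA registration is enforced and legacy authentication is blocked.'
}
else {
    # Security defaults and Conditional Access are mutually exclusive, so a tenant
    # that has turned defaults off should at least have enabled CA policies.
    $caPolicies = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq 'enabled' })
    if ($caPolicies.Count -eq 0) {
        Write-Warning 'Neither security defaults nor any enabled Conditional Access policy was found.'
        Write-Warning 'Consider enabling the baseline: Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true'
    }
    else {
        Write-Host "Security defaults are off; $($caPolicies.Count) enabled Conditional Access policies in place:"
        $caPolicies | Select-Object DisplayName, State | Format-Table -AutoSize
    }
}
```

Enabling the defaults requires a write permission on the policy, so the script only reports and leaves the change to an administrator.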

Summary

In this chapter, you learned about some basic aspects of security in AAD. AAD itself is a huge topic that we could write entire books about, so make sure that you spend more time researching AAD if you want to explore it further.

We explored the differences between AAD and on-premises AD and know that AAD is not just AD in the cloud but much more.

You should now be familiar with some of the protocols that are used when it comes to AAD and understand the basics of how authentication is done, as well as how adversaries try to exploit it.

It’s important to have a solid understanding of privileged built-in accounts and where to find more information about them so that you can either protect your environment in a better way or use your knowledge for your next red team exercise.

We explored several ways to connect to and interact with AAD via the command line and examined some of the most common attacks against AAD, such as anonymous and authenticated enumeration...

Further reading

If you want to explore some of the topics that were mentioned in this chapter, use these resources:

  • What is Azure Active Directory?: https://adsecurity.org/?p=4211
  • Azure AD Connect:
    • Download Azure AD Connect: https://www.microsoft.com/en-us/download/details.aspx?id=47594
  • Entra ID:
    • Azure AD is Becoming Microsoft Entra ID: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/azure-ad-is-becoming-microsoft-entra-id/ba-p/2520436
  • Federation:
    • Authenticate users with WS-Federation in ASP.NET Core: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-5.0
  • OAuth:
    • RFC –...