
What is Azure Active Directory? – Active Directory Security https://adsecurity.org/?p=4211


Jan 12 2020

What is Azure Active Directory?


• By Sean Metcalf (https://adsecurity.org/?author=2) in Technical Reference (https://adsecurity.org/?cat=2)

Many are familiar with Active Directory, the on-premises directory and authentication system that is
available with Windows Server, but exactly what is Azure Active Directory (https://docs.microsoft.com/en-
us/azure/active-directory/fundamentals/active-directory-whatis)?

Azure Active Directory (Azure AD or AAD) is a multi-tenant cloud directory and authentication (https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios) service. Azure AD is the directory service that Office 365 (and Azure) leverages for accounts, groups, and roles. It is also an Identity Provider (IdP) and supports federation (SAML, WS-Federation, OpenID Connect/OAuth 2.0, etc.).

Note: given how rapidly the cloud changes, elements of this post may become out of date soon after the original post date.

Azure AD is highly available and globally deployed.


Microsoft's own description of the service's resilience (from the Azure blog post linked below):

Azure AD is deployed in over 30 datacenters around the world leveraging Azure Availability Zones where present. This number is growing rapidly as additional Azure Regions are deployed.

For durability, any piece of data written to Azure AD is replicated to at least 4 and up to 13 datacenters depending on your tenant configuration. Within each data center, data is again replicated at least 9 times for durability but also to scale out capacity to serve authentication load. To illustrate—this means that at any point in time, there are at least 36 copies of your directory data available within our service in our smallest region. For durability, writes to Azure AD are not completed until a successful commit to an out of region datacenter.

This approach gives us both durability of the data and massive redundancy—multiple network paths and datacenters can serve any given authorization request, and the system automatically and intelligently retries and routes around failures both inside a datacenter and across datacenters.

To validate this, we regularly exercise fault injection and validate the system's resiliency to failure of the system components Azure AD is built on. This extends all the way to taking out entire datacenters on a regular basis to confirm the system can tolerate the loss of a datacenter with zero customer impact.

Azure AD is already a massive system running on over 300,000 CPU Cores and able to rely on the massive scalability of the Azure Cloud to dynamically and rapidly scale up to meet any demand. This can include both natural increases in traffic, such as a 9AM peak in authentications in a given region, but also huge surges in new traffic served by our Azure AD B2C which powers some of the world's largest events and frequently sees rushes of millions of new users.

To support the health checks that gate safe deployment and give our engineering team insight into the health of the systems, Azure AD emits a massive amount of internal telemetry, metrics, and signals used to monitor the health of our systems. At our scale, this is over 11 PetaBytes a week of signals that feed our automated health monitoring systems.

Source: https://azure.microsoft.com/en-us/blog/advancing-azure-active-directory-availability/

Azure Active Directory is Not Cloud AD

Azure Active Directory is not Active Directory hosted in the cloud. There are no standard AD authentication methods such as NTLM or Kerberos, no LDAP, and no Group Policy (GPO), so Azure AD on its own won't work for traditional on-prem applications that expect those protocols.

There are cloud hosted Active Directory environments that can be used to manage cloud workloads in
Microsoft Azure (Azure Active Directory Domain Services (https://azure.microsoft.com/en-us/services
/active-directory-ds/)), Amazon AWS (Amazon Managed Microsoft AD (https://docs.aws.amazon.com
/directoryservice/latest/admin-guide/directory_microsoft_ad.html)), and Google Cloud (Managed Service for
Microsoft Active Directory (AD) (https://cloud.google.com/managed-microsoft-ad/)). These are all hosted
Microsoft Active Directory environments which have 2 Domain Controllers (or more) and the tenant admins
do not receive Domain Admin rights to the hosted AD environment; only delegated access is provided which
often includes the ability to create/manage resources in a specific OU and specific GPOs.

Note: I don’t have room to include a comparison of these services here, but may write a future post if there’s
interest (I did some research comparing Microsoft Azure vs Amazon AWS hosted AD service offerings in
2017).


Primary Management Tools


The tool that most AD administrators are familiar with is Active Directory Users and Computers aka ADUC
(MMC tool).


Azure Active Directory administrators will primarily use the web console at https://portal.azure.com to
administer the environment.


Admins who manage Active Directory on-prem and now Azure AD/Office 365 will be using the on-prem MMC tools as well as the web admin portals (and the various URLs associated with them).
There are PowerShell cmdlets available for managing Azure AD (similar to on-prem), though cloud features often move faster than the PowerShell tools are released, which means the cloud admin portal is still needed for some tasks even when PowerShell is the primary tool.

Interfacing with Azure Active Directory


Since Azure AD doesn’t have LDAP, interfacing with AAD involves connecting via the Graph API (or
PowerShell modules). I like PowerShell, so I use the PowerShell modules (or Portal websites) for
management and reporting.

There are 2 primary PowerShell modules for interfacing with Azure AD: MSOnline
(https://docs.microsoft.com/en-us/powershell/module/msonline/?view=azureadps-1.0)and AzureAD
(https://docs.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0). These can be
installed through the PowerShell install feature:
Install-Module -Name MSOnline -Force
Install-Module -Name AzureAD -Force

The AzureAD module may eventually replace the MSOnline PowerShell module, but there are features available in MSOnline that haven't been ported to the AzureAD module (yet). (Since this post was written, Microsoft has deprecated both modules in favour of the Microsoft Graph PowerShell SDK, so treat the cmdlet list below as a January 2020 snapshot.)

Azure AD PowerShell Modules & Cmdlets Comparison


(module & cmdlet data as of January 2020)

Category             | MSOnline                                        | AzureAD
---------------------|-------------------------------------------------|---------------------------------------------------
Administrative Unit  | Get-MsolAdministrativeUnit                      |
Administrative Unit  | Get-MsolAdministrativeUnitMember                |
Application          |                                                 | Get-AzureADApplication
Application          |                                                 | Get-AzureADApplicationExtensionProperty
Application          |                                                 | Get-AzureADApplicationKeyCredential
Application          |                                                 | Get-AzureADApplicationLogo
Application          |                                                 | Get-AzureADApplicationOwner
Application          |                                                 | Get-AzureADApplicationPasswordCredential
Application          |                                                 | Get-AzureADApplicationProxyApplication
Application          |                                                 | Get-AzureADApplicationProxyApplicationConnectorGroup
Application          |                                                 | Get-AzureADApplicationProxyConnector
Application          |                                                 | Get-AzureADApplicationProxyConnectorGroup
Application          |                                                 | Get-AzureADApplicationProxyConnectorGroupMembers
Application          |                                                 | Get-AzureADApplicationProxyConnectorMemberOf
Application          |                                                 | Get-AzureADApplicationServiceEndpoint
Application          |                                                 | Get-AzureADMSApplication
Application          |                                                 | Get-AzureADMSApplicationExtensionProperty
Application          |                                                 | Get-AzureADMSApplicationOwner
Application          |                                                 | Get-AzureADDeletedApplication
Application          |                                                 | Get-AzureADServiceAppRoleAssignedTo
Application          |                                                 | Get-AzureADServiceAppRoleAssignment
Application          |                                                 | Get-AzureADGroupAppRoleAssignment
Authentication       |                                                 | Get-AzureADMSIdentityProvider
Authentication       |                                                 | Get-AzureADMSLifecyclePolicyGroup
Authentication       |                                                 | Get-AzureADOAuth2PermissionGrant
Contact              | Get-MsolContact                                 | Get-AzureADContact
Contact              |                                                 | Get-AzureADContactDirectReport
Contact              |                                                 | Get-AzureADContactManager
Contact              |                                                 | Get-AzureADContactMembership
Contact              |                                                 | Get-AzureADContactThumbnailPhoto
Contract             |                                                 | Get-AzureADContract
Device               | Get-MsolDevice                                  | Get-AzureADDevice
Device               | Get-MsolDeviceRegistrationServicePolicy         |
Device               |                                                 | Get-AzureADDeviceConfiguration
Device               |                                                 | Get-AzureADDeviceRegisteredOwner
Device               |                                                 | Get-AzureADDeviceRegisteredUser
DirSync              | Get-MsolDirSyncConfiguration                    |
DirSync              | Get-MsolDirSyncFeatures                         |
DirSync              | Get-MsolDirSyncProvisioningError                |
DirSync              | Get-MsolHasObjectsWithDirSyncProvisioningErrors |
Domain               | Get-MsolDomain                                  | Get-AzureADDomain
Domain               | Get-MsolDomainVerificationDns                   | Get-AzureADDomainVerificationDnsRecord
Domain               | Get-MsolDomainFederationSettings                |
Domain               |                                                 | Get-AzureADDomainNameReference
Domain               |                                                 | Get-AzureADDomainServiceConfigurationRecord
Federation           | Get-MsolFederationProperty                      |
Group                | Get-MsolGroup                                   | Get-AzureADGroup
Group                | Get-MsolGroup                                   | Get-AzureADMSGroup
Group                | Get-MsolGroupMember                             | Get-AzureADGroupMember
Group                |                                                 | Get-AzureADGroupOwner
Group                |                                                 | Get-AzureADMSGroupLifecyclePolicy
Group                |                                                 | Get-AzureADMSDeletedGroup
License Subscription | Get-MsolSubscription                            | Get-AzureADSubscribedSku
Object               |                                                 | Get-AzureADMSDeletedDirectoryObject
Object               |                                                 | Get-AzureADObjectByObjectId
Partner              | Get-MsolPartnerContract                         |
Partner              | Get-MsolPartnerInformation                      |
Password             | Get-MsolPasswordPolicy                          |
Role                 | Get-MsolRole                                    | Get-AzureADDirectoryRole
Role                 | Get-MsolRoleMember                              | Get-AzureADDirectoryRoleMember
Role                 | Get-MsolScopedRoleMember                        |
Role                 |                                                 | Get-AzureADDirectoryRoleTemplate
Service Principal    | Get-MsolServicePrincipal                        | Get-AzureADServicePrincipal
Service Principal    | Get-MsolServicePrincipalCredential              | Get-AzureADServicePrincipalKeyCredential
Service Principal    |                                                 | Get-AzureADServicePrincipalCreatedObject
Service Principal    |                                                 | Get-AzureADServicePrincipalMembership
Service Principal    |                                                 | Get-AzureADServicePrincipalOAuth2PermissionGrant
Service Principal    |                                                 | Get-AzureADServicePrincipalOwnedObject
Service Principal    |                                                 | Get-AzureADServicePrincipalOwner
Service Principal    |                                                 | Get-AzureADServicePrincipalPasswordCredential
Session              |                                                 | Get-AzureADCurrentSessionInfo
Tenant               | Get-MsolCompanyAllowedDataLocation              |
Tenant               | Get-MsolCompanyInformation                      |
Tenant               |                                                 | Get-AzureADTenantDetail
Tenant               |                                                 | Get-AzureADTrustedCertificateAuthority
Tenant               |                                                 | Get-CrossCloudVerificationCode
User                 | Get-MsolUser                                    | Get-AzureADUser
User                 | Get-MsolUserByStrongAuthentication              | Get-AzureADUserAppRoleAssignment
User                 | Get-MsolUserRole                                | Get-AzureADUserCreatedObject
User                 |                                                 | Get-AzureADUserDirectReport
User                 |                                                 | Get-AzureADUserExtension
User                 |                                                 | Get-AzureADExtensionProperty
User                 |                                                 | Get-AzureADUserLicenseDetail
User                 |                                                 | Get-AzureADUserManager
User                 |                                                 | Get-AzureADUserMembership
User                 |                                                 | Get-AzureADUserOAuth2PermissionGrant
User                 |                                                 | Get-AzureADUserOwnedDevice
User                 |                                                 | Get-AzureADUserOwnedObject
User                 |                                                 | Get-AzureADUserRegisteredDevice
User                 |                                                 | Get-AzureADUserThumbnailPhoto
User                 | Get-MsolAccountSku                              |

In the table above, I categorize the cmdlets across the two Azure AD PowerShell modules and attempt to line up the ones that provide the same or similar capability; each cmdlet is documented under its module's reference on docs.microsoft.com (MSOnline as azureadps-1.0, AzureAD as azureadps-2.0). I am planning to post more on these cmdlets in the future.

Unfortunately, it isn't a simple matter to single sign-on (SSO) across these modules. A credential can be captured in PowerShell (Get-Credential) and reused across modules, but only if MFA isn't enforced for that account, which reduces account security.

The Microsoft Cloud environment originally only supported username and password authentication. This
“legacy authentication” doesn’t include Multi-Factor Authentication (“MFA”) (https://docs.microsoft.com/en-
us/azure/active-directory/authentication/concept-mfa-howitworks), so for security reasons, legacy
authentication should be disabled (via Security Defaults (https://docs.microsoft.com/en-us/azure/active-
directory/fundamentals/concept-fundamentals-security-defaults), Conditional Access
(https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication),
etc).
The Azure Active Directory Authentication Library provides “modern authentication” which fully supports
MFA (and passwordless (https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-
authentication-passwordless)!).

ADAL according to Microsoft (https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries):
The Azure Active Directory Authentication Library (ADAL) v1.0 enables application developers to authenticate users to cloud or on-premises Active Directory (AD), and obtain tokens for securing API calls.


ADAL makes authentication easier for developers through features such as:

• Configurable token cache that stores access tokens and refresh tokens
• Automatic token refresh when an access token expires and a refresh token is available
• Support for asynchronous method calls

There is an ADAL PowerShell Module (Install-Module -Name adal.ps) which provides some level of SSO
across modules (that support it).
Once you have the ADAL module installed, run the following to load the ADAL token in the session:

$clientId = "1b730954-1685-4b74-9bfd-dac224a7b894" # Azure AD PowerShell (Microsoft's well-known first-party client ID)
$redirectUri = [Uri]::new('urn:ietf:wg:oauth:2.0:oob')
$authority = "https://login.windows.net/common/oauth2/authorize"
$resourceUrl = "https://graph.windows.net" # Azure AD Graph, the API both modules call

$ADALresponse = Get-AdalToken -Resource $resourceUrl -ClientId $clientId -RedirectUri $redirectUri -Authority $authority -PromptBehavior:Always

Once the $ADALresponse variable is captured, you can leverage this token in the Azure AD modules (note that the cmdlets take the access token string, $ADALresponse.AccessToken, not the whole response object):

$ConnectAzureADInfo = Connect-AzureAD -AadAccessToken $ADALresponse.AccessToken -AccountId $ADALresponse.UserInfo.DisplayableId

$ConnectMsolInfo = Connect-MsolService -AdGraphAccessToken $ADALresponse.AccessToken

# Looks like the Microsoft Teams PowerShell module supports ADAL as well; it also needs the
# signed-in user's UPN, which I put in a separate variable.
$AssessmentAccountUPN = $ADALresponse.UserInfo.DisplayableId
Connect-MicrosoftTeams -AadAccessToken $ADALresponse.AccessToken -AccountId $AssessmentAccountUPN

Access Rights to Azure Active Directory


With Active Directory, just about everything can be viewed as a regular user. Azure AD users can view
information about users and groups, but there are some limitations as to what is accessible.

In Azure AD, privileged groups are called “roles” (which are groups) in order to identify special access.
There are several of these admin roles (https://docs.microsoft.com/en-us/azure/active-directory/users-
groups-roles/directory-assign-admin-roles) in Office 365 which provide admin-level rights to all of Office 365
or specific parts of it. (Assigning Roles (https://docs.microsoft.com/en-us/azure/active-directory
/fundamentals/active-directory-users-assign-role-azure-portal))

Many organizations have a reporting account in the Global Administrator (https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#company-administrator-permissions) (aka Company Administrator or Tenant Administrator) role, which is effectively Enterprise Admin, Domain Admin, and Schema Admin wrapped up into a single group. Global Admin has full control of Azure AD and all Office 365 services. Because so many tasks end up requiring it, many organizations have more than 5 Global Admins (Microsoft's maximum recommended number). Only cloud-only accounts (not accounts synchronized from on-prem AD) should be added to roles, so that a compromise of on-prem AD cannot be turned into control of the tenant, and so the accounts can leverage Azure MFA (& passwordless) with role membership controlled by PIM.
Also strongly recommended is creating a "break-glass" administrator account (or two) (https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access) to ensure continued privileged access to the tenant.
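As an added example (this is not code from the original post), the following AzureAD-module script pulls the Global Administrator membership and flags the conditions described above: more than five members, members synchronized from on-prem AD, and guest accounts. It assumes an existing Connect-AzureAD session with rights to read directory roles. The role is located by its template ID rather than by display name, because the name has appeared as both "Company Administrator" and "Global Administrator" in the AzureAD module.

```powershell
# Added example (not from the original post): review Global Administrator membership
# with the AzureAD module. Assumes Connect-AzureAD has already been run.

# Global Administrator role template ID (the same in every tenant).
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

# Get-AzureADDirectoryRole only returns roles that have been activated in the tenant.
$GlobalAdminRole = Get-AzureADDirectoryRole |
    Where-Object { $_.RoleTemplateId -eq $GlobalAdminTemplateId }
if (-not $GlobalAdminRole) {
    throw 'Global Administrator role not found (not activated in this tenant?)'
}

$Members = Get-AzureADDirectoryRoleMember -ObjectId $GlobalAdminRole.ObjectId

$Report = foreach ($Member in $Members) {
    switch ($Member.ObjectType) {
        'User' {
            # Re-read the user so DirSyncEnabled, UserType and AccountEnabled are populated.
            $User = Get-AzureADUser -ObjectId $Member.ObjectId
            [pscustomobject]@{
                DisplayName       = $User.DisplayName
                UserPrincipalName = $User.UserPrincipalName
                ObjectType        = 'User'
                CloudOnly         = ($User.DirSyncEnabled -ne $true)   # $null/$false = not synced from on-prem AD
                Guest             = ($User.UserType -eq 'Guest')
                AccountEnabled    = $User.AccountEnabled
            }
        }
        default {
            # Service principals or groups holding Global Admin deserve their own review.
            [pscustomobject]@{
                DisplayName       = $Member.DisplayName
                UserPrincipalName = $null
                ObjectType        = $Member.ObjectType
                CloudOnly         = $null
                Guest             = $false
                AccountEnabled    = $null
            }
        }
    }
}

$Report | Sort-Object ObjectType, UserPrincipalName | Format-Table -AutoSize

# Findings the post calls out
if (@($Report).Count -gt 5) {
    Write-Warning "$(@($Report).Count) Global Administrators; Microsoft recommends no more than 5."
}
foreach ($Account in ($Report | Where-Object { $_.ObjectType -eq 'User' -and -not $_.CloudOnly })) {
    Write-Warning "Global Admin '$($Account.UserPrincipalName)' is synced from on-prem AD; use a cloud-only account instead."
}
foreach ($Account in ($Report | Where-Object Guest)) {
    Write-Warning "Global Admin '$($Account.UserPrincipalName)' is a guest account."
}
foreach ($Account in ($Report | Where-Object { $_.ObjectType -ne 'User' })) {
    Write-Warning "Global Admin '$($Account.DisplayName)' is a $($Account.ObjectType), not a user account."
}
```

Run this before and after moving admins under PIM: PIM-eligible members only appear in the role membership while their assignment is activated, so a shrinking list of permanent members is what you want to see.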


Microsoft published a document on how to secure privileged access (https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-admin-roles-secure).

Privileged Identity Management (PIM) (https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure) is strongly recommended for controlling role membership and requires an Azure AD Premium P2 license for each account that will use PIM. PIM provides just-in-time access to the admin role with the required rights: when an admin needs admin rights, they request and gain access through PIM (activation can require approval or be auto-approved, and is logged either way). Microsoft recommends that all accounts in roles are managed by PIM (and have AAD P2 licenses).
There is also a PowerShell module for PIM which can be installed:
Install-Module -Name Microsoft.Azure.ActiveDirectory.PIM.PSModule

In Fall 2019, Microsoft added a new role called “Global Reader (https://docs.microsoft.com/en-us/azure
/active-directory/users-groups-roles/directory-assign-admin-roles#global-reader-permissions)” which has
read-only/view-only rights to all Azure AD/Office 365 services that Global Admin can see (with some
exceptions since Microsoft is still rolling out Global Reader read-only capability to all Office 365 services).
Membership in Global Reader should be provided to the security team or auditors that require view-only
access to the Microsoft Cloud (Azure AD & Office 365) environment.

Attacking Azure Active Directory


Office 365 services are accessible from the internet (by default, use Conditional Access
(https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview) to restrict access)
which makes them attractive to attackers. Attackers leverage several attack methods against Azure AD &
Office 365.

Account Enumeration
With old school Active Directory, any Active Directory user with network access to a Domain Controller can enumerate all user accounts & admin group membership.
Azure Active Directory users can likewise enumerate all user accounts & admin role membership with access to Office 365 services (the internet, by default). User enumeration is often possible without an account at all using O365creeper, which attempts to authenticate to O365 with a list of email addresses; based on the response code, the tool determines whether each address is a valid user account (or not).

Azure AD Enumeration Tools


O365 Creeper – Office 365 Authentication Page (https://github.com/LMGsec/o365creeper) (Python)
[Account Discovery]
OWA (https://github.com/busterb/msmailprobe)(Golang)
ActiveSync (https://bitbucket.org/grimhacker/office365userenum/src)(Python)
MSOnline/AzureAD PowerShell Module (https://github.com/nyxgeek/o365recon) (PowerShell)

Password Spraying
A common method leveraged by attackers, as well as by many penetration testers and Red Teamers, is called "password spraying". Password spraying is automated password guessing turned sideways: each guess is made against every user (or a subset) rather than many guesses against one user, so it typically avoids account lockout, which was designed to defeat repeated guesses against a single account. The attacker starts with a list of passwords they're going to try, ordered by likelihood ("Fall2017", "Winter2018", etc.).

When password spraying begins, we start with the first password in the list. That first password is used in an attempt to authenticate as every user (or a subset). Once all users have been tested with that password, we move on to the next one.


Password Spraying is relatively trivial to perform and is extremely effective.


We have worked with many organizations with accounts that were compromised by password spraying their
cloud environment. Many customers that are Federated don’t realize it’s their job to look for this, not the
cloud’s. There is a real risk beyond the cloud with password spraying. If the same password is used for the
cloud account and on-prem and there is no MFA configured, it’s possible that an attacker could password
spray the cloud account and then gain access to the corporate network. This is not a theoretical or
hypothetical scenario and underscores the importance of MFA.

Office 365 Password Spraying Tools


Ruler (https://github.com/sensepost/ruler/wiki/Brute-Force)(Exchange) [Golang]
SprayingToolkit (https://github.com/byt3bl33d3r/SprayingToolkit)(Lync/Skype for Business/OWA) [Python]
LyncSniper (https://github.com/mdsecresearch/LyncSniper)(Lync/Skype for Business) [PowerShell]
MailSniper (https://github.com/dafthack/MailSniper)(OWA/EWS) [PowerShell]

Office 365 Password Spraying Mitigation


Disable legacy authentication by enabling "Security Defaults (https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults)" (free, tenant-wide, no per-policy tuning) or by configuring a custom Conditional Access (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview) policy (requires Azure AD Premium P1, but lets you exclude break-glass accounts and roll out in report-only mode first). Requiring MFA for all users is also strongly recommended.
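As an added example (not from the original post), this is the Conditional Access version of that mitigation, created with the *-AzureADMSConditionalAccessPolicy cmdlets (shipped in the AzureADPreview module at the time of this post) from an existing Connect-AzureAD session held by a Conditional Access or Global Administrator. It starts in report-only mode so the sign-in log shows what the policy would have blocked before anything is enforced. $BreakGlassObjectIds is an assumed variable holding the object IDs of the emergency-access accounts; the policy name is arbitrary.

```powershell
# Added example (not from the original post): block legacy authentication with a
# Conditional Access policy, report-only first. Assumes AzureADPreview and Connect-AzureAD.

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet

# Scope: every application ...
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = 'All'

# ... and every user, minus the break-glass accounts so they can still sign in if the
# policy misfires. $BreakGlassObjectIds is assumed to hold their object IDs (array of GUID strings).
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = 'All'
$conditions.Users.ExcludeUsers = $BreakGlassObjectIds

# Legacy protocols: Exchange ActiveSync plus "Other clients" (IMAP, POP, SMTP AUTH, older
# Office clients), the same client-app bucket the sign-in logs show for password spraying.
$conditions.ClientAppTypes = @('exchangeActiveSync', 'other')

$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'
$controls.BuiltInControls = @('block')

# Report-only: evaluated and logged on every sign-in, not enforced.
# Change -State to 'enabled' once the report-only results have been reviewed.
New-AzureADMSConditionalAccessPolicy -DisplayName 'Block legacy authentication' `
    -State 'enabledForReportingButNotEnforced' `
    -Conditions $conditions `
    -GrantControls $controls
```

After a week or two in report-only mode, filter the sign-in log on this policy's name to find the mailboxes, scanners and scripts still using basic authentication, move them to modern auth or app passwords, and then flip the state to enabled.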

Office 365 Password Spraying Detection


Assuming password spraying targets Office 365 services and federation is not configured (ADFS, Okta, etc.), then detection can be performed by referencing the Azure AD sign-in logs. (With federation, the password check happens at the federated IdP, so its logs are where the failures land.)

Detect by correlating multiple events within a timeframe that carry the sign-in error code "50126" (invalid username or password) and the Client app "Other clients; Older Office clients" (which means legacy authentication was performed). A spray shows up as many distinct users each failing once or twice, typically from the same source IP addresses, rather than many failures for a single user.
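As an added example (not from the original post), the following function applies that correlation to sign-in records and reports each source IP from which several distinct users failed with error 50126 over legacy authentication inside a sliding window, plus any successful sign-ins from the same address (a spray that found a working password). The $SignIns records are constructed for the example; in practice feed it the output of Get-AzureADAuditSignInLogs (AzureADPreview) or the CSV exported from the portal's Sign-ins blade. The property names used (CreatedDateTime, UserPrincipalName, IPAddress, ClientAppUsed, ErrorCode) are assumed to match that export; rename them to suit your data.

```powershell
# Added example (not from the original post): spot password spraying in Azure AD sign-in data.
# Sample records below are constructed for this example.
$SignIns = @(
    # One source trying a password against several accounts via legacy auth: the spray pattern.
    [pscustomobject]@{ CreatedDateTime = '2020-01-10T03:00:01Z'; UserPrincipalName = 'alice@contoso.com'; IPAddress = '198.51.100.7'; ClientAppUsed = 'Other clients; Older Office clients'; ErrorCode = 50126 }
    [pscustomobject]@{ CreatedDateTime = '2020-01-10T03:00:04Z'; UserPrincipalName = 'bob@contoso.com';   IPAddress = '198.51.100.7'; ClientAppUsed = 'Other clients; Older Office clients'; ErrorCode = 50126 }
    [pscustomobject]@{ CreatedDateTime = '2020-01-10T03:00:09Z'; UserPrincipalName = 'carol@contoso.com'; IPAddress = '198.51.100.7'; ClientAppUsed = 'Other clients; Older Office clients'; ErrorCode = 50126 }
    [pscustomobject]@{ CreatedDateTime = '2020-01-10T03:00:15Z'; UserPrincipalName = 'dave@contoso.com';  IPAddress = '198.51.100.7'; ClientAppUsed = 'Other clients; Older Office clients'; ErrorCode = 50126 }
    [pscustomobject]@{ CreatedDateTime = '2020-01-10T03:00:20Z'; UserPrincipalName = 'erin@contoso.com';  IPAddress = '198.51.100.7'; ClientAppUsed = 'Other clients; Older Office clients'; ErrorCode = 0 }  # the guess worked
    # One user mistyping a password in a browser, then succeeding: not a spray.
    [pscustomobject]@{ CreatedDateTime = '2020-01-10T09:12:00Z'; UserPrincipalName = 'frank@contoso.com'; IPAddress = '203.0.113.20'; ClientAppUsed = 'Browser'; ErrorCode = 50126 }
    [pscustomobject]@{ CreatedDateTime = '2020-01-10T09:12:30Z'; UserPrincipalName = 'frank@contoso.com'; IPAddress = '203.0.113.20'; ClientAppUsed = 'Browser'; ErrorCode = 0 }
    # A lone legacy-auth failure from a third address: below threshold on its own.
    [pscustomobject]@{ CreatedDateTime = '2020-01-10T11:00:00Z'; UserPrincipalName = 'grace@contoso.com'; IPAddress = '192.0.2.9';    ClientAppUsed = 'Other clients; Older Office clients'; ErrorCode = 50126 }
)

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 60,      # how close together the failures must be
        [int] $MinDistinctUsers = 5     # how many different accounts one source must fail against
    )

    # 50126 = invalid username or password; "Other clients" = legacy authentication.
    $Failures = @($Events | Where-Object {
        $_.ErrorCode -eq 50126 -and $_.ClientAppUsed -like 'Other clients*'
    })

    foreach ($Source in ($Failures | Group-Object -Property IPAddress)) {
        $Sorted = @($Source.Group | Sort-Object { [datetime]$_.CreatedDateTime })

        # Slide a window over this source's failures and count distinct target accounts.
        for ($i = 0; $i -lt $Sorted.Count; $i++) {
            $Start = [datetime]$Sorted[$i].CreatedDateTime
            $End   = $Start.AddMinutes($WindowMinutes)
            $Window = @($Sorted | Where-Object {
                $t = [datetime]$_.CreatedDateTime
                $t -ge $Start -and $t -le $End
            })
            $Users = @($Window.UserPrincipalName | Sort-Object -Unique)

            if ($Users.Count -ge $MinDistinctUsers) {
                # Any successful sign-in from the same address is the account to reset first.
                $Hits = @($Events | Where-Object { $_.IPAddress -eq $Source.Name -and $_.ErrorCode -eq 0 })
                [pscustomobject]@{
                    IPAddress         = $Source.Name
                    WindowStart       = $Start
                    Failures          = $Window.Count
                    DistinctUsers     = $Users.Count
                    TargetedUsers     = ($Users -join ', ')
                    SuccessfulSignIns = (@($Hits.UserPrincipalName | Sort-Object -Unique) -join ', ')
                }
                break   # one finding per source IP is enough to start triage
            }
        }
    }
}

# Threshold lowered to 3 for the small constructed sample; raise it for real log volumes.
Find-PasswordSpray -Events $SignIns -MinDistinctUsers 3 | Format-List
```

On the sample data only 198.51.100.7 is reported (four accounts failed within 15 seconds, and erin@contoso.com signed in successfully from it), while frank's browser mistake and grace's single failure stay quiet. Tune $WindowMinutes upward for "low and slow" sprays that spread attempts over hours, and add grouping by user agent or ASN if the attacker rotates source addresses.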


Account token theft & reuse


Since cloud authentication typically results in a token stored by the authenticating app or web browser, that token is the proof of authentication and can be replayed. A web browser typically stores it as a cookie. If this data is stolen, an attacker can use it to act as the user (without the password and, if MFA was already satisfied when the token was issued, without MFA) and configure persistence for continued access.

Azure AD Reviews
Microsoft’s Azure AD GitHub includes PowerShell code for reviewing Azure AD configuration
(https://github.com/AzureAD/AzureADAssessment)

Trimarc also has a new service offering called the Microsoft Cloud Security Assessment (MCSA)
(https://www.trimarcsecurity.com/microsoftcloud-security-assessment) which is similar to the on-prem Active
Directory Security Assessment (https://www.trimarcsecurity.com/ad-security-assessment) but focused on
Azure AD & Office 365.

Additional Office 365 Service PowerShell Modules


Exchange Online Module (https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/exchange-online-powershell-v2/exchange-online-powershell-v2?view=exchange-ps)
Install-Module -Name ExchangeOnlineManagement

Microsoft SharePoint (https://docs.microsoft.com/en-us/powershell/sharepoint/sharepoint-online/connect-sharepoint-online?view=sharepoint-ps)
Install-Module -Name Microsoft.Online.SharePoint.PowerShell

Microsoft Teams (https://docs.microsoft.com/en-us/microsoftteams/teams-powershell-overview)
Install-Module -Name MicrosoftTeams

Microsoft Skype for Business Online (https://docs.microsoft.com/en-us/office365/enterprise/powershell/manage-skype-for-business-online-with-office-365-powershell)

Microsoft Intune (https://github.com/microsoftgraph/powershell-intune-samples)
Install-Module -Name Microsoft.Graph.Intune -Force
(Requires an admin to provide Admin Consent: Connect-MSGraph -AdminConsent)

References:

• What is Azure Active Directory (https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis)
• What’s New in Azure Active Directory? (https://docs.microsoft.com/en-us/azure/active-directory
/fundamentals/whats-new)
• Azure Active Directory Feature Deployment Guide (https://docs.microsoft.com/en-us/azure/active-
directory/fundamentals/active-directory-deployment-checklist-p2)
• Conditional Access (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access
/overview)
• Start Using Privileged Identity Manager (PIM) (https://docs.microsoft.com/en-us/azure/active-
directory/privileged-identity-management/pim-getting-started)
• Azure Multi-Factor Authentication (MFA) (https://docs.microsoft.com/en-us/azure/active-directory
/authentication/concept-mfa-howitworks)
• Azure AD Identity Protection (https://docs.microsoft.com/en-us/azure/active-directory/identity-
protection/overview-identity-protection)
• Azure AD Self Service Password Reset (SSPR) (https://docs.microsoft.com/en-us/azure/active-
directory/authentication/concept-sspr-howitworks)
• Securing privileged access for hybrid and cloud deployments in Azure AD (https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-admin-roles-secure)
• Black Hat USA 2019 – “Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD)”
(https://www.blackhat.com/us-19/briefings/schedule/#attacking-and-defending-the-microsoft-cloud-
office-365--azure-ad-14553)
Slides (PDF) (https://adsecurity.org/wp-content/uploads/2019/08/2019-BlackHat-US-Metcalf-
Morowczynski-AttackingAndDefendingTheMicrosoftCloud.pdf)
Presentation Video (YouTube) (https://www.youtube.com/watch?v=SG2ibjuzRJM&feature=youtu.be&
list=PLH15HpR5qRsWrfkjwFSI256x1u2Zy49VI)
• Azure AD Password Protection (for on-prem Active Directory) (https://docs.microsoft.com/en-
us/azure/active-directory/authentication/concept-password-ban-bad)


Sean Metcalf
I improve security for enterprises around the world working for TrimarcSecurity.com
Read the About page (top left) for information about me. :)
https://adsecurity.org/?page_id=8


Copyright
Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no
rights. Script samples are provided for informational purposes only and no guarantee is provided as to
functionality or suitability. The views shared on this blog reflect those of the authors and do not represent
the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and
under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2020.