Az PowerShell

Need credentials or some kind of token from here on out.

Az PowerShell

Az PowerShell is a module from Microsoft for managing Azure resources. If the module is not present on your machine, install it with the Install-Module Az command (requires internet access).

Install-Module Az

"The Azure Az PowerShell module is a rollup module. Installing it downloads the generally available Az PowerShell modules, and makes their cmdlets available for use."

Connecting with credentials from the command line (a PSCredential object is built below; access tokens can be used too)

$passwd = ConvertTo-SecureString "SuperVeryEasytoGuessPassword@1234" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("test@defcorphq.onmicrosoft.com", $passwd)
Connect-AzAccount -Credential $creds

Az PowerShell can enumerate both Entra ID and Azure resources. All the Entra ID cmdlets have the form Verb-AzAD*.

Get-Command *azad*
Get-AzADUser

Cmdlets for other Azure resources have the form Verb-Az*

Get-Command *az*
Get-AzResource

To find the cmdlets for a particular resource type, for example VMs:

Get-Command *azvm*
Get-Command -Noun *vm* -Verb Get
Get-Command *vm*

Az PowerShell — Enumeration

1. Get the information about the current context (Account, Tenant, Subscription etc.)

Get-AzContext

2. List all available contexts

Get-AzContext -ListAvailable

3. Enumerate subscriptions accessible by the current user

Get-AzSubscription

4. Enumerate all resources visible to the current user

Get-AzResource

5. Enumerate all Azure RBAC role assignments

Get-AzRoleAssignment
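The enumeration cmdlets above are more useful combined than one at a time. The script below is an added example (not from the original page): it walks every subscription the current identity can see, collects the RBAC assignments, and flags the ones a reviewer usually looks at first. It assumes an existing Connect-AzAccount session; the list of roles treated as privileged is my own choice.

```powershell
# Added example: review Azure RBAC assignments across all reachable subscriptions.
# Assumes an existing session. $PrivilegedRoles is my choice of "look at first" roles.
$PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')

function Get-RoleAssignmentReview {
    $report = foreach ($sub in Get-AzSubscription) {
        # Get-AzRoleAssignment works against the active context, so switch per subscription
        Set-AzContext -Subscription $sub.Id | Out-Null
        foreach ($ra in Get-AzRoleAssignment) {
            # A scope of "/subscriptions/<id>" (no resource group), a management group,
            # or "/" (root) means the assignment applies to everything underneath it
            $broad = (($ra.Scope -match '^/subscriptions/[^/]+$') -or
                      ($ra.Scope -like '/providers/Microsoft.Management/managementGroups/*') -or
                      ($ra.Scope -eq '/'))
            # SignInName is populated for users; groups and service principals only have DisplayName
            $principal = if ($ra.SignInName) { $ra.SignInName } else { $ra.DisplayName }
            [pscustomobject]@{
                Subscription  = $sub.Name
                Principal     = $principal
                PrincipalType = $ra.ObjectType          # User, Group or ServicePrincipal
                Role          = $ra.RoleDefinitionName
                Scope         = $ra.Scope
                Privileged    = $ra.RoleDefinitionName -in $PrivilegedRoles
                BroadScope    = $broad
            }
        }
    }
    $report
}

$all = Get-RoleAssignmentReview

# Privileged roles granted at subscription, management-group or root scope
$all | Where-Object { $_.Privileged -and $_.BroadScope } |
    Sort-Object Subscription, Role | Format-Table -AutoSize

# Everything assigned to a service principal, grouped by role
$all | Where-Object { $_.PrincipalType -eq 'ServicePrincipal' } |
    Group-Object Role | Select-Object Name, Count
```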

Az PowerShell — AAD Users

1. Enumerate all users

Get-AzADUser

2. Enumerate a specific user

Get-AzADUser -UserPrincipalName test@defcorphq.onmicrosoft.com

3. Search for users whose DisplayName starts with the given string (wildcards are not supported)

Get-AzADUser -SearchString "admin"

4. Search for users who contain the word "admin" anywhere in their DisplayName

Get-AzADUser | ?{$_.DisplayName -match "admin"}

Az PowerShell — AAD Groups

1. List all groups

Get-AzADGroup

2. Enumerate a specific group

Get-AzADGroup -ObjectId 783a312d-0de2-4490-92e4-539b0e4ee03e

3. Search for groups whose DisplayName starts with the given string (wildcards are not supported)

Get-AzADGroup -SearchString "admin" | fl *

4. Search for groups which contain the word "admin" anywhere in their name

Get-AzADGroup | ?{$_.DisplayName -match "admin"}

5. Get the members of a group

Get-AzADGroupMember -ObjectId 783a312d-0de2-4490-92e4-539b0e4ee03e

Az PowerShell — AAD Apps

1. Get all the application objects registered with the current tenant (visible under App Registrations in the Azure portal). An application object is the global representation of an app.

Get-AzADApplication

2. Get all details about an application

Get-AzADApplication -ObjectId a1333e88-1278-41bf-8145-155a069ebed0

3. Get an application based on the display name

Get-AzADApplication | ?{$_.DisplayName -match "app"}

4. Get-AzADAppCredential shows whether an application has an application password (client secret), but the password value itself is never returned. List all the apps that have an application password:

Get-AzADApplication | %{if(Get-AzADAppCredential -ObjectId $_.Id){$_}}

Az PowerShell — AAD Service Principals

Enumerate service principals (visible as Enterprise Applications in the Azure portal). A service principal is the local representation of an app in a specific tenant, and it is the security object that holds the privileges. This is the 'service account'! Service principals can be assigned Azure roles.

1. Get all service principals

Get-AzADServicePrincipal

2. Get all details about a service principal

Get-AzADServicePrincipal -ObjectId cdddd16e-2611-4442-8f45-053e7c37a264

3. Get a service principal based on the display name

Get-AzADServicePrincipal | ?{$_.DisplayName -match "app"}
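The credential cmdlets only reveal that a secret or certificate exists, never its value, which is exactly what an inventory needs. The script below is an added example (not from the original page) covering both the application objects from the previous section and the service principals from this one: it lists every credential with its expiry and flags expired and long-lived ones. It assumes an existing session and a Graph-based Az.Resources where Get-AzADAppCredential / Get-AzADSpCredential return objects with StartDateTime, EndDateTime and KeyId; the 365-day threshold is my own choice.

```powershell
# Added example: inventory app registration and service principal credentials.
# Assumes Az.Resources credential objects expose StartDateTime/EndDateTime/KeyId
# (true for the Microsoft Graph based versions). $MaxLifetimeDays is my choice.
$MaxLifetimeDays = 365

function Get-AppCredentialReview {
    $now = Get-Date
    $targets = @()
    $targets += Get-AzADApplication      | ForEach-Object { @{ Kind = 'Application';      Obj = $_ } }
    $targets += Get-AzADServicePrincipal | ForEach-Object { @{ Kind = 'ServicePrincipal'; Obj = $_ } }

    foreach ($t in $targets) {
        # Both cmdlets return secret (password) and certificate (key) credentials;
        # only metadata comes back, the secret value is never exposed
        $creds = if ($t.Kind -eq 'Application') {
            Get-AzADAppCredential -ObjectId $t.Obj.Id
        } else {
            Get-AzADSpCredential -ObjectId $t.Obj.Id
        }
        foreach ($c in $creds) {
            $start = [datetime]$c.StartDateTime
            $end   = [datetime]$c.EndDateTime
            [pscustomobject]@{
                Kind        = $t.Kind
                DisplayName = $t.Obj.DisplayName
                ObjectId    = $t.Obj.Id
                KeyId       = $c.KeyId
                ExpiresUtc  = $end.ToUniversalTime()
                Expired     = $end -lt $now
                LongLived   = ($end - $start).TotalDays -gt $MaxLifetimeDays
            }
        }
    }
}

# Expired credentials are cleanup candidates; long-lived ones are rotation candidates
Get-AppCredentialReview |
    Where-Object { $_.Expired -or $_.LongLived } |
    Sort-Object Kind, ExpiresUtc |
    Format-Table Kind, DisplayName, KeyId, ExpiresUtc, Expired, LongLived -AutoSize
```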

Az PowerShell — Using Tokens with CLI

Both the Az PowerShell and AzureAD modules allow the use of access tokens for authentication. Usually, tokens contain all the claims (including those for MFA and Conditional Access etc.), so they are useful in bypassing such security controls.

If you are already connected to a tenant, request an access token for resource manager (ARM)

Get-AzAccessToken
(Get-AzAccessToken).Token

Request an access token for Microsoft Graph to access Entra ID. Supported values for -ResourceTypeName: AadGraph, AnalysisServices, Arm, Attestation, Batch, DataLake, KeyVault, MSGraph, OperationalInsights, ResourceManager, Storage, Synapse

Get-AzAccessToken -ResourceTypeName MSGraph

In older versions of Az PowerShell, get a token for Microsoft Graph by specifying the resource URL

(Get-AzAccessToken -Resource "https://graph.microsoft.com").Token

1. Use the access token

Connect-AzAccount -AccountId test@defcorphq.onmicrosoft.com -AccessToken eyJ0eXA..

2. Get all details about a service principal

Get-AzADServicePrincipal -ObjectId cdddd16e-2611-4442-8f45-053e7c37a264

3. Use other access tokens. In the command below, the ARM access token is still required; the MSGraph token is supplied as well so that Entra ID can be accessed

Connect-AzAccount -AccountId test@defcorphq.onmicrosoft.com -AccessToken eyJ0eXA... -MicrosoftGraphAccessToken eyJ0eXA...
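Because a token carries its own claims, it pays to read them before relying on it: which resource it is for, which tenant and identity, whether MFA was satisfied (amr), and when it expires. The functions below are an added example (not from the original page) that decode the payload of a compact JWT locally without verifying the signature. The sample token is constructed in the script; ConvertFrom-JwtPayload, Get-TokenSummary and New-SampleJwt are names I chose.

```powershell
# Added example: decode an access token's payload to inspect its claims.
# Decoding only; nothing here validates the signature. Function names are my own.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected header.payload.signature)' }
    # base64url -> base64: standard alphabet plus the padding that base64url drops
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Get-TokenSummary {
    param([Parameter(Mandatory)][string]$Token)
    $p = ConvertFrom-JwtPayload -Token $Token
    # upn for a user token, appid for an app/service principal token, sub as fallback
    $identity = if ($p.upn) { $p.upn } elseif ($p.appid) { "app:$($p.appid)" } else { $p.sub }
    [pscustomobject]@{
        Audience   = $p.aud                      # resource the token is for (ARM, Graph, ...)
        Tenant     = $p.tid
        Identity   = $identity
        AuthMethod = ($p.amr -join ',')          # contains 'mfa' only if MFA was satisfied
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$p.exp).UtcDateTime
        Expired    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds() -ge [long]$p.exp
    }
}

# Constructed, unsigned sample token (the signature segment is a placeholder)
function New-SampleJwt {
    $hdr = '{"typ":"JWT","alg":"none"}'
    $pay = '{"aud":"https://management.azure.com/","tid":"00000000-0000-0000-0000-000000000000","upn":"test@defcorphq.onmicrosoft.com","amr":["pwd"],"exp":1700000000}'
    $enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    "$(& $enc $hdr).$(& $enc $pay).sig"
}

Get-TokenSummary -Token (New-SampleJwt)
# For a live session: Get-TokenSummary -Token (Get-AzAccessToken).Token
```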

Az PowerShell — Stealing Tokens

Az PowerShell (older versions) stores access tokens in clear text in TokenCache.dat in the directory C:\Users\[username]\.Azure. It also stores ServicePrincipalSecret in clear text in AzureRmContext.json if a service principal secret is used to authenticate. Another interesting method is to take a process dump of PowerShell and look for tokens in it! Users can save tokens using Save-AzContext, look out for them! Search for Save-AzContext in the PowerShell console history!

Always use Disconnect-AzAccount!!

Disconnect-AzAccount
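Disconnect-AzAccount alone does not touch persisted contexts or the files named above. The function below is an added example (not from the original page) of a clean session teardown: it disconnects, clears the saved Az contexts for the current user, and reports the leftover artefacts the page describes so they can be removed by hand. It assumes Windows (the .Azure folder under the user profile) and PSReadLine; Clear-AzSessionArtifacts is a name I chose, and nothing outside Az's own context store is deleted automatically.

```powershell
# Added example: end an Az session and report credential residue. Windows paths assumed.
function Clear-AzSessionArtifacts {
    # Drop the in-memory session and every context persisted for this user
    Disconnect-AzAccount -ErrorAction SilentlyContinue | Out-Null
    Clear-AzContext -Scope CurrentUser -Force

    $findings = @()
    $azDir = Join-Path $env:USERPROFILE '.Azure'
    # Files that older Az versions use to store tokens / SP secrets in clear text
    foreach ($name in 'TokenCache.dat', 'AzureRmContext.json') {
        $path = Join-Path $azDir $name
        if (Test-Path $path) {
            $findings += [pscustomobject]@{
                Artifact = $name
                Location = $path
                Note     = 'clear-text token/secret store, remove when no longer needed'
            }
        }
    }

    # Contexts exported with Save-AzContext leave a trace in the console history;
    # each hit points at a file that should be located and removed as well
    $history = (Get-PSReadLineOption).HistorySavePath
    if (Test-Path $history) {
        foreach ($hit in Select-String -Path $history -Pattern 'Save-AzContext' -SimpleMatch) {
            $findings += [pscustomobject]@{
                Artifact = 'Save-AzContext in history'
                Location = "${history}:$($hit.LineNumber)"
                Note     = $hit.Line.Trim()
            }
        }
    }
    $findings
}

Clear-AzSessionArtifacts | Format-Table -AutoSize
```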

