ROADTools

wouldn't toad tools be so much better?

RoadRecon (https://github.com/dirkjanm/ROADtools) is a tool for enumerating Entra ID environments! RoadRecon uses a different version, '1.61-internal', of the AAD Graph API that provides more information. Enumeration using RoadRecon involves three steps:

  1. Authentication

  2. Data Gathering

  3. Data Exploration

roadrecon supports username/password, access and refresh tokens, device code flow (sign-in from another device) and PRT cookie.

cd C:\AzAD\Tools\ROADTools
.\venv\Scripts\activate
roadrecon auth -u test@defcorphq.onmicrosoft.com -p SuperVeryEasytoGuessPassword@1234

Once authentication is done, use the below command to gather data (ignore the errors):

roadrecon gather

Use the roadrecon GUI to analyse the gathered information (starts a web server on port 5000):

roadrecon gui

Note that it is possible to enumerate Conditional Access Policies as a normal user using RoadRecon. This is due to the '1.61-internal' AAD Graph API version.

Use the below command from virtual environment after authenticating as test user:

roadrecon plugin policies

Open caps.html (from C:\AzAD\Tools\ROADTools) to find Conditional Access Policies in the target environment.
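
For defenders, an added example (not part of ROADtools or of these notes): roadrecon gathers from the legacy AAD Graph API, so sign-ins that request tokens for that resource from client apps you do not expect are worth reviewing. It keys on the resource, not the API version, which sign-in logs do not record. Field names follow the Entra ID sign-in log schema; the allowlist, sample records and function name are constructed assumptions.

```python
import json
from collections import Counter

# Well-known resource ID of the legacy AAD Graph API (graph.windows.net).
AAD_GRAPH_RESOURCE_ID = "00000002-0000-0000-c000-000000000000"

# Hypothetical allowlist: client app IDs you expect to call AAD Graph.
EXPECTED_CLIENT_APPS = {"11111111-1111-1111-1111-111111111111"}

# Constructed sample records, one JSON object per line, shaped like an
# export of Entra ID sign-in logs. The last line is deliberately malformed.
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@contoso.example", "appId": "11111111-1111-1111-1111-111111111111", "resourceId": "00000002-0000-0000-c000-000000000000", "ipAddress": "198.51.100.7"}
{"userPrincipalName": "test@contoso.example", "appId": "22222222-2222-2222-2222-222222222222", "resourceId": "00000002-0000-0000-c000-000000000000", "ipAddress": "203.0.113.10"}
{"userPrincipalName": "test@contoso.example", "appId": "22222222-2222-2222-2222-222222222222", "resourceId": "00000002-0000-0000-C000-000000000000", "ipAddress": "203.0.113.10"}
{"userPrincipalName": "bob@contoso.example", "appId": "22222222-2222-2222-2222-222222222222", "resourceId": "00000003-0000-0000-c000-000000000000", "ipAddress": "203.0.113.10"}
{"userPrincipalName": "truncated
"""


def unexpected_aad_graph_signins(lines, allowlist=EXPECTED_CLIENT_APPS):
    """Count AAD Graph sign-ins per (user, client app, IP) for apps not allowlisted."""
    hits = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or corrupt export lines
        # GUIDs may be logged in either case, so compare lowercased.
        if str(rec.get("resourceId", "")).lower() != AAD_GRAPH_RESOURCE_ID:
            continue  # token was requested for some other resource
        app = str(rec.get("appId", "")).lower()
        if app in allowlist:
            continue
        key = (rec.get("userPrincipalName", "?"), app, rec.get("ipAddress", "?"))
        hits[key] += 1
    return hits


if __name__ == "__main__":
    found = unexpected_aad_graph_signins(SAMPLE_SIGNINS.splitlines())
    for (upn, app, ip), count in found.most_common():
        print(f"{upn} app={app} ip={ip} aad_graph_signins={count}")
```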
