Tokens
Various ways to steal and request tokens. In older versions, tokens are stored in clear text in user directories. They can also be found in PowerShell history. These are various tools and ideas to steal and request tokens; sometimes two different tools do the same thing, so each section is not necessarily unique in what it does.
Az PowerShell — Using Tokens with CLI
Both the Az PowerShell and AzureAD modules allow the use of access tokens for authentication. Usually, tokens contain all the claims (including those for MFA, Conditional Access, etc.), so they are useful in bypassing such security controls.
If you are already connected to a tenant, request an access token for resource manager (ARM)
Request an access token for Microsoft Graph to access Entra ID. Supported tokens - AadGraph, AnalysisServices, Arm, Attestation, Batch, DataLake, KeyVault, MSGraph, OperationalInsights, ResourceManager, Storage, Synapse
From older versions of Az PowerShell, get a token for Microsoft Graph
Use the access token
Get all details about a service principal
Use other access tokens. In the command below, use the one for MSGraph (an access token is still required alongside it) for accessing Entra ID
Az PowerShell — Stealing Tokens
Az PowerShell (older versions) stores access tokens in clear text in TokenCache.dat in the directory C:\Users\[username]\.Azure. It also stores ServicePrincipalSecret in clear text in AzureRmContext.json if a service principal secret is used to authenticate. Another interesting method is to take a process dump of PowerShell and look for tokens in it! Users can save tokens using Save-AzContext; look out for them! Search for Save-AzContext in the PowerShell console history!
Always use Disconnect-AzAccount!!
Azure CLI — Using Tokens with CLI
az cli can request a token but cannot use it! (Actually, you can.)
Request an access token (ARM)
Request an access token for aad-graph. Supported tokens - aad-graph, arm, batch, data-lake, media, ms-graph, oss-rdbms
az cli (before 2.30.0, January 2022) stores access tokens in clear text in accessTokens.json in the directory C:\Users\[username]\.Azure. We can read tokens from the file, use them, and request new ones too! azureProfile.json in the same directory contains information about subscriptions. You can modify accessTokens.json to use access tokens with az cli, but it is better to use them with the Az PowerShell module. To clear the access tokens, always use az logout.
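The token files and history entries named in the Az PowerShell and az cli sections above are worth checking on any workstation that has been used with these tools. The script below is an added example, not part of the original notes or of either tool; it audits the current user's .Azure folder for the files the notes describe, greps the PSReadLine console history for Save-AzContext and pasted tokens, and then ends both sessions and removes the files that hold secrets. It assumes the file names given in the notes (older Az PowerShell and az cli releases) and resolves the folder from $env:USERPROFILE.

```powershell
# Added example (not part of the original notes): audit a workstation for the
# clear-text token artefacts described above and clean them up.
# Assumptions: the file names are those the notes give for older Az PowerShell and
# az cli releases; the .Azure folder is resolved from $env:USERPROFILE.

function Get-AzureTokenArtifact {
    # Lists the cached credential files that exist for the current user.
    $azureDir = Join-Path $env:USERPROFILE '.Azure'
    $candidates = @(
        @{ File = 'TokenCache.dat';      Tool = 'Az PowerShell (old)'; Secret = $true;  Note = 'clear-text access tokens' },
        @{ File = 'AzureRmContext.json'; Tool = 'Az PowerShell';       Secret = $true;  Note = 'may contain ServicePrincipalSecret' },
        @{ File = 'accessTokens.json';   Tool = 'az cli < 2.30.0';     Secret = $true;  Note = 'clear-text access tokens' },
        @{ File = 'azureProfile.json';   Tool = 'az cli';              Secret = $false; Note = 'subscription metadata only' }
    )
    foreach ($c in $candidates) {
        $path = Join-Path $azureDir $c.File
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{
                Path      = $path
                Tool      = $c.Tool
                Secret    = $c.Secret
                Note      = $c.Note
                LastWrite = (Get-Item -LiteralPath $path).LastWriteTime
            }
        }
    }
}

function Get-SavedContextHistoryHit {
    # Finds PSReadLine history lines that saved a context to disk (Save-AzContext)
    # or pasted a token literally into a command (-AccessToken ...), which leaves
    # the token itself sitting in the history file.
    if (-not (Get-Command Get-PSReadLineOption -ErrorAction SilentlyContinue)) { return }
    $history = (Get-PSReadLineOption).HistorySavePath
    if (-not (Test-Path -LiteralPath $history)) { return }
    Select-String -LiteralPath $history -Pattern 'Save-AzContext|AccessToken' |
        ForEach-Object { [pscustomobject]@{ LineNumber = $_.LineNumber; Command = $_.Line.Trim() } }
}

function Clear-AzureTokenArtifact {
    # Ends both CLI sessions and deletes the files that hold secrets.
    # Run with -WhatIf first to see what would be removed.
    param([switch]$WhatIf)
    if (Get-Command Disconnect-AzAccount -ErrorAction SilentlyContinue) {
        Disconnect-AzAccount -ErrorAction SilentlyContinue | Out-Null
        Clear-AzContext -Force -ErrorAction SilentlyContinue   # drops every saved context, not only the current one
    }
    if (Get-Command az -ErrorAction SilentlyContinue) { az logout 2>$null }
    Get-AzureTokenArtifact | Where-Object Secret | ForEach-Object {
        Remove-Item -LiteralPath $_.Path -Force -WhatIf:$WhatIf
    }
}

# Usage:
# Get-AzureTokenArtifact | Format-Table Path, Tool, Secret, LastWrite
# Get-SavedContextHistoryHit
# Clear-AzureTokenArtifact -WhatIf
```

azureProfile.json is reported but never deleted, since it holds subscription metadata rather than credentials; the history hits are reported only, because clearing a user's console history is a decision for the user. Disconnect-AzAccount on its own only ends the current context, which is why the cleanup also calls Clear-AzContext -Force.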
Azure AD Module — Using Tokens with CLI
The AzureAD module cannot request a token but can use one for AAD Graph or Microsoft Graph!
Use the AAD Graph token
Use the MS Graph token with the Mg module
APIs — Using Tokens
The two REST API endpoints that are most widely used are:
Azure Resource Manager - management.azure.com
Microsoft Graph - graph.microsoft.com (AADGraph which is deprecated is graph.windows.net)
Get an access token and use it with the ARM API. For example, list all the subscriptions
Get an access token for MS Graph. For example, list all the users
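The point made under Az PowerShell, that a token carries its claims (audience, tenant, MFA method, scopes, expiry), and the REST calls described in this section both come down to reading a JWT correctly and sending it only to the API it was issued for. The script below is an added example, not code from the original notes: it decodes a token's payload without validating the signature (inspection only), summarises the claims that matter, refuses to send a token whose audience does not match the target host or which has already expired (the usual cause of a bare 401 when an ARM token is sent to Graph), and follows ARM nextLink / Graph @odata.nextLink paging. The audience-to-host table uses the well-known Entra ID audience values for ARM, Microsoft Graph and AAD Graph; the demo token, tenant id and user name at the end are constructed so the checks run offline, and the function names are this example's own.

```powershell
# Added example (not from the original notes): inspect a JWT's claims and only
# send it to the endpoint it was issued for. No signature validation is done;
# the claims are decoded for inspection only.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # base64url -> base64: swap the URL-safe characters and restore padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Get-TokenSummary {
    # The claims a practitioner checks first: who the token is for, who it represents,
    # how they authenticated (amr contains 'mfa' when MFA was satisfied), and how long it lasts.
    param([Parameter(Mandatory)][string]$Token)
    $c   = ConvertFrom-JwtPayload $Token
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$c.exp).UtcDateTime
    [pscustomobject]@{
        Audience    = (@($c.aud) -join ',')
        Tenant      = $c.tid
        Identity    = $(if ($c.upn) { $c.upn } else { $c.appid })
        AuthMethods = (@($c.amr) -join ',')
        Scopes      = $(if ($c.scp) { $c.scp } else { (@($c.roles) -join ' ') })
        ExpiresUtc  = $exp
        Remaining   = $exp - (Get-Date).ToUniversalTime()
    }
}

# Well-known Entra ID audience values and the API host each one is valid for
$script:AudienceHosts = @{
    'https://management.azure.com'         = 'management.azure.com'
    'https://management.core.windows.net'  = 'management.azure.com'
    'https://graph.microsoft.com'          = 'graph.microsoft.com'
    '00000003-0000-0000-c000-000000000000' = 'graph.microsoft.com'
    'https://graph.windows.net'            = 'graph.windows.net'
    '00000002-0000-0000-c000-000000000000' = 'graph.windows.net'
}

function Test-TokenForUri {
    # Throws if the token's audience does not match the host or the token has expired.
    param([Parameter(Mandatory)][string]$Token, [Parameter(Mandatory)][uri]$Uri)
    $c   = ConvertFrom-JwtPayload $Token
    $aud = (@($c.aud)[0]).TrimEnd('/').ToLowerInvariant()
    $expectedHost = $script:AudienceHosts[$aud]
    if (-not $expectedHost) { throw "Unknown audience '$aud'" }
    if ($expectedHost -ne $Uri.Host) {
        throw "Token audience '$aud' is not valid for host '$($Uri.Host)' (an ARM token sent to Graph gets 401, and vice versa)"
    }
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$c.exp)
    if ($exp -lt [DateTimeOffset]::UtcNow) { throw "Token expired at $($exp.UtcDateTime) UTC" }
    return $true
}

function Invoke-AzRestWithToken {
    # GETs the URI with the bearer token and follows ARM/Graph paging, returning all items.
    param([Parameter(Mandatory)][string]$Token, [Parameter(Mandatory)][uri]$Uri)
    [void](Test-TokenForUri -Token $Token -Uri $Uri)
    $headers = @{ Authorization = "Bearer $Token" }
    $items = @()
    $next  = $Uri.AbsoluteUri
    while ($next) {
        $page   = Invoke-RestMethod -Method Get -Uri $next -Headers $headers
        $items += $page.value
        $next   = if ($page.'@odata.nextLink') { $page.'@odata.nextLink' } else { $page.nextLink }
    }
    return $items
}

# Offline demo with a constructed, unsigned token so the checks can be exercised without a tenant.
function New-DemoJwt {
    param([hashtable]$Claims)
    $enc = { param($o) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(($o | ConvertTo-Json -Compress))).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    '{0}.{1}.demo-signature' -f (& $enc @{ alg = 'none' }), (& $enc $Claims)
}
$demo = New-DemoJwt @{
    aud = 'https://management.azure.com/'; tid = '00000000-0000-0000-0000-000000000000'   # constructed values
    upn = 'user@contoso.example'; amr = @('pwd', 'mfa')
    exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
}
Get-TokenSummary $demo
Test-TokenForUri -Token $demo -Uri 'https://management.azure.com/subscriptions?api-version=2020-01-01'   # True
try { Test-TokenForUri -Token $demo -Uri 'https://graph.microsoft.com/v1.0/users' } catch { Write-Warning $_ }

# With a live session (needs network and a real token):
# $arm = (Get-AzAccessToken -ResourceTypeName Arm).Token
# Invoke-AzRestWithToken -Token $arm -Uri 'https://management.azure.com/subscriptions?api-version=2020-01-01'
# $mg  = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
# Invoke-AzRestWithToken -Token $mg  -Uri 'https://graph.microsoft.com/v1.0/users'
```

Newer Az.Accounts releases return the Token property of Get-AzAccessToken as a SecureString rather than a string; convert it to plain text before passing it to these functions. The offline demo's second Test-TokenForUri call is expected to fail with the audience mismatch warning.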