Cheatsheet - Azure - User recon
Common goals
The following questions should be answered when performing reconnaissance on users within Azure.
Who is the user?
Is the user part of any group? If so, does this group have any role assigned to it?
Does the user have any Entra ID directory roles assigned to them?
Which objects has this user created?
Is this user the owner of any service principal?
What resources can the user access?
Setup
Setup session:
az login
Install-Module Microsoft.Graph
Import-Module Microsoft.Graph.Users
Connect-MgGraph
Install-Module Az
Import-Module Az
Connect-AzAccount
Test session:
Get-MgContext
az account show
whoami
whoami of current user:
az ad signed-in-user show
Get-AzADUser -SignedIn | fl
Get-MgContext
Enumerate groups/roles/permissions
List user group memberships:
Get-MgUserMemberOf -userid "userid@email.tld" | select * -ExpandProperty additionalProperties | Select-Object {$_.AdditionalProperties["displayName"]}
Example output:
$_.AdditionalProperties["displayName"]
--------------------------------------
Directory Readers
Default Directory
All Company
Get permissions:
Get-AzRoleAssignment -Scope "/subscriptions/<sub-id>" | Select-Object DisplayName, RoleDefinitionName
Example output:
DisplayName              RoleDefinitionName
-----------              ------------------
Ian Austin               Key Vault Administrator
Marcus Hutch             Key Vault Reader
Marcus Hutch             Key Vault Secrets User
Josh Harvey (Consultant) Reader
CUSTOMER-DATABASE-ACCESS Customer Database Access
IT-HELPDESK              Reader
Security User            Storage Blob Data Reader
Security User            Reader
Get role definition:
az role definition list --custom-role-only true --query "[?roleName=='<role name>']" -o json
Example output:
[
  {
    "assignableScopes": [
      "/subscriptions/ceff06cb-e29d-4486-a3ae-eaaec5689f94/resourceGroups/content-static-2"
    ],
    "createdBy": "18600f1a-3cee-434e-860f-aff4078da055",
    "createdOn": "2023-10-23T22:42:46.587891+00:00",
    "description": "Provides access to the Mega Big Tech customer list and information about customers",
    "id": "/subscriptions/ceff06cb-e29d-4486-a3ae-eaaec5689f94/providers/Microsoft.Authorization/roleDefinitions/53c88309-94d8-4b15-9c6b-f64a166f4ef0",
    "name": "53c88309-94d8-4b15-9c6b-f64a166f4ef0",
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/storageAccounts/tableServices/tables/read"
        ],
        "condition": null,
        "conditionVersion": null,
        "dataActions": [
          "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read"
        ],
        "notActions": [],
        "notDataActions": []
      }
    ],
    "roleName": "Customer Database Access",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions",
    "updatedBy": "18600f1a-3cee-434e-860f-aff4078da055",
    "updatedOn": "2023-10-24T14:10:35.955569+00:00"
  }
]
The example output shows that this custom role grants the control-plane action to read tables in storage accounts and the data-plane action to read the entities (rows) stored in those tables, and that it can only be assigned at or below the resource group listed in assignableScopes.
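Reading a role definition by eye gets error-prone once wildcards and notActions appear. The following script is an added example for this cheatsheet (not from the original page and not Azure's own code): it parses the JSON that `az role definition list -o json` prints and applies the Azure RBAC matching rules offline, so an access review can answer "does this role grant operation X?" and "does an assignment at scope S reach resource R?" directly. The first role definition is a trimmed copy of the page's "Customer Database Access" output; the second role ("Hypothetical Storage Operator") and the storage account resource ID used in the checks are constructed for illustration.

```python
"""Evaluate what an Azure role definition grants, offline (added example).

Azure RBAC rules implemented here:
  * control plane: an operation is granted when it matches an `actions`
    entry and no `notActions` entry; the data plane uses `dataActions`
    and `notDataActions` in the same way.
  * `*` inside a permission string matches any run of characters,
    including '/', so "Microsoft.Storage/*" covers every storage operation.
  * a role assignment at a scope applies to that scope and everything below it.
  * `assignableScopes` only limits where the role may be assigned.
"""
import json
import re

# Constructed input: a trimmed copy of the page's "Customer Database Access"
# role plus a hypothetical wildcard role that shows notActions being subtracted.
ROLE_DEFINITIONS_JSON = r"""
[
  {
    "assignableScopes": ["/subscriptions/ceff06cb-e29d-4486-a3ae-eaaec5689f94/resourceGroups/content-static-2"],
    "permissions": [{
      "actions": ["Microsoft.Storage/storageAccounts/tableServices/tables/read"],
      "notActions": [],
      "dataActions": ["Microsoft.Storage/storageAccounts/tableServices/tables/entities/read"],
      "notDataActions": []
    }],
    "roleName": "Customer Database Access",
    "roleType": "CustomRole"
  },
  {
    "assignableScopes": ["/subscriptions/ceff06cb-e29d-4486-a3ae-eaaec5689f94"],
    "permissions": [{
      "actions": ["Microsoft.Storage/*"],
      "notActions": ["Microsoft.Storage/storageAccounts/listKeys/action",
                     "Microsoft.Storage/storageAccounts/delete"],
      "dataActions": [],
      "notDataActions": []
    }],
    "roleName": "Hypothetical Storage Operator",
    "roleType": "CustomRole"
  }
]
"""


def load_role_definitions(text):
    """Map roleName -> role definition from `az role definition list -o json`."""
    return {role["roleName"]: role for role in json.loads(text)}


def _matches(operation, patterns):
    """True if `operation` matches any Azure permission string in `patterns`.
    Only '*' is a wildcard; everything else is compared literally, case-insensitively."""
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, operation, re.IGNORECASE):
            return True
    return False


def role_grants(role, operation, data_action=False):
    """Does this role grant `operation`? Each permissions block is evaluated
    as allow-list minus deny-list; one block granting it is enough."""
    allow_key, deny_key = (("dataActions", "notDataActions") if data_action
                           else ("actions", "notActions"))
    for perm in role["permissions"]:
        allowed = _matches(operation, perm.get(allow_key, []))
        denied = _matches(operation, perm.get(deny_key, []))
        if allowed and not denied:
            return True
    return False


def scope_covers(assignment_scope, resource_id):
    """An assignment at `assignment_scope` applies to `resource_id` when the
    resource sits at or below that scope (comparison is case-insensitive)."""
    scope = assignment_scope.rstrip("/").lower()   # root scope "/" becomes ""
    target = resource_id.rstrip("/").lower()
    return scope == "" or target == scope or target.startswith(scope + "/")


def summarise(role):
    """Short human-readable summary of a role for an access review."""
    lines = [f"{role['roleName']} ({role['roleType']})"]
    for perm in role["permissions"]:
        for key in ("actions", "notActions", "dataActions", "notDataActions"):
            for entry in perm.get(key, []):
                lines.append(f"  {key}: {entry}")
    for scope in role["assignableScopes"]:
        lines.append(f"  assignable at: {scope}")
    return "\n".join(lines)


if __name__ == "__main__":
    for role in load_role_definitions(ROLE_DEFINITIONS_JSON).values():
        print(summarise(role))
```

Two points worth noting when using this against real output: a data-plane operation never matches the control-plane `actions` list (and vice versa), so the two planes must be checked separately; and `scope_covers` is the reason a role assigned at the resource-group level shows up for every storage account inside that group even though `az role assignment list` on the account itself may not mention it unless `--include-inherited` is used.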
Enumerate accessible resources
Enumerate accessible resources:
# Given subscription ID
$CurrentSubscriptionID = "<sub id>"
# Set output format
$OutputFormat = "table"
# Set the given subscription as the active one
& az account set --subscription $CurrentSubscriptionID
# List resources in the current subscription
& az resource list -o $OutputFormat
Example output:
Name             ResourceGroup     Location    Type                       Status
---------------  ----------------  ----------  -------------------------  --------
ext-contractors  content-static-2  eastus      Microsoft.KeyVault/vaults
Enumerate Entra ID for user accounts
Enumerate Entra ID for user accounts - by given name:
az ad user list --query "[?givenName=='name1' || givenName=='name2' || givenName=='name3'].{Name:displayName, UPN:userPrincipalName, JobTitle:jobTitle}" -o table
Example output:
Name                      UPN                              JobTitle
------------------------  -------------------------------  ------------------------------------------
Josh Harvey (Consultant)  ext.josh.harvey@megabigtech.com  Consultant (Customer DB Migration Project)
Enumerate target user account
Get the objectID for the target account:
Get-MgUser -UserId <UPN>
Example output:
DisplayName              Id                                   Mail UserPrincipalName
-----------              --                                   ---- -----------------
Josh Harvey (Consultant) 6470f625-41ce-4233-a621-fad0aa0b7300      ext.josh.harvey@megabigtech.com
This can then be used to enumerate the user further.
Get group memberships and directory roles that the user is a member of:
$UserId = '<Object ID>'
Get-MgUserMemberOf -userid $userid | select * -ExpandProperty additionalProperties | Select-Object {$_.AdditionalProperties["displayName"], $_.Id, $_.AdditionalProperties["description"]} | ft
Example output:
$_.AdditionalProperties["displayName"], $_.Id, $_.AdditionalProperties["description"]
-------------------------------------------------------------------------------------
{CUSTOMER-DATABASE-ACCESS, 79b430a5-ea4d-4de6-855b-908bdfb052dc, Provides full read-only access to the Mega Big Tech...
{Directory Readers, 6b83e066-a070-4a2d-82c9-fcf55b76ccf4, Can read basic directory information. Commonly used to gra...
{Default Directory, fc185453-0e6c-4c47-829e-22608798785a, Default Directory}
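The membership listing above and the role-assignment listing earlier on this page answer two separate questions; the "does this group have any role assigned to it?" question needs them joined. The script below is an added example for this cheatsheet (not part of the original page): it takes the user's `memberOf` objects in the JSON shape Microsoft Graph returns and the records from `az role assignment list --all -o json`, splits the memberships into groups and directory roles by `@odata.type`, and reports every Azure RBAC role the user holds directly or through a group. The sample data is constructed: object IDs, names and the Customer Database Access scope are taken from the page's example output, while the `@odata.type` values, the assignment records and the Reader scope are assumed for illustration.

```python
"""Join Graph memberOf output with Azure role assignments (added example)."""
import json

# Constructed: the objects GET /users/{id}/memberOf (Get-MgUserMemberOf) returns,
# trimmed to the fields used below. Names and IDs come from the page's output.
MEMBER_OF_JSON = r"""
[
  {"@odata.type": "#microsoft.graph.group",
   "id": "79b430a5-ea4d-4de6-855b-908bdfb052dc",
   "displayName": "CUSTOMER-DATABASE-ACCESS",
   "description": "Provides full read-only access to the Mega Big Tech customer list"},
  {"@odata.type": "#microsoft.graph.directoryRole",
   "id": "6b83e066-a070-4a2d-82c9-fcf55b76ccf4",
   "displayName": "Directory Readers",
   "description": "Can read basic directory information."}
]
"""

# Object ID of the target user from the page (Josh Harvey (Consultant)).
USER_OBJECT_ID = "6470f625-41ce-4233-a621-fad0aa0b7300"
SUB = "/subscriptions/ceff06cb-e29d-4486-a3ae-eaaec5689f94"

# Constructed: records in the shape of `az role assignment list --all -o json`,
# trimmed to the fields used below. The IT-HELPDESK principalId is a placeholder.
ROLE_ASSIGNMENTS_JSON = r"""
[
  {"principalId": "79b430a5-ea4d-4de6-855b-908bdfb052dc",
   "principalName": "CUSTOMER-DATABASE-ACCESS", "principalType": "Group",
   "roleDefinitionName": "Customer Database Access",
   "scope": "/subscriptions/ceff06cb-e29d-4486-a3ae-eaaec5689f94/resourceGroups/content-static-2"},
  {"principalId": "6470f625-41ce-4233-a621-fad0aa0b7300",
   "principalName": "ext.josh.harvey@megabigtech.com", "principalType": "User",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/ceff06cb-e29d-4486-a3ae-eaaec5689f94"},
  {"principalId": "00000000-0000-0000-0000-000000000001",
   "principalName": "IT-HELPDESK", "principalType": "Group",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/ceff06cb-e29d-4486-a3ae-eaaec5689f94"}
]
"""


def split_member_of(member_of):
    """Separate memberOf objects into groups, directory roles and anything else
    (for example administrative units) using the Graph @odata.type discriminator."""
    groups, directory_roles, other = [], [], []
    for obj in member_of:
        kind = obj.get("@odata.type", "")
        if kind == "#microsoft.graph.group":
            groups.append(obj)
        elif kind == "#microsoft.graph.directoryRole":
            directory_roles.append(obj)
        else:
            other.append(obj)
    return groups, directory_roles, other


def effective_role_assignments(user_id, member_of, assignments):
    """Azure RBAC assignments that apply to the user: those on the user object
    itself plus those on any group the user is a direct member of."""
    groups, _, _ = split_member_of(member_of)
    group_names = {g["id"].lower(): g["displayName"] for g in groups}
    result = []
    for a in assignments:
        pid = a["principalId"].lower()
        if pid == user_id.lower():
            via = "direct"
        elif pid in group_names:
            via = "group " + group_names[pid]
        else:
            continue  # assignment belongs to some other principal
        result.append({"role": a["roleDefinitionName"], "scope": a["scope"], "via": via})
    return sorted(result, key=lambda r: (r["role"], r["scope"]))


def review_user(user_id, member_of_json, assignments_json):
    """One-call summary: group names, directory role names and effective RBAC roles."""
    member_of = json.loads(member_of_json)
    groups, directory_roles, _ = split_member_of(member_of)
    return {
        "groups": [g["displayName"] for g in groups],
        "directory_roles": [r["displayName"] for r in directory_roles],
        "rbac": effective_role_assignments(user_id, member_of, json.loads(assignments_json)),
    }


if __name__ == "__main__":
    print(json.dumps(review_user(USER_OBJECT_ID, MEMBER_OF_JSON, ROLE_ASSIGNMENTS_JSON), indent=2))
```

Two caveats apply when running this against a live tenant: `memberOf` lists direct memberships only, so nested groups are missed unless the transitive endpoint (`Get-MgUserTransitiveMemberOf`) is used instead, and `az role assignment list` without `--all` only returns assignments at the current subscription scope, so management-group-level assignments that the user inherits will not appear in the join.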