OSINT

Tenant information

This Open-source Intelligence (OSINT) tool extracts openly available information about the given tenant. It uses the APIs described in my previous blog post and in the MS Graph API documentation. Domain details are returned only for the first 20 domains; for complete recon information, use the AADInternals PowerShell module.

Note: the CBA status is valid ONLY if the email of an existing user is given. Using a tenant ID, a domain name, or the email of a non-existing user may produce a false negative.
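The following is an added example of the kind of unauthenticated tenant recon the tool performs; it is not the site's own tool or AADInternals code. It assumes three public Microsoft login endpoints (the OpenID Connect discovery document for a domain, GetUserRealm.srf, and GetCredentialType) and the response field names listed in the module docstring, which are taken from observed responses and should be treated as assumptions. The sample responses are constructed so the script runs offline; the point it demonstrates is the caveat above: the CBA flag is only reported when the input is an e-mail address and the user actually exists, otherwise it is returned as undetermined rather than as a false negative.

```python
"""Unauthenticated Azure AD tenant recon (added example; not the site's OSINT tool).

Assumed public endpoints (no credentials needed):
  GET  https://login.microsoftonline.com/<domain>/.well-known/openid-configuration
  GET  https://login.microsoftonline.com/GetUserRealm.srf?login=<user@domain>
  POST https://login.microsoftonline.com/common/GetCredentialType  {"username": ...}
Response field names (issuer, tenant_region_scope, NameSpaceType, FederationBrandName,
AuthURL, IfExistsResult, Credentials.CertAuthParams) are assumptions from observed responses.
"""
import json
import re
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

LOGIN = "https://login.microsoftonline.com"
Fetch = Callable[[str, Optional[bytes]], str]  # fetch(url, post_body) -> response text


@dataclass
class TenantInfo:
    tenant_id: Optional[str]
    region: Optional[str]
    namespace_type: Optional[str]   # Managed / Federated / Unknown
    federation_brand: Optional[str]
    auth_url: Optional[str]         # AD FS sign-in URL for federated domains
    user_exists: Optional[bool]     # None when no e-mail address was given
    cba: Optional[bool]             # None = not determinable from this input


def parse_openid_config(text: str) -> Tuple[Optional[str], Optional[str]]:
    """The tenant ID is the GUID in the issuer, e.g. https://sts.windows.net/<guid>/."""
    data = json.loads(text)
    m = re.search(r"/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/?$",
                  data.get("issuer", ""), re.I)
    return (m.group(1) if m else None), data.get("tenant_region_scope")


def parse_user_realm(text: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Managed vs. Federated, plus brand name and AuthURL for federated domains."""
    data = json.loads(text)
    return data.get("NameSpaceType"), data.get("FederationBrandName"), data.get("AuthURL")


def parse_credential_type(text: str) -> Tuple[bool, Optional[bool]]:
    """Return (user_exists, cba). IfExistsResult 0 = user exists; anything else = no such user.
    For an unknown user the CBA flag is meaningless, so report None instead of False."""
    data = json.loads(text)
    if data.get("IfExistsResult") != 0:
        return False, None
    creds = data.get("Credentials") or {}
    return True, creds.get("CertAuthParams") is not None


def recon(target: str, fetch: Fetch) -> TenantInfo:
    """target is a domain name or a user e-mail; fetch performs the HTTP calls."""
    domain = target.split("@")[-1].lower()
    tenant_id, region = parse_openid_config(
        fetch(f"{LOGIN}/{domain}/.well-known/openid-configuration", None))
    # GetUserRealm only needs a syntactically valid login in the target domain
    login = target if "@" in target else f"user@{domain}"
    ns_type, brand, auth_url = parse_user_realm(
        fetch(f"{LOGIN}/GetUserRealm.srf?login={login}", None))
    user_exists = cba = None
    if "@" in target:  # CBA status is only trustworthy for an existing user
        body = json.dumps({"username": target}).encode()
        user_exists, cba = parse_credential_type(
            fetch(f"{LOGIN}/common/GetCredentialType", body))
    return TenantInfo(tenant_id, region, ns_type, brand, auth_url, user_exists, cba)


def http_fetch(url: str, body: Optional[bytes]) -> str:
    """Live fetch; only used when you point the script at a real tenant."""
    headers = {"Content-Type": "application/json"} if body else {}
    req = urllib.request.Request(url, data=body, headers=headers,
                                 method="POST" if body else "GET")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


# Constructed responses so the example runs offline (not real tenant data).
SAMPLE_RESPONSES: Dict[str, str] = {
    "openid-configuration": '{"issuer":"https://sts.windows.net/11111111-2222-3333-4444-555555555555/",'
                            '"tenant_region_scope":"EU"}',
    "GetUserRealm": '{"NameSpaceType":"Federated","FederationBrandName":"Contoso",'
                    '"AuthURL":"https://sts.contoso.example/adfs/ls/","CloudInstanceName":"microsoftonline.com"}',
    "GetCredentialType": '{"IfExistsResult":0,"Credentials":{"HasPassword":true,'
                         '"CertAuthParams":{"CertAuthUrl":"https://certauth.login.microsoftonline.com/"}}}',
}


def make_canned_fetch(responses: Dict[str, str]) -> Fetch:
    """Return a fetch that answers from a dict keyed by a URL substring."""
    def fetch(url: str, body: Optional[bytes]) -> str:
        for key, text in responses.items():
            if key in url:
                return text
        raise KeyError(f"no canned response for {url}")
    return fetch


if __name__ == "__main__":
    print(recon("alice@contoso.example", make_canned_fetch(SAMPLE_RESPONSES)))
    # print(recon("alice@contoso.example", http_fetch))  # live run against a real tenant
```

Swap `make_canned_fetch(SAMPLE_RESPONSES)` for `http_fetch` to run it live; the three calls are unauthenticated, but GetCredentialType is rate-limited and the user-existence check is visible to the tenant, so do not loop it over large user lists from an unapproved engagement.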
Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent

Azure AD Connect Health is a feature that allows viewing the health of on-prem hybrid infrastructure components, including Azure AD Connect and AD FS servers. Health information is gathered by agents installed on each on-prem hybrid server. Since March 2021, AD FS sign-in events have also been gathered and sent to Azure AD.

In this write-up (based on a Threat Analysis report by Secureworks), I’ll explain how anyone with local administrator access to an AD FS server (or proxy) can create arbitrary sign-in events in the Azure AD sign-ins log. Moreover, I’ll show how Global Administrators can register fake agents with Azure AD, even for tenants not using AD FS at all.

How to create over 256 character long passwords for cloud-only users

Microsoft (finally!) announced support for 8-256 character passwords in Azure AD/Office 365 in April 2019. This limit does not apply to users whose passwords are synced from on-prem Active Directory (or to federated users). In this blog, I show how to set insanely long passwords (64K+ characters) for cloud-only users too!
