In September 2024, I tweeted about my intentions to split the AADInternals module in two, as AVs and MDE were blocking its installation. In this blog, I’ll explain the what and the why of the new AADInternals-Endpoints 😈 module.| aadinternals.com
Last year I gave a presentation titled Dumping NTHashes from Azure AD at TROOPERS conference. The talk was about how the Microsoft Entra Domain Services (formerly Azure AD Domain Services) works and how it enabled dumping NTHashes from Entra ID (formerly Azure AD). In this blog, I’ll show how Microsoft Entra Domain Services (MEDS) can be (ab)used to exfiltrate NTHashes from on-prem Active Directory.| aadinternals.com
Multi-factor Authentication (MFA) and Conditional Access (CA) policies are powerful tools to protect Azure AD users’ identities. For instance, one may allow access only from compliant devices and require MFA from all users. However, because of the Azure AD authentication platform’s architecture, users can bypass home tenant MFA and CA policies when logging in directly to resource tenants. This blog post tries to shed some light on how Azure AD authentication works under-the-hood. We’ll introduc...| aadinternals.com
On 13 September 2022, Secureworks published a Threat Analysis: Azure Active Directory Pass-Through Authentication Flaws. The vulnerabilities discovered by our team allow threat actors to gain persistent and undetected access to the target Azure AD tenant. In this blog post, I’ll show how the attack can be conducted using AADInternals and a standalone Windows server.| aadinternals.com
Group Managed Service Accounts (gMSAs) can be used to run Windows services on multiple servers within a Windows domain. Since the launch of Windows Server 2012 R2, gMSA has been the recommended service account option for AD FS. As abusing AD FS is one of my favourite hobbies, I wanted to learn how gMSAs work.| aadinternals.com
In August 2022, I’ll have several presentations regarding Azure AD security, open-source tools, and bug bounties. I’ll be presenting at TECHMENTOR, Black Hat Arsenal, DEF CON demo labs, and Cloud Village. If you’d like to have a chat on anything Azure AD related, want to say hi or get an AADInternals sticker, check my schedule!| aadinternals.com
I’ve talked about AD FS issues for a couple of years now, and after Solorigate/Sunburst the world is finally listening 😉 In this blog, I’ll explain the currently known TTPs to exploit AD FS certificates, and introduce a totally new technique to export the configuration data remotely.| aadinternals.com
In October 2020, someone contacted me and asked whether it would be possible to create BPRTs using AADInternals. I hadn’t even heard of BPRTs, but was eventually able to help him create them. Now this functionality is included in AADInternals v0.4.5. In this blog, I’ll explain what BPRTs are and how they can be used to join multiple devices to both Azure AD and Intune. I’ll also show the dark side of BPRTs: how they can be used to conduct DoS attacks against Azure AD, and how to det...| aadinternals.com
Administrators can use Teams policies to control what users can do in Microsoft Teams. In this blog, I’ll show that these policies are enforced only on the client side and can thus be easily bypassed.| aadinternals.com
AADInternals v0.4.4, the Cloud Identity Summit 2020 edition, is now released! Read on to see the list of updates and new features.| aadinternals.com
Lately we have seen great articles by @_dirkjan, @tifkin_, @rubin_mor, and @gentilkiwi about utilising the Primary Refresh Token (PRT) to get access to Azure AD and Azure AD joined computers. In this blog, I’ll report my own findings regarding PRTs and introduce the new functionality added to AADInternals v0.4.1.| aadinternals.com
This post is part 3⁄5 of the Azure AD and Microsoft 365 kill chain blog series. Azure AD and Office 365 are cloud services, and most information is visible only to the members (or guests) of the tenant. However, there is plenty of information publicly available to anyone. In this blog, using AADInternals v0.4.5, I’ll show how to gather information about any Azure AD tenant as an insider.| aadinternals.com
This post is part 2⁄5 of the Azure AD and Microsoft 365 kill chain blog series. When sharing SharePoint content with people outside the organisation or inviting them to Teams, a corresponding guest account is created in Azure AD. Although the created guest account is not a pure insider, it has wide read-only access to the organisation’s Azure AD information. In this blog, using AADInternals v0.4.0, I’ll show how to gather information from an Azure AD tenant as a guest user.| aadinternals.com
This post is part 1⁄5 of the Azure AD and Microsoft 365 kill chain blog series. Azure AD and Office 365 are cloud services, and most information is available only to the members (or guests) of the tenant. However, there is plenty of information publicly available to anyone. In this blog, using AADInternals v0.4.0, I’ll show how to gather information about any Azure AD tenant as an outsider.| aadinternals.com
Sean Metcalf (@Pyrotek3) organised a great webcast at the end of May 2020. Among other things, Sean introduced a new (to me, at least) attack vector where an Azure AD administrator can easily get system-level access to any Azure virtual machine of the organisation. Naturally, I had to implement this functionality to| aadinternals.com
Microsoft has published a PowerShell module for their partners to ease and automate operations with their customers. This module is (quite intuitively) called Partner Center. While the module does well what it’s meant to do, it also tells Microsoft what the partners are doing.| aadinternals.com
In my earlier blog post I explained how to create a backdoor to Azure AD using an identity federation vulnerability feature I discovered in 2017. In this blog post, I’ll explain how to create a backdoor using Seamless SSO and how to exploit it using forged Kerberos tickets.| aadinternals.com
On October 25th, I’ll be talking at t2.fi infosec conference in Helsinki. In this blog, I’ll tell what to expect in my Abusing Azure Active Directory: Who would you like to be today? presentation.| aadinternals.com
I was honoured to hear that I was accepted to present my AADInternals toolkit at the most respected information security event in the world: Black Hat USA 2019. This is clearly one of my greatest professional achievements so far! In this blog, I’ll briefly introduce what to expect in my demo at Black Hat Arsenal.| aadinternals.com
Microsoft (finally!) announced in April 2019 support for 8-256 character passwords in Azure AD/Office 365. This limit does not apply to users whose passwords are synced from the on-prem Active Directory (or to federated users). In this blog, I’ll show how to set insanely long (64K+ character) passwords for cloud-only users too!| aadinternals.com
In November 2018 Azure AD MFA was down for over 12 hours, preventing users from logging in to Office 365. The same happened in October 2019 in US data centers. As MFA is usually mandatory for administrators by company policy, they couldn’t log in either. In this blog, I’ll show how to create a backdoor to Azure AD so you can log in and bypass MFA.| aadinternals.com
I’ve recently noticed that many organisations moving to Office 365 are struggling with their current on-premises non-routable UPNs. In this blog, I’ll show how to use Office 365 without altering on-premises UPNs.| aadinternals.com
In June 2018 the existence of a secret Office 365 forensics tool was confirmed. The tool refers to Microsoft’s undocumented Exchange Online Activities API. The API provides access to granular mail activity events for data up to six months old! To provide administrators with easy access to the API, I created a PowerShell module (EXOMailActivity). In this blog, I’ll show you how to use the module to get access to mail activity data.| aadinternals.com
Office 365 groups are a great way to promote collaboration between people inside and outside organisations. By default, users are able to create groups freely, making their use easy. However, in many organisations, this has led to chaos. In this blog, I show how you can get back control of Office 365 groups, Teams and Planner.| aadinternals.com
Did you know that you could get a free custom domain for your Office 365 or Azure AD tenant?| aadinternals.com
Azure AD PowerShell module was earlier installed by a standard .msi package. Now you can install it using one PowerShell command. However, installation requires PowerShell 5 or newer.| aadinternals.com
In this blog, I will describe a security vulnerability I discovered and reported to Microsoft in October. The vulnerability was disclosed in LIVE!360 TECHMENTOR event in Orlando on Nov 16th 2017.| aadinternals.com
LIVE!360 event started today at Loews Royal Pacific Resort in Orlando.| aadinternals.com
If you are using Microsoft DNS for Office 365 DNS records, you can create the required records easily with PowerShell.| aadinternals.com
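The following is an added example, not code from the original post, showing how those records can be created with the DnsServer module on a Windows DNS server. The zone name, the per-tenant MX host and the MS=… domain verification value are placeholders to be replaced with the values shown in the Microsoft 365 admin center; the other targets (spf.protection.outlook.com, autodiscover.outlook.com, enterpriseregistration.windows.net, enterpriseenrollment.manage.microsoft.com and the Skype for Business/Teams sip, lyncdiscover and SRV targets) are Microsoft’s published values.

```powershell
# Added example: create the standard Office 365 DNS records in a Microsoft DNS zone.
# Requires the DnsServer RSAT module; run on (or against) the DNS server hosting the zone.
#Requires -Modules DnsServer

function Add-O365DnsRecords {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ZoneName,         # placeholder, e.g. contoso.com
        [Parameter(Mandatory)] [string] $MxHost,           # per-tenant, e.g. contoso-com.mail.protection.outlook.com
        [string] $VerificationTxt,                         # per-tenant, e.g. "MS=ms12345678" (optional once verified)
        [string] $DnsServer = $env:COMPUTERNAME
    )

    # Existence checks make the function safe to re-run.
    function Test-Record([string] $Name, [string] $Type) {
        $null -ne (Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $Name -RRType $Type `
                   -ComputerName $DnsServer -ErrorAction SilentlyContinue)
    }

    # MX: a single record pointing at the tenant's Exchange Online Protection host.
    if (-not (Test-Record '@' 'MX') -and $PSCmdlet.ShouldProcess("$ZoneName", 'Add MX')) {
        Add-DnsServerResourceRecordMX -ZoneName $ZoneName -Name '@' -MailExchange $MxHost `
            -Preference 0 -ComputerName $DnsServer
    }

    # TXT: SPF and (optionally) the domain verification record. A zone must have at most
    # one SPF record, so merge the include into an existing one instead of adding a second.
    $existingTxt = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -Name '@' -RRType TXT `
                     -ComputerName $DnsServer -ErrorAction SilentlyContinue |
                     ForEach-Object { $_.RecordData.DescriptiveText })
    $spf = 'v=spf1 include:spf.protection.outlook.com -all'
    if ($existingTxt -match '^v=spf1') {
        if ($existingTxt -notcontains $spf) {
            Write-Warning "Zone already has an SPF record; add 'include:spf.protection.outlook.com' to it manually."
        }
    } elseif ($PSCmdlet.ShouldProcess("$ZoneName", 'Add SPF TXT')) {
        Add-DnsServerResourceRecord -Txt -ZoneName $ZoneName -Name '@' -DescriptiveText $spf -ComputerName $DnsServer
    }
    if ($VerificationTxt -and $existingTxt -notcontains $VerificationTxt -and
        $PSCmdlet.ShouldProcess("$ZoneName", 'Add verification TXT')) {
        Add-DnsServerResourceRecord -Txt -ZoneName $ZoneName -Name '@' -DescriptiveText $VerificationTxt -ComputerName $DnsServer
    }

    # CNAMEs: Autodiscover, device registration/enrollment, and Skype for Business/Teams.
    $cnames = @{
        'autodiscover'           = 'autodiscover.outlook.com'
        'enterpriseregistration' = 'enterpriseregistration.windows.net'
        'enterpriseenrollment'   = 'enterpriseenrollment.manage.microsoft.com'
        'sip'                    = 'sipdir.online.lync.com'
        'lyncdiscover'           = 'webdir.online.lync.com'
    }
    foreach ($name in $cnames.Keys) {
        if (-not (Test-Record $name 'CNAME') -and $PSCmdlet.ShouldProcess("$name.$ZoneName", 'Add CNAME')) {
            Add-DnsServerResourceRecordCName -ZoneName $ZoneName -Name $name -HostNameAlias $cnames[$name] -ComputerName $DnsServer
        }
    }

    # SRV records for Skype for Business Online / Teams federation.
    $srvs = @(
        @{ Name = '_sip._tls';              Target = 'sipdir.online.lync.com'; Port = 443  },
        @{ Name = '_sipfederationtls._tcp'; Target = 'sipfed.online.lync.com'; Port = 5061 }
    )
    foreach ($srv in $srvs) {
        if (-not (Test-Record $srv.Name 'SRV') -and $PSCmdlet.ShouldProcess("$($srv.Name).$ZoneName", 'Add SRV')) {
            Add-DnsServerResourceRecord -Srv -ZoneName $ZoneName -Name $srv.Name -DomainName $srv.Target `
                -Priority 100 -Weight 1 -Port $srv.Port -ComputerName $DnsServer
        }
    }
}

# Preview first, then run for real without -WhatIf.
Add-O365DnsRecords -ZoneName 'contoso.com' -MxHost 'contoso-com.mail.protection.outlook.com' -VerificationTxt 'MS=ms12345678' -WhatIf
```

Because the function supports `-WhatIf`, you can review every record it would create before touching the zone. The SPF handling is the part worth a second look: a second `v=spf1` record at the zone apex makes SPF evaluation fail permanently, so an existing record must be edited rather than duplicated.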
My recent talk at the great T2 conference on DoSing Azure AD gained a lot of attention. Unfortunately, the talk was not recorded, so I decided to write a blog for those who couldn’t attend. So here we go!| aadinternals.com
A couple of weeks ago a friend of mine asked whether it would be possible to pre-register MFA for users in Azure AD. In short, yes it is! In this blog, I’ll show how to pre-register OTP and SMS MFA methods using AADInternals’ Register‑AADIntMFAApp and Set‑AADIntUserMFA.| aadinternals.com
In my previous blog post I explained how Group Managed Service Accounts (gMSA) passwords are stored locally on the servers. In this blog, I’ll share how you can easily elevate yourself from the local administrator to gMSA without a need to know the account password. I’m already using this technique in AADInternals to execute code as AD FS service account.| aadinternals.com
In my previous blog posts I’ve covered details on PRTs, BPRTs, device compliance, and Azure AD device join. In this blog, I’ll show how to steal the identities of existing Azure AD joined devices, and how to fake the identities of non-AAD joined Windows devices with AADInternals v0.6.6.| aadinternals.com
In 2018, I blogged first time about risks related to Delegated Administrative Privileges (DAP) given to Microsoft partners. Now, in 2021, Microsoft blogged how NOBELIUM exploited DAP to compromise customers of some Microsoft partners. In this blog, I’ll explain why DAP is so dangerous, how to exploit it, how to detect exploitation, and how to view partner related information with AADInternals v0.6.5.| aadinternals.com
The AADInternals toolkit is best known for its offensive (red team) tools. Its origins, however, are in administration, especially for tasks not supported by official tools. In this blog, I’ll introduce recent additions to the admin & blue team tools and also some old goodies!| aadinternals.com
Devices (endpoints) are a crucial part of Microsoft’s Zero Trust concept. Devices can be Registered, Joined, or Hybrid Joined to Azure AD. Conditional Access uses the device information as one of the decision criteria to allow or block access to services. In this blog, I’ll explain what these different registration types are, what happens under-the-hood during the registration, and how to register devices with AADInternals v0.4.6.| aadinternals.com
Azure Cloud Shell is a browser-based shell for managing Azure resources using your favourite shell, Bash or PowerShell. Cloud Shell is typically used from the Azure Portal. It provides easy access to Azure CLI, Azure PowerShell and Azure AD PowerShell. In this blog, I’ll introduce a new way to access Cloud Shell from PowerShell (requires AADInternals v0.4.3 or newer).| aadinternals.com
In my previous blog I demonstrated how to create a Primary Refresh Token (PRT) by joining an imaginary device to Azure AD. In this blog, with AADInternals v0.4.2, I’ll show how to make those devices compliant, allowing compliance-related conditional access (CA) policies to be bypassed.| aadinternals.com
Multi-factor Authentication (MFA) is nowadays a recommended method for providing extra protection for users. In most cases, it protects users from phishing attacks, as the attackers can’t log in even if they have the user’s credentials. In this blog, I’ll report my findings on how Azure AD MFA works under-the-hood, and how I built a custom authenticator app for Android. I also introduce some methods a rogue administrator can use to bypass MFA with a user’s compromised credentials.| aadinternals.com
This post is part 5⁄5 of the Azure AD and Microsoft 365 kill chain blog series. Although on-prem administrators don’t usually have admin rights to Azure AD, they can have access to crucial components, such as Azure AD Connect, ADFS, and Active Directory. Administrators of these services can easily get admin rights to Azure AD to manipulate and impersonate users. In this blog, using AADInternals v0.4.0, I’ll show how to get Global Admin access and how to impersonate users as an on-prem ad...| aadinternals.com
This post is part 4⁄5 of the Azure AD and Microsoft 365 kill chain blog series. Global Admin is the most powerful administrator role in Azure AD. It is (almost) equivalent to local system rights in a traditional Windows environment: if you are a Global Admin, there is no security! As a Global Admin, there are no limits to what you are allowed to do. For instance, one can easily access others’ data. But why bother, if you can just as easily impersonate users? In this blog, using AADInternals v...| aadinternals.com
Microsoft changed the location of the ADSync encryption keys in Azure AD Connect version 1.4.x. These keys are used to encrypt and decrypt the passwords of the “service accounts” used for syncing data from AD to Azure AD. Earlier versions saved the keys in the registry, but 1.4.x protects them with DPAPI. Thus, AADInternals couldn’t decrypt the passwords anymore. Luckily, Dirk-jan Mollema described in his great article how the encryption keys could be extracted and used to decrypt the passwords. ...| aadinternals.com
In my earlier blog, I explained how Azure AD identity federation works under-the-hood. In this post, I’ll be doing the same with Azure AD pass-through authentication (PTA).| aadinternals.com
OneDrive has a security option to allow syncing only from PCs joined to specific domains. In this blog, using the latest AADInternals toolkit (announced at Black Hat Europe 2019), I’ll show how the domain restrictions can be easily bypassed.| aadinternals.com
In 2017, Oliver Morton introduced a feature he found in Office 365 ActiveSync, allowing enumeration of existing users based on HTTP status codes. (Update: The “feature” was fixed by Microsoft in mid-November 2019.) In this blog, I’ll introduce my similar findings on using a Microsoft API to enumerate users when Seamless SSO is enabled in the Azure AD tenant.| aadinternals.com
Identity federation is regarded as the most secure way to authenticate users to Azure AD. In this blog, I’ll deep-dive into the identity federation implementation of Azure AD and point out some serious security issues.| aadinternals.com
For the last couple months I’ve used most of my free time on studying and hacking Azure AD admin APIs. As a result, I’m finally publishing the first (beta) version of the AADInternals PowerShell module.| aadinternals.com
By default, any user of an Office 365 or Azure AD tenant can read the content of Azure AD using PowerShell and Graph API Explorer. This is a serious security issue because users have undetectable access to other users’ personal data, which violates, for instance, GDPR. In this blog, I’ll tell how to prevent the access.| aadinternals.com
Microsoft Teams has been available for free since July 2018. In this blog, I’ll deep-dive into its technical details.| aadinternals.com
Have you ever faced a situation where a user takes leave longer than 30 days, and you would like to save the money spent on Office 365 licenses but still preserve the user’s mailbox? In this blog, I tell you how!| aadinternals.com
It still surprises me how few know that Office 365 includes a full-fledged email encryption solution, Office Message Encryption (OME). A “new OME”, built on top of Azure Information Protection, has been available for some time now. In this blog, I’ll tell you how to set up and customise the new OME.| aadinternals.com
In short, no it’s not. In this blog, I’ll tell you three reasons why.| aadinternals.com
PowerShell profile makes connecting to Office 365 a lot easier!| aadinternals.com
By default, AD FS only supports SSO with Internet Explorer. However, you can easily enable support for Google Chrome, Firefox, and Edge.| aadinternals.com
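As an added example (not code from the original post), the change is made by extending the AD FS `WIASupportedUserAgents` list, which controls which browsers are offered Windows Integrated Authentication instead of the forms-based sign-in page. The default user-agent substring below is an assumption chosen so that only browsers on Windows match; non-Windows and mobile clients cannot do Kerberos and would otherwise get a 401 prompt instead of the forms page.

```powershell
# Added example: enable WIA (seamless SSO) in AD FS for Chrome, Firefox and Edge on Windows.
# Run on the primary AD FS server as a local administrator.
Import-Module ADFS

function Enable-AdfsBrowserSso {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Substrings matched against the browser's User-Agent header. Chrome, Firefox and
        # Edge on Windows all send "Mozilla/5.0 (Windows NT ...", so one entry covers them
        # without also matching macOS, iOS or Android browsers that cannot do Kerberos.
        [string[]] $UserAgents = @('Mozilla/5.0 (Windows NT')
    )

    $current = @((Get-AdfsProperties).WIASupportedUserAgents)
    $toAdd   = @($UserAgents | Where-Object { $current -notcontains $_ })

    if ($toAdd.Count -eq 0) {
        Write-Verbose 'All requested user agents are already enabled for WIA.'
        return $current
    }

    $new = $current + $toAdd
    if ($PSCmdlet.ShouldProcess('AD FS properties', "Set WIASupportedUserAgents (+$($toAdd -join ', '))")) {
        Set-AdfsProperties -WIASupportedUserAgents $new
        # The setting is read at service start, so restart AD FS for it to take effect.
        Restart-Service adfssrv
    }
    return (Get-AdfsProperties).WIASupportedUserAgents
}

Enable-AdfsBrowserSso -Verbose
```

Two caveats a practitioner will hit: the server-side list is only half of the picture for Firefox, which also needs the AD FS farm FQDN in `network.negotiate-auth.trusted-uris` on the client before it will send a Kerberos ticket; and on a multi-node farm the property is farm-wide, but each node’s service still has to be restarted.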
Welcome to Office 365 blogs| aadinternals.com
Azure AD Connect Health is a feature that allows viewing the health of on-prem hybrid infrastructure components, including Azure AD Connect and AD FS servers. Health information is gathered by agents installed on each on-prem hybrid server. Since March 2021, AD FS sign-in events are also gathered and sent to Azure AD. In this write-up (based on a Threat Analysis report by Secureworks), I’ll explain how anyone with local administrator access to an AD FS server (or proxy) can create arbitrary...| aadinternals.com
The ongoing global phishing campaigns against Microsoft 365 have used various phishing techniques. Currently attackers are utilising forged login sites and OAuth app consents. In this blog, I’ll introduce a new phishing technique based on the Azure AD device code authentication flow. I’ll also provide instructions on how to detect usage of compromised credentials and what to do to prevent phishing using the new technique.| aadinternals.com
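In the device code flow the user authenticates in their own browser, but the resulting tokens are handed to whoever polls the token endpoint, so the sign-in is logged with the attacker’s IP address and location under the victim’s identity. The following is an added example, not code from the original post, that applies that observation to an Entra ID sign-in log export: it lists every `deviceCode` sign-in and flags those whose IP or country does not appear in the same user’s other sign-ins. The JSON is a constructed sample in the shape of the Microsoft Graph `signIn` resource (`auditLogs/signIns`); field names are Graph’s, the values are made up.

```powershell
# Added example: hunt for device code sign-ins that land from an IP/country the user
# is otherwise never seen from. Input is a JSON array of Graph signIn objects
# (e.g. exported from auditLogs/signIns). The sample below is constructed.
$sampleSignIns = @'
[
  {"createdDateTime":"2021-01-12T08:01:10Z","userPrincipalName":"alice@contoso.com",
   "appDisplayName":"Microsoft Office","ipAddress":"203.0.113.7",
   "authenticationProtocol":"deviceCode","location":{"countryOrRegion":"NL"}},
  {"createdDateTime":"2021-01-12T08:03:42Z","userPrincipalName":"alice@contoso.com",
   "appDisplayName":"Microsoft Teams","ipAddress":"198.51.100.20",
   "authenticationProtocol":"oAuth2","location":{"countryOrRegion":"FI"}},
  {"createdDateTime":"2021-01-12T09:15:00Z","userPrincipalName":"alice@contoso.com",
   "appDisplayName":"Office 365 SharePoint Online","ipAddress":"198.51.100.20",
   "authenticationProtocol":"oAuth2","location":{"countryOrRegion":"FI"}},
  {"createdDateTime":"2021-01-12T10:30:05Z","userPrincipalName":"bob@contoso.com",
   "appDisplayName":"Azure CLI","ipAddress":"198.51.100.44",
   "authenticationProtocol":"deviceCode","location":{"countryOrRegion":"FI"}},
  {"createdDateTime":"2021-01-12T07:50:00Z","userPrincipalName":"bob@contoso.com",
   "appDisplayName":"Microsoft Teams","ipAddress":"198.51.100.44",
   "authenticationProtocol":"oAuth2","location":{"countryOrRegion":"FI"}}
]
'@

function Get-DeviceCodeSignIns {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Json)

    $signIns = $Json | ConvertFrom-Json
    $byUser  = $signIns | Group-Object -Property userPrincipalName -AsHashTable -AsString

    foreach ($s in ($signIns | Where-Object { $_.authenticationProtocol -eq 'deviceCode' })) {
        # Baseline: the same user's non-device-code sign-ins in this export.
        $others         = @($byUser[$s.userPrincipalName] | Where-Object { $_.authenticationProtocol -ne 'deviceCode' })
        $otherIps       = @($others | ForEach-Object ipAddress | Where-Object { $_ } | Sort-Object -Unique)
        $otherCountries = @($others | ForEach-Object { $_.location.countryOrRegion } | Where-Object { $_ } | Sort-Object -Unique)

        $reasons = @()
        if ($otherIps.Count -gt 0 -and $otherIps -notcontains $s.ipAddress) {
            $reasons += "token redeemed from $($s.ipAddress); user's other sign-ins came from $($otherIps -join ', ')"
        }
        if ($otherCountries.Count -gt 0 -and $otherCountries -notcontains $s.location.countryOrRegion) {
            $reasons += "country $($s.location.countryOrRegion) not seen in user's other sign-ins"
        }

        [pscustomobject]@{
            Time       = $s.createdDateTime
            User       = $s.userPrincipalName
            App        = $s.appDisplayName
            IP         = $s.ipAddress
            Country    = $s.location.countryOrRegion
            Suspicious = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

# alice's Office sign-in from 203.0.113.7/NL is flagged; bob's Azure CLI sign-in matches his baseline.
Get-DeviceCodeSignIns -Json $sampleSignIns | Format-Table -AutoSize
```

Every device code sign-in is worth a look, not just the flagged ones: ordinary users rarely authenticate this way, so a `deviceCode` entry for a user who is not a developer or admin is itself a signal. On the prevention side, Conditional Access now offers an authentication flows condition that can block the device code flow for users who have no business using it.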