Azure Login — logout methods
Azure CLI
az login -u "user.name@megabigtech.com" -p "password"
az login --use-device-code
az login -u "user.name@megabigtech.com" -p "password" --allow-no-subscription
- --allow-no-subscription signs in with the Entra ID identity even when it has no Azure subscription
----
az login --service-principal --username "<userID>" --password "<password>" --tenant <tenantID>
az logout

Az PowerShell
Connect-AzAccount
$appsecret = ConvertTo-SecureString "<secretValue>" -AsPlainText -Force
# the credential's user name is the service principal's application (client) ID
$cred = New-Object System.Management.Automation.PSCredential('<appId>', $appsecret)
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant '<tenantId>'

Microsoft Graph
Connect-MgGraph
CAPs
Dumping CAPs to identify MFA enablement gaps

Graph Runner
This uses the older Azure AD Graph API.
Import-Module .\GraphRunner.ps1
Get-GraphTokens
Invoke-DumpCAPS -Tokens $tokens

Roadrecon
This uses the older Azure AD Graph API.
roadrecon auth -u audit@megabigtech.com -p '<password>'
We can also authenticate using tokens:
AADGraph=$(az account get-access-token --resource https://graph.windows.net/ --query accessToken --output tsv)
roadrecon auth --device-code
roadrecon gather
roadrecon plugin policies; firefox ./caps.html

curl
$aadgraphtoken is an Azure AD access token
graph.windows.net = the old Azure AD Graph API
curl -sSf -H "Authorization: Bearer $aadgraphtoken" 'https://graph.windows.net/2590ccef-687d-493b-441cbab...'

SPN Method — use the modern API
#Authenticate as SPN
az login --service-principal --tenant <tenantID> --username <usernameID> --password <password> --allow-no-subscription
#Dump CAPs
az rest --method get --uri "https://graph.microsoft.com/v1.0/policies/conditionalAccessPolicies"
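Once the az rest call above has returned the policy set, finding the MFA gaps is a matter of parsing that JSON. The following is an added Python example (not from the page or from any of the tools above) that reads a constructed sample in the Graph v1.0 conditionalAccessPolicy shape and reports MFA policies that are disabled or report-only, plus the user, group, role and application exclusions carved out of the enforced ones; the GUIDs in the sample are made up.

```python
import json
# Constructed sample (not real tenant data) in the shape returned by the az rest call
# above: a "value" array of Graph v1.0 conditionalAccessPolicy objects.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["00000000-0000-0000-0000-00000000aaaa"]},
                    "applications": {"includeApplications": ["All"],
                                     "excludeApplications": ["Office365"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for admins", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeRoles": ["00000000-0000-0000-0000-00000000bbbb"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]})

def requires_mfa(policy):
    # the "mfa" built-in control or an authentication strength both count as an MFA requirement
    gc = policy.get("grantControls") or {}
    return "mfa" in (gc.get("builtInControls") or []) or bool(gc.get("authenticationStrength"))

def find_mfa_gaps(raw_json):
    """(policyName, finding) pairs: MFA policies not enforced, plus scope exclusions."""
    findings = []
    for p in json.loads(raw_json)["value"]:
        if not requires_mfa(p):
            continue  # block/compliance-only policies are out of scope for this check
        name = p["displayName"]
        if p["state"] != "enabled":  # "disabled" or report-only: the policy does not apply
            findings.append((name, f"not enforced (state={p['state']})"))
            continue
        users = p["conditions"].get("users") or {}
        apps = p["conditions"].get("applications") or {}
        for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
            for ex in users.get(key) or []:
                findings.append((name, f"{key}: {ex}"))
        for ex in apps.get("excludeApplications") or []:
            findings.append((name, f"excludeApplications: {ex}"))
    return findings

def has_tenant_wide_mfa(raw_json):
    """True if some enforced MFA policy targets All users on All applications."""
    return any(p["state"] == "enabled" and requires_mfa(p)
               and "All" in p["conditions"]["users"].get("includeUsers", [])
               and "All" in p["conditions"]["applications"].get("includeApplications", [])
               for p in json.loads(raw_json)["value"])
```

Feed it the body of the az rest response instead of SAMPLE_RESPONSE; every exclusion it lists is an identity or app that the tenant-wide MFA policy does not cover and should be justified (break-glass accounts) or removed.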