
AADInternals.com

Part of aadinternals.com

Recent content on AADInternals.com

Terms of Service and Privacy Statement
Terms of Service There is no service level agreement (SLA) with any of the tools. They are provided as-is and may cease to exist without notice at any time. Privacy Statement What personal data is collected and how? The data is collected through interactions with you. Some data is provided directly, and some is collected from your interactions and use of the tools. As with all web-based services, your IP address may always be collected.
https://aadinternals.com/privacy/
AADInternals-Endpoints 😈

In September 2024, I tweeted about my intentions to split the AADInternals module in two, as AVs and MDE were blocking its installation.

In this blog, I’ll explain the what and the why of the new AADInternals-Endpoints 😈 module.

https://aadinternals.com/post/aadinternals-endpoints/
Exfiltrating NTHashes by abusing Microsoft Entra Domain Services

Last year I gave a presentation titled Dumping NTHashes from Azure AD at TROOPERS conference. The talk was about how the Microsoft Entra Domain Services (formerly Azure AD Domain Services) works and how it enabled dumping NTHashes from Entra ID (formerly Azure AD).

In this blog, I’ll show how Microsoft Entra Domain Services (MEDS) can be (ab)used to exfiltrate NTHashes from on-prem Active Directory.

https://aadinternals.com/post/dcaas/
DoSing Azure AD

My recent talk at the great T2 conference on DoSing Azure AD gained a lot of attention. Unfortunately, the talk was not recorded, so I decided to write a blog for those who couldn’t attend. So here we go!

https://aadinternals.com/post/dosingaad/
Elevation of Privilege from Local Admin to gMSA

In my previous blog post I explained how Group Managed Service Accounts (gMSA) passwords are stored locally on the servers. In this blog, I’ll share how you can easily elevate yourself from the local administrator to gMSA without a need to know the account password.

I’m already using this technique in AADInternals to execute code as the AD FS service account.

https://aadinternals.com/post/local_admin_to_gmsa/
Bypassing Azure AD home tenant MFA and CA

Multi-factor Authentication (MFA) and Conditional Access (CA) policies are powerful tools to protect Azure AD users’ identities. For instance, one may allow access only from compliant devices and require MFA from all users.

However, because of Azure AD authentication platform architecture, users can bypass home tenant MFA and CA policies when logging in directly to resource tenants.

This blog post tries to shed some light on how Azure AD authentication works under-the-hood. We’ll introduce the issue, describe how to exploit it, show how to detect exploitation, and finally, how to prevent the exploitation.

The blog is co-authored with @SravanAkkaram and is based on his findings.

https://aadinternals.com/post/ests/
OSINT
Tenant information Due to massive automated request attacks, the original anonymous OSINT service had to be permanently closed in September 2025. The new OSINT tool requiring authentication is available at https://osint.aadinternals.com. To use the tool, you need an Entra ID account with a non-default (.onmicrosoft.com) domain name. Terms of Service and Privacy Statement
https://aadinternals.com/osint/
Exploiting Azure AD PTA vulnerabilities: Creating backdoor and harvesting credentials

On 13 September 2022, Secureworks published a Threat Analysis: Azure Active Directory Pass-Through Authentication Flaws. The vulnerabilities discovered by our team allow threat actors to gain persistent and undetected access to the target Azure AD tenant.

In this blog post, I’ll show how the attack can be conducted using AADInternals and a standalone Windows server.

https://aadinternals.com/post/pta/
Hunt for the gMSA secrets

Group Managed Service Accounts (gMSA’s) can be used to run Windows services over multiple servers within the Windows domain.

Since the launch of Windows Server 2012 R2, gMSA has been the recommended service account option for AD FS. As abusing AD FS is one of my favourite hobbies, I wanted to learn how gMSAs work.

https://aadinternals.com/post/gmsa/
AADInternals World Tour August 2022: USA

In August 2022, I’ll have several presentations regarding Azure AD security, open-source tools, and bug bounties.

I’ll be presenting at TECHMENTOR, Black Hat Arsenal, DEF CON demo labs, and Cloud Village.

If you’d like to have a chat on anything Azure AD related, want to say hi, or want to get an AADInternals sticker, check my schedule!

https://aadinternals.com/post/august_2022/
Microsoft partners: The Good, The Bad, or The Ugly?

In 2018, I blogged for the first time about risks related to Delegated Administrative Privileges (DAP) given to Microsoft partners. Now, in 2021, Microsoft blogged about how NOBELIUM exploited DAP to compromise customers of some Microsoft partners.

In this blog, I’ll explain why DAP is so dangerous, how to exploit it, how to detect exploitation, and how to view partner related information with AADInternals v0.6.5.

https://aadinternals.com/post/partners/
Talks

On this page you’ll find recordings and slides from my conference talks around the 🌎🌏🌍. Enjoy!

https://aadinternals.com/talks/
AADInternals admin and blue team tools

The AADInternals toolkit is best known for its offensive or red team tools. Its origins, however, are in administration, especially for tasks not supported by official tools.

In this blog, I’ll introduce recent additions to the admin & blue team tools and also some old goodies!

https://aadinternals.com/post/admintools/
Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent

Azure AD Connect Health is a feature that allows viewing the health of on-prem hybrid infrastructure components, including Azure AD Connect and AD FS servers. Health information is gathered by agents installed on each on-prem hybrid server. Since March 2021, AD FS sign-in events have also been gathered and sent to Azure AD.

In this write-up (based on a Threat Analysis report by Secureworks), I’ll explain how anyone with local administrator access to an AD FS server (or proxy) can create arbitrary sign-in events in the Azure AD sign-ins log. Moreover, I’ll show how Global Administrators can register fake agents to Azure AD, even for tenants not using AD FS at all.

https://aadinternals.com/post/hybridhealthagent/
Exporting AD FS certificates revisited: Tactics, Techniques and Procedures

I’ve talked about AD FS issues for a couple of years now, and finally, after Solorigate/Sunburst, the world is listening 😉

In this blog, I’ll explain the currently known TTPs to exploit AD FS certificates, and introduce a totally new technique to export the configuration data remotely.

https://aadinternals.com/post/adfs/
Deep-dive to Azure AD device join

Devices (endpoints) are a crucial part of Microsoft’s Zero Trust concept. Devices can be Registered, Joined, or Hybrid Joined to Azure AD. Conditional Access uses the device information as one of the decision criteria to allow or block access to services.

In this blog, I’ll explain what these different registration types are, what happens under-the-hood during the registration, and how to register devices with AADInternals v0.4.6.

https://aadinternals.com/post/devices/
BPRT unleashed: Joining multiple devices to Azure AD and Intune

In October 2020, someone contacted me and asked whether it would be possible to create BPRTs using AADInternals. I hadn’t even heard of BPRTs, but was eventually able to help him to create BPRTs. Now this functionality is included in AADInternals v0.4.5.

In this blog, I’ll explain what BPRTs are and how they can be used to join multiple devices to both Azure AD and Intune. I’ll also show the dark side of BPRTs: how they can be used to conduct DoS attacks against Azure AD, and how to detect and prevent this.

https://aadinternals.com/post/bprt/
Abusing Teams client protocol to bypass Teams security policies

Administrators can use Teams policies for controlling what users can do in Microsoft Teams.

In this blog, I’ll show that these policies are applied only in the client and thus can be easily bypassed.

https://aadinternals.com/post/teams-policies/
AADInternals Cloud Identity Summit 2020 edition

The new AADInternals release, v0.4.4 “Cloud Identity Summit 2020 edition”, is now out! Read on to see the list of updates and new features.

https://aadinternals.com/post/cloudidentitysummit2020/
Introducing a new phishing technique for compromising Office 365 accounts

The ongoing global phishing campaigns against Microsoft 365 have used various phishing techniques. Currently, attackers are utilising forged login sites and OAuth app consents.

In this blog, I’ll introduce a new phishing technique based on Azure AD device code authentication flow. I’ll also provide instructions on how to detect usage of compromised credentials and what to do to prevent phishing using the new technique.

https://aadinternals.com/post/phishing/
Using Azure Cloud Shell from PowerShell

Azure Cloud Shell is a browser-based shell for managing Azure resources using your favourite shell, Bash or PowerShell. Cloud Shell is typically used from the Azure Portal. It provides easy access to Azure CLI, Azure PowerShell and Azure AD PowerShell.

In this blog, I’ll introduce a new way to access Cloud Shell from PowerShell (requires AADInternals v0.4.3 or newer).

https://aadinternals.com/post/cloudshell/
Bypassing conditional access by faking device compliance.

In my previous blog I demonstrated how to create a Persistent Refresh Token (PRT) by joining an imaginary device to Azure AD.

In this blog, with AADInternals v0.4.2, I’ll show how to make those devices compliant, allowing bypassing compliance related conditional access (CA) policies.

https://aadinternals.com/post/mdm/
Deep-dive to Azure AD MFA: Creating a custom authenticator app

Multi-factor Authentication (MFA) is nowadays a recommended method for providing extra protection for users. In most cases, it protects users from phishing attacks, as the attackers can’t log in even if they have the user’s credentials.

In this blog, I’ll report my findings on how Azure AD MFA works under-the-hood, and how I built a custom authenticator app for Android. I also introduce some methods a rogue administrator can use to bypass MFA when using a user’s compromised credentials.

https://aadinternals.com/post/mfa/
Unnoticed sidekick: Getting access to cloud as an on-prem admin

This post is part 5⁄5 of Azure AD and Microsoft 365 kill chain blog series.

Although on-prem administrators don’t usually have admin rights to Azure AD, they can have access to crucial information, such as Azure AD Connect, ADFS, and Active Directory. Administrators of these services can easily get admin rights to Azure AD to manipulate and impersonate users.

In this blog, using AADInternals v0.4.0, I’ll show how to get Global Admin access and how to impersonate users as an on-prem administrator.

https://aadinternals.com/post/on-prem_admin/
Keys of the kingdom: Playing God as Global Admin

This post is part 4⁄5 of Azure AD and Microsoft 365 kill chain blog series.

The Global Admin role is the most powerful administrator role in Azure AD. It is (almost) equivalent to local system rights in a traditional Windows environment: If you are a Global Admin, there is no security! As a Global Admin, there are no limits on what you are allowed to do. For instance, one can easily access others’ data. But why bother, if you can as easily impersonate users?

In this blog, using AADInternals v0.4.0, I’ll show how (as a Global Administrator) to gather information on Azure subscriptions, gather users’ credentials, get system level access to Azure VMs, and how to impersonate users.

https://aadinternals.com/post/admin/
Wolf in sheep's clothing: Azure Active Directory reconnaissance as an insider

This post is part 3⁄5 of Azure AD and Microsoft 365 kill chain blog series.

Azure AD and Office 365 are cloud services, and most information is hidden from the members (or guests) of the tenant. However, there is plenty of information publicly available to anyone.

In this blog, using AADInternals v0.4.5, I’ll show how to gather information of any Azure AD tenant as an insider.

https://aadinternals.com/post/insider/
Quest for guest access: Azure Active Directory reconnaissance as a guest

This post is part 2⁄5 of Azure AD and Microsoft 365 kill chain blog series.

When sharing SharePoint with people outside the organisation or inviting them to Teams, a corresponding guest account is created in Azure AD. Although the created guest account is not a pure insider, it has wide read-only access to the organisation’s Azure AD information.

In this blog, using AADInternals v0.4.0, I’ll show how to gather information from Azure AD tenant as a guest user.

https://aadinternals.com/post/quest_for_guest/
AAD Kill chain
Introduction According to Verizon’s Data Breach Investigations Report 2020, external attackers are considerably more common than internal attackers. In the cloud era, attacking the organisation from the outside is much more difficult, if not impossible. Therefore, to be able to access the organisation’s data, one must gain some level of legitimate access to the organisation. The Azure AD and Microsoft 365 kill chain is a collection of recon techniques and hacking tools I’ve discovered and built during the last 10+ years while working with Microsoft cloud services.
https://aadinternals.com/aadkillchain/
Just looking: Azure Active Directory reconnaissance as an outsider

This post is part 1⁄5 of Azure AD and Microsoft 365 kill chain blog series.

Azure AD and Office 365 are cloud services, and most information is available only to the members (or guests) of the tenant. However, there is plenty of information publicly available to anyone.

In this blog, using AADInternals v0.4.0, I’ll show how to gather information of any Azure AD tenant as an outsider.

https://aadinternals.com/post/just-looking/
Getting root access to Azure VMs as an Azure AD Global Administrator

Sean Metcalf (@Pyrotek3) organised a great webcast at the end of May 2020. Among other things, Sean introduced a new (to me, at least) attack vector where an Azure AD administrator can easily get system-level access to any Azure virtual machine of the organisation. Naturally, I had to implement this functionality in AADInternals.

In this blog, using AADInternals v0.3.3, I’ll show how a Global Administrator can gain access to any Azure VM of the organisation.

https://aadinternals.com/post/azurevms/
Decrypting ADSync passwords - my journey into DPAPI

Microsoft changed the location of ADSync encryption keys in Azure AD Connect version 1.4.x. These keys are used to encrypt and decrypt the passwords of “service accounts” used for syncing data from AD to Azure AD. Earlier versions saved the keys in the registry, but currently, it is using DPAPI. Thus, AADInternals couldn’t decrypt the passwords anymore. Luckily, Dirk-jan Mollema described in his great article how the encryption keys could be extracted and used to decrypt the passwords. Using Dirk-jan’s article as a starting point, I decided to implement this in AADInternals.

https://aadinternals.com/post/adsync/
Deep-dive to Azure AD Pass-Through Authentication

In my earlier blog, I explained how Azure AD identity federation works under-the-hood. In this post, I’ll be doing the same with Azure AD pass-through authentication (PTA).

https://aadinternals.com/post/pta-deepdive/
Partner Center PowerShell module sends telemetry data to Microsoft

Microsoft has published a PowerShell module for their partners to ease and automate operations with their customers. This module is (quite intuitively) called Partner Center. While the module does well what it’s meant to do, it also tells Microsoft what the partners are doing.

https://aadinternals.com/post/partnercenter/
Azure AD Seamless SSO allows enumerating tenant users

In 2017, Oliver Morton introduced a feature he found in Office 365 ActiveSync, allowing enumerating the existence of users based on HTTP status codes. (Update: The “feature” was fixed by Microsoft in mid-November 2019.) In this blog, I’ll introduce my similar findings on using a Microsoft API to enumerate users when Seamless SSO is enabled in an Azure AD tenant.

https://aadinternals.com/post/desktopsso/
Deep-dive to Azure Active Directory Identity Federation

Identity federation is regarded as the most secure way to authenticate users to Azure AD. In this blog, I’ll deep-dive to identity federation implementation of Azure AD and point out some serious security issues.

https://aadinternals.com/post/aad-deepdive/
How to create over 256 character long passwords for cloud-only users

Microsoft (finally!) announced in April 2019 the support for 8-256 character passwords in Azure AD/Office 365. This limit does not apply to users whose passwords are synced from the on-prem Active Directory (or for federated users). In this blog, I tell how to set insanely long passwords (64K+) also for cloud-only users!

https://aadinternals.com/post/long-passwords/
How to create a backdoor to Azure AD - part 1: Identity federation

In November 2018, Azure AD MFA was down for over 12 hours, preventing users from logging in to Office 365. The same happened in October 2019 in US data centers. As MFA is usually mandatory for administrators by company policy, they couldn’t log in either. In this blog, I’ll show how to create a backdoor to Azure AD so you can log in and bypass MFA.

https://aadinternals.com/post/aadbackdoor/
Documentation

https://aadinternals.com/aadinternals/
AADInternals published!

For the last couple of months I’ve used most of my free time on studying and hacking Azure AD admin APIs. As a result, I’m finally publishing the first (beta) version of the AADInternals PowerShell module.

https://aadinternals.com/post/aadinternals/
Block user access to Azure AD PowerShell and Graph API Explorer

By default, any user of Office 365 or Azure AD tenant can read the content of Azure AD using PowerShell and Graph API Explorer. This is a serious security issue because users have undetectable access to other users’ personal data, which violates for instance GDPR. In this blog, I’ll tell how to prevent the access.

https://aadinternals.com/post/limit-user-access/
How to use a non-routable on-premises UPN with Office 365 and Azure AD

I’ve recently noticed that many organisations moving to Office 365 are struggling with their current on-premises non-routable UPNs. In this blog, I’ll show how to use Office 365 without altering on-premises UPNs.

https://aadinternals.com/post/non-routable-upn/
Chasing the Unicorn: PowerShell module for 'The Secret Office 365 Forensics Tool'

In June 2018, the existence of a secret Office 365 forensics tool was confirmed. The tool refers to Microsoft’s undocumented Exchange Online Activities API. The API provides access to granular mail activity events for data up to six months old!

To provide administrators with easy access to the API, I created a PowerShell module (EXOMailActivity). In this blog, I’ll show you how to use the module to get access to mail activity data.

https://aadinternals.com/post/exomailactivity/
Admin: Take back control of Office 365 Groups, Teams, and Planner!

Office 365 groups are a great way to promote collaboration between people inside and outside organisations. By default, users are able to create groups freely, making their use easy. However, in many organisations, this has led to chaos.

In this blog, I show how you can get back the control of Office 365 groups, Teams and Planner.

https://aadinternals.com/post/limit-o365-groups/
How to preserve user's mailbox during the long leave

Have you ever faced a situation where a user takes a longer than 30-day leave, and you would like to save money spent on Office 365 licenses but still preserve the user’s mailbox?

In this blog, I tell you how!

https://aadinternals.com/post/inactive-mailboxes/
Office 365 email encryption

It still surprises me how few know that Office 365 includes a full-fledged email encryption solution, Office Message Encryption (OME). A “new OME”, built on top of Azure Information Protection, has been available for some time now. In this blog, I’ll tell you how to set up and customise the new OME.

https://aadinternals.com/post/encrypt-email/
Is my Office 365 GDPR compliant?

In short, no it’s not. In this blog, I’ll tell you three reasons why.

https://aadinternals.com/post/o365-gdpr/
Azure AD PowerShell module installation got easier

Azure AD PowerShell module was earlier installed by a standard .msi package. Now you can install it using one PowerShell command. However, installation requires PowerShell 5 or newer.

https://aadinternals.com/post/ps-module/
Tools

Tools for hacking and administering Azure AD & Microsoft 365

https://aadinternals.com/tools/
Links

This article has all the important links you need to administer Office 365.

https://aadinternals.com/links/
How to enable SSO for all browsers

By default, AD FS only supports SSO with Internet Explorer. However, you can easily enable support for Google Chrome, Firefox, and Edge.

https://aadinternals.com/post/sso-for-non-ie-browsers/
Welcome to Office 365 blog

Welcome to my Office 365 blog!

In this blog I’ll discuss various aspects of administering the Office 365 suite.

https://aadinternals.com/post/welcome/