Enumerate Users and Domains
Microsoft exposes a series of public APIs and well-known DNS suffixes that we can check during the enumeration phase.
Enumerating with Public APIs
These APIs can be used to find information about domain names: whether a domain is federated or not, whether a specific user exists within the tenant, and the tenant's DNS records.
| Endpoint | Returns | AADInternals cmdlet |
| --- | --- | --- |
| `login.microsoftonline.com/<domain>/.well-known/openid-configuration` | Login information, including tenant ID | `Get-AADIntTenantID -Domain <domain>` |
| `autodiscover-s.outlook.com/autodiscover/autodiscover.svc` | All domains of the tenant | `Get-AADIntTenantDomains -Domain <domain>` |
| `login.microsoftonline.com/GetUserRealm.srf?login=<UserName>` | Login information of the tenant, including tenant name and domain authentication type | `Get-AADIntLoginInformation -UserName <UserName>` |
| `login.microsoftonline.com/common/GetCredentialType` | Login information, including Desktop SSO information | `Get-AADIntLoginInformation -UserName <UserName>` |
AAD also has some pre-defined DNS suffixes we can use to verify whether a domain is using Azure: for example, if something.blob.core.windows.net exists, then we know that the something domain uses Azure. More suffixes are listed here.
Another way to figure out if a domain is using AAD is to visit https://login.microsoftonline.com/getuserrealm.srf?login=username@<domain>.onmicrosoft.com&xml=1.

If we know a tenant exists, we can get its tenant ID by visiting https://login.microsoftonline.com/<domain>/.well-known/openid-configuration.
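To make the responses of the endpoints above concrete, the following added example (not part of the original page and not AADInternals code) parses constructed sample responses offline and extracts the fields the table refers to: the tenant ID, the domain's authentication type, and the Desktop SSO flag. The sample JSON values are constructed to mirror the shape of these public responses; no network request is made.

```python
import json
import re

# Constructed sample responses (not captured from any real tenant), shaped like the
# public endpoints discussed above.
OPENID_CONFIG = json.dumps({
    "token_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/token",
    "issuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
})
USER_REALM_MANAGED = json.dumps({
    "NameSpaceType": "Managed", "DomainName": "example.com", "FederationBrandName": "Example Corp",
})
USER_REALM_FEDERATED = json.dumps({
    "NameSpaceType": "Federated", "DomainName": "example.com",
    "AuthURL": "https://adfs.example.com/adfs/ls/",  # placeholder federation endpoint
})
USER_REALM_UNKNOWN = json.dumps({"NameSpaceType": "Unknown"})
CRED_TYPE = json.dumps({"IfExistsResult": 0, "EstsProperties": {"DesktopSsoEnabled": True}})

GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def tenant_id(openid_json):
    """The tenant ID is the GUID path segment of the token_endpoint URL."""
    match = GUID.search(json.loads(openid_json).get("token_endpoint", ""))
    return match.group(0).lower() if match else None


def realm(user_realm_json):
    """Managed: Azure AD authenticates the domain. Federated: users are redirected to AuthURL.
    Unknown: the domain is not registered in any Azure AD tenant."""
    data = json.loads(user_realm_json)
    kind = data.get("NameSpaceType", "Unknown")
    return {"in_azure_ad": kind != "Unknown", "type": kind, "auth_url": data.get("AuthURL")}


def credential_type(cred_json):
    """IfExistsResult 0 is the 'user exists' code; DesktopSsoEnabled shows whether Seamless SSO is on."""
    data = json.loads(cred_json)
    ests = data.get("EstsProperties") or {}
    return {"user_exists": data.get("IfExistsResult") == 0,
            "desktop_sso": bool(ests.get("DesktopSsoEnabled"))}


if __name__ == "__main__":
    print("tenant:", tenant_id(OPENID_CONFIG))
    for sample in (USER_REALM_MANAGED, USER_REALM_FEDERATED, USER_REALM_UNKNOWN):
        print("realm:", realm(sample))
    print("credential type:", credential_type(CRED_TYPE))
```

Running the same parsing against your own domain's responses shows exactly what is disclosed to anyone who asks, which is the information worth reviewing before it shows up in someone else's recon.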
Subdomain enumeration
To perform subdomain enumeration we can use MicroBurst.
Generating a username wordlist
A useful website for generating a username wordlist is hunter.io, which also returns the most common patterns used in the organisation's email address structure.
Resource groups enumeration
If we have a subscription ID, we can get more information about the resource groups contained in that subscription.
Other good tools for AAD enumeration