Entra ID User Reconnaissance and how to Protect against Entra ID User Recon

Derk van der Woude
6 min read, Feb 17, 2024


Entra ID (formerly Azure Active Directory / Azure AD) is Microsoft's cloud identity service that authenticates and authorizes access to cloud resources such as Microsoft 365 and Azure. The tenant is the security boundary: one tenant can hold one Microsoft 365 environment and/or one to many Azure subscriptions.

Reconnaissance against on-premises Active Directory requires a domain-joined (or at least domain-connected) computer. Entra ID is reachable from the internet 24x7 and ‘only’ requires a valid authenticated account with the default user permissions for reconnaissance.

Password Spray against Entra ID

Access to a compromised Entra ID account can be obtained via:

  • Password Spray attack: try one commonly used password against many accounts in the same tenant, which stays under per-account lockout thresholds, for example via MSOLSpray.
  • Brute Force attack: try many passwords against one account (easy to detect via smart lockout and often blocked).
  • Phishing attack: lure the user to a proxying fake website (Adversary-in-the-Middle, AiTM) to steal the username and password and the session cookie, which also bypasses MFA, for example via Evilginx.
  • Password re-use: re-use a password leaked in another breach (e.g. LinkedIn 2012), looked up for example via Dehashed.

This blog describes different reconnaissance methods, how to prevent Entra ID user reconnaissance, and which Microsoft security tools detect Entra ID attacks in general.

The account used for reconnaissance has no administrative roles assigned; everything below works with the default permissions of a member user.

Method 1 — Portal Access

Access to Entra ID is available via the following portals: the Entra admin center (entra.microsoft.com), the Azure portal (portal.azure.com) and the Microsoft 365 admin center.

Entra ID Portal

Tenant information (users, groups, devices, etc.) can be browsed from any of these portals with a non-admin account.

Method 2 — Azure AD PowerShell

The 2nd method is the Azure AD PowerShell module. Note that Microsoft has deprecated this module in favour of the Microsoft Graph PowerShell SDK (Connect-MgGraph / Get-MgUser), but it still works against Entra ID.

# Connect to Entra ID using the (deprecated) AzureAD PowerShell module
Install-Module AzureAD
Import-Module AzureAD
Connect-AzureAD

# Get all users; without -All $true the cmdlet returns only the first 100
Get-AzureADUser -All $true

The output lists all user accounts.

Azure AD PowerShell

Method 3 — Azure CLI

The 3rd method is the Azure CLI (Command-Line Interface). The --allow-no-subscriptions switch is needed because the reconnaissance account has no Azure subscription, only a tenant.


# Connect to Azure CLI
az login --allow-no-subscriptions

# Get all Users
az ad user list

The output displays all user accounts in JSON format.

Azure CLI

Method 4 — Azure RM

The 4th method is the Azure RM (Resource Manager) PowerShell module. AzureRM is retired and replaced by the Az module (Connect-AzAccount / Get-AzADUser), which behaves the same for this purpose.

# Connect to Azure RM
Install-Module AzureRM
Import-Module AzureRM
Connect-AzureRmAccount

# Get all Users
Get-AzureRmADUser

The output displays all users.

Azure RM

Method 5 — ROADrecon

Now let's switch to a dedicated reconnaissance tool. The tool we will use is ROADrecon (Rogue Office 365 and Azure (active) Directory reconnaissance, part of ROADtools), but there are many more tools available, such as Monkey365, Stormspotter, AzureHound, MicroBurst and PowerZure.

# Authenticate to Azure AD
roadrecon auth -u <user>@tenant.onmicrosoft.com -p <password>

# Gather all information
roadrecon gather

# Explore the data
roadrecon gui

The gathered data (users, groups, devices, roles, etc.) is explored in the local web browser by connecting to http://127.0.0.1:5000/.

ROADrecon output

ROADrecon Prevention

To prevent ROADtools/ROADrecon (which typically runs on Linux) from accessing Entra ID, create a Conditional Access policy that blocks sign-ins from device platforms your organisation does not use (e.g. Linux) and assign the policy to All users, see details below. Caveat: Conditional Access derives the device platform from the user agent string, which a client can set freely, so Microsoft documents the device platform condition as not a security control on its own. It stops off-the-shelf tooling, but a determined attacker can spoof a supported platform; combine it with the protections below.

Conditional Access policy to block unsupported O.S.

Always test any Conditional Access policy with a scoped set of users (or in report-only mode) before assigning it to All users, and exclude break-the-glass (BTG) or other recovery accounts.

Protection | Entra ID Read User information

To prevent (compromised) user accounts with default permissions from reading Entra ID user information, disable the following setting via the MSOnline PowerShell module. MSOnline is deprecated as well; the Microsoft Graph equivalent is the allowedToReadOtherUsers flag under defaultUserRolePermissions of the tenant authorization policy (PATCH /policies/authorizationPolicy).

# Disable the default permission of users to read other users
Install-Module MSOnline
Connect-MsolService
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

# Verify the tenant-wide setting
Get-MsolCompanyInformation | Select-Object UsersPermissionToReadOtherUsersEnabled

Always test each change and have a fall-back plan ready (Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $true), since the setting is tenant-wide and Microsoft 365 features that look up other users in the directory (people pickers, user lookups in Teams and SharePoint) depend on it; Microsoft does not recommend the setting for general use.

After the setting is set to $false, reading Entra ID user information with a default user account is denied due to insufficient permissions.

Azure AD PowerShell User Access Denied

Same results (access denied for user account information) in ROADrecon.

ROADrecon User Access Denied
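All of the enumeration methods above (the PowerShell modules, Azure CLI and ROADrecon) end up reading the same directory objects, and the protection above switches that read off for default users. The block below, an added example that is not code from the original post or from ROADtools, shows the underlying Microsoft Graph calls: enumerating users with proper paging (a single request returns at most 999 users, so first-page-only tooling undercounts large tenants), recognising the 403 "insufficient privileges" outcome you get once the setting is disabled, and reading the allowedToReadOtherUsers flag that causes it. The policy read needs an admin token with Policy.Read.All; the user enumeration works with any member user's token while the tenant default is in place. The token is assumed to come from elsewhere (e.g. MSAL), and the HTTP transport is injectable so everything can be exercised offline against the constructed Graph responses embedded at the bottom.

```python
"""Entra ID user enumeration via Microsoft Graph, and the tenant flag that
switches it off. Added example; the Graph responses below are constructed."""
import json
from typing import Callable, Dict, Iterator, List
from urllib.error import HTTPError
from urllib.request import Request, urlopen

GRAPH = "https://graph.microsoft.com/v1.0"
USERS_URL = f"{GRAPH}/users?$select=userPrincipalName,accountEnabled&$top=999"
POLICY_URL = f"{GRAPH}/policies/authorizationPolicy"
Transport = Callable[[str, str], dict]   # (url, bearer token) -> decoded JSON


class GraphDenied(Exception):
    """Graph answered HTTP 403 (error code Authorization_RequestDenied)."""


def http_get(url: str, token: str) -> dict:
    """Real transport: GET a Graph URL with a bearer token, return the JSON body."""
    req = Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urlopen(req) as resp:
            return json.load(resp)
    except HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        if err.code == 403:
            raise GraphDenied(body) from None
        raise


def iter_users(token: str, get: Transport = http_get) -> Iterator[dict]:
    """Yield every user object, following @odata.nextLink until exhausted."""
    url = USERS_URL
    while url:
        page = get(url, token)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def enumerate_users(token: str, get: Transport = http_get) -> Dict[str, object]:
    """Collect all UPNs and report whether the tenant denied the read."""
    upns: List[str] = []
    try:
        for user in iter_users(token, get):
            upns.append(user["userPrincipalName"])
    except GraphDenied:
        return {"denied": True, "count": len(upns), "upns": upns}
    return {"denied": False, "count": len(upns), "upns": upns}


def users_can_read_others(token: str, get: Transport = http_get) -> bool:
    """Read defaultUserRolePermissions.allowedToReadOtherUsers from the tenant
    authorization policy, the Graph name of the MSOnline setting
    UsersPermissionToReadOtherUsersEnabled. Absent key = tenant default (True)."""
    policy = get(POLICY_URL, token)
    return bool(policy.get("defaultUserRolePermissions", {})
                      .get("allowedToReadOtherUsers", True))


def fake_graph(pages: Dict[str, dict]) -> Transport:
    """Offline transport over constructed responses; a page carrying an
    "error" key is served as a 403, as Graph would."""
    def get(url: str, token: str) -> dict:
        page = pages[url]
        if "error" in page:
            raise GraphDenied(json.dumps(page))
        return page
    return get


# Constructed sample tenant before hardening: two pages of users, flag still open.
OPEN_TENANT = {
    USERS_URL: {
        "value": [{"userPrincipalName": "alice@contoso.onmicrosoft.com", "accountEnabled": True},
                  {"userPrincipalName": "bob@contoso.onmicrosoft.com", "accountEnabled": True}],
        "@odata.nextLink": f"{GRAPH}/users?$skiptoken=page2",
    },
    f"{GRAPH}/users?$skiptoken=page2": {
        "value": [{"userPrincipalName": "carol@contoso.onmicrosoft.com", "accountEnabled": False}],
    },
    POLICY_URL: {"defaultUserRolePermissions": {"allowedToReadOtherUsers": True}},
}
# Same tenant after Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false.
HARDENED_TENANT = {
    USERS_URL: {"error": {"code": "Authorization_RequestDenied",
                          "message": "Insufficient privileges to complete the operation."}},
    POLICY_URL: {"defaultUserRolePermissions": {"allowedToReadOtherUsers": False}},
}

if __name__ == "__main__":
    for name, tenant in (("open", OPEN_TENANT), ("hardened", HARDENED_TENANT)):
        get = fake_graph(tenant)
        print(name, users_can_read_others("token", get), enumerate_users("token", get))
```

Swap `fake_graph(...)` for the default `http_get` transport with a real token to run it against a tenant; the `denied` flag is what ROADrecon's "access denied" screenshot above corresponds to at the API level.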

The (advanced) next layer of prevention is Entra ID Conditional Access policies such as require compliant device, require compliant network, location-based access, token protection, etc.

These policies have high impact: signing in from unmanaged work-from-home computers is no longer possible.

Detection | Entra ID Identity Protection

Entra ID Identity Protection detects sign-in anomalies (medium risk, e.g. anonymous IP address usage) and compromised users (high risk, e.g. leaked credentials) during the initial access phase.

Entra ID Identity Protection

High risk (compromised credentials) can be mitigated automatically with a forced password reset (or a block for passwordless accounts) and medium risk (anomalies) with a Multi-Factor Authentication challenge, provided the user risk and sign-in risk policies (or the equivalent Conditional Access risk conditions) are enabled; detection alone does not remediate.

What Entra ID Identity Protection does not detect is the reconnaissance phase (e.g. reading all user accounts, reading Global Administrator role membership, etc.).

Microsoft Defender for Identity does a better job in the Reconnaissance phase (after initial compromise), see my previous blog on Active Directory Reconnaissance and Microsoft Defender for Identity

Detection | Microsoft Sentinel | Threat Intelligence

Threat Intelligence in Microsoft Sentinel (or basic hunting in Entra ID logs) can be used to detect unauthorized access in Entra ID.

The query below detects a successful password spray attack (10 or more different user accounts with unsuccessful sign-in attempts from the same source IP, followed by a successful sign-in from that IP) and outputs the user(s) and IP address(es).

Exclude the corporate public IP address(es) in the query if applicable, or raise the number of distinct users for higher fidelity.

let IPlist = SigninLogs
// 50126 invalid username or password, 50053 account locked / IP blocked,
// 50076 password correct but MFA required (a hit for the attacker)
| where ResultType in ('50076', '50126', '50053')
| summarize USERs = make_set(Identity) by Location, IPAddress
| where array_length(USERs) >= 10
| project IPAddress;   // 'in (tabular)' needs a single column: the IP, not Location
SigninLogs
| where IPAddress in (IPlist) and ResultType == '0'
| project TimeGenerated, Identity, UserPrincipalName, IPAddress, Location, AppDisplayName
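To check the detection logic without a Sentinel workspace, the same rule is re-implemented below over constructed sign-in records. This is an added example, not code from the original post; the records mimic only the SigninLogs columns the query uses (Identity, IPAddress, Location, ResultType), and the distinct-user threshold and corporate IP exclusion are parameters so the fidelity tuning described above can be tried out.

```python
"""Password-spray detection over Entra ID sign-in records: the logic of the
KQL query above in Python. Added example; the sample log is constructed."""
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Result codes the query treats as spray noise:
# 50126 invalid username/password, 50053 account locked or IP blocked,
# 50076 password correct but MFA required (the attacker found a valid password).
SPRAY_FAILURES = {"50126", "50053", "50076"}
SUCCESS = "0"


def detect_spray(records: Iterable[dict], min_users: int = 10,
                 corporate_ips: FrozenSet[str] = frozenset()) -> List[Tuple[str, str, str]]:
    """Return sorted (IPAddress, Location, Identity) tuples for successful
    sign-ins from sources that first failed against >= min_users accounts.
    Corporate egress IPs are excluded before counting, as the text advises."""
    records = list(records)
    failed_users: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for r in records:
        if r["ResultType"] in SPRAY_FAILURES and r["IPAddress"] not in corporate_ips:
            failed_users[(r["Location"], r["IPAddress"])].add(r["Identity"])
    spray_ips = {ip for (_, ip), users in failed_users.items() if len(users) >= min_users}
    hits = {(r["IPAddress"], r["Location"], r["Identity"])
            for r in records if r["ResultType"] == SUCCESS and r["IPAddress"] in spray_ips}
    return sorted(hits)


def _signin(identity: str, ip: str, location: str, result: str) -> dict:
    return {"Identity": identity, "IPAddress": ip, "Location": location, "ResultType": result}


# Constructed sample log: a spray from 203.0.113.10 across 12 accounts where
# one password works, a corporate egress IP (198.51.100.5) with noisy failures
# and a success, and a low-volume source (192.0.2.77) below the threshold.
SAMPLE_LOG = (
    [_signin(f"user{i:02d}", "203.0.113.10", "NL", "50126") for i in range(12)]
    + [_signin("user07", "203.0.113.10", "NL", "0")]
    + [_signin(f"emp{i:02d}", "198.51.100.5", "NL", "50126") for i in range(11)]
    + [_signin("emp03", "198.51.100.5", "NL", "0")]
    + [_signin(f"user{i:02d}", "192.0.2.77", "US", "50126") for i in range(5)]
    + [_signin("user02", "192.0.2.77", "US", "0")]
)
CORPORATE_IPS = frozenset({"198.51.100.5"})

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))                               # corporate IP also flagged
    print(detect_spray(SAMPLE_LOG, corporate_ips=CORPORATE_IPS))  # only the real spray remains
```

Run with the default threshold the corporate egress address is flagged too (many employees mistyping passwords behind one NAT address looks identical to a spray), which is exactly why the exclusion, or a higher threshold, is needed before the IP is promoted to a threat indicator.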

The malicious IP address(es) can be ingested (manually or automated via Logic Apps) into Microsoft Sentinel | Threat Intelligence, and the analytics rule template TI map IP entity to SigninLogs enabled to detect any sign-in activity from those IP addresses (streaming SigninLogs to Log Analytics requires an Entra ID P1 or P2 licence).

Threat Intelligence Alert

I hope this blog gives insights into Entra ID User Reconnaissance and tips to prevent or detect attacks or anomalies on Entra ID.

Written by Derk van der Woude, Chief Technology Officer @ Nedscaper