Active Directory
Azure Active Directory (Azure AD) / Microsoft Entra ID is Microsoft's enterprise cloud-based identity and access management (IAM) solution. It is designed to provide secure and efficient identity management and access control for applications in the cloud and on-premises. Azure AD is a critical component of the Office 365 system and offers robust features for integrating with on-premises Active Directory environments and providing authentication to other cloud-based systems via OAuth.
Azure AD Objects
Each Azure AD object has a unique identifier associated with it, known as the object ID. These objects are the building blocks of Azure AD, and each object type has its own set of properties. The primary types of Azure AD objects are:
- Users: Individuals who have accounts in the directory.
- Groups: Collections of users or other groups, used to manage permissions and access collectively.
- Devices: Physical or virtual devices registered in the directory.
- Applications: Applications that are integrated with Azure AD for authentication and authorization.
Each object type in Azure AD has specific properties and attributes that define its characteristics and control its behavior within the directory.
Azure AD Directory Roles
Azure AD directory roles are a set of predefined roles that grant permissions to perform specific administrative tasks within an Azure AD tenant. These roles simplify the management of permissions and help ensure that users have the necessary access to perform their duties without over-provisioning.
Types of Azure AD Roles
Built-in Directory Roles
Built-in directory roles are predefined roles provided by Azure AD. Some of the key built-in roles include:
- Global Administrator: Has access to all administrative features in Azure AD.
- Application Administrator: Can manage application registrations and settings.
- User Administrator: Can manage users and groups, including creating and deleting users.
Custom Directory Roles
Custom directory roles allow organizations to define their own roles with specific permissions tailored to their unique requirements. These roles provide flexibility in managing access and ensuring that permissions align with organizational policies and workflows.
Microsoft Graph API
The Microsoft Graph API is a powerful endpoint for interacting with Azure AD and other Microsoft services programmatically. It allows developers to access and manage directory resources, such as users, groups, and applications, through a unified REST API.
Example Endpoint
To use the Microsoft Graph API, you construct HTTP requests to the following endpoint structure:
{HTTP method} https://graph.microsoft.com/{version}/{resource}?{query-parameters}
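As an added illustration (not part of the original page), the following Python builds Graph URLs in the `{version}/{resource}?{query-parameters}` shape above and walks a paged `directoryRoles` collection to list who holds the privileged built-in roles described earlier. The HTTP layer is replaced by a constructed, in-memory response (tenant names, UPNs and the skiptoken are made up) so it runs offline; the `@odata.nextLink` paging it follows is real Graph behaviour.

```python
import json
from urllib.parse import urlencode

GRAPH_ROOT = "https://graph.microsoft.com"

def build_graph_url(resource, version="v1.0", **query):
    """Assemble {GRAPH_ROOT}/{version}/{resource}?{query-parameters}.
    OData options are given without the '$' (select=..., expand=...)."""
    params = {f"${k}": v for k, v in query.items()}
    url = f"{GRAPH_ROOT}/{version}/{resource.lstrip('/')}"
    return f"{url}?{urlencode(params, safe='$,')}" if params else url

# Constructed sample: two pages of GET /v1.0/directoryRoles?$expand=members.
# Role names are real built-in roles; members and the skiptoken are invented.
PAGE1_URL = build_graph_url("directoryRoles", expand="members")
PAGE2_URL = PAGE1_URL + "&$skiptoken=constructed-token"
SAMPLE_PAGES = {
    PAGE1_URL: {"value": [
        {"displayName": "Global Administrator", "members": [
            {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "alice@contoso.example"},
            {"@odata.type": "#microsoft.graph.servicePrincipal", "displayName": "legacy-sync-app"}]}],
        "@odata.nextLink": PAGE2_URL},
    PAGE2_URL: {"value": [
        {"displayName": "User Administrator", "members": [
            {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "bob@contoso.example"}]}]},
}

def fetch_all(start_url, get_json):
    """Follow @odata.nextLink until the collection is exhausted; get_json is
    any callable that turns a URL into the decoded JSON body."""
    items, url = [], start_url
    while url:
        page = get_json(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items

def privileged_members(roles, watch=("Global Administrator", "User Administrator")):
    """Map each watched role to (principal type, identity) pairs so that
    non-human holders such as service principals stand out in review."""
    report = {}
    for role in roles:
        if role.get("displayName") in watch:
            report[role["displayName"]] = [
                (m["@odata.type"].rsplit(".", 1)[-1], m.get("userPrincipalName") or m.get("displayName"))
                for m in role.get("members", [])]
    return report

if __name__ == "__main__":
    print(json.dumps(privileged_members(fetch_all(PAGE1_URL, SAMPLE_PAGES.__getitem__)), indent=2))
```

Against a live tenant, `get_json` would be a function that sends a bearer-authenticated GET to the URL; everything else stays the same.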