Stephan van Rooij

Software architect with a passion for home automation.

Extract all Azure AD admin accounts


PowerShell is pretty powerful for all kinds of administrative tasks, especially if you load some extra modules. We use the AzureAD module for a lot of tasks that can be (semi-)automated with a script. In a previous post I described how to extract all users from Azure AD as a regular user, and what you should do about it.

Extracting users isn’t the only thing you can do with the Azure AD PowerShell module. This post shows how to list every Global Administrator in the tenant, and that query can be run by ANY member user in your tenant unless you take action against it: by default, ordinary users are allowed to read directory role membership.

Install AzureAD module

Installing a module should be a breeze; for completeness, here is the command. (Microsoft has since deprecated the AzureAD module in favour of the Microsoft Graph PowerShell SDK, but the technique, and the exposure it demonstrates, is the same.)

# Installs from the PowerShell Gallery; -Scope CurrentUser avoids needing local admin rights
Install-Module AzureAD -Scope CurrentUser
# or just import it if previously installed
# Import-Module AzureAD

Get all Global Admins

Let’s say you want to know which accounts hold the Global Administrator role in your tenant.

# This will open a Microsoft login screen and save the resulting session
$session = Connect-AzureAD

# Load the correct role (change the name for another role)
# or run Get-AzureADDirectoryRole without a filter for all activated roles
$role = Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'"

# Members can be users, groups or service principals. Only active assignments are
# returned; PIM-eligible assignments do not show up here.
$admins = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId

# Show admins
$admins | Format-Table

That was easy: four lines of “code” and you know which accounts have access to all Azure AD resources in your organization.

Get all admins in a single line of code

For faster copy/pasting, here is the same code as a one-liner.

$session = Connect-AzureAD; $role = Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'"; Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Format-Table

Other roles

Finding a Global Administrator account might be really useful. If you’re targeting a specific application, members of a different role might also be enough. The Azure AD built-in roles documentation describes all the roles that Azure AD has built in.

The Application Administrator role is interesting since it can create applications and manage the credentials of existing ones, which means it can act as any application in the tenant and inherit whatever permissions those applications hold over other parts of the directory.
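The following script is an added example for this post and the “Other roles” section above; it is not code from the original post. It extends the four-line query to a set of privileged roles, resolves the member type (user, service principal, or role-assignable group, which it can expand), tolerates the older “Company Administrator” display name, and writes the result to a CSV. It assumes the AzureAD module is installed and will prompt for a login if there is no session yet; the list of roles is an assumption, adjust it to your tenant.

```powershell
# Added example (not code from the original post). Assumes the AzureAD module is
# installed; connects if there is no session yet. The role list below is an
# assumption: adjust it to the roles that matter for your tenant.
try { Get-AzureADCurrentSessionInfo -ErrorAction Stop | Out-Null }
catch { Connect-AzureAD | Out-Null }

$PrivilegedRoles = @(
    'Global Administrator',
    'Privileged Role Administrator',
    'Privileged Authentication Administrator',
    'Application Administrator',
    'Cloud Application Administrator',
    'User Administrator',
    'Exchange Administrator'
)

# Picks a stable, human-readable identifier per member type.
function Get-MemberIdentifier {
    param([Parameter(Mandatory)] $Member)
    switch ($Member.ObjectType) {
        'User'             { $Member.UserPrincipalName }
        'ServicePrincipal' { "appId=$($Member.AppId)" }
        default            { $Member.ObjectId }
    }
}

function Get-PrivilegedRoleMembers {
    param(
        [string[]] $RoleNames = $PrivilegedRoles,
        [switch]   $ExpandGroups
    )

    # Get-AzureADDirectoryRole lists only roles that have been activated in the
    # tenant, and membership reflects active assignments only: PIM *eligible*
    # assignments do not show up here.
    $activeRoles = Get-AzureADDirectoryRole

    foreach ($name in $RoleNames) {
        $role = $activeRoles | Where-Object DisplayName -eq $name
        # Older versions of the module exposed Global Administrator as 'Company Administrator'.
        if (-not $role -and $name -eq 'Global Administrator') {
            $role = $activeRoles | Where-Object DisplayName -eq 'Company Administrator'
        }
        if (-not $role) {
            Write-Warning "Role '$name' has never been activated in this tenant (no members)."
            continue
        }

        foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
            if ($ExpandGroups -and $member.ObjectType -eq 'Group') {
                # Role-assignable group: every group member effectively holds the role.
                foreach ($gm in Get-AzureADGroupMember -ObjectId $member.ObjectId -All $true) {
                    [pscustomobject]@{
                        Role        = $name
                        ObjectType  = $gm.ObjectType
                        DisplayName = $gm.DisplayName
                        Identifier  = Get-MemberIdentifier $gm
                        ViaGroup    = $member.DisplayName
                        Enabled     = $gm.AccountEnabled
                    }
                }
                continue
            }
            [pscustomobject]@{
                Role        = $name
                ObjectType  = $member.ObjectType
                DisplayName = $member.DisplayName
                Identifier  = Get-MemberIdentifier $member
                ViaGroup    = $null
                Enabled     = $member.AccountEnabled
            }
        }
    }
}

$report = Get-PrivilegedRoleMembers -ExpandGroups | Sort-Object Role, ObjectType, DisplayName
$report | Format-Table -AutoSize

# Same "safely stored in a CSV" idea as the user export, now for privileged roles.
$report | Export-Csv -Path .\privileged-role-members.csv -NoTypeInformation -Encoding UTF8

# Quick sanity check: a large number of standing Global Admins is a finding in itself.
$gaCount = @($report | Where-Object Role -eq 'Global Administrator').Count
Write-Host "Standing Global Administrator assignments: $gaCount"
```

Run it as an ordinary member account first: if it returns the full list, the default directory read permissions are still in place and anyone in the tenant can map your administrators. Service principals with a privileged role deserve the same scrutiny as users, since anyone who can add a credential to the backing application inherits the role.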

Extract all users with powershell and what to do about it part two


In a previous post I showed how to extract all users from a Microsoft 365 tenant, and what you should do about that. If you followed along, that leak is now closed. The Azure AD module isn’t the only way to extract user information from a tenant, though. This post shows how to do the same (extract all users to a CSV file) with the Microsoft Graph PowerShell modules, and what you should do about that.

Proof of concept: Multi tenant managed identity


Ever since Microsoft created managed identities, people have been asking how, or whether, they work for multi-tenant applications. Microsoft even devotes an FAQ entry to it.

In my previous post I wrote that it is possible to use a managed identity to get access tokens for a multi-tenant application. If you haven’t seen that post, be sure to check it out, since this post builds on the knowledge from it to demo the process.

Hacking Primary refresh tokens, oops created a virus


Windows has some clever ways to handle SSO in combination with Azure AD, built around the so-called Primary Refresh Token (PRT). This highly sensitive key material is normally protected by the system’s TPM (Trusted Platform Module), a hardware device that protects keys, and is “unlocked” when the user logs in.

A post by Lee Christensen, and the accompanying RequestAADRefreshToken source, inspired me to check out what he had found.
