Stephan van Rooij

Software architect with a passion for home automation.

Extract all Azure AD admin accounts

PowerShell is pretty powerful for all kinds of administrative tasks, especially if you load some extra modules. We use the AzureAD module for a lot of tasks that can be (semi-)automated with a script. In this post I described how to extract all users from Azure AD as a regular user, and what you should do about it.

Extracting users isn’t the only thing you can do with Azure AD PowerShell. This page shows how to export all Azure AD global admins, which ANY user in your tenant can do unless you take action against it.

Install AzureAD module

Installing a module should be a breeze, but for completeness, here is the command:

Install-Module AzureAD
# or just importing if previously installed
# Import-Module AzureAD

Get all Global Admins

Let’s say you want all the available users in your tenant “safely” stored in a CSV file on your local machine.

# This will open a Microsoft login screen and save the resulting session
$session = Connect-AzureAD

# Load the correct role (change name for other role)
# or Get-AzureADDirectoryRole for all roles
$role = Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'"
$admins = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId

# Show admins
$admins | Format-Table

That was easy: 4 lines of “code” and you know which user accounts have access to all Azure AD resources in your organization.

Get all admins in a single line of code

For faster copy/pasting, here is the same code as a one-liner.

$session = Connect-AzureAD; $role = Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'"; Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Format-Table

Other roles

Finding a global admin account might be really useful. If you’re targeting some specific application, members of a different role might also be enough. Azure AD built-in roles describes all the roles that Azure AD has built-in.

The Application Administrator is interesting since it can add additional applications which might grant access to other parts of the directory.
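The same lookup can be turned into a periodic review of who holds these roles. The script below is an added example, not code from the original post: it lists the members of both roles named above and flags the assignments that deserve a closer look. The role list, the review criteria and the CSV file name are assumptions chosen for illustration.

```powershell
# Added example: review the membership of the privileged roles discussed above.
# Assumes the AzureAD module is installed; role list and CSV path are illustrative.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$rolesToReview = @('Global Administrator', 'Application Administrator')

# Get-AzureADDirectoryRole only returns roles that are activated in the tenant,
# so a role that nobody has ever been assigned to may be missing from this list.
$activeRoles = Get-AzureADDirectoryRole

$report = foreach ($name in $rolesToReview) {
    $role = $activeRoles | Where-Object { $_.DisplayName -eq $name }
    if (-not $role) {
        Write-Warning "Role '$name' is not activated in this tenant, nothing to list."
        continue
    }
    foreach ($member in (Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)) {
        [pscustomobject]@{
            Role              = $name
            DisplayName       = $member.DisplayName
            UserPrincipalName = $member.UserPrincipalName  # empty for service principals
            ObjectType        = $member.ObjectType         # User or ServicePrincipal
            UserType          = $member.UserType           # Member or Guest (users only)
            AccountEnabled    = $member.AccountEnabled
            ObjectId          = $member.ObjectId
        }
    }
}

# Assignments worth a closer look: non-user principals, guests, disabled accounts
$review = $report | Where-Object {
    $_.ObjectType -ne 'User' -or $_.UserType -eq 'Guest' -or $_.AccountEnabled -eq $false
}

$report | Sort-Object Role, DisplayName |
    Format-Table Role, DisplayName, UserPrincipalName, ObjectType
"{0} role assignments, {1} flagged for review" -f @($report).Count, @($review).Count
$review | Format-Table Role, DisplayName, ObjectType, UserType, AccountEnabled

# Keep a dated copy so the next review can be compared against this one
$report | Export-Csv -Path ".\privileged-role-members-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Comparing the CSV from one run to the next shows which privileged assignments were added or removed in between.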
