Auditing Entra ID with AADInternals

Legal Notice: This skill is for authorized security testing, red-team engagements, and educational purposes only. AADInternals can forge SAML tokens and install federation backdoors that grant persistent impersonation of any tenant user. Use only against tenants you own or have explicit written authorization (rules of engagement) to test. Unauthorized use violates the Computer Fraud and Abuse Act and equivalent laws.

Overview

AADInternals is the most comprehensive offensive/administrative PowerShell toolkit for Microsoft Entra ID (formerly Azure AD), Azure AD Connect, and Active Directory Federation Services (AD FS), authored by Dr. Nestori Syynimaa (Gerenios / Secureworks). It exposes hundreds of cmdlets (all prefixed AADInt) covering unauthenticated outsider reconnaissance, access-token acquisition for every Microsoft API, directory manipulation, and AD FS/PTA attacks. The technique it is most famous for is the federation backdoor: by abusing the Set-MsolDomainFederationSettings / ConvertTo-AADIntBackdoor path, an attacker who controls a federated domain's IssuerUri can mint SAML tokens for arbitrary users. This maps to MITRE ATT&CK T1606.002 (Forge Web Credentials: SAML Tokens), the same class of technique used in the SolarWinds (Golden SAML) intrusions.

The toolkit separates capabilities by required position. Invoke-AADIntReconAsOutsider and Get-AADIntLoginInformation require no credentials — they query public endpoints (getuserrealm, OpenID configuration, autodiscover) to reveal verified domains, tenant ID, federation type, brand, and whether Desktop/Seamless SSO is enabled. With a foothold, Get-AADIntAccessTokenFor* cmdlets acquire tokens for Azure AD Graph, Microsoft Graph, Exchange Online, SharePoint, Azure Core Management, and more, optionally caching them so subsequent cmdlets reuse them. With Global Administrator (or a synced AD Connect account), the toolkit can read directory secrets, manipulate users, and establish the federation backdoor.

This skill drives AADInternals through a defensive-validation lens: confirm what an external attacker can learn, what a low-privileged token reaches, and whether federation/AD FS configuration would allow Golden SAML — then produce evidence and hardening recommendations.

When to Use

  • During an authorized Entra ID / Microsoft 365 red-team or assumed-breach assessment
  • To enumerate external attack surface (verified domains, federation type, SSO) before credential attacks
  • To validate that federation and AD FS token-signing certificates are protected against Golden SAML
  • To test token acquisition and replay across Microsoft first-party APIs
  • When building detections (pair with the blue-team Graph-log hunting skill) and you need real AADInternals telemetry
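The last point above is the detection side of the federation backdoor. As an added example (not part of this skill or of AADInternals), the following Python flags the Entra ID audit-log activities that a federation change produces, run over constructed records in the Microsoft Graph directoryAudit shape; the activity display names, the sample values and the known-issuer allowlist are assumptions to verify against your own tenant.

```python
import json

# Entra ID audit-log activities that change a domain's authentication or federation
# configuration, the path a federation backdoor takes. Assumed names; verify in your tenant.
FEDERATION_ACTIVITIES = {"Set domain authentication", "Set federation settings on domain"}

# Constructed sample records in the Graph directoryAudit shape (values made up; property values arrive JSON-encoded).
SAMPLE_AUDIT_LOG = [
    {"activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"displayName": "alice@contoso.example", "modifiedProperties": []}]},
    {"activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"user": {"userPrincipalName": "breakglass@contoso.example"}},
     "targetResources": [{"displayName": "contoso.example", "modifiedProperties": [
         {"displayName": "IssuerUri",
          "oldValue": "\"http://adfs.contoso.example/adfs/services/trust\"",
          "newValue": "\"http://unknown-sts.example/trust\""},
         {"displayName": "SigningCertificate", "oldValue": "\"MIIC-old\"", "newValue": "\"MIIC-new\""}]}]},
    {"activityDisplayName": "Set domain authentication",
     "initiatedBy": {"app": {"displayName": "Sync service"}},
     "targetResources": [{"displayName": "sub.contoso.example", "modifiedProperties": [
         {"displayName": "Authentication", "oldValue": "\"Managed\"", "newValue": "\"Federated\""}]}]},
]

def _decode(value):
    """Property values are JSON-encoded strings; fall back to the raw text."""
    try:
        return json.loads(value) if value is not None else None
    except json.JSONDecodeError:
        return value

def find_federation_changes(records, known_issuers):
    """Flag records that alter federation settings. known_issuers holds the
    IssuerUri values of your legitimate AD FS / IdP farms: a new issuer outside
    it, or a Managed -> Federated switch, is high; a bare signing-certificate
    change is medium (routine rollover, but correlate with change records)."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in FEDERATION_ACTIVITIES:
            continue
        who = rec.get("initiatedBy", {})
        actor = (who.get("user") or {}).get("userPrincipalName") or (who.get("app") or {}).get("displayName", "unknown")
        for target in rec.get("targetResources", []):
            changes = {p["displayName"]: _decode(p.get("newValue")) for p in target.get("modifiedProperties", [])}
            issuer = changes.get("IssuerUri")
            high = (issuer is not None and issuer not in known_issuers) or changes.get("Authentication") == "Federated"
            findings.append({"domain": target.get("displayName"), "actor": actor, "activity": rec["activityDisplayName"],
                             "changes": changes, "severity": "high" if high else "medium"})
    return findings
```

In production, feed the function the records returned by the Graph `auditLogs/directoryAudits` endpoint and keep the issuer allowlist in version control so a drift is itself an auditable event.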
auditing-entra-id-with-aadinternals — mukul975/anthropic-cybersecurity-skills