
Azure Access Tokens

Recently I’ve been studying cloud penetration testing, focusing on the Azure ecosystem.
One point that confused me throughout was access tokens: where they come from and what permissions they actually carry. This post documents what I learned, and shares it with the community!

Getting Azure Access Tokens

There are many ways to obtain Azure access tokens, but roughly these are the three main ways
  1. Azure CLI
  2. Azure PowerShell cmdlets
  3. Logging into the Azure Portal in a browser

Azure CLI

Log in with the user’s credentials. --allow-no-subscriptions is optional; it lets the login succeed even if the account has no subscription.
az login -u "user@domain.com" -p "password123" --allow-no-subscriptions
Request a token for the appropriate resource. The value of --resource becomes the token’s audience (aud claim); note that graph.windows.net is the legacy Azure AD Graph endpoint, while Microsoft Graph lives at graph.microsoft.com.
az account get-access-token --resource https://management.azure.com
az account get-access-token --resource https://vault.azure.net
az account get-access-token --resource https://graph.windows.net

Azure PowerShell cmdlets

Log in as the user with the cmdlet
$password = ConvertTo-SecureString 'password123' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('user@domain.com', $password)
Connect-AzAccount -Credential $creds
Request a token for the resource (-ResourceUrl sets the token’s audience)
$context = Get-AzContext
$token = Get-AzAccessToken -ResourceUrl https://management.azure.com/ -Context $context
Use the token as a bearer token against the REST API
$headers = @{ 'Authorization' = "Bearer $($token.Token)" }
Invoke-RestMethod -Uri 'https://management.azure.com/subscriptions?api-version=2020-01-01' -Headers $headers

Azure Portal

As a user, navigate to https://portal.azure.com and login using your credentials.
All three methods authenticate with OAuth 2.0 under the hood, the CLI and the cmdlets included, so the protocol itself is not what sets the portal apart. What differs is the client application the token is issued to and the delegated permissions that client has been granted: tokens taken from a user’s browser session, or from an application the user has consented to, are issued to clients with broader permissions than the CLI’s own client, which is why they can reach more. More on this in the next section.

Difference between Tokens

Now here’s the important part: you have the tokens, what can you access? Tokens obtained through different methods are issued to different client applications with different scopes, so they reach different resources, such as
  • Azure Resources (resource groups, Azure AD information, Graph API)
  • Microsoft 365 Resources (Outlook, SharePoint)
Access tokens obtained from the Azure CLI or the Azure PowerShell cmdlets are issued to those tools’ own client applications and are scoped to Azure services and directory APIs, not to Outlook mail, SharePoint, or other Microsoft 365 services (e.g. you cannot query SharePoint or Outlook resources with them). The decisive claims are visible inside the token itself: aud is the resource the token was issued for, scp lists the delegated permissions, and appid identifies the client application that requested it.
Only tokens issued to a client application that holds Microsoft 365 delegated permissions, such as a user’s browser session or an application the user consented to, can reach Microsoft 365 resources, and with such a token you can run commands to dump information from them.
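The claims that decide what a token can reach are readable without any network call, so a token obtained by one of the methods above can be checked before any request is sent to Graph. The following PowerShell is an added example, not code from the original post or from TokenTactics: it base64url-decodes the JWT payload (without verifying the signature), compares aud, scp and exp against what a planned call needs, and runs against a constructed, unsigned sample token. The client application ID in the sample is a placeholder, and the names ConvertFrom-JwtPayload, Test-TokenAccess and New-UnsignedJwt are this example’s own.

```powershell
# Added example (not from the original post): inspect an access token's claims
# offline before using it. What a token can reach is decided by
#   aud   - the resource it was issued for (e.g. https://graph.microsoft.com)
#   scp   - the delegated permissions granted to the client application
#   appid - the client application the token was issued to
#   exp   - expiry, in Unix seconds
# The signature is NOT verified: this reads your own tokens, it does not
# establish trust in someone else's.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # The payload is base64url without padding; restore standard base64 first
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Test-TokenAccess {
    param(
        [Parameter(Mandatory)][string]$Token,
        # Accepted aud values: the resource URI or its application ID (Microsoft
        # Graph tokens may carry 00000003-0000-0000-c000-000000000000 instead of the URI)
        [Parameter(Mandatory)][string[]]$Audience,
        [string[]]$RequiredScopes = @()
    )
    $claims   = ConvertFrom-JwtPayload -Token $Token
    $problems = @()

    $aud      = [string]$claims.aud
    $accepted = $Audience | ForEach-Object { $_.TrimEnd('/') }
    if ($accepted -notcontains $aud.TrimEnd('/')) {
        $problems += "aud is '$aud'; the token was issued for a different resource"
    }

    $scopes = @()
    if ($claims.scp) { $scopes = @($claims.scp -split ' ') }
    foreach ($s in $RequiredScopes) {
        if ($scopes -notcontains $s) { $problems += "missing delegated scope '$s'" }
    }

    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    if ($expires -lt [DateTimeOffset]::UtcNow) { $problems += "token expired at $expires" }

    [pscustomobject]@{
        Audience  = $aud
        ClientApp = $claims.appid
        User      = $claims.upn
        Scopes    = $scopes
        Expires   = $expires
        Usable    = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Constructed, unsigned sample token (demonstration only; not a real token).
# The claims mimic a Microsoft Graph token issued to a CLI-style client that
# has directory scopes but no mail or files scopes.
function New-UnsignedJwt {
    param([Parameter(Mandatory)][hashtable]$Claims)
    $encode = {
        param($obj)
        $bytes = [System.Text.Encoding]::UTF8.GetBytes(($obj | ConvertTo-Json -Compress))
        [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    $hdr     = @{ alg = 'none'; typ = 'JWT' }
    $header  = & $encode $hdr
    $payload = & $encode $Claims
    return "$header.$payload."   # empty signature segment
}

$sample = New-UnsignedJwt @{
    aud   = 'https://graph.microsoft.com'
    appid = '00000000-0000-0000-0000-000000000000'   # placeholder client app ID (assumption)
    upn   = 'user@domain.com'
    scp   = 'User.Read Directory.Read.All'
    exp   = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
}
$graphAud = 'https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000'

# Directory query: Usable = True
Test-TokenAccess -Token $sample -Audience $graphAud -RequiredScopes 'User.Read'
# Mailbox or drive dump: Usable = False, Problems lists the missing scopes,
# so there is no point sending the request with this token
Test-TokenAccess -Token $sample -Audience $graphAud -RequiredScopes 'Mail.Read', 'Files.Read.All'
```

Run Test-TokenAccess against a real token from az account get-access-token or Get-AzAccessToken the same way. If the scp list carries no Mail.* or Files.* entries, the mail and drive calls described below will answer 403 no matter how the token was obtained, and the appid claim tells you which client application the token belongs to, which is the difference between the methods that this post is about.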
Email dumping (using TokenTactics)
import-module TokenTactics-main\TokenTactics-main\TokenTactics.psd1
Dump-OWAMailboxViaMSGraphApi -AccessToken $AccessToken -mailFolder AllItems
SharePoint / OneDrive dumping (lists the files in the user’s drive root through Microsoft Graph; the header reuses the $AccessToken variable)
$AccessToken = 'eyJ0eXAiOiJKV1QiLCJub25jZSI6InNkZENGd2gzbDlqampfeXhjU0VtLTI1VUlRN0gzc29Ka2tiZnVMR3BrT1kiLCJhbGciOiJSUzI1NiIsIn[...]RGpfNTJ2YndHTmd2UU8yVnpNYyIsImtpZCI6ImpTMVhvMU9XRGpfNTJ2YndHTmd2UU8yVnpNYyJ9.eyJhdWQiOiJod'
$URI = 'https://graph.microsoft.com/v1.0/me/drive/root/children'
$RequestParams = @{
    Method  = 'GET'
    Uri     = $URI
    Headers = @{ 'Authorization' = "Bearer $AccessToken" }
}
(Invoke-RestMethod @RequestParams).value
To get tokens with these additional permissions, you have to steal them from the user through means such as phishing, an illicit consent grant (the user consents to an attacker-controlled application that requests Microsoft 365 delegated permissions, so tokens issued to that application carry them), or simpler ones like XSS.
Hope this post was useful in understanding the differences between the tokens obtained via different means!