Gather information

Using AADInternals

# Starts tenant recon of the given domain. Gets all verified domains of the tenant and extracts information such as their type.
# Also checks whether Desktop SSO (aka Seamless SSO) is enabled for the tenant.
Invoke-AADIntReconAsOutsider -Domain company.com | Format-Table

# Checks whether the given user exists in Azure AD or not. Also works with external users! Supports three enumeration methods:
Invoke-AADIntUserEnumerationAsOutsider -UserName "[email protected]"
Get-Content .\users.txt | Invoke-AADIntUserEnumerationAsOutsider

# Starts tenant recon of an Azure AD tenant. Prompts for the tenant. Retrieves information from the Azure AD tenant, such as the number of Azure AD objects and quota, and the number of domains (both verified and unverified).
Invoke-AADIntReconAsGuest

PingCastleCloud

Link: https://github.com/vletoux/PingCastleCloud

AADOutsider-py

This tool is a rewrite of the recon-as-outsider part of AADInternals.

Link: https://github.com/synacktiv/AADOutsider-py

Find Subdomains

Using MicroBurst, search for a company subdomain

Import-Module .\MicroBurst\MicroBurst.psm1
Invoke-EnumerateAzureSubDomains -Base CompanyName

Find Azure Blobs (Storage)

Invoke-EnumerateAzureBlobs -Base adsikkerhed

Check if Credentials work and have 2FA or not

Import-Module .\MFASweep\MFASweep.ps1
Invoke-MFASweep -Username "[email protected]" -Password "PASSWORD"

TREVORspray

Link: https://github.com/blacklanternsecurity/TREVORspray

TREVORspray is a modular password sprayer with threading, SSH proxying, loot modules, and more!
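
Detection side: credential checks and password spraying like the above show up in Entra ID sign-in logs as one source failing against many accounts in a short time. The following is an added example, not part of the original page or of any tool listed here; the sample records are constructed, the field names follow the Microsoft Graph signIn resource, and the threshold and window are assumed values to tune.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID (AADSTS) result codes relevant to spraying and MFA probing.
BAD_PASSWORD = 50126   # invalid username or password
NO_SUCH_USER = 50034   # account does not exist in the tenant
MFA_REQUIRED = 50076   # password accepted, MFA challenge issued

# Constructed sample records (not real data), shaped like Graph signIn objects.
SAMPLE = """
{"createdDateTime":"2024-05-01T09:00:05Z","userPrincipalName":"alice@company.com","ipAddress":"203.0.113.7","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-01T09:00:35Z","userPrincipalName":"bob@company.com","ipAddress":"203.0.113.7","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-01T09:01:05Z","userPrincipalName":"carol@company.com","ipAddress":"203.0.113.7","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-01T09:01:35Z","userPrincipalName":"dave@company.com","ipAddress":"203.0.113.7","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-01T09:02:05Z","userPrincipalName":"erin@company.com","ipAddress":"203.0.113.7","status":{"errorCode":50034}}
{"createdDateTime":"2024-05-01T09:02:35Z","userPrincipalName":"frank@company.com","ipAddress":"203.0.113.7","status":{"errorCode":50076}}
{"createdDateTime":"2024-05-01T09:03:00Z","userPrincipalName":"alice@company.com","ipAddress":"198.51.100.20","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-01T09:03:20Z","userPrincipalName":"alice@company.com","ipAddress":"198.51.100.20","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-01T09:03:40Z","userPrincipalName":"alice@company.com","ipAddress":"198.51.100.20","status":{"errorCode":0}}
"""

def parse(lines):
    for line in lines.strip().splitlines():
        r = json.loads(line)
        ts = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, r["ipAddress"], r["userPrincipalName"].lower(), r["status"]["errorCode"]

def detect_spray(lines, min_users=4, window=timedelta(minutes=10)):
    """Flag IPs that fail against >= min_users distinct accounts inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, user, code in sorted(parse(lines)):
        by_ip[ip].append((ts, user, code))
    alerts = {}
    for ip, events in by_ip.items():
        fails = [(ts, u) for ts, u, c in events if c in (BAD_PASSWORD, NO_SUCH_USER)]
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_users:
                # Accounts where the same IP passed the password check: reset these first.
                hit = sorted({u for ts, u, c in events if c in (0, MFA_REQUIRED) and ts >= start})
                alerts[ip] = {"sprayed_users": len(users), "password_valid_for": hit}
                break
    return alerts

if __name__ == "__main__":
    print(json.dumps(detect_spray(SAMPLE), indent=2))
```

A 50076 result from a flagged source means the password was correct and only MFA stopped the sign-in, so that account needs a credential reset even though no session was issued.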