Rebuilding ROADRecon for the Modern Entra Environment
2025-06-30, Room 2

In the ever-evolving landscape of cybersecurity, tools that help security professionals enumerate and understand their environments are invaluable. ROADRecon, an open-source tool designed to enumerate Azure AD (now Entra) environments, has been a staple for many. However, with the impending deprecation of the Azure AD Graph API, ROADRecon faces a significant challenge.

The session will begin with an introduction to security assessments in Azure, highlighting the challenges and the role of automated tooling, specifically ROADRecon. A particular challenge that we will explore is ensuring continued operation of tools that previously made use of the Azure AD Graph API and enhancing them with support for different APIs that can provide security professionals with an accurate view of the tested environment.

The core of the presentation will focus on the implementation of the Microsoft Graph API in ROADRecon, including the hurdles encountered and the solutions developed. This will involve an in-depth discussion on Entra’s implementation of OAuth, first-party applications, and pre-consented permissions, which are crucial for understanding how attackers can bypass security protections.

As we explore legitimate usage of Microsoft Graph, we will demonstrate how lesser-known APIs (e.g. Ibiza API) can be used to enhance reconnaissance capabilities and provide an equivalent method for fetching tenant information that would not be logged. Lastly, we’ll finish with an explanation of possible preventative and detective controls available to organizations to try and mitigate the usage of these APIs for malicious activities.

What Attendees Will Take Away:

  • Understanding of OAuth in Entra: Attendees will gain a foundational understanding of how OAuth is implemented in Entra and learn how first-party applications and the concept of pre-consented permissions can be used for offensive security purposes.

  • Transition from Azure AD Graph to Microsoft Graph: We will explore the impact of Microsoft’s deprecation of Azure AD Graph in favor of Microsoft Graph on both offensive and defensive security teams. There are crucial differences between the APIs that affect how threat actors must now approach Azure estates and how defenders can detect such attacks.

  • Tool Enhancements: An introduction to the enhanced capabilities of the rebuilt ROADRecon tool, including its use of undocumented APIs like the Ibiza API.

  • Detection strategies: How defenders can detect modern security tooling such as ROADRecon, the challenges of this at scale and the possibility of detecting undocumented APIs.

Thomas is a security consultant at WithSecure consulting. He has experience in a range of areas including application, network and cloud security. He focuses his time mainly on Azure, DevOps and researching cloud-specific vulnerabilities outside of work.