Azurehound
Azurehound is great for...hounding around in...Azure. Here's a good doc on collecting data.
Conduct an Azure collection
azurehound list -u lowpriv@domain.com -p "Pass123" -o domain-azure-dump.json --tenant "domain.com"
I ran into issues putting the password in single ticks, so I'd say always do "Password123" instead of 'Password123'!
Conduct an Azure collection (with MFA enabled)
The doc on collecting data will have you first authenticate using a device code:
$body = @{
"client_id" = "1950a258-227b-4e31-a9cf-717495945fc2"
"resource" = "https://graph.microsoft.com"
}
$UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
$Headers=@{}
$Headers["User-Agent"] = $UserAgent
$authResponse = Invoke-RestMethod `
-UseBasicParsing `
-Method Post `
-Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" `
-Headers $Headers `
-Body $body
$authResponse
Finish the device-code authentication, then request the tokens:
$body=@{
"client_id" = "1950a258-227b-4e31-a9cf-717495945fc2"
"grant_type" = "urn:ietf:params:oauth:grant-type:device_code"
"code" = $authResponse.device_code
}
$Tokens = Invoke-RestMethod `
-UseBasicParsing `
-Method Post `
-Uri "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" `
-Headers $Headers `
-Body $body
$Tokens
You'll need the refresh token for the next step:
$refreshToken = $Tokens.refresh_token
Write-Host $refreshToken
Then you can pass this directly to Azurehound:
azurehound -r "$refreshToken" list --tenant "yourtenant.onmicrosoft.com" -o output.json
Or just copy the token to the clipboard and paste it as the -r value:
# Copy to clipboard
$Tokens.refresh_token | clip
# Paste
azurehound -r "xyz123" list --tenant "yourtenant.onmicrosoft.com" -o output.json
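As an added example (not part of the original notes), here is the detection-side view of the flow above: it scans a constructed batch of Entra ID sign-in records (field names follow the Microsoft Graph signIn schema, which is an assumption about how the logs were exported) and flags successful device-code grants to the Azure PowerShell app id used above, since that is what this collection looks like in the tenant's sign-in logs.

```python
import json

# App id the walkthrough above authenticates as (Azure PowerShell, first-party app).
AZURE_POWERSHELL_APP_ID = "1950a258-227b-4e31-a9cf-717495945fc2"
PLACEHOLDER_PORTAL_APP_ID = "11111111-1111-1111-1111-111111111111"  # constructed, not a real app id

# Constructed sample sign-in records; only the fields the rule reads are populated.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "lowpriv@domain.com", "appId": AZURE_POWERSHELL_APP_ID,
     "appDisplayName": "Microsoft Azure PowerShell", "authenticationProtocol": "deviceCode",
     "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}},
    {"userPrincipalName": "admin@domain.com", "appId": PLACEHOLDER_PORTAL_APP_ID,
     "appDisplayName": "Azure Portal", "authenticationProtocol": "none",
     "resourceDisplayName": "Windows Azure Service Management API", "status": {"errorCode": 0}},
    {"userPrincipalName": "dev@domain.com", "appId": AZURE_POWERSHELL_APP_ID,
     "appDisplayName": "Microsoft Azure PowerShell", "authenticationProtocol": "deviceCode",
     "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 50058}},
])


def flag_device_code_signins(signins_json, watched_app_ids=(AZURE_POWERSHELL_APP_ID,)):
    """Return one finding per successful device-code sign-in by a watched app id.

    Device-code grants are interactive by design, so a burst of them to a CLI app id
    from an account that does not normally script against the tenant is worth a look.
    """
    findings = []
    for rec in json.loads(signins_json):
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        # Failed or interrupted sign-ins (non-zero errorCode) never produced a token.
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        if rec.get("appId") not in watched_app_ids:
            continue
        findings.append({
            "user": rec.get("userPrincipalName"),
            "app": rec.get("appDisplayName"),
            "resource": rec.get("resourceDisplayName"),
            "reason": "device-code grant to a CLI app id; confirm the user initiated it",
        })
    return findings


if __name__ == "__main__":
    for f in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f)
```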