Lateral Movement Graph for Azure AD

How the tool works

The main page of the web tool after successful logon and consent to the application
  • Environment - Hybrid AD/AAD environment synced using pass-through authentication
  • API client - Microsoft Graph client (GraphServiceClient), a client to query Azure AD Graph
  • Identity to query - Azure OAuth application, the identity of the GraphServiceClient
  • DB - CosmosDB Graph, a place to store the content brought from the Microsoft Graph
  • UI - Graph Explorer, an open source visualizer for CosmosDB Graph
  • OOP objects - BloodHound UI and entity objects, thanks to @_wald0, @CptJesus, and @harmj0y
  • Devices - AAD joined Windows devices only and their owner
  • User - All AD or AAD users
  • Administrative roles and groups - All memberships of roles and groups
  • Local administrators - The following are local admins on an AAD joined device by default: the Global administrator role, the Device administrator role, and the user performing the Azure AD join
  • Sessions - All logins for Windows devices
The collected summary after the application has done pulling the data
Consent to AzureADLateralMovement collector
A view of all connections available
A view of the paths available from Terry Jeffords and Gina to Global Admin Raymond Holt
TESTSPN is an OAuth application that grants permissions to impersonate all users in the directory
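To make the graph model above concrete, here is an added example (not the tool's own code, which is not shown on this page) that builds the same kind of graph from a constructed sample tenant and enumerates paths to the Global administrator role. The entity and edge names (users, AAD-joined devices with an owner, role and group memberships, sessions, an OAuth application that can impersonate users) follow the list above; the local-admin rule is the one stated there. The sample principals, device names and the relation labels (MemberOf, AdminTo, HasSession, CanImpersonate) are assumptions chosen for illustration, and the path search is a plain breadth-first enumeration rather than the CosmosDB Graph queries the tool uses. A defender can run this on an export of their own directory data to see which accounts and applications have a path to Global Admin and prioritise fixing them.

```python
from collections import deque

# Constructed sample directory (placeholder names, not real tenant data).
USERS = ["terry", "gina", "raymond"]
ROLES = {"Global administrator": {"raymond"}, "Device administrator": {"gina"}}
GROUPS = {"Helpdesk": {"terry"}}
# AAD-joined device -> owner (the user who performed the Azure AD join).
DEVICES = {"WS01": "terry", "WS02": "amy"}
# Device -> users that have a logon session on it.
SESSIONS = {"WS01": {"raymond"}, "WS02": {"gina"}}
# OAuth application granted permission to impersonate all users (assumed, like TESTSPN above).
APPS = ["TESTSPN"]

GLOBAL_ADMIN = ("role", "Global administrator")


def build_graph():
    """Return adjacency map: node -> set of (neighbour, relation). Nodes are (kind, name) tuples."""
    edges = {}

    def add(src, rel, dst):
        edges.setdefault(src, set()).add((dst, rel))
        edges.setdefault(dst, set())

    for role, members in ROLES.items():
        for u in members:
            add(("user", u), "MemberOf", ("role", role))
    for grp, members in GROUPS.items():
        for u in members:
            add(("user", u), "MemberOf", ("group", grp))
    for dev, owner in DEVICES.items():
        # Local-admin rule from the page: Global administrator, Device administrator
        # and the joining user are local admins on every AAD-joined device by default.
        add(("role", "Global administrator"), "AdminTo", ("device", dev))
        add(("role", "Device administrator"), "AdminTo", ("device", dev))
        add(("user", owner), "AdminTo", ("device", dev))
    for dev, users in SESSIONS.items():
        # A local admin on a device can reach any account with a session on it.
        for u in users:
            add(("device", dev), "HasSession", ("user", u))
    for app in APPS:
        for u in USERS:
            add(("app", app), "CanImpersonate", ("user", u))
    return edges


def find_paths(edges, start, target, max_depth=6):
    """Breadth-first enumeration of simple paths from start to target; each path is a
    list of (node, relation_used_to_reach_node), the first relation being None."""
    paths = []
    queue = deque([[(start, None)]])
    while queue:
        path = queue.popleft()
        node = path[-1][0]
        if node == target:
            paths.append(path)
            continue
        if len(path) > max_depth:
            continue
        visited = {n for n, _ in path}
        for nbr, rel in sorted(edges.get(node, ())):
            if nbr not in visited:
                queue.append(path + [(nbr, rel)])
    return paths


def format_path(path):
    """Render a path as 'kind:name -[Relation]-> kind:name ...' for reporting."""
    out = f"{path[0][0][0]}:{path[0][0][1]}"
    for (kind, name), rel in path[1:]:
        out += f" -[{rel}]-> {kind}:{name}"
    return out


def principals_reaching(edges, target):
    """Sorted 'kind:name' of every user or app with at least one path to target."""
    return sorted(
        f"{kind}:{name}"
        for (kind, name) in edges
        if kind in ("user", "app") and find_paths(edges, (kind, name), target)
    )


if __name__ == "__main__":
    g = build_graph()
    for who in ("terry", "gina"):
        for p in find_paths(g, ("user", who), GLOBAL_ADMIN):
            print(format_path(p))
    print("Principals with a path to Global Admin:", principals_reaching(g, GLOBAL_ADMIN))
```

The interesting output is the second line of the report: the owner of a workstation where a Global administrator has logged on, and any Device administrator, both reach Global Admin through the session edge, and the impersonating application reaches it through every user. Those are the edges to remediate (separate admin workstations, fewer standing Device administrators, tighter application permissions).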




#MicrosoftEmployee, blogs are my own personal opinion

Tal Maor
