Red Team: Finding Global Administrators
An example of how to use directoryRoles to discover Global Administrator accounts.
This assumes you have acquired an access token for a standard member user who has signed in to a resource such as Azure Active Directory via the Azure Portal.
PowerShell
<#
Every tenant has unique ids for the instance of the built-in roles
This first query finds the RoleId of the Global Administrator
#>
$params = @{
    'All'    = $true;
    'Filter' = "DisplayName eq 'Global Administrator'";
}
$globalAdministratorRoleId = Get-MgDirectoryRole @params | Select-Object -ExpandProperty Id

# The second query lists the members of that role and prints their user principal names
$globalAdministrators = Get-MgDirectoryRoleMember -DirectoryRoleId $globalAdministratorRoleId -All
$globalAdministrators.AdditionalProperties.userPrincipalName
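The last line above prints only `userPrincipalName`, so role members that are service principals or groups show up as blanks. The following is an added example for reviewing role membership, not part of the original page: `Get-RoleMemberSummary` is a hypothetical helper, and the sample objects are constructed to mimic the shape of `Get-MgDirectoryRoleMember` output so the block runs without a tenant.

```powershell
# Added example: Get-RoleMemberSummary and the sample data are hypothetical.
function Get-RoleMemberSummary {
    param([Parameter(Mandatory)][object[]]$Members)

    foreach ($member in $Members) {
        $props = $member.AdditionalProperties
        # '@odata.type' is e.g. '#microsoft.graph.user'; keep only the type name.
        $type = "$($props['@odata.type'])" -replace '^#microsoft\.graph\.', ''
        if (-not $type) { $type = 'unknown' }

        # Only users have a userPrincipalName; other types fall back to displayName.
        $name = if ($type -eq 'user') { $props['userPrincipalName'] } else { $props['displayName'] }

        [pscustomobject]@{
            Id      = $member.Id
            Type    = $type
            Name    = $name
            # Heuristic: B2B guest UPNs normally contain '#EXT#'.
            IsGuest = ($type -eq 'user' -and "$name" -like '*#EXT#*')
        }
    }
}

# Constructed sample shaped like Get-MgDirectoryRoleMember output (not real data).
$sample = @(
    [pscustomobject]@{
        Id = '00000000-0000-0000-0000-000000000001'
        AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.user'
                                  userPrincipalName = 'alice@contoso.example' }
    }
    [pscustomobject]@{
        Id = '00000000-0000-0000-0000-000000000002'
        AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.user'
                                  userPrincipalName = 'bob_fabrikam.example#EXT#@contoso.example' }
    }
    [pscustomobject]@{
        Id = '00000000-0000-0000-0000-000000000003'
        AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.servicePrincipal'
                                  displayName = 'sample-automation-app' }
    }
)

$summary = Get-RoleMemberSummary -Members $sample
$summary | Format-Table Type, Name, IsGuest -AutoSize | Out-String | Write-Output
# Count of members per object type, e.g. 'user: 2'
$summary | Group-Object Type | ForEach-Object { '{0}: {1}' -f $_.Name, $_.Count }
```

In a connected session, pass `$globalAdministrators` from the query above as `-Members` instead of `$sample`.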
Dependencies
Microsoft Graph SDK for PowerShell
Install-Module Microsoft.Graph -AllowClobber -Force
Connect-MgGraph
Using the Microsoft Graph Command Line Tools Enterprise Application:
Connect-MgGraph -Scopes @('')
Using an existing Access Token:
Connect-MgGraph -AccessToken (ConvertTo-SecureString 'ey..' -AsPlainText -Force)
Using an Application Registration (Platform: Mobile and desktop applications, redirect http://localhost):
Connect-MgGraph -ClientId 'abc..' -TenantId 'abc..'
Using a ClientId and Secret (Password):
$tenantId = ''
$clientId = ''
$secret = ConvertTo-SecureString '' -AsPlainText -Force
$secretCredential = New-Object System.Management.Automation.PSCredential ($clientId, $secret)
$params = @{
    'SecretCredential' = $secretCredential
    'TenantId'         = $tenantId
}
Connect-MgGraph @params