Azure AD recon with OSINT tools

12 Aug 2023

Comprehensive Talk

Dr Nestori Syynimaa


Microsoft Azure Active Directory (Azure AD) is used by 90 per cent of Fortune 500 organizations. During the past few years, we have witnessed several attacks against these organizations by nation-state adversaries. But how do adversaries find the weakest targets? The answer is OSINT!

Azure AD and other Microsoft cloud services expose a lot of information via public DNS records and various open APIs. In this talk, I’ll share what OSINT is available and how to gather it using AADInternals and other open-source tools.

The talk shows how to list all domains the target organization has registered to Azure AD, identify the available authentication methods, enumerate users, determine which Microsoft services are in use, and more!

