Summary
The az-ad collection tries to list tenants:
|
// Enumerate Tenants |
|
pipeline.Tee(ctx.Done(), listTenants(ctx, client), tenants) |
But the ListAzureADTenants function uses the resourceManager audience for its request:
|
// ListAzureADTenants https://learn.microsoft.com/en-us/rest/api/subscription/tenants/list?view=rest-subscription-2020-01-01 |
|
func (s *azureClient) ListAzureADTenants(ctx context.Context, includeAllTenantCategories bool) <-chan AzureResult[azure.Tenant] { |
|
var ( |
|
out = make(chan AzureResult[azure.Tenant]) |
|
path = "/tenants" |
|
params = query.RMParams{ApiVersion: "2020-01-01", IncludeAllTenantCategories: includeAllTenantCategories} |
|
) |
|
|
|
go getAzureObjectList[azure.Tenant](s.resourceManager, ctx, path, params, out) |
This leads to an error when using JWT auth because the az-ad collection needs the Graph API audience.
2025-05-13T10:52:37-05:00 INF collecting azure ad objects...
2025-05-13T10:52:37-05:00 ERR unable to continue processing tenants error="invalid audience"
The rest of the collection steps in az-ad work as expected because they all have the Graph API audience.
Steps to reproduce
$env:GRAPH_JWT = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token
./AzureHound.exe --jwt $env:GRAPH_JWT --list az-ad --tenant "contoso.onmicrosoft.com" -o "./entraid.json"
Summary
The
az-adcollection tries to list tenants:AzureHound/cmd/list-azure-ad.go
Lines 101 to 102 in abfd482
But the
ListAzureADTenantsfunction uses theresourceManageraudience for its request:AzureHound/client/tenants.go
Lines 61 to 69 in abfd482
This leads to an error when using JWT auth because the
az-adcollection needs the Graph API audience.The rest of the collection steps in
az-adwork as expected because they all have the Graph API audience.Steps to reproduce