Azure & M365 Checklist

TODO: Add notes

Post Compromise - Enumeration

Device Registration with Azure AD (EntraID)

dnsregcmd

We can see if the device is joined, and is using a Primary Refresh Token (PRT).

PS> dsregcmd /status

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : YES
              DomainJoined : YES
           Virtual Desktop : NOT SET
               Device Name : DESKTOP-30DTGNU
               ...
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES

Last updated