AzureHound Community Edition Flags
AzureHound Community Edition has several optional flags that let you control scan scope, performance, output, and other behaviors.
Enumeration Commands and Options
list
The `list` command tells AzureHound to read all possible information from AzureAD and AzureRM. You can optionally limit the scope of what data AzureHound will collect by providing a scope option after the “list” command:
These are the most common options you’ll likely use:
- az-ad: Collect all information available at the AzureAD tenant level. In most tenants, all users can read all this information by default.
- az-rm: Collect all information available at the AzureRM subscription level. Users cannot read this by default.
You can also scope the collection to particular object types:
- apps Collects AzureAD application registration objects.
- devices Collects AzureAD devices regardless of join type.
- groups Collects AzureAD security-enabled groups, both role- and non-role-eligible.
- key-vaults Collects AzureRM key vaults.
- management-groups Collects AzureRM management group objects
- resource-groups Collects AzureRM resource group objects
- roles Collects AzureAD admin role objects
- service-principals Collects AzureAD service principals
- subscriptions Collects AzureRM subscriptions
- tenants Collects AzureAD tenant objects
- users Collects AzureAD users, including any guest users in the target tenant.
- virtual-machines Collects AzureRM virtual machines
You can even further scope collection to particular abuses against each object type. Here are a few examples:
- app-owners Collects explicitly set owners of AzureAD application registration objects
- management-group-user-access-admins Collects any principal with the User Access Admin role against any management group
- virtual-machine-avere-contributors Collects any principal with the Avere Contributor role assignment against any virtual machine
Authentication Flags
AzureHound supports several authentication options. You can control how AzureHound authenticates by using command line flags or the configuration file. Some flags should always be used together and are presented here in the context of their authentication use cases:
Authenticating with Username and Password
-uor--username- The user principal name of the AzureAD user you wish to authenticate as. UPN format is “username@domain.com”-por--password- The clear-text password of the AzureAD user.
Example:
You can skip proving the password on the command line, and AzureHound will interactively prompt you for the password instead.
Authenticating with Service Principal Secret
-aor--app- The Application ID that the Azure app registration portal assigned when the app was registered.-sor--secret- The Application Secret generated for the app in the app registration portal.
Example:
Authenticating with a JWT
-jor--jwt- An MS Graph or AzureRM scoped JWT. These JWTs last a maximum of 90 minutes, so you may need to get a new JWT to enumerate data with AzureHound later.
Example:
Authenticating with a Refresh Token
-ror--refresh-token- A refresh token. AzureHound will automatically exchange this for an appropriately scoped JWT when accessing the MS Graph and AzureRM APIs.
Example:
Additional Scoping and Output Flags
-tor--tenant- The directory tenant you want to request permission from. This can be in GUID or friendly name format.-b- Filter by one or more subscription IDs. AzureHound will automatically dedupe this list for you.-m- Filter by one or more management group IDs. AzureHound will automatically dedupe all descendent management groups and subscriptions for you.-oor--output- Instructs AzureHound to write its output to a specified file name.--log-file- Output logs to this file-vor--verbosity- AzureHound verbosity level (defaults to 0), a higher value gives more verbosity [Min: -1, Max: 2]