Entra ID
The goal of the Entra ID module is to allow enumeration from Entra ID using the Microsoft Graph API, mimicking some of the functionality in the Azure Portal or Entra ID Admin Center. For now, it has one submodule that lists the Entra ID users. In the future, this may be expanded with additional submodules that can query other types of objects and information (e.g. groups, devices, applications, roles, CA policies (privileged after the AAD module retirement), settings, etc.).
Using a Microsoft Graph access token, any low-privileged user can obtain a list of all other Entra ID users and their basic properties. This will require the User or Directory read scopes in the access token.
If you just want a quick overview of all users with their display name, email address, mobile number, and AD sync state, then you can leave the default options.
To view the raw details of the user in JSON format, you can toggle the arrow button at the start of a user record in the table.
GraphSpy can automatically request the group and role memberships for every single user, and list the number of Entra ID Groups and Roles the user is a member of in the table if you check the "Include membership count" option.
However, note that querying this requires an additional API request to be sent for every single user! In large organizations, this could take several seconds, or even a couple of minutes!
Note: Sadly, FOCI access tokens only allow active group and role memberships to be listed. Eligible group and role assignments cannot be queried here with the Microsoft Graph API using any FOCI client.
The default fields that are returned by Microsoft are fairly limited. If you want to fetch additional details for all users, you can toggle the Customize Properties option, which will allow you to customize the properties to request. For a full list of available properties that can be requested, you can check out this Microsoft documentation page. GraphSpy also comes with some predefined examples that you can preselect if desired; however, you are free to customize this field to your liking of course.
Every property that is requested can also be toggled as a column as shown in the following screenshot. An export button is also available, which can export the enabled columns of all entries to a CSV or Excel file, or to copy the table to the clipboard. (Note: Only enabled columns will be exported.)
Clicking on the user-with-magnifying-glass icon on a user entry in the user details table will open an advanced user details page that displays the full user details (regardless of which properties were queried in the user table, the details pane will always query the full details about the user with additional API calls).
Note: For this to work, you will need to at least have requested the ID property in the table, since the User ID is used to retrieve the additional details about the user.
At the top, a quick overview is given with the most useful information about the user (SID, Email, Phone Numbers, Password Change Data, Sync state, etc.). The Full details dropdown can be opened to view the complete user details in JSON format with a lot more additional properties.
Right below the overview, all Entra ID Group Memberships for the user are listed. The arrow button can be toggled to view additional details of a specific Group.
Scrolling further down will list the Entra ID Roles the user is a member of, as well as a list of the devices owned by the user.
Note that once again, since the Microsoft Graph API has no FOCI client that allows regular users to list eligible role/group assignments, only currently active roles and groups can be listed.
At the very bottom of the user details, an overview of the App Role Assignments and API permissions is listed for the selected user.
Note that Microsoft sadly does not link these directly together by default; however, you can use this to check if the user has given some consent to certain applications. For example, in the following screenshot, the user has an app role assignment for the Microsoft Graph Command Line Tools. Matching the ID of that resource to the client ID under the API permissions, we can see that the user has provided consent for several permissions (scopes) to a specific resource/application. The App Object ID will sadly not tell you that much either; however, this is the Object ID of the target resource (Service Principal/Enterprise Application) within the tenant of the user. In this case, this is the unique Object ID of the Microsoft Graph API within this tenant, which will be different in another tenant (unlike the Client ID, which is globally the same for applications).
In this case, you can quickly deduce that these permissions are for the Microsoft Graph API of course, based on the well-known scopes and the fact that the application that is granted consent is the Microsoft Graph Command Line Tools.
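The matching step described above, done in code as an added example (not part of GraphSpy itself): the resource ID of each app role assignment is joined against the client ID of the user's OAuth2 permission grants, so that each consented application is listed with the scopes it was granted and the Object ID of the resource those scopes apply to. The response shapes are modelled on the two Graph endpoints named in the comments; the GUIDs are constructed placeholders.

```python
# Constructed sample data, trimmed to the fields this check needs, in the shape of
#   GET /users/{id}/appRoleAssignments   and   GET /users/{id}/oauth2PermissionGrants
# All GUIDs are placeholders, not values from a real tenant.
CLI_TOOLS_SP = "00000000-0000-0000-0000-00000000aaaa"  # SP object id of "Microsoft Graph Command Line Tools"
GRAPH_API_SP = "00000000-0000-0000-0000-00000000bbbb"  # SP object id of Microsoft Graph in this tenant
UNKNOWN_SP = "00000000-0000-0000-0000-00000000cccc"    # an app with a grant but no app role assignment

APP_ROLE_ASSIGNMENTS = [
    {"resourceId": CLI_TOOLS_SP, "resourceDisplayName": "Microsoft Graph Command Line Tools",
     "principalType": "User"},
]
OAUTH2_GRANTS = [
    {"clientId": CLI_TOOLS_SP, "resourceId": GRAPH_API_SP, "consentType": "Principal",
     "scope": "User.Read Directory.Read.All openid profile"},
    {"clientId": UNKNOWN_SP, "resourceId": GRAPH_API_SP, "consentType": "Principal",
     "scope": "Mail.Read"},
]

# Scopes a reviewer wants to see first: tenant-wide reads (.All) or any write access.
BROAD_SCOPE_MARKERS = (".All", "ReadWrite")


def correlate_consents(assignments, grants):
    """Map each consented application (by display name) to the resource Object IDs and
    scopes the user granted it. The join key is
    appRoleAssignment.resourceId == oauth2PermissionGrant.clientId.
    Only consentType 'Principal' grants are the user's own consents."""
    names = {a["resourceId"]: a["resourceDisplayName"] for a in assignments}
    consents = {}
    for grant in grants:
        if grant.get("consentType") != "Principal":
            continue
        app = names.get(grant["clientId"], f"unknown app {grant['clientId']}")
        entry = consents.setdefault(app, {"resource_ids": set(), "scopes": set()})
        entry["resource_ids"].add(grant["resourceId"])   # Object ID of the target resource SP
        entry["scopes"].update(grant["scope"].split())   # space-separated scope list
    return {app: {"resource_ids": sorted(e["resource_ids"]), "scopes": sorted(e["scopes"])}
            for app, e in consents.items()}


def broad_scopes(scopes):
    """Return the subset of scopes that match a broad-access marker."""
    return sorted(s for s in scopes if any(m in s for m in BROAD_SCOPE_MARKERS))


if __name__ == "__main__":
    for app, info in correlate_consents(APP_ROLE_ASSIGNMENTS, OAUTH2_GRANTS).items():
        print(f"{app}: resource(s) {info['resource_ids']}")
        print(f"  scopes: {info['scopes']}  broad: {broad_scopes(info['scopes'])}")
```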