How to register an application in Azure AD (for use with my persistence actions reporting script)

These instructions are for registering an application in Azure AD so that my lateral movement reporting script can use the Graph API to access Azure AD audit logs and the list of applications granted access via user-based consent.

  1. Go to the Azure AD admin center.
  2. Click App registrations (Preview).
  3. Click +New registration.
  4. Enter a name (which can be anything), such as Lateral Movement Script.
  5. At the bottom, click Register.
  6. In the application’s Overview pane, copy the application’s ID by hovering just to the right of the GUID and click on the copy icon that appears.
  7. Paste the GUID into the script as the value for the $appId  variable.
  8. Back in the applications’ navigation pane, under Manage, click API permissions.
  9. Click +Add a permission.
  10. Under Commonly used Microsoft APIs, click Microsoft Graph.
  11. For the type of permission to add, click Application permissions.
  12. Expand AuditLog and check AuditLog.Read.All. (This allows the script to get the sign-in time of an application and members added to an Office 365 Group.)
  13. Expand Directory and check Directory.Read.All. (This allows the script to get the list of applications assigned to a user and when the consent was granted.)
  14. At the bottom, click Add permissions.
  15. Because the application (script) won’t be logging in as a user, in the list of permissions you can optionally choose to click User.Read, then Remove permission, then Yes, remove.
  16. The two permissions that you added require admin consent, so under Grant consent, click Grant admin consent for [Company], then Yes.
  17. If you also did step 15, your summary of permissions will look like this:
  18. In the navigation pane, under Manage, click Certificates & secrets.
  19. Under Client secrets, click +New client secret.
  20. Add a description (which can be anything) about who or what will be given this secret, such as John Doe.  (For example, you could choose to create a client secret for each admin that will run the lateral movement script. This gives you the flexibility to delete the secret for one admin without having to create a new one for the others if it were a shared secret.)
  21. Under Expires, you can leave the expiration as the default 1 year, or you may choose to set it one of the other choices.  (Regardless of the expiration, you can always delete the secret at any time.) Then click Add.
  22. Copy the secret by clicking the copy icon next to the value.  (It is important that you do this now, because once you leave the Certificates & secrets blade, you will never be able to see it again.)
  23. Paste the secret into the script as the value for the $clientSecret  variable.  (Because the secret is effectively a password that is used with the “username” that is the app ID, you may choose to store the secret securely in Windows via the DPAPI, and modify the script to get the encrypted secret, decrypt it, and assign it to the $clientSecret variable.)

Leave a Reply

Your email address will not be published. Required fields are marked *

*