Dirk-jan
dirkjanm.io
Hacker at outsidersecurity.nl. Researches Entra ID, AD and occasionally Windows security. I write open source security tools and do blogs/talks to educate others on these topics. Blog: dirkjanm.io
Seems Microsoft is doing some app and permission cleanups and tenant restrictions lately. RIP Microsoft Planner FOCI client.
October 27, 2025 at 1:59 PM
For those like me who prefer to stay in the terminal and want to call REST APIs like the Microsoft Graph without complicated commands or copy/pasting tokens: roadtx now has a graphrequest command to perform simple requests against these APIs and parse the JSON.
July 25, 2025 at 2:05 PM
Since we now can use Entra ID connect sync with a service principal, I thought I'd look into the new security measures. On hosts without a TPM, we can dump the cert+key. On hosts with TPM (second picture) we can use the key to create an auth assertion for roadtx to req tokens.
May 30, 2025 at 9:37 AM
I'll be returning to #BHUSA @blackhatevents.bsky.social this summer for a brand talk about moving laterally from AD to Entra ID. I don't think I've ever been this excited about a talk, with lots of cool stuff to share 🎢 😄.
May 16, 2025 at 8:00 AM
Automatic browser SSO with a PRT on a victim device over an Outflank C2 implant 🥰 using ROADtools and some hackery from Max Grim.
March 27, 2025 at 11:52 AM
Small detour on the way to Insomni'hack! @1ns0mn1h4ck.bsky.social
March 9, 2025 at 12:44 PM
It appears Microsoft quietly mitigated most of the risk of the "Intune company portal" device compliance CA bypass by restricting the scope of Azure AD graph tokens issued to this app, making them almost useless for most abuse scenarios. Thx @domchell.bsky.social for the heads up.
February 20, 2025 at 11:08 AM
Normally you can't auth to Entra ID connected webapps with bearer tokens. But if Teams can open SharePoint/OneDrive with an access token, I guess so can we. roadtx now supports opening SharePoint with access tokens in the embedded browser 😀
February 18, 2025 at 1:12 PM
Since redirect URLs are tricky, roadtx now includes redirect URLs for many first-party apps and uses them automatically. Demo below shows the interactiveauth module being used for the compliant device CA bypass with the "interactiveauth" module and the "companyportal" client ID alias.
January 22, 2025 at 11:18 AM
After some time off to recharge outside, now back to work (and research) this week!
January 21, 2025 at 10:34 AM
Off to a good start in the new year (Part 2). I was awarded the Microsoft MVP status a few days ago for my community contributions in the Microsoft security space. Super grateful for everyone who helped along the way to get me there! ❤️
January 7, 2025 at 11:06 AM
Off to a good start in the new year! (Part 1). Thanks @msftsecresponse.bsky.social for the cool swag!
January 2, 2025 at 10:08 AM
Bit of work on the go! It's not Starbucks, hope our cult leader @xpnsec.com approves anyway.
November 14, 2024 at 2:57 PM