Get-EntraCredentialInfo.ps1
<#
.SYNOPSIS
Queries Entra ID credential type and OpenID configuration for a given UPN (unauthenticated OSINT).
.DESCRIPTION
Calls the Entra ID GetCredentialType and OpenID configuration endpoints to gather
tenant information for a given email address. Returns user existence, domain type,
federation status, tenant GUID, region, and preferred credential type.
No authentication is required. This uses public Microsoft endpoints.
.PARAMETER Upn
The email address (UPN) to query.
.EXAMPLE
Get-EntraCredentialInfo -Upn user@example.com
.NOTES
Author: Mike Crowley
https://mikecrowley.us
.LINK
https://mikecrowley.us
#>
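function Get-EntraCredentialInfo {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$Upn
    )

    # ValueFromPipeline needs a process block: without one the body runs once as the
    # end block and only the last pipelined UPN is queried.
    process {
        # Domain part of the UPN; the OpenID configuration lookup is per domain.
        # A value without '@' would otherwise yield a URL with an empty domain segment.
        $Domain = ($Upn -split '@')[1]
        if ([string]::IsNullOrWhiteSpace($Domain)) {
            Write-Warning "'$Upn' is not in user@domain form; skipping."
            return
        }

        $Body = @{
            username            = $Upn
            isOtherIdpSupported = $true
        } | ConvertTo-Json -Compress

        # GetCredentialType is the primary source; without it there is nothing to report.
        try {
            $CredentialResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/common/GetCredentialType" -Method Post -Body $Body -ContentType "application/json" -ErrorAction Stop
        }
        catch {
            Write-Warning "Failed to retrieve credential type for $Upn : $($_.Exception.Message)"
            return
        }

        # The OpenID document is optional: tenant-derived fields stay $null if it cannot be fetched.
        try {
            $OpenidResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$Domain/.well-known/openid-configuration" -ErrorAction Stop
        }
        catch {
            Write-Warning "Failed to retrieve OpenID configuration for $Domain : $($_.Exception.Message)"
            $OpenidResponse = $null
        }

        $IfExists = $CredentialResponse.IfExistsResult

        # Tenant GUID: prefer the GUID segment of userinfo_endpoint (works for any cloud host);
        # fall back to stripping the known host/path parts as the original logic did.
        $TenantGuid = $null
        if ($null -ne $OpenidResponse) {
            $UserinfoEndpoint = [string]$OpenidResponse.userinfo_endpoint
            if ($UserinfoEndpoint -match '([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})') {
                $TenantGuid = $Matches[1]
            }
            else {
                $TenantGuid = $UserinfoEndpoint -replace 'https://login.microsoftonline.com/' -replace 'https://login.microsoftonline.us/' -replace '/openid/userinfo'
            }
        }

        # Region sub-scope is only meaningful when the OpenID document was retrieved;
        # a document without the field is reported as "WW" as before. Previously "WW"
        # was also reported when the lookup failed, unlike the sibling tenant fields.
        $RegionSubScope = $null
        if ($null -ne $OpenidResponse) {
            $RegionSubScope = if ($null -eq $OpenidResponse.tenant_region_sub_scope) { "WW" } else { $OpenidResponse.tenant_region_sub_scope }
        }

        $Output = [pscustomobject]@{
            Username                  = $CredentialResponse.Username
            Domain                    = $Domain
            # Only the codes this script labels VALID_USER* count as found. UNKNOWN, THROTTLE and
            # ERROR are inconclusive (see IfExistsResultDescription) and no longer read as a hit.
            UserFound                 = ($IfExists -in 0, 5, 6)
            #IfExistsResult = $IfExists
            IfExistsResultDescription = switch ($IfExists) {
                '-1' { "UNKNOWN" }
                '0' { "VALID_USER" }
                '1' { "INVALID_USER" }
                '2' { "THROTTLE" }
                '4' { "ERROR" }
                '5' { "VALID_USER-DIFFERENT_IDP" }
                '6' { "VALID_USER-ExistsBoth_IDP" } # causes pidpdisambiguation / accountpicker
                default { $IfExists }
            } # https://github.com/BarrelTit0r/o365enum/blob/master/o365enum.py
            #PrefCredential = $CredentialResponse.Credentials.PrefCredential
            # Mapping still to be filled in; the switch currently normalises the value to a string.
            PrefCredentialDescription = switch ($CredentialResponse.Credentials.PrefCredential) {
                '0' { "0" }
                '1' { "1" }
                '2' { "2" }
                '3' { "3" }
                default { $CredentialResponse.Credentials.PrefCredential }
            } # TO DO - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-system-preferred-multifactor-authentication#how-does-system-preferred-mfa-determine-the-most-secure-method
            FederatedDomain           = $null -ne $CredentialResponse.Credentials.FederationRedirectUrl
            #DomainType = $CredentialResponse.EstsProperties.DomainType
            DomainTypeDescription     = switch ($CredentialResponse.EstsProperties.DomainType) {
                '1' { "UNKNOWN" }
                '2' { "COMMERCIAL" }
                '3' { "MANAGED" }
                '4' { "FEDERATED" }
                '5' { "CLOUD_FEDERATED" }
                default { $CredentialResponse.EstsProperties.DomainType }
            }
            #DesktopSsoEnabled = $CredentialResponse.EstsProperties.DesktopSsoEnabled
            #UserTenantBranding = $CredentialResponse.EstsProperties.UserTenantBranding
            TenantGuid                = $TenantGuid
            tenant_region_scope       = if ($null -ne $OpenidResponse) { $OpenidResponse.tenant_region_scope } else { $null }
            tenant_region_sub_scope   = $RegionSubScope
            #CredentialResponse = if ($null -ne $OpenidResponse) { $OpenidResponse.cloud_instance_name } else {}
            FederationRedirectUrl     = $CredentialResponse.Credentials.FederationRedirectUrl
        }

        $Output

        # For federated domains the endpoint cannot distinguish users; the IdP behind
        # FederationRedirectUrl is authoritative.
        if ($Output.DomainTypeDescription -eq "FEDERATED") {
            Write-Warning "[$($Output.Username)] All users in a FEDERATED domain return VALID_USER by this endpoint. You must confirm with the system referenced in the FederationRedirectUrl.`n"
        }
    }
}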