Entra ID Master Key (EIDMK)

Bypass Microsoft Entra ID (prev. Azure Active Directory) restrictions and do everything you are allowed to do on CLI but on the UI. EIDMK allows you to bypass Azure and Microsoft Entra ID portal UI restrictions by tricking your client (web browser) to send (legit and allowed by Microsoft) requests to Microsoft endpoints and thus receiving information that, usually, you would not be allowed to access through UI - but you are 100% allowed by Microsoft to access through CLI, Graph API, PowerShell or any other application/method - which is the case of this extension. Meaning that in fact this is not a bypass, but just another way to retrieve data that you ALREADY have access to. Keep in mind that you do not gain any new permissions by using this extension. Your user keeps exactly same roles, privileges and permissions - as documented here: https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions If you are responsible for managing an Entra ID tentant remember that "Using the Restrict access to Microsoft Entra administration portal switch is NOT a security measure."(https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions). It works similar to AzureHound by BloodHoundAD, except you don't need to use a terminal for this and can run it directly on your Google Chrome. In fact, even Microsoft official documentation states that the UI restriction does not restrict anyone, who has access to a tenant, from retrieving the information from Entra ID - find out more on this article, which was written after reporting to Microsoft a strange UI behaviour on Azure portal: https://www.linkedin.com/pulse/microsoft-azure-active-directory-authorization-bypass-vlad-yultyyev/. This extension may be handy if you are a security professional who needs a quick solution to analyze Microsoft Entra ID tenant. You need to be a user of particular tenant to view the content of that tenant. What can you expect to access using this extension? - Exactly same features/information that you can access through Graph API, CLI or PowerShell - List all groups that exist on the tenant - List all users and retrieve their information - List Application Registrations (names, URI, exposed APIs, roles, secret IDs, etc) - List Enterprise applications - List devices (names, operating system version, etc) - Create new tenants (an active Azure subscription is required for this action. Depending on your organization settings, only Azure AD B2C tenants may be allowed)