Enumeration Commands and Options
list
The `list` command tells AzureHound to read all possible information from AzureAD and AzureRM. You can optionally limit the scope of what data AzureHound will collect by providing a scope option after the `list` command. These are the most common options you'll likely use:
- az-ad: Collect all information available at the AzureAD tenant level. In most tenants, all users can read all this information by default (unless the tenant has restricted the default user permissions).
- az-rm: Collect all information available at the AzureRM subscription level. Users cannot read this by default; the authenticating principal needs a role assignment that grants read access (such as Reader) on the subscriptions or management groups in scope.
- apps: Collects AzureAD application registration objects.
- devices: Collects AzureAD devices regardless of join type.
- groups: Collects AzureAD security-enabled groups, both role- and non-role-eligible.
- key-vaults: Collects AzureRM key vaults.
- management-groups: Collects AzureRM management group objects.
- resource-groups: Collects AzureRM resource group objects.
- roles: Collects AzureAD admin role objects.
- service-principals: Collects AzureAD service principals.
- subscriptions: Collects AzureRM subscriptions.
- tenants: Collects AzureAD tenant objects.
- users: Collects AzureAD users, including any guest users in the target tenant.
- virtual-machines: Collects AzureRM virtual machines.
- app-owners: Collects explicitly set owners of AzureAD application registration objects.
- management-group-user-access-admins: Collects any principal with the User Access Admin role against any management group.
- virtual-machine-avere-contributors: Collects any principal with the Avere Contributor role assignment against any virtual machine.
Authentication Flags
AzureHound supports several authentication options. You can control how AzureHound authenticates by using command line flags or the configuration file. Some flags should always be used together and are presented here in the context of their authentication use cases.
Authenticating with Username and Password
- -u or --username - The user principal name of the AzureAD user you wish to authenticate as. UPN format is "username@domain.com".
- -p or --password - The clear-text password of the AzureAD user. A password passed on the command line is visible in shell history and process listings, so prefer the configuration file (or a service principal) where that matters.
- -t or --tenant - The directory tenant to authenticate to (GUID or friendly name format).
Authenticating with Service Principal Secret
- -a or --app - The Application (client) ID that the Azure app registration portal assigned when the app was registered.
- -s or --secret - The Application Secret generated for the app in the app registration portal.
- -t or --tenant - The directory tenant to authenticate to (GUID or friendly name format).
Authenticating with Service Principal Certificate
- -a or --app - The Application (client) ID that the Azure app registration portal assigned when the app was registered.
- --cert - The path to the certificate uploaded to the app registration portal (PEM format).
- -k or --key - The path to the private key file for the certificate (PEM format).
- --keypass (optional) - The passphrase to use if the private key is encrypted.
- -t or --tenant - The directory tenant to authenticate to (GUID or friendly name format).
Authenticating with Azure Managed Identity
- --managed-identity - Use Azure Managed Identity to authenticate. Use this when running AzureHound on an Azure resource (VM, App Service, etc.) with a managed identity assigned.
- --managed-identity-client-id (optional) - Client ID of a user-assigned managed identity. If not provided, the system-assigned identity is used.
- -t or --tenant - The directory tenant to authenticate to (GUID or friendly name format).
Authenticating with a JWT
- -j or --jwt - An MS Graph or AzureRM scoped JWT. These JWTs last a maximum of 90 minutes, so you may need to get a new JWT to enumerate data with AzureHound later.
Authenticating with a Refresh Token
- -r or --refresh-token - A refresh token. AzureHound will automatically exchange this for an appropriately scoped JWT when accessing the MS Graph and AzureRM APIs.
- -t or --tenant - The directory tenant to authenticate to (GUID or friendly name format).
Additional Scoping and Output Flags
- -b - Filter by one or more subscription IDs. AzureHound will automatically dedupe this list for you.
- -m - Filter by one or more management group IDs. AzureHound will automatically dedupe all descendant management groups and subscriptions for you.
- -o or --output - Instructs AzureHound to write its output to a specified file name. Accepts either a bare filename (azurehound.json, written to the current working directory) or a full path (~/azurehound.json; note that a leading ~ is expanded by your shell, not by AzureHound, so it must not be quoted).
- --log-file - Write logs to the specified file. Accepts either a bare filename (log.txt, written to the current working directory) or a full path (~/azurehound.log).
- --json - Emit logs as structured JSON instead of the default line-based format. Requires --log-file to be set.
- -v or --verbosity - AzureHound verbosity level (defaults to 0); a higher value gives more verbosity [Min: -1, Max: 2].
- --version - Print the AzureHound version and exit.
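The following shell script is an added example and is not part of AzureHound or its documentation. It decodes the `aud` and `exp` claims of a JWT before the token is handed to `azurehound list -j`, so a wrongly scoped or nearly expired token (the 90-minute caveat above) is caught before a long collection run, then picks the matching `list` scope and passes the output and log flags described above. The 300-second minimum lifetime, the output and log file names, and the use of `az account get-access-token` to obtain a real token are assumptions; the demo token the script builds is unsigned and exists only so the helpers can be exercised offline.

```shell
#!/bin/sh
# Added example (not AzureHound's own code): sanity-check an access token before
# passing it to `azurehound list -j`. Graph/ARM access tokens are short-lived, so an
# expired or wrongly scoped token wastes a collection run.
# Assumptions: POSIX sh with base64, cut, tr and sed; the 300-second minimum and the
# output/log file names are arbitrary choices.
set -eu

# base64url encode stdin (RFC 7515 alphabet, no padding, no line wrapping).
b64url_encode() {
  base64 | tr -d '\n=' | tr -- '+/' '-_'
}

# Print the decoded payload (second dot-separated segment) of a JWT.
# base64url has no padding, so restore it before handing the data to base64 -d.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr -- '-_' '+/')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print a string claim ("aud", "tid", ...) from the payload; empty if absent.
jwt_claim_str() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Print a numeric claim ("exp", "iat", ...) from the payload; empty if absent.
jwt_claim_num() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# Seconds until the token expires, relative to $2 (defaults to now); negative if expired.
jwt_seconds_left() {
  exp=$(jwt_claim_num "$1" exp)
  [ -n "$exp" ] || { echo "token has no exp claim" >&2; return 1; }
  now=${2:-$(date +%s)}
  printf '%s\n' "$(( exp - now ))"
}

# Accept the token only if it is scoped to MS Graph or Azure Resource Manager and at
# least $3 seconds (default 300) of lifetime remain at time $2 (default now).
# On success prints the matching `list` scope (az-ad for Graph, az-rm for ARM).
check_token_for_azurehound() {
  tok=$1; now=${2:-$(date +%s)}; min_left=${3:-300}
  aud=$(jwt_claim_str "$tok" aud)
  case "$aud" in
    https://graph.microsoft.com*|00000003-0000-0000-c000-000000000000) scope=az-ad ;;
    https://management.azure.com*|https://management.core.windows.net*) scope=az-rm ;;
    *) echo "unexpected audience '${aud:-<none>}'; need a Graph or ARM token" >&2; return 1 ;;
  esac
  left=$(jwt_seconds_left "$tok" "$now") || return 1
  if [ "$left" -lt "$min_left" ]; then
    echo "only ${left}s of lifetime left; obtain a fresh token first" >&2
    return 1
  fi
  printf '%s\n' "$scope"
}

# Build a throwaway, unsigned JWT with a constructed payload so the helpers can be
# exercised offline. It is NOT a real token and Azure would reject it.
make_demo_jwt() {
  header=$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url_encode)
  payload=$(printf '{"aud":"%s","exp":%s,"iat":%s}' "$1" "$2" "$3" | b64url_encode)
  printf '%s.%s.' "$header" "$payload"
}

# Real run: export AZUREHOUND_JWT=<token> (for example from
# `az account get-access-token --resource https://graph.microsoft.com --query accessToken -o tsv`)
# and the script picks the matching scope, writes output and a structured JSON log.
if [ -n "${AZUREHOUND_JWT:-}" ]; then
  scope=$(check_token_for_azurehound "$AZUREHOUND_JWT") || exit 1
  azurehound list "$scope" -j "$AZUREHOUND_JWT" \
    -o "azurehound-${scope}.json" --log-file "azurehound-${scope}.log" --json -v 1
fi
```

Because a Graph token cannot be used against ARM and vice versa, a full az-ad plus az-rm collection with `-j` takes two tokens and two runs; the refresh-token flow (`-r`) avoids that by letting AzureHound mint each scoped JWT itself.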
Custom User-Agent
-U or --user-agent - Set a custom User-Agent header for all HTTP requests. This can be useful for evasion purposes or for debugging and identification. If not specified, AzureHound uses the default User-Agent value.
Example: