Rebuilding ROADRecon for the Modern Entra Environment
Thomas Byrne
fwd:cloudsec North America 2025 · Day 1 · Track 1 - Crystal
Thomas Byrne, a security consultant at Reverse, presents the work required to rebuild **ROADRecon** -- a widely used Python tool for enumerating Microsoft Entra ID (formerly Azure AD) tenants -- in response to the deprecation and imminent retirement of the **Azure AD Graph API** that ROADRecon has relied on since its creation. Byrne walks through the migration to the **Microsoft Graph API**, the challenge of finding first-party applications with sufficient **preconsented permissions** to enumerate tenant objects, and the discovery of the undocumented **Ibiza API** used by the Azure portal that provides equivalent enumeration capabilities with **zero telemetry logging**. The talk serves as both a practical guide for offensive security practitioners performing Azure assessments and a defensive briefing on detection opportunities.
AI review
The ROADRecon migration to Microsoft Graph is necessary engineering work, but the Ibiza API discovery is the real gem here: an undocumented Azure portal REST API that provides full tenant enumeration with absolutely zero logging or telemetry. That's not a feature gap, that's a gift to every red teamer working Microsoft environments. Solid offensive tooling contribution.