Red Team: Finding Single Page Applications with Secrets

Using Microsoft Graph to find Single Page Applications (SPAs) with defined credentials.

Associating password or certificate credentials with SPA applications is discouraged. A SPA's code runs in, and is readable from, the web browser, so any secret it carries is exposed. An exposed secret lets a malicious actor sign in as your application and use every application permission assigned to it.


# Reading application registrations only needs Application.Read.All
Connect-MgGraph -Scopes @('Application.Read.All')
$allApplications = Get-MgApplication -All -PageSize 999
# PasswordCredentials is a collection; an app with no secrets has an empty one
$allApplicationsWithPasswords = $allApplications | Where-Object { $_.PasswordCredentials.Count -gt 0 }
# Keep only registrations that have the SPA platform (redirect URIs) configured
$allSpaApplicationsWithPasswords = $allApplicationsWithPasswords `
| Where-Object { $_.Spa.RedirectUris.Count -ne 0 }
$allSpaApplicationsWithPasswords | Select-Object DisplayName, AppId
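As an added example (not code from the original post), the query above generalised into a reusable function that also covers certificate credentials (KeyCredentials), which the text flags as equally discouraged on a SPA, and emits one row per credential with its expiry so the finding can be triaged. The function name Find-SpaAppsWithCredentials is hypothetical; it assumes Connect-MgGraph -Scopes 'Application.Read.All' has already run.

```powershell
# Hypothetical helper, added here as an example; assumes an existing Connect-MgGraph session.
function Find-SpaAppsWithCredentials {
    [CmdletBinding()]
    param(
        # Also report certificate (KeyCredentials), not only password credentials
        [switch]$IncludeCertificates
    )

    $apps = Get-MgApplication -All -PageSize 999
    $now  = (Get-Date).ToUniversalTime()

    foreach ($app in $apps) {
        # Only registrations with the SPA platform configured are in scope
        if (-not $app.Spa -or $app.Spa.RedirectUris.Count -eq 0) { continue }

        $creds = @()
        foreach ($p in $app.PasswordCredentials) {
            $creds += [pscustomobject]@{ Kind = 'Password'; KeyId = $p.KeyId; Name = $p.DisplayName; End = $p.EndDateTime }
        }
        if ($IncludeCertificates) {
            foreach ($k in $app.KeyCredentials) {
                $creds += [pscustomobject]@{ Kind = 'Certificate'; KeyId = $k.KeyId; Name = $k.DisplayName; End = $k.EndDateTime }
            }
        }
        if ($creds.Count -eq 0) { continue }

        # One output object per credential so the report can be sorted and exported
        foreach ($c in $creds) {
            [pscustomobject]@{
                DisplayName     = $app.DisplayName
                AppId           = $app.AppId
                ObjectId        = $app.Id
                CredentialKind  = $c.Kind
                CredentialName  = $c.Name
                KeyId           = $c.KeyId
                ExpiresUtc      = $c.End
                # An expired credential cannot be used, but still indicates a risky pattern
                Expired         = ($null -ne $c.End -and $c.End -lt $now)
                SpaRedirectUris = ($app.Spa.RedirectUris -join '; ')
            }
        }
    }
}

# Usage: list findings, then remove or rotate the credentials with the application owners
Find-SpaAppsWithCredentials -IncludeCertificates |
    Sort-Object DisplayName, ExpiresUtc |
    Format-Table DisplayName, AppId, CredentialKind, CredentialName, ExpiresUtc, Expired -AutoSize
```

Pipe the output to Export-Csv instead of Format-Table to hand the list to a ticketing or remediation workflow.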


Microsoft Graph SDK for PowerShell

Install-Module Microsoft.Graph -AllowClobber -Force


Using the Microsoft Graph Command Line Tools Enterprise Application:

Connect-MgGraph -Scopes @('')   # e.g. 'Application.Read.All' for the query above

Using an existing Access Token:

Connect-MgGraph -AccessToken (ConvertTo-SecureString 'ey..' -AsPlainText -Force)

Using an Application Registration (Platform: Mobile and desktop applications, redirect URI http://localhost):

Connect-MgGraph -ClientId 'abc..' -TenantId 'abc..'

Using a ClientId and Secret (Password):

$tenantId = ''
$clientId = ''
$secret = ConvertTo-SecureString '' -AsPlainText -Force
$secretCredential = New-Object System.Management.Automation.PSCredential ($clientId, $secret)
# Connect-MgGraph takes the client id/secret pair as -ClientSecretCredential
$params = @{
    'ClientSecretCredential' = $secretCredential
    'TenantId'               = $tenantId
}
Connect-MgGraph @params