{"id":28412478,"url":"https://github.com/zh54321/graphpreconsentexplorer","last_synced_at":"2025-06-24T12:31:11.756Z","repository":{"id":280113488,"uuid":"929476350","full_name":"zh54321/GraphPreConsentExplorer","owner":"zh54321","description":"A comprehensive list of usable Entra ID first-party clients with pre-consented Microsoft Graph scopes, in a simple YAML-file explorable with a simple HTML GUI.","archived":false,"fork":false,"pushed_at":"2025-03-26T19:14:31.000Z","size":1027,"stargazers_count":107,"open_issues_count":0,"forks_count":7,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-09T18:09:17.406Z","etag":null,"topics":["azuread","entra","entraid","graph","graphapi","msgraph","msgraphapi","pentesting","securityresearch"],"latest_commit_sha":null,"homepage":"","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zh54321.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-02-08T16:31:46.000Z","updated_at":"2025-05-23T22:09:02.000Z","dependencies_parsed_at":"2025-03-01T10:43:06.751Z","dependency_job_id":null,"html_url":"https://github.com/zh54321/GraphPreConsentExplorer","commit_stats":null,"previous_names":["zh54321/graphpreconsentexplorer"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/zh54321/GraphPreConsentExplorer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zh54321%2FGraphPreConsentExplorer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zh54321%2FGraphPreConsentExplorer/tags","releases_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zh54321%2FGraphPreConsentExplorer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zh54321%2FGraphPreConsentExplorer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zh54321","download_url":"https://codeload.github.com/zh54321/GraphPreConsentExplorer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zh54321%2FGraphPreConsentExplorer/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261675331,"owners_count":23192569,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azuread","entra","entraid","graph","graphapi","msgraph","msgraphapi","pentesting","securityresearch"],"created_at":"2025-06-02T22:18:23.912Z","updated_at":"2025-06-24T12:31:11.725Z","avatar_url":"https://github.com/zh54321.png","language":"HTML","readme":"# GraphPreConsentExplorer 🔍\n\nDuring security assessments, I often rely on various pre-consented scopes for the Microsoft Graph API. To use these scopes, I need to know which Client IDs have specific pre-consented scopes on the Graph API. Additionally, as more organizations restrict the Device Code Flow, it is crucial to identify which clients allow authentication via the OAuth Code Flow. 
This requires knowing which clients support different authentication methods, including:\n- Device Code Flow\n- OAuth Code Flow\n- Special Refresh Flows (FOCI / BRK)\n\nTo address this, I used [EntraTokenAid](https://github.com/zh54321/EntraTokenAid) to perform thousands of authentication attempts using ~1200 first-party clients. This process helped identify which clients work with specific authentication flows and their corresponding pre-consented scopes on the Microsoft Graph API.\n\nThe result is a fairly large list of nearly 200 Client IDs that have pre-consented scopes on the Graph API and can be used to authenticate without a client secret.  \nAll the information is stored in a YAML file, and there is a simple HTML GUI for easy search and filter navigation. It also provides easy copy-and-paste authentication commands for use with [EntraTokenAid](https://github.com/zh54321/EntraTokenAid).\n\nIf you know of additional first-party clients or authentication methods, feel free to contribute!  \nNote: The goal is not to list every valid redirect URL, but to have at least one usable example for each client.\n\n## 🚀 Features\n\n**Data:**\n- Around 1350 enabled clients\n- Around 265 clients with usable pre-consented scopes for the Microsoft Graph API\n- Around 250 unique pre-consented scopes\n- Total 51 FOCI clients\n\n\n**GUI:**\n- Load and visualize Entra ID first-party clients from YAML files\n- Display pre-consented Graph API scopes assigned to each application\n- Filtering, searching and sorting capabilities (by name, client ID, FOCI, Auth Flow, etc.)\n- [EntraTokenAid](https://github.com/zh54321/EntraTokenAid) authentication command generator (OAuth, Device Code, BrkRefresh, etc.)\n- No external dependencies (All local, simple HTML + JavaScript)\n\n\n## 📷 Screenshots\nMain table:\n\n![alt text](images/mainview.png)\n\nDetail view of the app. 
Includes copy-and-paste authentication commands:  \n![alt text](images/appdetails.png)\n\nUsing the copy-and-paste commands with [EntraTokenAid](https://github.com/zh54321/EntraTokenAid):  \n![alt text](images/EntraTokenAid.png)\n\n## 📥 Installation\n\n\n### Clone the Repository\n```bash\ngit clone https://github.com/zh54321/GraphPreConsentExplorer.git\n```\n\n## 📌 Usage\n1. **Open the HTML File**\n2. **Load a YAML File:** Click on `📂 Load YML File` to load the YAML file.\n\n\n\n## 📖 YAML Format\n```yaml\napps:\n  - name: \"App One\"\n    client_id: \"1234-5678-9101\"\n    enabled: \"True\"\n    graph_api_permissions: [\"User.Read\", \"Directory.Read.All\"]\n    auth_code: \"Yes\"\n    device_code: \"Yes\"\n    brk_refresh: \"Yes\"\n    foci: \"True\"\n    reply_addresses:\n      - \"https://whatever/callback\"\n    single_page_app: \"True\"\n    notes: \"This property is optional\"\n```\n\n## Changelog\n### 2025-03-26\nClient list:\n- Added 97 first-party clients. However, no usable pre-consents on MS Graph were identified (some apps lack pre-consent, while others are confidential clients).\n\nMisc:\n- Added a new folder `lists`, which also contains the data as CSV and JSON files.\n\n### 2025-03-01\nClient list:\n- Added approximately 31 first-party clients. However, no usable pre-consents on MS Graph were identified (some apps lack pre-consent, while others are confidential clients).\n\n### 2025-02-12\nData structure:\n- Added the *single_page_app* property for SPA applications, as they require the -origin parameter for authentication.\n\nClient list:\n- Added approximately 100 clients:\n  - The total number of clients with pre-consented MS Graph scopes is now around 265.\n  - In total there are now 50 FOCI clients (enabled). 
\n\nCredits: Many of the additional clients were sourced from Dirk-Jan’s [ROADTools](https://github.com/dirkjanm/ROADtools).\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzh54321%2Fgraphpreconsentexplorer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzh54321%2Fgraphpreconsentexplorer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzh54321%2Fgraphpreconsentexplorer/lists"}