EntraReaper transforms Claude Code and AADInternals into a powerful, governed autonomous red team platform for Microsoft 365, including Entra ID. Built by the Guardz research team, this MCP server wraps 238 AADInternals PowerShell cmdlets into purpose-built tools. It enables safe, OPSEC-aware attack simulation across the full Microsoft 365 identity stack. With strong governance, adaptive kill chains, and detailed reporting, EntraReaper helps defenders understand real-world attack paths before adversaries exploit them.

EntraReaper Overview
EntraReaper is an autonomous red team platform for Microsoft Entra ID. It serves as an MCP server that connects Claude Code with 238 AADInternals PowerShell cmdlets. The tool wraps these cmdlets into 65 purpose-built tools. These tools cover recon, credential access, persistence, privilege escalation, lateral movement, collection, impact, evasion, analysis, and reporting.
The platform includes 87 attack scenarios and 13 kill chains labeled A through M. It supports full, semi-auto, and manual engagement modes. Three hat modes exist: WHITE for authorized pentest, GRAY for red team, and BLACK for adversary simulation. Adaptive routing re-evaluates attack paths after each action based on tenant settings. It targets Entra ID, Exchange Online, Teams, SharePoint, OneDrive, and Azure.

Note: EntraReaper is part of Cloud Red Agents, and GWSReaper will soon be available.
Architecture and Features
EntraReaper uses a four-layer architecture. Governance manages the noise budget and evasion. Execution runs over 50 attack tools safely via subprocess. Intelligence performs Conditional Access analysis and privilege pathfinding using BFS graph traversal. Reporting generates 12-section reports, MITRE ATT&CK Navigator JSON, evidence manifests, and cleanup checklists. It stores data in 15 engagement folders. Every tool call checks the noise budget, applies jitter delays, rotates user agents, and automatically saves the output.

The noise budget starts at 100 points by default. Silent tools cost zero points, while loud tools cost up to 50 points and require human approval. This prevents runaway operations during autonomous runs. The evasion engine rotates user agents across eight contexts and supports FOCI token cascade across 37 app pivots.
Note: Soon, EntraReaper will be available for the Windows client with GitHub Copilot.
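To make the governance layer concrete, here is an added example (not EntraReaper's own code) of the noise-budget gate the paragraph describes: the budget starts at 100, silent tools cost zero, and a loud tool (assumed here to be anything costing 50) is refused unless a human approver says yes. Tool names are borrowed from the page; every cost except the zero-cost silent recon tools and the three-point device code pivot is an assumption.

```python
"""Illustrative noise-budget governor for an autonomous engagement.

Added example, modelled on the policy the page states; it is not
EntraReaper's implementation. Costs marked 'assumed' are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable

LOUD_THRESHOLD = 50  # assumption: tools costing this much need a human in the loop

# Constructed cost table. Page-stated: silent recon = 0, device code pivot = 3.
# The rest are assumed values for illustration only.
TOOL_COST = {
    "recon_tenant": 0,
    "recon_domains": 0,
    "recon_dns": 0,
    "recon_users": 1,        # assumed
    "cred_device_code": 3,
    "azure_escalate": 50,    # assumed loud tool
}


@dataclass
class NoiseBudget:
    remaining: int = 100
    # Approval hook: called with (tool, cost); default denies every loud call.
    approve: Callable[[str, int], bool] = lambda tool, cost: False
    ledger: list = field(default_factory=list)

    def check(self, tool: str) -> tuple[bool, str]:
        """Gate one tool call and record the decision in the ledger."""
        cost = TOOL_COST.get(tool)
        if cost is None:
            decision = (False, "unknown tool: refuse rather than guess a cost")
        elif cost > self.remaining:
            decision = (False, f"budget exhausted ({self.remaining} left, needs {cost})")
        elif cost >= LOUD_THRESHOLD and not self.approve(tool, cost):
            decision = (False, "loud tool requires human approval")
        else:
            self.remaining -= cost
            decision = (True, f"ok, {self.remaining} points remaining")
        self.ledger.append((tool, cost, *decision))
        return decision
```

The ledger doubles as the audit trail a reviewer would want after an autonomous run: every refused call is recorded alongside the reason.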
The Scenarios
EntraReaper provides more than 70 tools grouped by MITRE ATT&CK phases. Recon tools include recon tenant, recon domains, recon dns, and recon openid. Credential tools include cred device code and cred token decode. Evasion tools include evasion foci list and evasion audience switch. Specific scenarios include the following.
- Silent tenant reconnaissance runs recon on tenant recon domains, DNS, and OpenID at zero-noise cost to fingerprint tenant ID, federation type, domains, DNS records, and OpenID configuration.
- Device code phishing with FOCI pivot executes cred device code, cred token decode, evasion foci list, and evasion audience switch at a three-point noise cost to obtain an admin token and cascade across Exchange, Teams, and Azure.
- Full kill chain A proceeds from external recon through user enumeration, device code phishing, insider recon, CA analysis, and MFA audit to Azure escalation toward Global Admin, in semi-auto mode with adaptive path selection and a set noise budget.
Hands-On
“AI Recon is the key, fuzz for the hole.”
Most engagements begin with reconnaissance, and that is where the real attack surface starts to take shape. With EntraReaper’s black box mode, AI-driven recon significantly accelerates this phase, uncovering a large volume of findings, mapping potential attack paths, and highlighting areas that would otherwise take much longer to identify manually.
Instead of relying solely on traditional enumeration, AI Recon continuously analyzes and correlates data to surface misconfigurations, weak points, and chaining opportunities. This creates a clearer picture of how an attacker might move through the environment.
From there, fuzzing becomes far more targeted. Rather than blindly probing, you are testing specific hypotheses derived from recon, making the process more efficient and more likely to uncover meaningful vulnerabilities.
In practice, AI Recon inside EntraReaper is not just about collecting data, it’s about turning reconnaissance into an actionable attack flow.
The EntraReaper console
I took a lab and ran an AI-Recon on it; what was the result? Once I loaded EntraReaper and selected AI-Recon for a specific domain, the module ran in recon mode and offered many recon options. A few of them are shown in the image below.

Result and Findings
The AI-Recon in EntraReaper ran for about 25 minutes, performed a large number of operations, and produced substantial results, summarized below.
Attack Surface Score
External probing was performed with zero visibility and completed in approximately 25 minutes, resulting in a score of 70 out of 100, which falls within the high-risk range. The real impact comes from compound risk rather than individual findings: an enabled implicit grant, an exposed device code endpoint, FOCI multi-refresh-token behavior, and missing DMARC at the apex align to create a pre-authentication attack surface.
Together, these signals unlock multiple attack chains before any authentication event occurs. The scoring is additive and transparent, with 50 points from primary findings and 20 from secondary indicators such as SharePoint version leakage, ActiveSync 451, and the onmicrosoft auth path, reduced by 25 due to existing defenses. Remediation requires four focused DNS and Conditional Access changes, cutting the score to 30 and quickly eliminating major exposure.

S89 AI-Reconnaissance is structured as a four-phase pipeline. Phase 1 runs eight unauthenticated recon primitives in parallel (S01-S08 concurrent). Phase 1+ extends to deep fuzzing across the M365 service mesh, federation metadata, and OAuth phishing URL pre-flight. The fusion stage normalizes outputs and ranks next-phase targets via LLM inference. Phase 2 is the auto-routed initial-access scenario, namely S17 Device Code Phish in this run.

The M365 Service Surface, established by external probing, shows what is reachable from the public internet. Twelve services were enumerated. Eight are fully exposed at the protocol level (Exchange Online, SharePoint, OneDrive, Teams, Microsoft Graph, Azure RBAC, Kerberos endpoint, OIDC). ActiveSync and EWS are policy-blocked but not removed: they return HTTP 451 and HTTP 401, respectively, rather than HTTP 404. Federation is disabled (managed-only tenant).

The Kill Chain Viability was evaluated against the findings. Seven chains are immediately viable (READY or ELEVATED), four require a token (POST-TOKEN), three are blocked by absent infrastructure (no federation, no hybrid sync), and one (Chain D, MSP Supply Chain) is indeterminate. Chain O is this run itself, namely the adaptive AI-routed chain that produced the ranked next-phase output.

Installation and Usage
The installation requires Python 3.11, PowerShell 7, and AADInternals. Clone the repo from Guardzcom Security Research Labs. Navigate to the EntraReaper folder. Run uv sync. Start the server with uv run python server.py. Add it to Claude Code using the mcp add command. The tool runs on macOS and Linux.
Usage starts with silent recon using tools like recon tenant, recon domains, and recon dns at zero noise cost. User enumeration targets C-suite accounts, with recon users at a one-time cost. Device code phishing with FOCI pivot uses the cred device code and evasion tools at a three-point cost.
Full kill chain A runs in semi-auto mode with a set noise budget toward Global Admin. EntraReaper is for authorized use only. Operators must own the tenant or have explicit written permission. Unauthorized testing violates the law.
The repository is at https://github.com/guardzcom/security-research-labs/tree/main/AI-Cloud-Tools/M365-Tools/EntraReaper.
More Tools
The AI-Cloud-Tools section offers OpenClaw Analyzer for AI configuration security analysis and SkillScan for scanning AI skills/files/URLs. It also includes an OAuth IOCs checker that helps organizations secure AI agents and detect supply-chain risks.
CloudAdversary is a dedicated place in the Guardz Security Research Labs repository that provides PowerShell-based red team and adversary emulation scripts focused on Microsoft 365 and Entra ID. These tools help authorized security teams test real attack techniques against cloud identities and productivity services.
For deeper technical insights and detailed breakdowns, visit the Guardz Blog.