ROADrecon gather fails with HTTP 403 errors despite successful authentication

[InfoSecDev-sys]

Hello @dirkjanm,

I’m experiencing an issue with ROADtools (roadrecon gather) where the tool fails to collect data from Microsoft Graph API endpoints, returning multiple HTTP 403 Forbidden errors, even though authentication completes successfully.

Environment:

ROADtools version: latest from GitHub

Steps to reproduce:

Run roadrecon gather after authenticating.

Observe the following output:

Tokens were written to .roadtools_auth

Tokens were written to .roadtools_auth
                                                                                                                    
┌──(kali㉿kali)-[~]
└─$ roadrecon gather                                                 
Starting data gathering phase 1 of 2 (collecting objects)
Error 403 for URL https://graph.windows.net/tenantID/contacts?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/tenantID/groups?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/tenantID/settings?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/tenantID/policies?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/tenantID/directoryRoles?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/tenantID/oauth2PermissionGrants?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/tenantID/applications?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/tenantID/servicePrincipals?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/tenantID/administrativeUnits?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/tenantID/tenantDetails?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/tenantID/users?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/tenantID/roleDefinitions?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/tenantID/devices?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/tenantID/authorizationPolicy?api-version=1.61-internal

Starting data gathering phase 2 of 2 (collecting properties and relationships)
Error 403 for URL https://graph.windows.net/tenantID/servicePrincipals?api-version=1.61-internal&$expand=owners                                                                                             
                                                                                                                    
Error 403 for URL https://graph.windows.net/tenantID/applications?api-version=1.61-internal&$select=keyCredentials,objectId                                                                                 
                                                                                                                    
Error 403 for URL https://graph.windows.net/tenantID/servicePrincipals?api-version=1.61-internal&$select=keyCredentials,objectId                                                                            
                                                                                                                    
Error 403 for URL https://graph.windows.net/tenantID/devices?api-version=1.61-internal&$expand=registeredOwners

Error 403 for URL https://graph.windows.net/tenantID/applications?api-version=1.61-internal&$expand=owners

ROADrecon gather executed in 2.74 seconds and issued 19 HTTP requests.

Request:
Could you advise if additional configuration or API permissions are required, or if this is a potential bug with the current version?

Thank you for your help!

[Mauriceter]

You can run roadtx graphrequest https://graph.windows.net/tenantID/groups?api-version=1.61-internal for example to get more details on the error.

My guess is that the client is blocked for this resource so you can try roadrecon auth -c client_id with other client_ids

[dirkjanm]

the comment from @Mauriceter is accurate. the latest roadrecon from GitHub will also tell you this but it hasn't been pushed to pypi yet

[InfoSecDev-sys]

Thanks @Mauriceter & @dirkjanm for the response.

I used a public lab (https://pwnedlabs.io/labs/intro-to-azure-recon-with-bloodhound) for testing.
For this lab, just a few months ago, it was working

This problem has happened to me in different TenantIDs

`└─$ roadrecon auth -u Jose.Rodriguez@megabigtech.com -p 'Bigt3ch123!'
Tokens were written to .roadtools_auth

┌──(kali㉿kali)-[~/Desktop/Tools/CloudAzure]
└─$ roadrecon gather
Starting data gathering phase 1 of 2 (collecting objects)
Error 403 for URL https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/settings?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/directoryRoles?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/users?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/oauth2PermissionGrants?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/devices?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/administrativeUnits?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/authorizationPolicy?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/policies?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/tenantDetails?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/groups?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/servicePrincipals?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/applications?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/contacts?api-version=1.61-internal

Error 403 for URL https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/roleDefinitions?api-version=1.61-internal

Starting data gathering phase 2 of 2 (collecting properties and relationships)
Error 403 for URL https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/servicePrincipals?api-version=1.61-internal&$expand=owners

Error 403 for URL https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/applications?api-version=1.61-internal&$select=keyCredentials,objectId

Error 403 for URL https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/servicePrincipals?api-version=1.61-internal&$select=keyCredentials,objectId

Error 403 for URL https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/devices?api-version=1.61-internal&$expand=registeredOwners

Error 403 for URL https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/applications?api-version=1.61-internal&$expand=owners

ROADrecon gather executed in 1.36 seconds and issued 19 HTTP requests.

└─$ roadtx graphrequest https://graph.windows.net/2590ccef-687d-493b-ae8d-441cbab63a72/servicePrincipals?api-version=1.61-internal
403
{
"odata.error": {
"code": "Authentication_Unauthorized",
"codeForMetrics": "Authentication_Unauthorized",
"message": {
"lang": "en",
"value": "Access blocked to AAD Graph API for this application. https://aka.ms/AzureADGraphMigration."
}
}
}

`

[fsacer]

I am noticing the same error on my side as well, so roadrecon does not use the new MSGraph API @dirkjanm, as the URL on the Graph Explorer is https://graph.microsoft.com/v1.0/subscriptions?

package roadrecon 1.7.2, installed using Python 3.13.7
- roadrecon
- roadrecon-gui
package roadtx 1.21.1, installed using Python 3.13.7
- roadtx

I saw that the 1.7.3 version added an error message regarding Client IDs, so using the Client ID of Azure CLI fixed the issue roadrecon auth --device-code -c 04b07795-8ddb-461a-bbee-02f9e1bf7b46.

[Mayfly277]

Thank you using -c 04b07795-8ddb-461a-bbee-02f9e1bf7b46 do the job !

[InfoSecDev-sys]

@fsacer Thanks, it works while using roadrecon auth -u "" -p "" -c 04b07795-8ddb-461a-bbee-02f9e1bf7b46