SeamlessPass: Using Kerberos Tickets to Access Microsoft 365

SeamlessPass is a specialized tool designed to leverage on-premises Active Directory Kerberos tickets to obtain access tokens for Microsoft 365 services. This approach is primarily relevant for hybrid environments where organizations use both on-premises Active Directory and cloud-based Microsoft 365 (Azure AD) accounts.

It is often used alongside ROADTools, a set of tools for exploring and testing Microsoft 365 access, making it a valuable resource for penetration testers and security teams assessing hybrid environments.

Why SeamlessPass Matters in 2025

• Hybrid environments: Organizations with both on-premises AD and Microsoft 365 can still encounter scenarios where Kerberos-based token methods are relevant.
• Security testing: Red teams use SeamlessPass together with ROADTools to simulate attacks and assess security controls.
• Understanding legacy integration: Knowing older authentication methods helps security teams migrate safely to modern protocols like OAuth 2.0 and OpenID Connect.

⚠️ Note: For purely cloud-based environments, Microsoft now recommends modern authentication protocols. Kerberos ticket methods are mostly niche, advanced use cases.

Installation

You can install SeamlessPass via PyPI or directly from the source code.

Using PyPI:

pip install seamlesspass

From Source:

git clone https://github.com/Malcrove/SeamlessPass.git
cd SeamlessPass
pip install .
# Or install requirements separately
pip install -r requirements.txt
python run.py

Basic Usage

After installation, use the seamlesspass command to interact with Microsoft 365:

seamlesspass [-t tenant domain] [-r resource URI] [-c client_id] ...

Common options:

• -t/-tenant – Your Microsoft 365 tenant domain (e.g., example.com)
• -r/-resource – Target cloud service URI (default: https://graph.windows.net)
• -d/-domain – Local Active Directory domain
• -dc/-dc-ip – Domain controller IP or hostname
• -u/-username & -p/-password – Credentials (or hashed credentials for testing)
• -tgt / -tgs – Base64-encoded Kerberos tickets

Integration with ROADTools:
SeamlessPass tokens can be exported and used with ROADTools to further explore Microsoft 365 access, test permissions, and simulate attack paths in hybrid environments. This combination is especially valuable for security assessments and penetration testing.

Example usage in a hybrid environment:

seamlesspass -tenant corp.com -domain corp.local -dc dc.corp.local -tgt <base64_encoded_TGT>

2025 Updates & Microsoft 365 Changes

Microsoft Entra Seamless SSO has evolved with modern authentication protocols. Key points:

• Hybrid AD + Microsoft 365 setups may still require Kerberos-based token access.
• Modern cloud-only environments rely on OAuth 2.0, OpenID Connect, and Microsoft Entra policies.
• Combining SeamlessPass with ROADTools is a current best practice for hybrid environment testing.
• Always consult the latest Microsoft documentation for compliance and security best practices: Microsoft Entra Seamless SSO

Summary

• SeamlessPass, combined with ROADTools, remains relevant for hybrid AD environments and security testing.
• For cloud-only environments, Microsoft’s modern authentication methods are recommended.
• Understanding legacy methods helps secure migrations and audits.

By keeping hybrid authentication knowledge up-to-date, security teams can safely manage both on-premises and cloud Microsoft 365 accounts in 2025.