explaingit

redbyte1337/credspy

Analysis updated 2026-05-18

132PythonAudience · ops devopsComplexity · 1/5Setup · easy

TLDR

CredSpy is a command-line tool that queries the Microsoft Entra ID login API to check if email accounts exist and reveal which authentication methods (password, FIDO2, passkey, certificate) each account has enrolled.

Mindmap

mindmap
  root((CredSpy))
    What it does
      Entra ID enumeration
      Auth method discovery
      Unauthenticated API
    Output types
      Account exists check
      Preferred auth method
      All enrolled methods
      CSV export
    Auth types found
      Password
      FIDO2 passkey
      Push notification
      Certificate
    Use cases
      Penetration testing
      Phishing assessment
      Attack surface audit
    Setup
      Python 3.10 plus
      pipx one command
      Proxy support
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Enumerate which email addresses have active Microsoft Entra ID accounts during an authorized penetration test.

USE CASE 2

Identify accounts still using password authentication for targeted phishing simulation planning.

USE CASE 3

Discover which accounts have passwordless (FIDO2, passkey, or push notification) authentication enrolled.

USE CASE 4

Export account authentication data to a CSV file for inclusion in a security assessment report.

What is it built with?

Pythonpippipx

How does it compare?

redbyte1337/credspynvlabs/isaaclabeurekajackson-video-resources/markov-hedge-fund-method
Stars132138120
LanguagePythonPythonPython
Last pushed2025-10-28
MaintenanceQuiet
Setup difficultyeasymoderateeasy
Complexity1/54/53/5
Audienceops devopsresearcherdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Install with one pipx command, no configuration needed. Only use against systems you have explicit written authorization to test.

In plain English

CredSpy is a Python command-line tool for security professionals testing Microsoft Entra ID environments, which is Microsoft's cloud identity platform (formerly called Azure Active Directory). Given a list of email addresses, it queries a public API that Microsoft's own login page uses to determine which accounts actually exist in a tenant and what authentication methods each account supports. The information it reveals for each email includes whether the account exists, what the account's preferred login method is (such as a password, a passwordless push notification, a passkey or FIDO2 hardware key, or a certificate), and a full list of every authentication method that account has enrolled. This is useful in security assessments to understand an organization's attack surface: knowing which accounts still rely on passwords, for example, is relevant when planning authorized phishing tests. The tool works without any credentials or authentication of its own. It replicates the same unauthenticated check the Microsoft login page performs when a user types their email before entering a password. Results stream to the terminal as each email is checked and can be exported to a CSV file. Filtered output lists (such as all existing accounts or all accounts using passwordless authentication) can be saved to separate text files for further use. Installation takes one command via pipx or pip. You run it from the terminal with a single email address or a text file containing many addresses. It supports routing traffic through a proxy, which is useful when working with interception tools during authorized tests. The README includes a clear disclaimer stating this tool is for authorized security testing only, against systems you own or have explicit written permission to test.

Copy-paste prompts

Prompt 1
I have a list of employee emails for a company I'm authorized to test. Show me how to run CredSpy against them and export results to CSV.
Prompt 2
How do I use CredSpy with a Burp Suite proxy to inspect the GetCredentialType API requests during an authorized Entra ID assessment?
Prompt 3
Show me how to use CredSpy's --save-password-preferred flag to extract accounts that still use password auth for a phishing simulation.
Prompt 4
What does RemoteNGC mean in CredSpy output, and how do I identify accounts with passwordless push notification enrolled?
Prompt 5
How do I filter CredSpy results to list only accounts with FIDO2 passkey authentication registered in Entra ID?

Frequently asked questions

What is credspy?

CredSpy is a command-line tool that queries the Microsoft Entra ID login API to check if email accounts exist and reveal which authentication methods (password, FIDO2, passkey, certificate) each account has enrolled.

What language is credspy written in?

Mainly Python. The stack also includes Python, pip, pipx.

How hard is credspy to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is credspy for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Scan in gitsafehub Deploy in gitdeployhub redbyte1337 on gitmyhub

Verify against the repo before relying on details.