Azure Discovery and Recon Cheatsheet
Azure Tenant Discovery
Azure Tenant Discovery refers to the enumeration of publicly accessible information related to an organization’s Azure tenant. It’s typically one of the first steps in cloud recon because it allows an attacker, red teamer, or bug bounty hunter to gather critical details without needing direct access.
Some tenant information is available by requesting specific public URLs. The following URLs are worth checking if you have basic information, such as the username or domain.
You can check whether an Azure tenant is in use by calling the following URL:
https://login.microsoftonline.com/getuserrealm.srf?login=[USERNAME@DOMAIN]&xml=1
To get the tenant ID, you should call this endpoint:
https://login.microsoftonline.com/[DOMAIN]/.well-known/openid-configuration
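What to read in the two responses above, as an added example (not from the original article and not AADInternals code): it parses constructed, trimmed sample bodies offline, so you can see which fields of your own tenant are publicly visible. The domain contoso.example, the all-zero GUID and the function names are placeholders chosen for illustration.

```powershell
# Added example: parse the two public responses offline. The sample bodies are
# constructed and trimmed; contoso.example and the GUID are placeholders.
$realmXml = @'
<RealmInfo Success="true">
  <Login>user@contoso.example</Login>
  <NameSpaceType>Managed</NameSpaceType>
  <DomainName>contoso.example</DomainName>
  <FederationBrandName>Contoso (constructed)</FederationBrandName>
</RealmInfo>
'@

$oidcJson = @'
{
  "token_endpoint": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/token",
  "issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
}
'@

function ConvertFrom-UserRealm {
    param([Parameter(Mandatory)][string]$Xml)
    $info = ([xml]$Xml).RealmInfo
    [pscustomobject]@{
        Domain      = $info.DomainName
        BrandName   = $info.FederationBrandName
        Namespace   = $info.NameSpaceType
        # Managed or Federated: the domain is registered in a tenant.
        # Unknown: no tenant uses this domain.
        TenantInUse = $info.NameSpaceType -in 'Managed', 'Federated'
    }
}

function Get-TenantIdFromOidc {
    param([Parameter(Mandatory)][string]$Json)
    $doc = $Json | ConvertFrom-Json
    # The tenant ID is the GUID path segment of token_endpoint.
    $guid = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    if ($doc.token_endpoint -match "microsoftonline\.com/($guid)/") {
        return $Matches[1]
    }
    throw 'No tenant GUID found in token_endpoint.'
}

ConvertFrom-UserRealm -Xml $realmXml
Get-TenantIdFromOidc -Json $oidcJson
```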
Tools such as AADInternals can help you in the process by automating most of the calls. First of all, it needs to be imported into PowerShell:
Import-Module C:\AADInternals.psd1 -Verbose
Next, you can get the tenant name, authentication, brand name, and domain name, if you have the domain and username:
Get-AADIntLoginInformation -Username [USERNAME]@[ORG].onmicrosoft.com
With the following command you can get the tenant ID:
Get-AADIntTenantID -Domain [ORG].onmicrosoft.com