Knowing the Microsoft Entra tenant ID can in some cases be quite valuable, for example when a Microsoft CSP partner needs to transfer an Azure subscription from a customer's existing CSP partner.
But how do you get the tenant ID when you have no CSP relationship with, or access to, the external tenant?
You can ask, of course, but you may not know any contacts, and the contacts you do have may not have the access needed to retrieve their tenant ID.
Fortunately there is a much simpler method available.
Microsoft Entra ID (formerly Azure AD) is a highly versatile cloud-based identity and access management service that supports a range of technologies and solutions for integrating modern authentication. This includes OpenID Connect (OIDC), an authentication protocol built on top of OAuth 2.0.
For OAuth and OIDC to work, the authorization server must first publish its configuration (metadata) so that external service providers can discover its requirements and endpoints. The content of the OAuth and OIDC metadata, the so-called well-known configuration, is fully standardized:
- OAuth Authorization Server Metadata: https://datatracker.ietf.org/doc/html/rfc8414#section-2
- OpenID Provider Metadata: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
When Microsoft designed and built the original Azure AD, they used the GUID-based tenant ID as the name of the “tenant” container, basically an Organizational Unit in a huge directory service.
The tenant ID has since been used as a core reference for any tenant, and this also applies to various authentication protocols, where the tenant ID is the unique referencing element in locating the authentication endpoints.
So with this in mind: if we know the address of the OpenID Connect metadata for a specific tenant, we must be able to obtain the authentication endpoint address, which must include the tenant ID.
So how do we find the unique address of the OpenID Connect metadata page for a specific Microsoft Entra tenant?
Fortunately the OpenID configuration page address is also standardized, and it is available for each DNS domain registered and verified in a tenant.
We just have to know one of the domains (native or custom) that has been registered and verified in the foreign tenant. Most often this can be found using a public search engine or from an e-mail address.
When we have the domain we can locate the OpenID metadata page using this URI template:
https://login.microsoftonline.com/{tenant.domain}/.well-known/openid-configuration
- Replace {tenant.domain} with the full domain name (including any dot separators)
Example:
https://login.microsoftonline.com/adatum.dk/.well-known/openid-configuration
Opening this address in a browser reveals the OpenID metadata configuration for this tenant:
If we locate the "issuer" parameter, the last part of its value, after the https:// prefix and the host name, gives us the tenant ID associated with this particular tenant.
To simplify the tenant ID lookup process, Microsoft has provided a public web service:
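The lookup described above, scripted, as an added example that is not part of the original post: it builds the well-known URL for a domain, checks that the reply is actually a metadata document rather than an error body, and extracts the tenant GUID from the issuer, cross-checking it against the authorization_endpoint so a malformed or mismatched document is rejected instead of silently yielding a wrong ID. The embedded sample document and its GUID are constructed placeholders, and the shape of the error body returned for an unknown domain is an assumption.

```python
import json
import re
import urllib.request
from urllib.error import HTTPError

# Constructed sample of the metadata document shape; the GUID is a placeholder,
# not a real tenant ID. Field names follow RFC 8414 / OpenID Connect Discovery.
SAMPLE_CONFIG = json.dumps({
    "token_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/token",
    "authorization_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/authorize",
    "issuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
})

# Constructed sample of an error body (assumed shape) for a domain not verified in any tenant
SAMPLE_ERROR = json.dumps({"error": "invalid_tenant", "error_description": "placeholder"})

GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def metadata_url(domain: str) -> str:
    """Build the well-known OpenID configuration URL for a registered, verified domain."""
    return f"https://login.microsoftonline.com/{domain}/.well-known/openid-configuration"


def extract_tenant_id(document: str) -> str:
    """Return the tenant GUID from a metadata document, or raise ValueError."""
    data = json.loads(document)
    if "issuer" not in data:
        # An error body carries "error" instead of the metadata fields
        raise ValueError(f"not a metadata document: {data.get('error', 'issuer missing')}")
    issuer = data["issuer"]
    # The issuer has the form https://sts.windows.net/<tenant-id>/ : take the last path segment
    last_segment = issuer.rstrip("/").rsplit("/", 1)[-1]
    match = GUID_RE.fullmatch(last_segment)
    if not match:
        raise ValueError(f"issuer does not end in a GUID: {issuer}")
    tenant_id = match.group(0).lower()
    # Cross-check: the authorization endpoint of the same tenant must carry the same GUID
    auth_endpoint = data.get("authorization_endpoint", "")
    if tenant_id not in auth_endpoint.lower():
        raise ValueError("issuer and authorization_endpoint disagree on the tenant ID")
    return tenant_id


def lookup_tenant_id(domain: str, timeout: float = 10) -> str:
    """Fetch the metadata over the network and extract the tenant ID (not exercised offline)."""
    req = urllib.request.Request(metadata_url(domain), headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8")
    except HTTPError as err:
        # Assumed: an unknown domain answers with an HTTP error whose body is JSON
        body = err.read().decode("utf-8")
    return extract_tenant_id(body)


if __name__ == "__main__":
    import sys
    print(lookup_tenant_id(sys.argv[1] if len(sys.argv) > 1 else "adatum.dk"))
```

Run it with a domain as the only argument; with no argument it uses the post's adatum.dk example. Lower-casing the GUID before comparison keeps the cross-check robust if the two endpoints differ only in letter case.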
https://gettenantpartitionweb.azurewebsites.net/
Note
Although the domain field specifies the domain as the native onmicrosoft.com type, you may use any custom or vanity domain registered and verified in the tenant.
Example:
References: