Revealing All About a Tenant Identifier
I must admit to being suspicious when I first heard about the https://www.whatismytenantid.com site. The site does one thing: return the tenant identifier of an Azure or Office 365 tenant. The tenant identifier is a GUID (like 72f988bf-86f1-41af-91ab-2d7cd011db47) that marks the data belonging to a company within Microsoft’s cloud platforms. On the surface, a tenant identifier seems like a private piece of information that shouldn’t be easily accessible on the internet, but it is.
In the case of WhatIsMyTenantId.com, simply input the domain name for a company and the site will spit out the tenant identifier if one exists. You’re not limited to your own company. The site is quite happy to tell you the identifier for any company it can find, like Microsoft.com as shown in Figure 1.
First Impressions Were Bad
When I first thought about this, it seemed bad that a site could reveal the identifier for any Office 365 or Azure tenant. The reaction is understandable because you’d imagine this data to be private and only accessible to those who need to know. But when you look under the covers, a different situation emerges.
An interesting discussion in the Microsoft technical community reveals that OAuth 2.0 is the reason why Microsoft publishes tenant identifiers. We learn that “OpenID Connect is a simple identity layer that sits on top of OAuth 2.0. For Office 365 there is an OpenID Connect metadata document for each tenant which contains more of the information required for apps to perform sign-ins (including the tenant id).”
Finding Tenant Identifiers
All Office 365 and Azure tenants make information available through a well-known OpenID Connect endpoint. For instance, you can find the information for Microsoft’s tenant at https://login.microsoftonline.com/microsoft.com/.well-known/openid-configuration. A bunch of JSON-formatted data is returned to guide apps through the authentication process. Replace microsoft.com with your domain in the URL to see what’s returned for your tenant.
In a nutshell, if Microsoft didn’t publish tenant identifiers online, applications using OAuth 2.0 couldn’t authenticate. Administrators might not have been aware of this, but programmers are, probably because they need to figure this stuff out.
How Administrators Find Tenant Identifiers
If administrators were to be asked how to find the tenant identifier, they’d probably follow the advice given by Microsoft and use the Azure AD PowerShell module to run a command like:
Another way to find the tenant identifier is to open the Azure portal: your tenant identifier is in the URL. The problem with the PowerShell approach is that you must connect a PowerShell session to a tenant to retrieve the information. Consultants and service providers who manage tenants on behalf of companies might not easily be able to run PowerShell using an account belonging to the tenant, meaning that they need another method to get the tenant identifier.
Tenant Identifiers in the Open
Whether you like it or not, your tenant identifier is publicly available to all and sundry. All WhatIsMyTenantId.com does is check if the information is available online and then strip the tenant identifier out of the JSON payload returned. The site is owned by ShareGate, a well-known ISV specializing in SharePoint migrations, who get the chance to advertise their wares. That’s probably fair compensation for providing a service that some find very valuable.
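To show how the openid-configuration document described above yields the identifier that WhatIsMyTenantId.com strips out, here is an added Python example (not the article’s or ShareGate’s code): it parses a constructed sample document and pulls the GUID from the issuer and token_endpoint fields, and the live lookup function assumes that a domain not registered with any tenant gets an HTTP error response rather than a document.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Optional

# Constructed sample in the shape of the document that
# https://login.microsoftonline.com/<domain>/.well-known/openid-configuration
# returns; the GUID is the one quoted in the article, not a live lookup result.
SAMPLE_METADATA = json.dumps({
    "authorization_endpoint": "https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize",
    "token_endpoint": "https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token",
    "issuer": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
})

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)


def tenant_id_from_metadata(document: str) -> Optional[str]:
    """Strip the tenant GUID out of an OpenID Connect metadata document.

    The issuer URL (https://sts.windows.net/<tenant-id>/) is checked first;
    token_endpoint is a fallback because it embeds the same GUID. Returns
    None for malformed JSON or a document that carries no tenant GUID.
    """
    try:
        data = json.loads(document)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    for field in ("issuer", "token_endpoint"):
        match = GUID_RE.search(str(data.get(field, "")))
        if match:
            return match.group(0).lower()
    return None


def lookup_tenant_id(domain: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch the metadata for a domain and extract its tenant id (needs network).

    Assumption: a domain not registered with any tenant yields an HTTP error
    response instead of a metadata document, which is reported as None.
    """
    url = f"https://login.microsoftonline.com/{domain}/.well-known/openid-configuration"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return tenant_id_from_metadata(resp.read().decode("utf-8"))
    except urllib.error.URLError:
        return None


if __name__ == "__main__":
    print(tenant_id_from_metadata(SAMPLE_METADATA))  # offline: parses the sample only
```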