{"id":3068,"date":"2014-11-18T22:03:21","date_gmt":"2014-11-19T06:03:21","guid":{"rendered":"http:\/\/www.cloudidentity.com\/blog\/?p=3068"},"modified":"2014-11-18T22:03:21","modified_gmt":"2014-11-19T06:03:21","slug":"from-domain-to-tenantid","status":"publish","type":"post","link":"https:\/\/www.cloudidentity.com\/blog\/2014\/11\/18\/from-domain-to-tenantid\/","title":{"rendered":"From Domain to TenantID"},"content":{"rendered":"

Ha, I discovered that I kind of like to write short posts \"Smile\" so here there\u2019s another one.<\/p>\n

Azure AD endpoints can be constructed with both domain and tenantID interchangeably, \u201chttps:\/\/login.windows.net\/developertenant.onmicrosoft.com<\/strong>\/oauth2\/authorize\u201d<\/em> and \u201chttps:\/\/login.windows.net\/6c3d51dd-f0e5-4959-b4ea-a80c4e36fe5e<\/strong>\/oauth2\/authorize\u201d <\/em>are functionally equivalent \u2013 however the tenantID has some clear advantages. For example: it is immutable, globally unique and non-reassignable, while domains do indeed change hands on occasions. Moreover, you can have many domains associated to a tenant but only one tenantID. Really, the only thing that the domain has going for itself is that it is human readable and there\u2019s a reasonable chance a user can remember and type it.<\/p>\n

Per the above, there are times in which it can come in useful to find out the TenantID for a given domain. The trick is reeeeeally simple. You can use the domain to construct one of the AAD endpoints which return tenant metadata, for example the OpenId Connect one; such metadata will contain the tenantID. In practice: say that you know that the target domain is developertenant.onmicrosoft.com. How do I find out the corresponding tenantID, without even being authenticated?<\/p>\n

Easy. I do a GET of https:\/\/login.windows.net\/developertenant.onmicrosoft.com<\/strong>\/.well-known\/openid-configuration<\/em>.<\/p>\n

The result is a JSON file that has the tenantID all over it:<\/p>\n

{\n   \"authorization_endpoint\"<\/span> : \"https:\/\/login.windows.net\/6c3d51dd-f0e5-4959-b4ea-a80c4e36fe5e<\/font>\/oauth2\/authorize\"<\/span>,\n   \"check_session_iframe\"<\/span> : \"https:\/\/login.windows.net\/6c3d51dd-f0e5-4959-b4ea-a80c4e36fe5e<\/font>\/oauth2\/checksession\"<\/span>,\n   \"end_session_endpoint\"<\/span> : \"https:\/\/login.windows.net\/6c3d51dd-f0e5-4959-b4ea-a80c4e36fe5e<\/font>\/oauth2\/logout\"<\/span>,\n   \"id_token_signing_alg_values_supported\"<\/span> : [ \"RS256\"<\/span> ],\n   \"issuer\"<\/span> : \"https:\/\/sts.windows.net\/6c3d51dd-f0e5-4959-b4ea-a80c4e36fe5e<\/font>\/\"<\/span>,\n   \"jwks_uri\"<\/span> : \"https:\/\/login.windows.net\/common\/discovery\/keys\"<\/span>,\n   \"microsoft_multi_refresh_token\"<\/span> : true<\/span>,\n   \"response_modes_supported\"<\/span> : [ \"query\"<\/span>, \"fragment\"<\/span>, \"form_post\"<\/span> ],\n   \"response_types_supported\"<\/span> : [ \"code\"<\/span>, \"id_token\"<\/span>, \"code id_token\"<\/span>, \"token\"<\/span> ],\n   \"scopes_supported\"<\/span> : [ \"openid\"<\/span> ],\n   \"subject_types_supported\"<\/span> : [ \"pairwise\"<\/span> ],\n   \"token_endpoint\"<\/span> : \"https:\/\/login.windows.net\/6c3d51dd-f0e5-4959-b4ea-a80c4e36fe5e<\/font>\/oauth2\/token\"<\/span>,\n   \"token_endpoint_auth_methods_supported\"<\/span> : [ \"client_secret_post\"<\/span>, \"private_key_jwt\"<\/span> ],\n   \"userinfo_endpoint\"<\/span> : \"https:\/\/login.windows.net\/6c3d51dd-f0e5-4959-b4ea-a80c4e36fe5e<\/font>\/openid\/userinfo\"<\/span>\n}<\/pre>\n