@iknowjason
Last active April 15, 2024 19:53
Azure Enum & Recon Cheat Sheet
# Start with a DNS domain as seed, and do some recon to check whether the domain is hosted as an M365 / Azure tenant
# Insert your domain in the environment variable below
DOMAIN="microsoft.com"

# Check the autodiscover.$DOMAIN DNS entry
host autodiscover.$DOMAIN
# Note: checks the autodiscover forward lookup ~ you should see a CNAME record for autodiscover.$DOMAIN pointing to autodiscover.outlook.com

# Check the getuserrealm.srf endpoint for domain information
# Test whether the domain is managed or not, i.e. whether it is an Azure/M365 tenant. Returns 'Unknown', 'Federated', or 'Managed'
curl -s "https://login.microsoftonline.com/getuserrealm.srf?login=$DOMAIN&json=1"
# Note: look for NameSpaceType
# Return only NameSpaceType - either "Unknown", "Managed", or "Federated"
curl -s "https://login.microsoftonline.com/getuserrealm.srf?login=$DOMAIN&json=1" | jq -r '.NameSpaceType'
# Check for federation on the domain (XML form of the same endpoint)
curl -s "https://login.microsoftonline.com/getuserrealm.srf?login=$DOMAIN&xml=1"
# Note: look at <NameSpaceType> and <IsFederated>

# Get the TenantID for a managed domain
curl -s "https://login.microsoftonline.com/$DOMAIN/v2.0/.well-known/openid-configuration"
# Note: look for the token endpoint. Example response:
# "token_endpoint":"https://login.microsoftonline.com/9d9817d9-f209-4430-8f4f-cc03332848cb/oauth2/v2.0/token"
# '9d9817d9-f209-4430-8f4f-cc03332848cb' is the TenantId

# Check the GetCredentialType endpoint for username enumeration
# Once on a managed domain, check individual users
# Credit and props to Brian Thomas for helping to validate this. Thanks Brian!
# Verify that getuserrealm.srf returns a "Managed" value for NameSpaceType.
# If it does, the 0 or 1 below is correct. If it doesn't, unmanaged domains can return 0, leading to false positives
USERNAME="user1@example.com"
curl -s -X POST "https://login.microsoftonline.com/common/GetCredentialType" \
  -H "Content-Type: application/json" \
  --data "{\"Username\":\"$USERNAME\"}" | jq '.IfExistsResult'
# Note: checking the user in $USERNAME
# Response codes for IfExistsResult
# -1 An unknown error
#  0 The account exists, and uses that domain for authentication
#  1 The account doesn't exist
#  2 The response is being throttled
#  4 Some server error
#  5 The account exists, but is set up to authenticate with a different identity provider. This could indicate the account is only used as a personal account
#  6 The account exists, and is set up to use both the domain and a different identity provider

# ADFS Recon Google Dorks (search queries, not shell commands)
# inurl://adfs/ls/idpinitiatedsignon
# inurl://adfs/oauth2/authorize
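As an added example (not part of the gist and not code from the azrecon repo), a small Python helper that interprets the replies the commands above collect offline: it pulls the TenantId out of the openid-configuration token_endpoint and decodes IfExistsResult with the codes listed above, marking a 0 from a non-Managed namespace as the false-positive case the cheat sheet warns about. The sample replies and the GUID in them are constructed placeholders.

```python
"""Offline interpretation of the recon replies gathered above (added example)."""
import json
import re
from typing import Optional, Tuple

# IfExistsResult codes exactly as listed in the cheat sheet.
IF_EXISTS_RESULT = {
    -1: "unknown error",
    0: "account exists and authenticates with this domain",
    1: "account does not exist",
    2: "response is being throttled",
    4: "server error",
    5: "account exists but authenticates with a different identity provider",
    6: "account exists and uses both the domain and a different identity provider",
}
INFORMATIVE = {0, 1, 5, 6}  # codes that say something about the account; errors/throttling do not
GUID_RE = re.compile(r"/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/", re.I)

def tenant_id_from_openid_config(body: str) -> Optional[str]:
    """Extract the tenant GUID from token_endpoint in an openid-configuration reply."""
    match = GUID_RE.search(json.loads(body).get("token_endpoint", ""))
    return match.group(1) if match else None

def interpret_if_exists(result: int, namespace_type: str) -> Tuple[str, bool]:
    """Return (meaning, reliable). A 0 from a non-Managed namespace is the
    false-positive case the cheat sheet warns about, so it is marked unreliable."""
    meaning = IF_EXISTS_RESULT.get(result, f"undocumented code {result}")
    reliable = result in INFORMATIVE and not (result == 0 and namespace_type != "Managed")
    return meaning, reliable

def triage(realm_body: str, credtype_body: str) -> dict:
    """Combine a getuserrealm.srf JSON reply with a GetCredentialType JSON reply."""
    namespace_type = json.loads(realm_body).get("NameSpaceType", "Unknown")
    result = int(json.loads(credtype_body).get("IfExistsResult", -1))
    meaning, reliable = interpret_if_exists(result, namespace_type)
    return {"namespace_type": namespace_type, "result": result,
            "meaning": meaning, "reliable": reliable}

# Constructed sample replies (not captured from a live tenant); the GUID is a placeholder.
SAMPLE_OPENID = json.dumps({"token_endpoint":
    "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/v2.0/token"})
SAMPLE_REALM_MANAGED = json.dumps({"NameSpaceType": "Managed", "Login": "user1@example.com"})
SAMPLE_REALM_UNKNOWN = json.dumps({"NameSpaceType": "Unknown", "Login": "user1@example.com"})
SAMPLE_CREDTYPE_EXISTS = json.dumps({"IfExistsResult": 0})

if __name__ == "__main__":
    print(tenant_id_from_openid_config(SAMPLE_OPENID))
    print(triage(SAMPLE_REALM_MANAGED, SAMPLE_CREDTYPE_EXISTS))  # reliable: True
    print(triage(SAMPLE_REALM_UNKNOWN, SAMPLE_CREDTYPE_EXISTS))  # reliable: False
```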
@m14r41

m14r41 commented Nov 15, 2023

Hello, I want to contribute to this code. Is there any way to send a PR here?
If not, please add this on GitHub.
Thanks.

@iknowjason
Author

Hi @m14r41, great idea. I just created a repo for this. Feel free to send a PR:
https://github.com/iknowjason/azrecon

@m14r41

m14r41 commented Nov 15, 2023

Thank you so much! Sure

@Mike-Crowley

IfExistsResult is described here.

-1 An unknown error
0 The account exists, and uses that domain for authentication
1 The account doesn’t exist
2 The response is being throttled
4 Some server error
5 The account exists, but is set up to authenticate with a different identity provider. This could indicate the account is only used as a personal account
6 The account exists, and is set up to use both the domain and a different identity provider

@iknowjason
Author

@Mike-Crowley I remember seeing this a while back. Would be great to get this added back in. That site you linked to seems to show connection refused for me. Are you seeing the same? Thanks @Mike-Crowley .

@iknowjason
Author

@Mike-Crowley I made the update to the gist. It's what I recall reading. But I still can't find an official reference.

@Mike-Crowley

I'm not sure what happened to their site, but yeah it looks like it went down over the weekend. Here is an archive:

https://web.archive.org/web/20231208161927/https://warroom.rsmus.com/enumerating-emails-via-office-com/

Though it's not an official source, this aligns with some of the results I've seen in testing.
