Hello security colleagues out there and welcome to another exciting topic. Today we will go on an information-gathering journey and try to gather as much data as possible about a specific Azure AD user or organisation. We will only use OSINT techniques that are available to anyone, without any authentication. This article is explicitly limited to the Azure ecosystem, including O365 and the entire Microsoft SaaS landscape.
To do this, we need to take a step back. In order to display the data on a website like the Azure or Office portal, a lot of API calls have to be made in the background. There are basically two ways of doing this. One is that the request itself is authenticated with a JWT (see: JWT) or another method. It is harder to get data from these endpoints because we don't have a token. The second variant, which is the one we focus on today, is endpoints that require no authentication at all but still provide a lot of information. For example, we want to know which tenant a user belongs to, or we want to find out more just from an email address.
Let's get started. I am using Postman, but you can also do this with your favourite tool. For each request, I will show the method, the required attributes and the endpoint the request needs to be sent to. Then I highlight the relevant information in the response.
Please note that all endpoint calls are snapshots and may have changed or become unavailable since this blog post was published.
userrealm
The first endpoint we look at is "userrealm". It can be used to check, based on a user's email address, whether a domain is assigned to an Azure AD tenant. If so, you can also see whether the domain is federated and what the login page looks like (logo, background image, colour).
URL https://login.microsoftonline.com/common/userrealm/<upn>?api-version=2.0
Method GET
The following fields in the response should be looked at closely; they have the following meaning:
| Claim | Description |
| --- | --- |
| NameSpaceType | "unknown": the domain is not assigned to any tenant; "managed": the domain is assigned but not federated; "federated": the domain is assigned and federated |
| AuthURL | If the domain is federated, the authentication URL (of an ADFS server or another identity provider) is shown here |
| FederationBrandName | The display name on the login page |
| TenantBrandingInfo | Appearance of the login screen, such as logo, background image or display name |
| is_dsso_enabled | Whether Seamless SSO is active |
federationProvider
Now that it is clear that this is an Azure AD domain, it is time to gather more information about it. This can be done by querying the "federationProvider" endpoint, which provides another important piece of information: the tenant ID the domain is assigned to, and the region the tenant is located in.
URL https://odc.officeapps.live.com/odc/v2.1/federationProvider?domain=<domain>
Method GET
| Claim | Description |
| --- | --- |
| tenantId | The 35-digit ID of the Azure AD tenant, in the form "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"; this will be used in later steps |
| telemetryRegion | The region of the tenant |
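As an added example that is not code from the original post: the script below takes the JSON documents returned by the userrealm and federationProvider endpoints described in the two sections above and turns them into a short exposure summary, the kind of check a tenant owner can run against their own domain to see what it reveals without any authentication. The two sample responses are constructed for this example and contain only the fields listed in the tables (real responses carry additional fields), and the helper names (endpoint_urls, classify_userrealm, exposure_summary) are this example's own, not part of any Microsoft API.

```python
"""Interpret userrealm / federationProvider responses (added example, offline)."""
import json
from typing import Optional
from urllib.parse import urlsplit

# Endpoints exactly as given in the post; {upn} and {domain} are filled in by endpoint_urls().
USERREALM_URL = "https://login.microsoftonline.com/common/userrealm/{upn}?api-version=2.0"
FEDERATION_URL = "https://odc.officeapps.live.com/odc/v2.1/federationProvider?domain={domain}"

# Constructed sample responses: only the fields documented in the post, with made-up values.
SAMPLE_USERREALM = json.loads("""{
  "NameSpaceType": "Federated",
  "AuthURL": "https://sts.example.com/adfs/ls/",
  "FederationBrandName": "Example Corp",
  "TenantBrandingInfo": [{"BannerLogo": "https://cdn.example.com/logo.png"}],
  "is_dsso_enabled": false
}""")
SAMPLE_FEDERATION = json.loads("""{
  "tenantId": "00000000-0000-0000-0000-000000000000",
  "telemetryRegion": "EU"
}""")


def _domain_of(upn: str) -> str:
    """Take the domain part of a UPN (user@domain), lower-cased."""
    return upn.rsplit("@", 1)[-1].lower()


def _truthy(value) -> bool:
    """Accept JSON booleans as well as string spellings such as "true"/"1"."""
    return str(value).strip().lower() in ("true", "1", "yes")


def endpoint_urls(upn: str) -> dict:
    """Build the two unauthenticated GET URLs from the post for a given UPN."""
    return {
        "userrealm": USERREALM_URL.format(upn=upn),
        "federationProvider": FEDERATION_URL.format(domain=_domain_of(upn)),
    }


def classify_userrealm(doc: dict, domain: str) -> dict:
    """Map NameSpaceType to the three states the post describes and pull out the branding fields."""
    ns = str(doc.get("NameSpaceType", "Unknown")).lower()
    state = {"managed": "managed", "federated": "federated"}.get(ns, "not_in_azure_ad")
    result = {
        "domain": domain,
        "state": state,
        "auth_url": None,
        "idp_host": None,
        "brand_name": doc.get("FederationBrandName"),
        "branding_exposed": bool(doc.get("TenantBrandingInfo")),
        "seamless_sso": _truthy(doc.get("is_dsso_enabled", False)),
    }
    # AuthURL is only meaningful for federated domains; it points at the external IdP.
    if state == "federated" and doc.get("AuthURL"):
        result["auth_url"] = doc["AuthURL"]
        result["idp_host"] = urlsplit(doc["AuthURL"]).hostname
    return result


def exposure_summary(userrealm_doc: dict, federation_doc: Optional[dict], upn: str) -> dict:
    """Combine both responses into a list of what the domain discloses unauthenticated."""
    domain = _domain_of(upn)
    realm = classify_userrealm(userrealm_doc, domain)
    summary = {"realm": realm, "tenant_id": None, "region": None, "findings": []}
    if realm["state"] == "not_in_azure_ad":
        return summary  # nothing further to learn; the federationProvider lookup is pointless
    if realm["brand_name"]:
        summary["findings"].append("display name exposed: " + realm["brand_name"])
    if realm["branding_exposed"]:
        summary["findings"].append("login-page branding (logo/background) exposed")
    if realm["seamless_sso"]:
        summary["findings"].append("Seamless SSO enabled")
    if realm["auth_url"]:
        summary["findings"].append("federation endpoint exposed: " + realm["idp_host"])
        # An IdP host outside the domain itself usually means a third-party or shared STS.
        if not realm["idp_host"].endswith(domain):
            summary["findings"].append("federation IdP is hosted outside " + domain)
    if federation_doc:
        summary["tenant_id"] = federation_doc.get("tenantId")
        summary["region"] = federation_doc.get("telemetryRegion")
        if summary["tenant_id"]:
            summary["findings"].append("tenant ID resolvable from domain")
    return summary


if __name__ == "__main__":
    print(json.dumps(endpoint_urls("alice@example.com"), indent=2))
    print(json.dumps(exposure_summary(SAMPLE_USERREALM, SAMPLE_FEDERATION, "alice@example.com"), indent=2))
```

The "not_in_azure_ad" branch short-circuits on purpose: if userrealm reports "unknown", the federationProvider call cannot return a tenant, so the summary stops there instead of reporting empty fields.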
passwordreset
Another interesting endpoint is "passwordreset". As the name suggests, it is used to let users reset their password. However, it can also be used to check whether a particular user exists or not. It also provides information about the second factors used by the user. In order to use it, the headers "cookie" and "X-XSRF-TOKEN" have to be obtained first and then sent with the request. The easiest way to do this is to visit "https://passwordreset.microsoftonline.com/passwordreset#!/" and copy the necessary values from the "StartSession" request in the browser developer tools (F12 in Chrome).
The header values "cookie" and "X-XSRF-TOKEN" and the payload value "<upn>" need to be adjusted.
URL https://passwordreset.microsoftonline.com/passwordreset/SubmitUserId
Method POST
Header
cookie: value
X-XSRF-TOKEN: value
Payload (JSON)
{"jsonContext":"{\"userId\":\"<UPN>\"}"}
If the response is "400 Bad Request", the user does not exist.
If the response is "200 OK", the user exists and the authentication details are shown in the response body.
Conclusion
A lot of important information can be gathered from the endpoints shown. They were all found by analysing the behaviour of the web pages with the browser developer tools. The list is not complete and I am sure there are many more. As I find more, I will update this blog post.
That’s it so far, stay tuned and see you soon!