Azure Active Directory (Azure AD), now rebranded as Microsoft Entra ID, is the backbone of identity and access management for thousands of organizations worldwide. It powers authentication for Microsoft 365, Azure workloads, third-party SaaS applications, and hybrid on-premises environments. Because of its central role, it has become one of the most targeted surfaces in modern cyberattacks.
What many security teams underestimate is how much information an attacker can gather about an Azure AD tenant without having any credentials at all. Before phishing a single employee or exploiting a single vulnerability, a skilled attacker performs extensive reconnaissance. This blog walks through the external enumeration techniques used against Azure AD, the specific commands and tools involved, and how organizations can reduce their exposure.
If your organization runs on Microsoft 365 or Azure, this post is directly relevant to your threat model. And if you want a real-world assessment of your exposure, Redfox Cybersecurity's penetration testing services are built to simulate exactly these attack chains.
External enumeration refers to reconnaissance conducted against an Azure AD tenant without authenticated access. Attackers leverage publicly exposed endpoints, APIs, and Microsoft's own infrastructure to gather tenant metadata, valid usernames, authentication configurations, and third-party integrations.
This phase is often called OSINT-meets-infrastructure-recon, and it is far more powerful against cloud-native environments than most defenders realize. The information collected during this phase directly feeds into credential attacks, phishing campaigns, OAuth abuse, and privilege escalation paths.
The first step an attacker takes is confirming that a target organization uses Azure AD and identifying the tenant details. Microsoft exposes several endpoints that return tenant-level metadata without any authentication.
Every Azure AD tenant exposes an OpenID Connect discovery endpoint. By visiting a URL constructed from the organization's domain, an attacker can retrieve the tenant ID, token endpoint, authorization endpoint, and supported authentication flows.
https://login.microsoftonline.com/<target-domain>/.well-known/openid-configuration
Running this with curl:
curl -s "https://login.microsoftonline.com/targetcorp.com/.well-known/openid-configuration" | python3 -m json.tool
The response reveals the issuer field, which contains the tenant ID in UUID format. This is foundational information for everything that follows.
Microsoft also exposes the GetUserRealm and getuserrealm.srf endpoints, which reveal whether a domain is managed (cloud-only) or federated (using ADFS or a third-party IdP like Okta or Ping).
curl -s "https://login.microsoftonline.com/getuserrealm.srf?login=user@targetcorp.com&json=1"
A response showing NameSpaceType: Federated tells the attacker that the organization is using a third-party identity provider, which opens a different set of attack paths compared to managed domains. This is critical intelligence.
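The same two documents are worth reading from the defensive side: a periodic self-check of your own domains should report exactly what they reveal. The following Python script is an added example, not code from the original post or from any tool it names. Both JSON documents are constructed stand-ins for real `openid-configuration` and `getuserrealm.srf` responses, the tenant GUID and the ADFS hostname are placeholders, and the script runs entirely offline.

```python
import json
import re
from typing import Optional
from urllib.parse import urlparse

# Tenant IDs are GUIDs; the issuer URL carries one as its only path segment.
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.IGNORECASE
)

# Constructed sample in the shape of /.well-known/openid-configuration;
# the tenant GUID is a placeholder, not a real tenant.
OPENID_CONFIG = json.dumps({
    "issuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "authorization_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/authorize",
    "token_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/token",
    "tenant_region_scope": "EU",
})

# Constructed sample in the shape of getuserrealm.srf?json=1 for a federated
# domain; the ADFS hostname is made up.
USER_REALM = json.dumps({
    "State": 3,
    "UserState": 2,
    "Login": "user@targetcorp.com",
    "NameSpaceType": "Federated",
    "DomainName": "targetcorp.com",
    "FederationBrandName": "TargetCorp",
    "AuthURL": "https://adfs.targetcorp.com/adfs/ls/?username=user%40targetcorp.com&wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline",
    "CloudInstanceName": "microsoftonline.com",
})


def tenant_id_from_issuer(issuer: str) -> Optional[str]:
    """Pull the tenant GUID out of the issuer URL's path."""
    match = UUID_RE.search(urlparse(issuer).path)
    return match.group(0).lower() if match else None


def summarise_exposure(openid_json: str, realm_json: str) -> dict:
    """Reduce the two public documents to the facts a defender should know are visible."""
    cfg = json.loads(openid_json)
    realm = json.loads(realm_json)
    federated = realm.get("NameSpaceType") == "Federated"
    auth_url = realm.get("AuthURL") if federated else None
    return {
        "tenant_id": tenant_id_from_issuer(cfg.get("issuer", "")),
        "region_scope": cfg.get("tenant_region_scope"),
        "namespace_type": realm.get("NameSpaceType"),
        "federation_brand": realm.get("FederationBrandName"),
        # The IdP hostname is the ADFS endpoint the post refers to; it is only
        # present for federated domains.
        "federation_host": urlparse(auth_url).hostname if auth_url else None,
    }


if __name__ == "__main__":
    for key, value in summarise_exposure(OPENID_CONFIG, USER_REALM).items():
        print(f"{key:18} {value}")
```

Against a live tenant you would feed the two `curl` responses shown above into `summarise_exposure`; anything it prints is, by definition, visible to an unauthenticated caller.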
Once the tenant is identified, the next target is valid usernames. Azure AD exposes several vectors that allow external attackers to enumerate valid user accounts, even without a successful login.
This is one of the most well-known and widely abused enumeration paths. Microsoft's sign-in flow uses the GetCredentialType endpoint to decide which authentication options to show the user. An attacker can POST a username to it, and the response structure differs depending on whether the account exists.
curl -s -X POST "https://login.microsoftonline.com/common/GetCredentialType" \
-H "Content-Type: application/json" \
-d '{"Username":"testuser@targetcorp.com"}' | python3 -m json.tool
A field called IfExistsResult in the response returns 0 for valid accounts and 1 for accounts that do not exist. This allows for bulk username validation at scale without triggering account lockouts.
AADInternals is a PowerShell toolkit developed by Dr. Nestori Syynimaa that is widely used in Azure AD attack simulations. It wraps many of these enumeration techniques into convenient cmdlets.
# Install AADInternals
Install-Module AADInternals -Force
# Import the module
Import-Module AADInternals
# Enumerate a single user
Invoke-AADIntUserEnumerationAsOutsider -UserName "jsmith@targetcorp.com"
# Enumerate from a list
Get-Content userlist.txt | Invoke-AADIntUserEnumerationAsOutsider
The output tells you whether each account exists, and for federated domains, it may also return the ADFS endpoint URL, which becomes a target for additional reconnaissance.
This level of unauthenticated enumeration is a serious concern for any organization, and it is exactly the type of technique that Redfox Cybersecurity's red team engagements use to map out your external attack surface before an adversary does.
Azure AD tenants can have multiple verified domains associated with them. Microsoft exposes this information through the tenant's OpenID configuration and through Office 365 DNS records.
MicroBurst is a PowerShell-based toolkit designed for Azure security assessments. One of its functions, Invoke-EnumerateAzureSubDomains, identifies Azure services registered under a target organization's namespace.
Import-Module MicroBurst.psm1
# Enumerate Azure subdomains
Invoke-EnumerateAzureSubDomains -Base "targetcorp" -Verbose
This scans for resources like targetcorp.blob.core.windows.net, targetcorp.azurewebsites.net, targetcorp.onmicrosoft.com, and more. Each discovered subdomain can indicate storage accounts, web applications, or other services worth probing further.
The Office 365 autodiscover and MX record structure also leaks tenant information:
# Check for Microsoft mail routing
dig MX targetcorp.com
# Check autodiscover
dig CNAME autodiscover.targetcorp.com
# Check for Office 365 tenant linkage
curl -s "https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/mex?mapiAddressType=smtp&emailAddress=user@targetcorp.com"
If the MX record points to mail.protection.outlook.com, you have confirmed the organization uses Exchange Online, which ties directly to Azure AD for authentication.
Azure AD tenants register enterprise applications and service principals that represent third-party and internal tools. Some of this information is externally accessible.
ROADtools is a Python-based framework for Azure AD reconnaissance. Its roadrecon component gathers directory data once a token has been obtained (through roadrecon auth), while the roadtx module handles the OAuth and token-exchange flows that produce such tokens.
# Install ROADtools
pip install roadtools
# Gather tenant information (run roadrecon auth first; gather consumes the resulting token)
roadrecon gather
Combined with phished credentials or tokens, ROADtools can map the entire application landscape of a tenant including permissions granted to third-party apps, which is a common path to privilege escalation through OAuth consent abuse.
Username enumeration directly enables password spraying, a technique where one or two common passwords are tested against many accounts to avoid lockout thresholds. Azure AD's Smart Lockout feature provides some protection, but it has known bypass conditions in hybrid environments and federated setups.
MSOLSpray is a PowerShell tool designed specifically for spraying against Microsoft Online endpoints.
Import-Module MSOLSpray.ps1
Invoke-MSOLSpray -UserList userlist.txt -Password "Winter2024!" -Verbose
Legacy authentication protocols (SMTP, IMAP, POP3, Basic Auth) bypass modern conditional access policies. Attackers also target the v1 token endpoint directly with the OAuth 2.0 Resource Owner Password Credentials (ROPC) grant, which takes a username and password with no interactive login:
curl -s -X POST "https://login.microsoftonline.com/common/oauth2/token" \
-d "grant_type=password&client_id=1b730954-1685-4b74-9bfd-dac224a7b894&username=user@targetcorp.com&password=Winter2024!&resource=https://graph.microsoft.com"
If legacy authentication has not been disabled in your tenant, this endpoint accepts username/password combinations with no MFA prompt and, in many configurations, no conditional access enforcement.
Organizations that have not audited their legacy authentication policies are at significant risk. Redfox Cybersecurity tests for exactly this class of vulnerability as part of cloud penetration assessments.
The Microsoft Graph API powers many of the features in Microsoft 365. Misconfigured tenants may allow unauthenticated or low-privilege access to sensitive directory information.
Without authentication, some Graph API endpoints return tenant-level metadata:
# Retrieve tenant details
curl -s "https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByDomainName(domainName='targetcorp.com')"
This returns the tenant ID, display name, federation brand name, and default domain without any credentials.
Once a low-privilege token is obtained (through phishing or credential spraying), an attacker expands enumeration using Graph:
# List all users
# Single quotes keep the shell from expanding $select as a variable
curl -s -H "Authorization: Bearer <token>" \
'https://graph.microsoft.com/v1.0/users?$select=displayName,userPrincipalName,jobTitle,department'
# List groups
curl -s -H "Authorization: Bearer <token>" \
"https://graph.microsoft.com/v1.0/groups"
# List directory roles
curl -s -H "Authorization: Bearer <token>" \
"https://graph.microsoft.com/v1.0/directoryRoles"
A low-privilege account with default permissions can often enumerate all users, groups, service principals, and directory roles in the tenant. This information is then used to identify high-value targets for lateral movement.
External enumeration is made significantly easier by common tenant misconfigurations. The following are consistently observed during cloud penetration testing engagements:
Each of these misconfigurations is something Redfox Cybersecurity's penetration testers actively check for during cloud security assessments, providing organizations with a prioritized remediation roadmap.
Understanding the attacker's perspective is the first step. The defensive response requires layering controls across identity, authentication, and monitoring.
While Microsoft does not offer a direct toggle to block the GetCredentialType endpoint, enabling Privacy settings in Azure AD to restrict user enumeration by non-admins reduces the blast radius. For federated environments, configure ADFS to return consistent responses regardless of whether the user exists.
Use Azure AD Conditional Access to block all legacy authentication protocols. Create a policy targeting all users, all cloud apps, with the condition set to legacy authentication clients, and the access control set to Block.
Conditional Access Policy:
Name: Block Legacy Authentication
Users: All users
Cloud apps: All cloud apps
Conditions: Client apps - Exchange ActiveSync clients + Other clients
Grant: Block access
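Whether such a policy actually exists and is enforced can be verified rather than assumed. The Python script below is an added example, not part of the original post or of Microsoft's tooling. It audits a list of Conditional Access policies in the shape Microsoft Graph returns from /identity/conditionalAccess/policies (the schema is real; the three sample policies, their names and the excluded object ID are constructed) and reports whether an enforced, tenant-wide legacy-auth block is present, which report-only copies are enforcing nothing, and which accounts have been excluded from the block.

```python
# Client app types that Entra classifies as legacy authentication.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}

# Constructed sample in the shape of Microsoft Graph
# /identity/conditionalAccess/policies output; policy names and the excluded
# object ID are made up.
POLICIES = [
    {
        # Looks complete but is in report-only mode, so it blocks nothing.
        "displayName": "Block Legacy Authentication (pilot)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        # Enforced tenant-wide, but one break-glass account is carved out.
        "displayName": "Block Legacy Authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["00000000-0000-0000-0000-0000000000aa"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        # Requires MFA for browser sign-ins only; says nothing about legacy clients.
        "displayName": "Require MFA for browser",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["browser"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def targets_legacy_clients(policy: dict) -> bool:
    """True if the policy's client-app scope covers the legacy protocol types."""
    types = set(policy.get("conditions", {}).get("clientAppTypes", []))
    return "all" in types or LEGACY_CLIENT_TYPES.issubset(types)


def blocks_legacy_auth(policy: dict) -> bool:
    """True if this one policy is an enforced, tenant-wide block of legacy clients."""
    cond = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    return (
        policy.get("state") == "enabled"
        and cond.get("users", {}).get("includeUsers") == ["All"]
        and cond.get("applications", {}).get("includeApplications") == ["All"]
        and targets_legacy_clients(policy)
        and "block" in grant.get("builtInControls", [])
    )


def audit_legacy_auth(policies: list) -> dict:
    """Report whether legacy auth is blocked, and what weakens that block."""
    blocking = [p for p in policies if blocks_legacy_auth(p)]
    # Only excludeUsers is inspected; excludeGroups/excludeRoles would need
    # membership expansion against the directory.
    excluded = sorted({u for p in blocking
                       for u in p["conditions"]["users"].get("excludeUsers", [])})
    report_only = [p["displayName"] for p in policies
                   if p.get("state") == "enabledForReportingButNotEnforced"
                   and targets_legacy_clients(p)]
    return {
        "covered": bool(blocking),
        "blocking_policies": [p["displayName"] for p in blocking],
        "excluded_users": excluded,
        "report_only_policies": report_only,
    }


if __name__ == "__main__":
    result = audit_legacy_auth(POLICIES)
    print("legacy auth blocked tenant-wide:", result["covered"])
    print("enforcing policies:", result["blocking_policies"])
    print("exclusions to review:", result["excluded_users"])
    print("report-only copies (not enforcing):", result["report_only_policies"])
```

Excluded break-glass accounts are expected, but each one is an account for which the spray-and-ROPC path above still works, so they belong on a review list rather than being silently accepted.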
Azure AD sign-in logs capture both interactive and non-interactive sign-ins. Anomalies to watch for include high volumes of failed sign-ins across multiple usernames from a single IP (spraying), sign-ins from unexpected geographies, and sign-ins using legacy authentication protocols.
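Two of those anomalies reduce to concrete detection logic. The Python below is an added example, not code from the original post: it runs over a constructed set of sign-in records shaped like Microsoft Graph auditLogs/signIns entries (every UPN, IP address and timestamp is made up) and flags a source address that fails against many distinct accounts inside a time window, plus successful sign-ins over legacy client apps. The thresholds are assumptions to tune for your tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# clientAppUsed values that Entra reports for legacy (non-modern) protocols.
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
# status.errorCode values for a wrong password and for a non-existent user.
INVALID_CREDENTIAL_CODES = {50126, 50034}
# Assumed thresholds: tune per tenant.
SPRAY_MIN_DISTINCT_USERS = 5
SPRAY_WINDOW = timedelta(minutes=30)


def _signin(ts, upn, ip, app, code):
    """Build one record in the shape of a Graph auditLogs/signIns entry."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "clientAppUsed": app, "status": {"errorCode": code}}


# Constructed sample log: all UPNs, IPs (RFC 5737 ranges) and times are made up.
SIGNINS = [
    # Six different accounts fail from one source within ten minutes: the spray pattern.
    _signin("2024-03-01T09:00:00Z", "a.adams@targetcorp.com", "198.51.100.7", "Browser", 50126),
    _signin("2024-03-01T09:01:00Z", "b.baker@targetcorp.com", "198.51.100.7", "Browser", 50126),
    _signin("2024-03-01T09:02:00Z", "c.clark@targetcorp.com", "198.51.100.7", "Browser", 50034),
    _signin("2024-03-01T09:03:00Z", "d.davis@targetcorp.com", "198.51.100.7", "Browser", 50126),
    _signin("2024-03-01T09:04:00Z", "e.evans@targetcorp.com", "198.51.100.7", "Browser", 50126),
    _signin("2024-03-01T09:05:00Z", "f.frank@targetcorp.com", "198.51.100.7", "Browser", 50126),
    # One user mistyping a password from an office address: not a spray.
    _signin("2024-03-01T09:30:00Z", "g.green@targetcorp.com", "192.0.2.10", "Browser", 50126),
    _signin("2024-03-01T09:31:00Z", "g.green@targetcorp.com", "192.0.2.10", "Browser", 0),
    # A successful IMAP4 sign-in: legacy auth is still reachable for this account.
    _signin("2024-03-01T10:00:00Z", "h.lee@targetcorp.com", "203.0.113.5", "IMAP4", 0),
    # Ordinary modern-auth success.
    _signin("2024-03-01T10:05:00Z", "j.jones@targetcorp.com", "192.0.2.10", "Browser", 0),
]


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_spray(records, min_users=SPRAY_MIN_DISTINCT_USERS, window=SPRAY_WINDOW) -> dict:
    """Map source IP -> sorted usernames when one IP fails against many accounts in the window."""
    failures = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] in INVALID_CREDENTIAL_CODES:
            failures[r["ipAddress"]].append((_parse_ts(r["createdDateTime"]), r["userPrincipalName"]))
    findings = {}
    for ip, events in failures.items():
        events.sort()
        # Slide a window forward from each failure and count distinct accounts in it.
        for i, (start, _) in enumerate(events):
            users = {upn for ts, upn in events[i:] if ts - start <= window}
            if len(users) >= min_users:
                findings[ip] = sorted(users)
                break
    return findings


def detect_legacy_signins(records) -> list:
    """Successful sign-ins over legacy protocols, as (user, protocol, ip) tuples."""
    return [(r["userPrincipalName"], r["clientAppUsed"], r["ipAddress"])
            for r in records
            if r["clientAppUsed"] in LEGACY_CLIENT_APPS and r["status"]["errorCode"] == 0]


if __name__ == "__main__":
    for ip, users in detect_spray(SIGNINS).items():
        print(f"possible password spray from {ip}: {len(users)} accounts targeted")
    for upn, app, ip in detect_legacy_signins(SIGNINS):
        print(f"legacy protocol sign-in: {upn} via {app} from {ip}")
```

Counting distinct accounts per source rather than raw failures is what separates a spray from a single user fumbling a password; a successful legacy-protocol sign-in is a finding in itself, since it proves the block described above is not yet in force for that account.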
Use Azure AD PIM (Privileged Identity Management) to enforce just-in-time access for administrative roles. This limits the window of exposure for high-privilege accounts and forces time-bound, approved activation rather than persistent assignment.
Azure AD is a high-value target, and external attackers invest significant effort into reconnaissance before attempting access. The techniques covered in this post, from tenant discovery and username enumeration to legacy auth abuse and Graph API exploitation, represent the real playbook used against Microsoft cloud environments today.
The good news is that each of these attack paths has a defensive countermeasure. But identifying your specific gaps requires more than a checklist review. It requires simulating the attacker's perspective against your actual tenant configuration.
Redfox Cybersecurity specializes in cloud and Azure-focused penetration testing that mirrors the techniques described here. Our team of certified security professionals will enumerate your tenant the way an attacker would, identify exploitable misconfigurations, and deliver findings with clear remediation guidance.
Ready to see what attackers can learn about your Azure AD tenant before you do? Engage Redfox Cybersecurity's pentesting team and take control of your external attack surface today.