from Hacker News

Does Company ‘X’ have an Azure Active Directory Tenant?

by curiousmindz on 10/1/22, 12:44 PM with 192 comments

  • by bob1029 on 10/1/22, 2:46 PM

    I know how we feel about the Microsoft Death Star consuming all in its path, but there are some upsides to statistics like this.

    For instance, we are a B2B software vendor in the banking space, and we have to survive all kinds of audits regarding the nature of our code & vendors. By keeping nearly all of our 3rd party items under the Microsoft umbrella, we can automagically skip over vast chunks of our due diligence process (according to the mutual trust equation).

    None of our customers is F500 (so far), but we have yet to encounter one who didn't already have AAD, or a willingness to set this up. From a product development perspective, we really prefer having a few known-good ways to do things. Authentication & authorization is one area where I strongly dislike having a large variety of flavors. Especially considering the nature of our business and ever-increasing demands for complex MFA flows (e.g. SAML). There have been so many fly-by-night operations in this space, and our customers do not have patience for trying new things.

  • by ascar on 10/1/22, 2:41 PM

    Why was that title editorialized as "around 83.4%"?

    83.4% of 500 is exactly 417. The article is also exact about these numbers. No need to add "around".

    Edit: Why was the title editorialized to begin with?

    Edit2: looks like the title was updated to the original. Thanks.

  • by sebazzz on 10/1/22, 7:10 PM

    > We assume the first result is the homepage of that company, and the domain they would use for their tenant.

    That is a big assumption though. A very well known big-four with two letters uses, for instance, [letters]gs.com ("Global Services").

  • by Terretta on 10/1/22, 10:41 PM

    For the HN B2B startups here supporting Google Workspace SSO and not Microsoft Azure SSO, or offering Sign in with Google and not Sign in with Microsoft... why?

    85% of big businesses are on the one you don't support.

    "Results for the Fortune 500 [to see who's on Azure AD using a] CSV with a list of all the Company Names for all 500 companies. Running it through this script, I find that 417, or 83.4% of companies have AAD, which is just a little off from Microsoft’s public claim of 85%."

    https://www.shawntabrizi.com/aad/does-company-x-have-an-azur...

    See also this top comment: https://news.ycombinator.com/item?id=33046968

  • by haxxorfreak on 10/1/22, 3:50 PM

    AADInternals[0] is an excellent set of PowerShell modules for pentesting and performing recon against Azure AD as both an outsider[1] and for someone who has been invited to a tenant.

    It has similar functionality integrated for discovering if a domain has an associated Azure AD Tenant and enumerating information about users in the tenant, who the "Owner" is and their contact information. As with many Microsoft products there are many configuration options and plenty of them aren't secure by default.

    [0] https://o365blog.com/aadinternals/
    [1] https://o365blog.com/post/just-looking/

  • by fweimer on 10/1/22, 4:47 PM

    Doesn't the end point show up once you have SSO with your own identity provider enabled for any Microsoft services? Maybe technically this means that you have an Active Directory tenant as well, but it doesn't necessarily imply that you are using those Active Directory services for anything beyond that SSO capability.

    For Google Workspace, a similar URL is: https://www.google.com/a/example.com/ServiceLogin

  • by PaulWaldman on 10/1/22, 2:46 PM

    Microsoft is traditionally great at bundling their products. This is reminiscent of bundling Internet Explorer with Windows.

    Could an Okta have a claim against Microsoft similar to Netscape in the late 90's?

  • by curiousmindz on 10/1/22, 12:46 PM

    This is based on a 2017 script that looks up if their domain names are attached to an Azure Active Directory Tenant.

  • by vinay_ys on 10/1/22, 1:45 PM

    The way Microsoft does enterprise price bundling, this is not surprising at all.

  • by rootsudo on 10/1/22, 1:52 PM

    This is assuming the domain has it, but it's even easier actually - you can just dig DNS records and see what they run as MX, CNAMEs, etc. If there are Teams DNS records and the MX record points to *.onmicrosoft.com or $tenantname.mail.protection.outlook.com, there you go; even easier than "querying" Google and seeing what's indexed.

    And much easier to script too. ;)
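
    The DNS approach described in the comment above, written out as an added example (this is not the article's script or anything posted in the thread). The classifier is a pure function over already-fetched records so it can be exercised offline; the live path shells out to `dig`, which is assumed to be installed. The record names and targets are the ones Microsoft documents for Exchange Online, Teams, Azure AD device registration and Intune; the sample records at the bottom are constructed, not real lookups.

```python
"""Infer a Microsoft 365 / Azure AD footprint from a domain's public DNS.

Added example, not code from the thread. `classify` is a pure function over
already-fetched records; `check_domain` does the live lookup via `dig`.
"""
import shutil
import subprocess
import sys

MX_SUFFIX = ".mail.protection.outlook.com"          # Exchange Online inbound MX
SPF_INCLUDE = "include:spf.protection.outlook.com"   # Exchange Online SPF include

# subdomain -> (documented CNAME target, what finding it proves)
CNAME_RULES = {
    "autodiscover": ("autodiscover.outlook.com", "m365_mail"),
    "lyncdiscover": ("webdir.online.lync.com", "teams"),
    "sip": ("sipdir.online.lync.com", "teams"),
    "enterpriseregistration": ("enterpriseregistration.windows.net", "aad_device_reg"),
    "enterpriseenrollment": ("enterpriseenrollment.manage.microsoft.com", "intune"),
}


def _norm(name):
    return name.strip().rstrip(".").lower()


def classify(mx, txt, cnames):
    """mx: [(pref, host)], txt: [str], cnames: {subdomain: target}.

    Returns boolean findings plus the records that produced them.
    """
    found = {k: False for k in ("m365_mail", "ms_verified", "teams",
                                "aad_device_reg", "intune")}
    evidence = []
    for _pref, host in mx:
        if _norm(host).endswith(MX_SUFFIX):
            found["m365_mail"] = True
            evidence.append(f"MX {_norm(host)}")
    for rec in txt:
        rec = rec.strip()
        if rec.startswith("MS=ms"):          # Microsoft domain-ownership proof
            found["ms_verified"] = True
            evidence.append(f"TXT {rec}")
        elif rec.startswith("v=spf1") and SPF_INCLUDE in rec:
            found["m365_mail"] = True
            evidence.append(f"TXT {rec}")
    for sub, target in cnames.items():
        rule = CNAME_RULES.get(_norm(sub))
        if rule and _norm(target) == rule[0]:
            found[rule[1]] = True
            evidence.append(f"CNAME {_norm(sub)} -> {rule[0]}")
    # Each of these records needs a Microsoft tenant behind it; mail alone is
    # the weakest signal (a mail-only tenant is still a tenant).
    found["likely_tenant"] = any(found.values())
    found["evidence"] = evidence
    return found


def _dig(name, rtype):
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found; install bind-utils/dnsutils")
    out = subprocess.run(["dig", "+short", rtype, name],
                         capture_output=True, text=True, check=False).stdout
    return [line for line in out.splitlines() if line.strip()]


def check_domain(domain):
    """Fetch the relevant records with dig and classify them (live)."""
    mx = []
    for line in _dig(domain, "MX"):
        pref, host = line.split(None, 1)
        mx.append((int(pref), host))
    # dig prints TXT as one or more quoted chunks; join and unquote them
    txt = [line.replace('" "', "").strip('"') for line in _dig(domain, "TXT")]
    cnames = {}
    for sub in CNAME_RULES:
        answers = _dig(f"{sub}.{domain}", "CNAME")
        if answers:
            cnames[sub] = answers[0]
    return classify(mx, txt, cnames)


# Constructed sample records (not real lookups): one Microsoft 365 domain and
# one Google Workspace domain.
SAMPLE_M365 = dict(
    mx=[(0, "example-com.mail.protection.outlook.com.")],
    txt=["MS=ms12345678", "v=spf1 include:spf.protection.outlook.com -all"],
    cnames={"autodiscover": "autodiscover.outlook.com.",
            "enterpriseregistration": "enterpriseregistration.windows.net."},
)
SAMPLE_GWS = dict(
    mx=[(1, "aspmx.l.google.com.")],
    txt=["v=spf1 include:_spf.google.com ~all"],
    cnames={},
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(check_domain(target) if target else classify(**SAMPLE_M365))
```

    Run it with a domain argument for a live check, or with no argument to see the constructed sample classified. Note the caveat several commenters raise: a positive result shows a Microsoft 365 service footprint, not that the company uses Azure AD as its identity provider for anything beyond that.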

  • by wsjeffro on 10/1/22, 3:10 PM

    What I can’t understand is why Azure AD doesn’t have a stronger position in the consumer space. Authentication via Google, Apple, and even still Facebook are nearly always supported on customer-facing logins. I rarely see an option for Microsoft.

    They have a commanding position in the enterprise. What’s keeping them from crossing those enterprise boundaries?

  • by tluyben2 on 10/1/22, 1:40 PM

    I thought it would be 100%; everyone switched to AD after Novell. What the 16.6% are using is the interesting part.

  • by mberning on 10/1/22, 2:37 PM

    They have it in some capacity. Most places still have a very significant on-prem or self hosted instance of AD.

  • by unreal37 on 10/1/22, 1:49 PM

    Assuming the #1 Google result on page 1 of search is the company's public domain is a flaw.

    Some companies use a different domain for corporate use than their public domain name.

    Like fb.com

  • by OrvalWintermute on 10/1/22, 1:57 PM

    And still, in 2022, we don't have Azure AD replicating the full functionality of an on-premise AD.

  • by pid-1 on 10/1/22, 1:37 PM

    Which products are used by large companies that don't have an AAD / AD structure?

  • by chayesfss on 10/1/22, 1:39 PM

    I’d bet 100% have tenants but only some with names you know? Why wouldn’t they have a tenant, assess the technology and decide how to incorporate?

  • by idiocrat on 10/1/22, 1:47 PM

    So many eggs in a basket!

  • by petercooper on 10/1/22, 7:14 PM

    I know next to nothing about AD, but my company appears to match against this merely because we have an Office 365 account (from which we do nothing except download Word and Excel every now and then) so it doesn't necessarily mean you're using whatever it is much.

  • by ocdtrekkie on 10/1/22, 7:22 PM

    So, I don't see anyone pointing it out here: This doesn't mean they use Azure AD! If you use any Microsoft cloud services at all, you get a "shadow tenant". One employee signs into Teams for a meeting once and there you have Azure AD.

  • by kn8 on 10/1/22, 2:20 PM

    What is Azure AD used for?

  • by dan000892 on 10/1/22, 4:23 PM

    Presumably this is the same thing whatismytenantid.com does under the hood.

    Interesting (to me) is that the OpenID configuration endpoint provides the tenant ID for not only Commercial tenants but US Government (GCC & GCC-High) as well because the Azure AD portal has relatively new functionality to configure cross-tenant access settings by tenant ID or domain name but Gov tenants require you to obtain the tenant ID from the organization which is either security through obscurity or due to use of some Commercial-only Graph API call.
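
    The discovery-endpoint lookup the comment above refers to, as an added example (not the article's script, whatismytenantid.com's code, or anything posted in the thread). It fetches `https://login.microsoftonline.com/{domain}/.well-known/openid-configuration`, pulls the tenant GUID out of `token_endpoint`/`issuer` on a hit, and treats the `invalid_tenant` / AADSTS90002 error as "no tenant". The response bodies at the bottom are constructed to match that documented shape; the GUID and domain in them are made up.

```python
"""Check whether a domain is attached to an Azure AD tenant via the public
OpenID Connect discovery endpoint, and extract the tenant ID from the answer.

Added example, not the article's script. Sample responses are constructed.
"""
import json
import re
import sys
import urllib.error
import urllib.request

OPENID_URL = "https://login.microsoftonline.com/{}/.well-known/openid-configuration"
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def parse_openid_config(status, body):
    """Interpret one discovery response.

    200 -> tenant exists; the tenant GUID appears in token_endpoint / issuer.
    400 with error=invalid_tenant (AADSTS90002) -> no tenant for that domain.
    Anything else is reported as unknown (exists=None) rather than guessed.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return {"exists": None, "tenant_id": None, "region": None,
                "detail": f"HTTP {status}: non-JSON body"}
    if status == 200:
        m = (GUID_RE.search(data.get("token_endpoint", ""))
             or GUID_RE.search(data.get("issuer", "")))
        return {"exists": True,
                "tenant_id": m.group(0).lower() if m else None,
                "region": data.get("tenant_region_scope"),
                "detail": "tenant found"}
    desc = data.get("error_description", "")
    if data.get("error") == "invalid_tenant" or "AADSTS90002" in desc:
        return {"exists": False, "tenant_id": None, "region": None,
                "detail": desc[:80]}
    return {"exists": None, "tenant_id": None, "region": None,
            "detail": f"HTTP {status}: {desc[:80]}"}


def lookup_tenant(domain, timeout=10):
    """Live query. A positive answer only proves a tenant exists for the
    domain (a shadow tenant or SSO-only setup also counts), not that the
    company runs Azure AD as its identity provider."""
    req = urllib.request.Request(OPENID_URL.format(domain),
                                 headers={"User-Agent": "aad-tenant-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_openid_config(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        # The "not found" case is a 400, which urllib raises as HTTPError
        return parse_openid_config(err.code, err.read().decode("utf-8"))


# Constructed responses (not captured from Microsoft); GUID is made up.
FOUND_BODY = json.dumps({
    "token_endpoint": "https://login.microsoftonline.com/"
                      "a1b2c3d4-0000-4000-8000-000000000001/oauth2/token",
    "issuer": "https://sts.windows.net/a1b2c3d4-0000-4000-8000-000000000001/",
    "tenant_region_scope": "NA",
})
NOT_FOUND_BODY = json.dumps({
    "error": "invalid_tenant",
    "error_description": "AADSTS90002: Tenant 'example.invalid' not found.",
})

if __name__ == "__main__":
    for d in sys.argv[1:] or ["example.com"]:
        print(d, lookup_tenant(d))
```

    Feeding a CSV of domains through `lookup_tenant` reproduces the article's count; the unknown (`exists=None`) bucket is worth keeping separate so throttling or transient errors are not silently counted as "no tenant".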

  • by ZiiS on 10/1/22, 2:52 PM

    Bet nearly 100% have a fax machine too.

  • by altdataseller on 10/1/22, 7:48 PM

    So Okta (their main competitor) uses Azure AD https://login.microsoftonline.com/okta.com/.well-known/openi...

  • by simonw on 10/1/22, 8:15 PM

    I never thought about how the "I'm Feeling Lucky" button on Google can double as an API to return the URL of the first search result before. That's pretty neat.

  • by cloudking on 10/1/22, 5:14 PM

    I wrote a similar script once that took company domain names and then looked up their MX records to see if they were using Google Workspace.

  • by computerfriend on 10/1/22, 3:00 PM

    I genuinely don't know what AD is used for. If you need SSO, why not just use a SSO/SAML IdP?

  • by vondur on 10/1/22, 5:16 PM

    I’m assuming if you were a heavy user of on prem AD, then moving to Azure AD is a logical choice.

  • by parkingrift on 10/1/22, 2:54 PM

    Bundling is anticompetitive and illegal. The MS ecosystem deserves close antitrust scrutiny.

  • by sabujp on 10/1/22, 2:28 PM

    Even Apple's Business Manager is compatible with AD.

  • by not_enoch_wise on 10/1/22, 2:20 PM

    This is the answer to the question “why can’t we get rid of passwords?”