Find tenantId by domain name and vice versa by leveraging the Graph API

I’m back from vacation and catching up on stuff, including the Graph API changelog. One interesting bit that caught my attention was the addition of the tenantInformation resource type and two methods related to it, namely: findTenantInformationByDomainName and findTenantInformationByTenantId. The first method can be used to quickly find out whether a given domain is in use within Microsoft 365 and which organization it belongs to, along with the tenant ID. Similarly, you can use a previously obtained tenant ID value to fetch some basic information about the organization, including its display name and the default domain name. In other words you can use either method to fetch a tenantInformation object, with the following properties exposed:

Property Type Description
defaultDomainName String Primary domain name of an Azure AD tenant.
displayName String Display name of an Azure AD tenant.
federationBrandName String Name shown to users that sign in to an Azure AD tenant.
tenantId String Unique identifier of an Azure AD tenant.

Until now, it was possible to obtain similar data by querying the Azure AD metadata documents, which are all publicly available, being a public cloud service and all. Some third-party sites made the process quite simpler, but having an officially supported method (once it reaches GA) is of course appreciated. On the negative, you do need to have certain permissions assigned in order to query the relevant endpoints, which are in turn tied to user or application credentials. In other words, you do need to have a valid Azure AD tenant and cannot perform those queries “anonymously”.

Speaking of permissions, the documentation currently lists CrossTenantInformation.ReadBasic.All as the only supported one, in either the delegate or application permission model. You might be surprised to find out that the queries work with other permissions granted, for example Directory.AccessAsUser.All might also work, depending on the permissions the user you’re logged in with. But given the beta status, some uncertainty is to be expected.

Without further ado, here’s how to actually use the two endpoints. First, if we have the domain name, say office365itpros.com, we can use the /beta/tenantRelationships/findTenantInformationByDomainName endpoint to find the matching tenant. Here’s an example:

GET https://graph.microsoft.com/beta/tenantRelationships/findTenantInformationByDomainName(domainName='office365itpros.com')

 

The output will contain the tenant ID, the display name of the organization and the default domain name, which in this case is redmondassociates.org. Similarly, we can start from the tenant ID, and obtain the same data:

GET https://graph.microsoft.com/beta/tenantRelationships/findTenantInformationByTenantId(tenantId='b662313f-14fc-43a2-9a7a-d2e27f4f3478')

As expected, the exact same object data is returned. Before closing this article, it’s worth mentioning that the default domain name value does not represents the initial “service” domain you’re given when creating a new tenant, but the actual domain you’ve designated as default. In other words, you will only see the tenant.onmicrosoft.com domain in situations where the organization has not verified their vanity domain(s) and designated one of them as a default one.

This entry was posted in Azure AD, Graph API, Microsoft 365, Office 365. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.