The Invisible Front Door: Is Your Azure Tenant Talking Too Much? Part 1
EVERY Security Pro Should Know This About Azure AD — And So Should Every Defender.

(Save this. Share this. Your team needs it.)

Before a red teamer fires a single payload, before a penetration tester touches a login page — there's a quiet, invisible phase happening against your organisation right now.

It's called Azure AD Reconnaissance. And it starts with a single HTTP request.

 

━━━━━━━━━━━━━━━━━━━━━━━
WHY THIS MATTERS FOR DEFENDERS & IT TEAMS
━━━━━━━━━━━━━━━━━━━━━━━

 

Microsoft exposes a public, unauthenticated endpoint:

🔗 https://login.microsoftonline.com/getuserrealm.srf

You call it with a plain GET, passing an e-mail-style address in the login parameter and asking for JSON or XML, e.g. getuserrealm.srf?login=user@domain.com&json=1 (or &xml=1). Only the domain part of the address matters; the local part can be anything.

This endpoint was designed with a purpose: home realm discovery. It lets Microsoft clients (Outlook, Teams, Office apps) find out how a domain is configured so they can route authentication to the right place.

The NameSpaceType field in the response tells you:

  • MANAGED: the domain is cloud-only, and Azure AD / Entra ID authenticates passwords itself
  • FEDERATED: authentication is handed off to an external IdP (ADFS, Okta, Ping, etc.), and the response includes that IdP's AuthURL
  • UNKNOWN: the domain is not registered in any tenant

Alongside it you get the cloud instance (CloudInstanceName), the federation brand name (FederationBrandName) and the issuer URI (CloudInstanceIssuerUri).

 

Example, checking two domains with getuserrealm.srf?login=user@<domain>&json=1:

alichisom.com → NameSpaceType: Unknown (not registered in any tenant)
microsoft.com → NameSpaceType: Managed (a cloud-only Azure AD / Entra ID tenant)
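The lookup above, as an added example that is not code from the original post. It builds the getuserrealm.srf request, classifies the JSON response into Managed / Federated / Unknown, and pulls out the fields worth recording. It uses only the Python 3 standard library; the field names are the endpoint's real ones, but the sample bodies and the domains managed.example, federated.example and nowhere.example are constructed so the script runs offline (the injected fetch function replays them instead of going to the network).

```python
"""Home-realm discovery via getuserrealm.srf.

Added example, not code from the original post. Standard library only.
Field names match the JSON form of the endpoint (?json=1); the sample
bodies below are CONSTRUCTED for offline use, not captured responses.
"""
import json
import sys
import urllib.parse
import urllib.request

USERREALM_URL = "https://login.microsoftonline.com/getuserrealm.srf"


def build_userrealm_url(domain: str, local_part: str = "user") -> str:
    """The endpoint keys only on the domain of 'login', so any local part works."""
    query = urllib.parse.urlencode({"login": f"{local_part}@{domain}", "json": "1"})
    return f"{USERREALM_URL}?{query}"


def classify_realm(body: str) -> dict:
    """Reduce a getuserrealm.srf JSON body to what a recon report needs."""
    data = json.loads(body)
    ns = data.get("NameSpaceType", "Unknown")
    out = {"namespace": ns, "domain": data.get("DomainName")}
    if ns == "Managed":
        # Cloud-only tenant: passwords are checked at login.microsoftonline.com itself.
        out["brand"] = data.get("FederationBrandName")
        out["cloud"] = data.get("CloudInstanceName")
    elif ns == "Federated":
        # Authentication is redirected to the customer's own IdP (ADFS, Okta, Ping...).
        out["brand"] = data.get("FederationBrandName")
        out["auth_url"] = data.get("AuthURL")
    # "Unknown": the domain is not registered in any tenant; nothing more to learn here.
    return out


def lookup_realm(domain: str, fetch=None) -> dict:
    """Query the realm for one domain; 'fetch' is injectable for offline replay."""
    if fetch is None:
        def fetch(url):
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.read().decode("utf-8")
    return classify_realm(fetch(build_userrealm_url(domain)))


# Constructed sample bodies (shape only), keyed by the URL the builder produces.
SAMPLES = {
    build_userrealm_url("managed.example"): json.dumps({
        "Login": "user@managed.example",
        "NameSpaceType": "Managed", "DomainName": "managed.example",
        "FederationBrandName": "Managed Example Ltd",
        "CloudInstanceName": "microsoftonline.com",
        "CloudInstanceIssuerUri": "urn:federation:MicrosoftOnline"}),
    build_userrealm_url("federated.example"): json.dumps({
        "Login": "user@federated.example",
        "NameSpaceType": "Federated", "DomainName": "federated.example",
        "FederationBrandName": "Federated Example plc",
        "AuthURL": "https://adfs.federated.example/adfs/ls/?wa=wsignin1.0",
        "CloudInstanceName": "microsoftonline.com",
        "CloudInstanceIssuerUri": "urn:federation:MicrosoftOnline"}),
    build_userrealm_url("nowhere.example"): json.dumps({
        "Login": "user@nowhere.example",
        "NameSpaceType": "Unknown"}),
}


def offline_fetch(url: str) -> str:
    """Stand-in for the network call so the example runs without internet."""
    return SAMPLES[url]


if __name__ == "__main__":
    # With domains on the command line the script goes live; otherwise it replays the samples.
    live = bool(sys.argv[1:])
    domains = sys.argv[1:] or ["managed.example", "federated.example", "nowhere.example"]
    for d in domains:
        print(d, "->", lookup_realm(d, None if live else offline_fetch))
```

Run it with no arguments to see the three constructed cases, or pass real domains to query the live endpoint. The AuthURL of a federated domain is the part worth keeping: it names the on-premises or third-party IdP that the rest of the assessment will have to look at.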

 

For an IT admin, this is gold:

  • Verify your own tenant is correctly configured
  • Confirm federation is set up as expected
  • Audit third-party domains before B2B collaboration
  • Validate SSO configurations in hybrid environments

For a security engineer, this is your first stop in attack surface mapping.

 

━━━━━━━━━━━━━━━━━━━━━━━
TAKING IT FURTHER — User Enumeration (The Legitimate Use Case)
━━━━━━━━━━━━━━━━━━━━━━━

 

Once you confirm a domain is Azure AD Managed, Microsoft exposes ANOTHER unauthenticated endpoint:

🔗 https://login.microsoftonline.com/common/GetCredentialType

Send a POST request with a JSON body of the form {"Username": "someone@company.com"} (Content-Type: application/json) and the API returns an IfExistsResult value:

  • 0 = The account EXISTS ✅
  • 1 = The account does NOT exist ❌
  • 5 = The account exists, but in a different identity provider (for example a personal Microsoft account)
  • 6 = The account exists in both

The response also carries a ThrottleStatus field. When it is 1, Microsoft has throttled you and the IfExistsResult in that response cannot be trusted.

 

Legitimate uses:

  • IT admins validating which accounts exist in a tenant
  • Security teams running internal audits of deprovisioned users
  • Pen testers scoping an authorised engagement
  • Red teams simulating realistic adversary behaviour — with permission

This is the foundation of identity attack surface assessment. Knowing which accounts exist is step zero in understanding your exposure.

 

BUT HERE'S WHERE IT GETS DANGEROUS.

The endpoint is throttled, but the threshold is not documented (the ~100 requests per session quoted in this series is an observed figure, not a published limit), and a throttled response is flagged with ThrottleStatus rather than refused outright. That is a soft guardrail, not a wall: slow down and carry on. Microsoft has long treated this behaviour as by design, so there is no tenant-side setting that switches it off.

With a simple script, a wordlist of likely usernames (firstname.lastname@company.com, plus whatever other convention the organisation uses), and some patience, a large share of a tenant's accounts can be confirmed.
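The enumeration loop described above, as an added example that is not code from the original post. It POSTs the real request shape to GetCredentialType, decodes IfExistsResult, and treats a ThrottleStatus of 1 as "retry later" rather than "user absent", which is the mistake a naive script makes. Standard library only; the names, the domain corp.example and the canned responses are constructed so the script runs offline (the injected post function replays them), and john.doe@corp.example is rigged to be throttled on its first attempt.

```python
"""Username enumeration via GetCredentialType, with throttle handling.

Added example, not code from the original post. Standard library only.
The request shape (POST JSON {"Username": ...}) and the IfExistsResult /
ThrottleStatus fields are the endpoint's real ones; the canned responses,
names and domain below are CONSTRUCTED so the example runs offline.
"""
import itertools
import json
import time
import urllib.request

CREDTYPE_URL = "https://login.microsoftonline.com/common/GetCredentialType"

# IfExistsResult values as returned by the endpoint.
IF_EXISTS = {
    0: "exists",
    1: "does not exist",
    5: "exists (different IdP)",
    6: "exists (both Entra ID and personal account)",
}


def check_user(username: str, post=None) -> dict:
    """POST one username; return the decoded verdict plus the throttle flag."""
    if post is None:
        def post(url, body):
            req = urllib.request.Request(url, data=body, method="POST",
                                         headers={"Content-Type": "application/json"})
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode("utf-8")
    body = json.dumps({"Username": username}).encode("utf-8")
    data = json.loads(post(CREDTYPE_URL, body))
    code = data.get("IfExistsResult")
    throttled = data.get("ThrottleStatus", 0) == 1
    verdict = "unreliable (throttled)" if throttled else IF_EXISTS.get(code, f"unknown code {code}")
    return {"username": username, "code": code, "verdict": verdict, "throttled": throttled}


def candidate_logins(first_names, last_names, domain):
    """firstname.lastname@domain, the naming convention the post describes."""
    for first, last in itertools.product(first_names, last_names):
        yield f"{first}.{last}@{domain}".lower()


def enumerate_users(logins, post=None, delay=1.0, max_retries=3, sleep=time.sleep):
    """Walk the candidates, pausing between requests and backing off when throttled.

    A throttled response carries no usable IfExistsResult, so the same username
    is retried after a longer pause instead of being recorded as absent.
    """
    found, unresolved = [], []
    for login in logins:
        for attempt in range(max_retries):
            r = check_user(login, post)
            if not r["throttled"]:
                if r["code"] in (0, 5, 6):   # any "exists" variant counts
                    found.append(login)
                break
            sleep(delay * (2 ** (attempt + 1)))   # exponential back-off on throttle
        else:
            unresolved.append(login)   # still throttled after max_retries
        sleep(delay)
    return found, unresolved


# ---- constructed offline responses -----------------------------------------
CANNED = {
    "jane.doe@corp.example": {"IfExistsResult": 0, "ThrottleStatus": 0},
    "jane.smith@corp.example": {"IfExistsResult": 5, "ThrottleStatus": 0},
    "john.smith@corp.example": {"IfExistsResult": 1, "ThrottleStatus": 0},
}
THROTTLE_PENDING = set()   # usernames whose next call is answered with ThrottleStatus 1


def offline_post(url, body):
    """Stand-in for the network call; replays the canned responses above."""
    user = json.loads(body)["Username"]
    if user in THROTTLE_PENDING:
        THROTTLE_PENDING.discard(user)
        return json.dumps({"IfExistsResult": 1, "ThrottleStatus": 1})
    return json.dumps(CANNED.get(user, {"IfExistsResult": 1, "ThrottleStatus": 0}))


def demo():
    """Offline run: john.doe is throttled once, retried, and correctly reported absent."""
    THROTTLE_PENDING.add("john.doe@corp.example")
    logins = candidate_logins(["jane", "john"], ["doe", "smith"], "corp.example")
    return enumerate_users(logins, post=offline_post, delay=0, sleep=lambda s: None)


if __name__ == "__main__":
    print(demo())   # (['jane.doe@corp.example', 'jane.smith@corp.example'], [])
```

Pass post=None and a real delay to run it against the live endpoint on an authorised engagement. Keeping the back-off and the unresolved list separate from the "not found" verdict is what makes the output trustworthy: a throttled batch silently recorded as absent is the classic false negative in this kind of sweep.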

 

PART 2 COMING NEXT 👇

How threat actors, APT groups, and red teamers weaponise exactly this — and what your organisation MUST do to detect and defend against it.

2 min read
Mar 25, 2026
By Ali Chisom