Why You Might Need to Know Your Tenant Id
Every Microsoft 365 tenant is identified by a GUID, a globally unique identifier, which looks something like abf988bf-86f1-41af-91ab-2d7cd011db46. Applications use the tenant identifier to know which organization data belongs to. Occasionally, administrators need to know the identifier too:
- Microsoft support might ask for the tenant identifier as part of the information gathered for a support incident.
- If you participate in a test of new functionality, the Microsoft engineering group responsible for the feature will need the tenant identifier to enable (or “flight”) the software.
- Apps registered in Azure AD which use the Graph APIs to access tenant data must pass the tenant identifier along with the app identifier and app secret when requesting an access token. The combination of the three pieces of data allows Azure AD to grant the necessary token.
Applications like Teams include the tenant identifier in the links used to identify data. For instance, the deeplink used for a Teams meeting contains the tenant identifier.
Available to Allow Apps to Authenticate
Tenant identifiers are exposed publicly. If they were not, applications based on the Graph APIs or any others using OAuth 2.0 could not connect to a tenant. These apps use OpenID Connect, described by MVP Curtis Johnstone as “a simple identity layer that sits on top of OAuth 2.0. For Office 365 there is an OpenID Connect metadata document for each tenant which contains more of the information required for apps to perform sign-ins (including the tenant id).”
For instance, an app can find the information for Microsoft’s own tenant at https://login.microsoftonline.com/microsoft.com/.well-known/openid-configuration (Figure 1). Apps can fetch this information to receive the necessary data needed to navigate the OAuth 2.0 authentication process.
Finding the Tenant Identifier
Several methods exist to find the tenant identifier within Microsoft 365. Here are the most common, starting with PowerShell.
When you connect to Azure AD with PowerShell, the response contains tenant information, including the identifier.
Connect-AzureAD Account Environment TenantId TenantDomain ------- ----------- -------- Administrator@xxx.com AzureCloud a462313f-14fc-43a2-9a7a-d2e27f4f3478 xxxxxxxx.com
Much the same happens when connecting to Microsoft Teams with PowerShell. Again, the connection responds with tenant information with the tenant identifier shown for both the tenant name and identifier!
Connect-MicrosoftTeams Account Environment Tenant TenantId ------- ----------- ------ -------- Administrator@xxx.com AzureCloud a462313f-14fc-43a2-9a7a-d2e27f4f3478 a462313f-14fc-43a2-
If you have a PowerShell session connected to Azure AD, you can run the Get-AzureADTenantDetail cmdlet. This is the method I typically use.
Get-AzureADTenantDetail ObjectId DisplayName VerifiedDomain -------- ----------- -------------- A462313f-14fc-43a2-9a7a-d2e27f4f3478 Office 365 for IT Pros Office365ITPros.com
The Overview page of the Azure AD portal includes the tenant identifier and has the useful ability to copy the identifier to the clipboard (Figure 2).
ShareGate is an ISV specializing in SharePoint Online solutions. It offers a service at WhatIsMyTenantId.com which allows people to input a domain name, and have it checked to see if a matching Microsoft 365 tenant is found. Figure 3 shows the result after checking for Quest.com. Remember, the tenant information is public!
I don’t ever use WhatIsMyTenantId.com, but I’m sure others do, especially when you have a bunch of tenants to manage.
The detail makes the difference. Learn about the detail of managing your tenant by subscribing to the Office 365 for IT Pros eBook. Updated monthly to include those changing details which make all the difference…