Table of Contents
Resolving Tenant Identifiers
Every Microsoft 365 tenant has a unique identifier (a GUID) that’s used within the Entra ID ecosystem to identify the tenant and its objects. This post is an update for a previous article published three years ago. Much has changed in the intervening period, including a renaming of Azure AD to be Entra ID and the introduction of new Graph APIs to resolve tenant identifiers in different ways.
The tenant identifier is used in many places, such as to identify the tenant to connect a Microsoft Graph PowerShell SDK to:
Connect-MgGraph -TenantId "72f988bf-86f1-41af-91ab-2d7cd011db47"
The identifier for your tenant is available in the Overview section of the Entra admin center (Figure 1). Usefully, you can copy the value from the admin center and keep it for other purposes.
To find the identifier for your tenant with PowerShell, run the Get-MgOrganization cmdlet after connecting to the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes Organization.Read.All -NoWelcome Get-MgOrganization | Format-List Id, DisplayName Id : a662313f-14fc-43a2-9a7a-d2e27f4f3478 DisplayName : Office 365 for IT Pros
The responses for many Graph requests and PowerShell cmdlets return the GUID identifying the tenant. Usually, the tenant identifier points to your own tenant, and you’ll recognize it. Sometimes APIs return identifiers from other tenants. For instance, the Get-AssociatedTeam cmdlet from the Microsoft Teams module includes the identifier for external tenants that host shared channels that users have direct membership in. This is why it’s useful to resolve tenant identifiers programmatically.
Resolving a Tenant Identifier GUID
It’s useful to be able to resolve the GUID for a tenant identifier and find the display name. For example, few people will recognize 72f988bf-86f1-41af-91ab-2d7cd011db47, but most will understand “Microsoft.”
To resolve a tenant identifier, use the findTenantInformationByTenantId Graph API to look up the tenant information published on the internet. There doesn’t seem to be a cmdlet in the latest version of the Microsoft Graph PowerShell SDK, so it’s necessary to use the Invoke-MgGraphRequest cmdlet. This example takes a tenant identifier and calls the API to return the tenant information. The code then extracts the tenant display name from the information to use for reporting or other purposes.
$LookUpId = $TenantId.toString()
$Uri = ("https://graph.microsoft.com/V1.0/tenantRelationships/findTenantInformationByTenantId(tenantId='{0}')" -f $LookUpId)
$ExternalTenantData = Invoke-MgGraphRequest -Uri $Uri -Method Get
$ExternalTenantName = $ExternalTenantData.displayName
Write-Host ("The tenant with identifier {0} is {1}" -f $LookupId, $ExternalTenantName)
Resolving a Tenant Display Name to the Tenant Identifier
To do the reverse and find the tenant identifier for a Microsoft 365 tenant using its domain name, use the findTenantInformationByDomainName API. The code is similar to resolving a tenant name by identifier:
$Domain = Read-Host "What domain should I lookup"
$Uri = ("https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByDomainName(domainName='{0}')" -f $Domain)
[array]$DomainData = Invoke-MgGraphRequest -Uri $Uri -Method Get -ErrorAction SilentlyContinue
If (!($DomainData)) {
Write-Host ("Whoops - can't find a Microsoft 365 tenant for {0}" -f $Domain)
} Else {
Write-Host ("The tenant id for {0} is {1}" -f $DomainData.displayName, $DomainData.tenantId)
}
What domain should I lookup: Microsoft.com
The tenant id for Microsoft is 72f988bf-86f1-41af-91ab-2d7cd011db47
Both examples use the tenantRelationships Graph API to lookup tenant information by identifier or name. To gain access, the calling app (such as the Microsoft Graph PowerShell SDK) must have consent for the CrossTenantInformation.ReadBasic.All Graph permission.
The Graph APIs are relatively recent. It’s also possible to use the federationProvider web API to read the published information about tenants from the internet. Because this API is not part of the Graph APIs, use the Invoke-RestMethod cmdlet instead of Invoke-MgGraphRequest. For example:
$Domain = Read-Host "What domain should I lookup"
$Uri = ("https://odc.officeapps.live.com/odc/v2.1/federationProvider?domain={0}" -f $domain)
$DomainId = Invoke-RestMethod -UseBasicParsing -Uri $Uri | Select-Object -ExpandProperty TenantId -ErrorAction SilentlyContinue
This is the approach used by websites like What is My Tenant Identifer (a ShareGate property – Figure 2).
Knowing Tenant Identifiers is a Good Thing
GUIDs are difficult to remember, and I don’t bother trying. When I think about the number of times I have had to find a tenant identifier over the years, the amount must be in the hundreds. Being able to find a tenant identifier without reverting to the Entra admin center is a good skill to have, especially if you want to use the information in a script.
Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.