Query Details
//This query will return the tenant ID for a domain. This has little use-case today but if externaldata allowed variables then this could be quite useful as a function
let OIDC = externaldata(token_endpoint: string)["https://login.microsoftonline.com/google.com/.well-known/openid-configuration"] with (format="csv", ignoreFirstRecord=False); //replace "google.com" with the domain you want to look up
OIDC
| extend TenantID = replace_string(replace_string(token_endpoint,"{\"token_endpoint\":\"https://login.microsoftonline.com/",""),"/oauth2/token\"","")
| project-away token_endpoint
This query is designed to extract the tenant ID associated with a specific domain using Microsoft's OpenID Connect configuration. Here's a simplified breakdown:
Data Retrieval: The query uses the externaldata operator to fetch OpenID Connect configuration data from a specified URL. In this case, it's fetching data related to the domain "google.com". You can replace "google.com" with any domain you want to investigate.
Data Processing: The extend operator is used to create a new column called TenantID. The tenant ID is taken from the token_endpoint URL by removing unnecessary parts of the string. This is done using the replace_string function twice to clean up the URL and isolate the tenant ID.
Data Presentation: The project-away operator is used to remove the original token_endpoint column from the output, leaving only the TenantID.
In summary, this query extracts and displays the tenant ID for a specified domain by processing data from Microsoft's OpenID Connect configuration endpoint.
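The two replace_string calls only produce a clean ID when the field has exactly the expected prefix and suffix. The following is an added example, not part of the original query: it runs the original extraction beside a GUID-anchored extract() over constructed rows, so the difference is visible offline. The sample domains, the placeholder GUID and the SampleRows, Original, TenantID and Resolved names are assumptions made for the illustration, and the second row assumes a discovery document whose token endpoint ends in /oauth2/v2.0/token.

```kql
// Constructed sample rows. Each token_endpoint value mimics the first CSV field
// that externaldata returns for the discovery document (the JSON is cut at the first comma).
// The GUID is a made-up placeholder, not a real tenant.
let SampleRows = datatable(Domain: string, token_endpoint: string)
[
    "example.com", @'{"token_endpoint":"https://login.microsoftonline.com/00000000-1111-2222-3333-444444444444/oauth2/token"',
    "example.org", @'{"token_endpoint":"https://login.microsoftonline.com/00000000-1111-2222-3333-444444444444/oauth2/v2.0/token"',
    "example.net", @'{"error":"constructed_non_matching_row"'
];
SampleRows
// Original approach from the query above: strip a fixed prefix and a fixed suffix.
| extend Original = replace_string(replace_string(token_endpoint, "{\"token_endpoint\":\"https://login.microsoftonline.com/", ""), "/oauth2/token\"", "")
// Alternative: capture only a GUID that directly follows the login host.
| extend TenantID = extract(@"login\.microsoftonline\.com/([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})/", 1, token_endpoint)
// Rows with no GUID yield an empty TenantID instead of leftover JSON text.
| extend Resolved = isnotempty(TenantID)
| project Domain, Original, TenantID, Resolved
```

For the second and third rows the Original column still contains URL or JSON fragments, while TenantID is either the bare GUID or empty, which makes it safe to filter on Resolved before joining the result to other tables.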

Jay Kerai
Released: November 11, 2024