Resolving Tenant Identifiers

Every Microsoft 365 tenant has a unique identifier (a GUID) that’s used within the Entra ID ecosystem to identify the tenant and its objects. This post is an update for a previous article published three years ago. Much has changed in the intervening period, including a renaming of Azure AD to be Entra ID and the introduction of new Graph APIs to resolve tenant identifiers in different ways.

The tenant identifier is used in many places, such as to identify the tenant to connect a Microsoft Graph PowerShell SDK to:

Connect-MgGraph -TenantId "72f988bf-86f1-41af-91ab-2d7cd011db47"

The identifier for your tenant is available in the Overview section of the Entra admin center (Figure 1). Usefully, you can copy the value from the admin center and keep it for other purposes.

To find the identifier for your tenant with PowerShell, run the Get-MgOrganization cmdlet after connecting to the Microsoft Graph PowerShell SDK.

Connect-MgGraph -Scopes Organization.Read.All -NoWelcome
Get-MgOrganization | Format-List Id, DisplayName

Id          : a662313f-14fc-43a2-9a7a-d2e27f4f3478
DisplayName : Office 365 for IT Pros

The responses for many Graph requests and PowerShell cmdlets return the GUID identifying the tenant. Usually, the tenant identifier points to your own tenant, and you’ll recognize it. Sometimes APIs return identifiers from other tenants. For instance, the Get-AssociatedTeam cmdlet from the Microsoft Teams module includes the identifier for external tenants that host shared channels that users have direct membership in. This is why it’s useful to resolve tenant identifiers programmatically.

Resolving a Tenant Identifier GUID

It’s useful to be able to resolve the GUID for a tenant identifier and find the display name. For example, few people will recognize 72f988bf-86f1-41af-91ab-2d7cd011db47, but most will understand “Microsoft.”

To resolve a tenant identifier, use the findTenantInformationByTenantId Graph API to look up the tenant information published on the internet. There doesn’t seem to be a cmdlet in the latest version of the Microsoft Graph PowerShell SDK, so it’s necessary to use the Invoke-MgGraphRequest cmdlet. This example takes a tenant identifier and calls the API to return the tenant information. The code then extracts the tenant display name from the information to use for reporting or other purposes.

$LookUpId = $TenantId.toString()
$Uri = ("https://graph.microsoft.com/V1.0/tenantRelationships/findTenantInformationByTenantId(tenantId='{0}')" -f $LookUpId)
$ExternalTenantData = Invoke-MgGraphRequest -Uri $Uri -Method Get
$ExternalTenantName = $ExternalTenantData.displayName
Write-Host ("The tenant with identifier {0} is {1}" -f $LookupId, $ExternalTenantName)

Resolving a Tenant Display Name to the Tenant Identifier

To do the reverse and find the tenant identifier for a Microsoft 365 tenant using its domain name, use the findTenantInformationByDomainName API. The code is similar to resolving a tenant name by identifier:

$Domain = Read-Host "What domain should I lookup"
$Uri = ("https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByDomainName(domainName='{0}')" -f $Domain) 
[array]$DomainData = Invoke-MgGraphRequest -Uri $Uri -Method Get -ErrorAction SilentlyContinue
If (!($DomainData)) {
    Write-Host ("Whoops - can't find a Microsoft 365 tenant for {0}" -f $Domain)
} Else {
    Write-Host ("The tenant id for {0} is {1}" -f $DomainData.displayName, $DomainData.tenantId)
}
What domain should I lookup: Microsoft.com
The tenant id for Microsoft is 72f988bf-86f1-41af-91ab-2d7cd011db47

Both examples use the tenantRelationships Graph API to lookup tenant information by identifier or name. To gain access, the calling app (such as the Microsoft Graph PowerShell SDK) must have consent for the CrossTenantInformation.ReadBasic.All Graph permission.

The Graph APIs are relatively recent. It’s also possible to use the federationProvider web API to read the published information about tenants from the internet. Because this API is not part of the Graph APIs, use the Invoke-RestMethod cmdlet instead of Invoke-MgGraphRequest. For example:

$Domain = Read-Host "What domain should I lookup"
$Uri = ("https://odc.officeapps.live.com/odc/v2.1/federationProvider?domain={0}" -f $domain)
$DomainId = Invoke-RestMethod -UseBasicParsing -Uri $Uri | Select-Object -ExpandProperty TenantId -ErrorAction SilentlyContinue

This is the approach used by websites like What is My Tenant Identifer (a ShareGate property – Figure 2).

Knowing Tenant Identifiers is a Good Thing

GUIDs are difficult to remember, and I don’t bother trying. When I think about the number of times I have had to find a tenant identifier over the years, the amount must be in the hundreds. Being able to find a tenant identifier without reverting to the Entra admin center is a good skill to have, especially if you want to use the information in a script.

Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

Why You Might Need to Know Your Microsoft 365 Tenant Identifier

Every Microsoft 365 tenant is identified by a GUID, a globally unique identifier, which looks something like abf988bf-86f1-41af-91ab-2d7cd011db46. Applications use the tenant identifier to know which organization data belongs to. Occasionally, administrators need to know the identifier too:

• Microsoft support might ask for the tenant identifier as part of the information gathered for a support incident.
• If you participate in a test of new functionality, the Microsoft engineering group responsible for the feature will need the tenant identifier to enable (or “flight”) the software.
• Apps registered in Azure AD which use the Graph APIs to access tenant data must pass the tenant identifier along with the app identifier and app secret when requesting an access token. The combination of the three pieces of data allows Azure AD to grant the necessary token.

Applications like Teams include the tenant identifier in the links used to identify data. For instance, the deeplink used for a Teams meeting contains the tenant identifier.

Available to Allow Apps to Authenticate

Tenant identifiers are exposed publicly. If they were not, applications based on the Graph APIs or any others using OAuth 2.0 could not connect to a tenant. These apps use OpenID Connect, described by MVP Curtis Johnstone as “a simple identity layer that sits on top of OAuth 2.0. For Office 365 there is an OpenID Connect metadata document for each tenant which contains more of the information required for apps to perform sign-ins (including the tenant id).”

For instance, an app can find the information for Microsoft’s own tenant at https://login.microsoftonline.com/microsoft.com/.well-known/openid-configuration (Figure 1). Apps can fetch this information to receive the necessary data needed to navigate the OAuth 2.0 authentication process.

Finding the Tenant Identifier

Several methods exist to find the tenant identifier within Microsoft 365. Here are the most common, starting with PowerShell.

When you connect to Azure AD with PowerShell, the response contains tenant information, including the identifier.

Connect-AzureAD

Account               Environment TenantId                            TenantDomain    
-------               ----------- --------                            
Administrator@xxx.com AzureCloud  a462313f-14fc-43a2-9a7a-d2e27f4f3478 xxxxxxxx.com 

Microsoft intends to deprecate the Azure AD module in June 2023. The equivalent cmdlet in the Microsoft Graph PowerShell SDK is Get-MgOrganization:

Get-MgOrganization | Select Id, DisplayName

Id                                   DisplayName
--                                   -----------
a462313f-14fc-43a2-9a7a-d2e27f4f3478 Office 365 for IT Pros

Much the same happens when connecting to Microsoft Teams with PowerShell. Again, the connection responds with tenant information with the tenant identifier shown for both the tenant name and identifier!

Connect-MicrosoftTeams

Account               Environment Tenant                               TenantId
-------               ----------- ------                               --------
Administrator@xxx.com AzureCloud  a462313f-14fc-43a2-9a7a-d2e27f4f3478 a462313f-14fc-43a2-

If you have a PowerShell session connected to Azure AD, you can run the Get-AzureADTenantDetail cmdlet. This is the method I typically use.

Get-AzureADTenantDetail

ObjectId                             DisplayName               VerifiedDomain
--------                             -----------               --------------
A462313f-14fc-43a2-9a7a-d2e27f4f3478 Office 365 for IT Pros    Office365ITPros.com

The Overview page of the Azure AD portal includes the tenant identifier and has the useful ability to copy the identifier to the clipboard (Figure 2).

Azure Where’s My Tenant

Azure operates a service to lookup using a tenant (Figure 3) to find details of a domain belonging to an Azure AD tenant (Figure 3). You can also input the Microsoft 365 tenant identifier.

ShareGate’s Service

ShareGate is an ISV specializing in SharePoint Online solutions. It offers a similar service to the Azure lookup at WhatIsMyTenantId.com. Figure 4 shows the result after checking for Quest.com. Remember, the tenant information is public!

I don’t ever use WhatIsMyTenantId.com, but I’m sure others do, especially when you have a bunch of tenants to manage.

The detail makes the difference. Learn about the detail of managing your tenant by subscribing to the Office 365 for IT Pros eBook. Updated monthly to include those changing details which make all the difference…