Outbound AAD B2B Discovery

What is AAD B2B and why should I use it?

Before we get into the specific problem and its solution, I would like to give a short intro to B2B, imho one of the most powerful features of AAD. It enables collaboration across company boundaries and gives external users access to the apps connected to my tenant. Guests are usually invited by users or administrators and have their own lifecycle that needs to be managed.

Inbound B2B means that there are guests / externals in my tenant working on my resources.

For guests in my tenant, I have good options for control.

Outbound B2B means that users from my tenant work on resources in other tenants and are guests there.

Unfortunately, it is not yet possible to see in which remote tenants a user is a guest, nor to control whether, and in which tenants, a user can become a guest. Additionally, none of the control options for inbound guests described above apply to this scenario.

Why do you want to know / control outbound B2B anyway?

Personally, I don’t think it’s a good idea to restrict outbound B2B, as that will only lead to more accounts and more shadow IT (but I’m sure there are other opinions 😉 )

Evaluation of the sign-in logs

To find out in which tenants my users are active, I started with the sign-in logs and was very happy about the new fields HomeTenantId and ResourceTenantId. Every sign-in whose resource tenant differs from the user's home tenant is an outbound B2B sign-in:

SigninLogs
| where ResourceTenantId != HomeTenantId
| distinct UserPrincipalName, ResourceTenantId

Tenant Names and IDs

The result of my query is a long list of tenant IDs. Each tenant, i.e. each Azure Active Directory, has a globally unique tenant ID. For your own tenant there are several easy ways to determine it, for example on the overview page of Azure AD in the portal or via PowerShell.

How can I do this for third-party tenants?

As I wrote in the introduction, my trigger was a review of a tenant that was to be replaced. This was a so-called unmanaged tenant, not created by IT but by the users themselves. Such a tenant can come into existence in the following situations:

  • Test licenses
  • Invitation to another tenant (or sharing)

Such a tenant has no Log Analytics workspace, so the query above cannot be run there directly. Instead, the evaluation was done in three steps:

  1. Export of the sign-in logs via the portal GUI as JSON
  2. Import into Azure Data Explorer
  3. Evaluation via KQL

Deeplinks and Tenant Branding

With a long list of tenant IDs I started asking around if anyone had any ideas how to find out which tenants are behind them. Fortunately, Jos Lieben got in touch relatively quickly on Twitter and recommended a Powershell snippet by John Seerden. He showed me that it is possible to call the deep link to the login page of a tenant with the tenant id. It looks like this:

https://login.microsoftonline.com/<resourceTenantId>/oauth2/authorize?client_id=12345

The client_id does not have to exist; the login page rendered for the tenant shows its branding, which is usually enough to identify the organization behind the ID. Against the table imported into Azure Data Explorer (named XXSignIns here; note the camelCase column names of the JSON export), the link can be generated for every resource tenant, sorted by the number of distinct users:

XXSignIns
| where resourceTenantId != homeTenantId
| distinct userPrincipalName, resourceTenantId
| summarize count() by resourceTenantId
| extend link = strcat("https://login.microsoftonline.com/", resourceTenantId, "/oauth2/authorize?client_id=12345")
| order by count_ desc
| project-reorder count_, resourceTenantId, link
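The same evaluation carried out offline in Python, as an added example that is not part of the original post: it reproduces the KQL logic (filter cross-tenant sign-ins, count distinct users per resource tenant, build the login deep link) over an exported sign-in JSON, so the check works without Log Analytics or Azure Data Explorer. Assumptions: the export uses the camelCase field names of the Graph signIn resource (userPrincipalName, homeTenantId, resourceTenantId), and the records embedded below are constructed sample data with made-up tenant IDs. It also handles two things the KQL does not: mixed-case GUIDs and older records without a homeTenantId, and it validates a tenant ID before placing it into a URL.

```python
"""Offline evaluation of an exported Azure AD sign-in log (JSON).

Added example, not code from the original post. Field names follow the
camelCase Graph signIn resource (assumption); sample data is constructed.
"""
import json
import re
from collections import defaultdict

# Constructed sample export. Tenant IDs are made up and refer to no real tenant.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
FOREIGN_A = "22222222-2222-2222-2222-222222222222"
FOREIGN_B = "33333333-3333-3333-3333-333333333333"
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "homeTenantId": HOME_TENANT,
     "resourceTenantId": HOME_TENANT, "resourceDisplayName": "Office 365 SharePoint Online"},
    {"userPrincipalName": "alice@contoso.example", "homeTenantId": HOME_TENANT,
     "resourceTenantId": FOREIGN_A, "resourceDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "alice@contoso.example", "homeTenantId": HOME_TENANT,
     "resourceTenantId": FOREIGN_A, "resourceDisplayName": "Office 365 SharePoint Online"},
    {"userPrincipalName": "bob@contoso.example", "homeTenantId": HOME_TENANT,
     "resourceTenantId": FOREIGN_A, "resourceDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "bob@contoso.example", "homeTenantId": HOME_TENANT,
     "resourceTenantId": FOREIGN_B, "resourceDisplayName": "Azure Portal"},
    # Upper-case GUID, as some tools emit them: must still compare equal to HOME_TENANT.
    {"userPrincipalName": "carol@contoso.example", "homeTenantId": HOME_TENANT.upper(),
     "resourceTenantId": HOME_TENANT, "resourceDisplayName": "Azure Portal"},
    # Older record without the homeTenantId field: cannot be classified, so it is skipped.
    {"userPrincipalName": "dave@contoso.example",
     "resourceTenantId": FOREIGN_B, "resourceDisplayName": "Azure Portal"},
])

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def normalize_guid(value):
    """Return the GUID lower-cased, or None if it is missing or not a GUID."""
    if not isinstance(value, str):
        return None
    value = value.strip().lower()
    return value if GUID_RE.match(value) else None


def cross_tenant_signins(records):
    """Sign-ins whose resource tenant differs from the user's home tenant
    (the equivalent of `where resourceTenantId != homeTenantId`).
    Records lacking either tenant ID are skipped rather than guessed."""
    result = []
    for r in records:
        home = normalize_guid(r.get("homeTenantId"))
        resource = normalize_guid(r.get("resourceTenantId"))
        if home is None or resource is None:
            continue
        if home != resource:
            result.append({"userPrincipalName": r.get("userPrincipalName"),
                           "resourceTenantId": resource})
    return result


def tenant_login_link(tenant_id, client_id="12345"):
    """Deep link to the tenant's sign-in page as used in the post; the page
    renders the tenant's branding. Only a validated GUID goes into the URL."""
    tid = normalize_guid(tenant_id)
    if tid is None:
        raise ValueError(f"not a tenant ID: {tenant_id!r}")
    return f"https://login.microsoftonline.com/{tid}/oauth2/authorize?client_id={client_id}"


def summarize_by_resource_tenant(records):
    """Distinct users per foreign resource tenant, most-used tenant first,
    each row with its deep link (mirrors `distinct` + `summarize count()`)."""
    users = defaultdict(set)
    for s in cross_tenant_signins(records):
        users[s["resourceTenantId"]].add(s["userPrincipalName"])
    rows = [{"resourceTenantId": tid, "count": len(u), "link": tenant_login_link(tid)}
            for tid, u in users.items()]
    return sorted(rows, key=lambda row: (-row["count"], row["resourceTenantId"]))


if __name__ == "__main__":
    for row in summarize_by_resource_tenant(json.loads(SAMPLE_EXPORT)):
        print(f'{row["count"]:>3}  {row["resourceTenantId"]}  {row["link"]}')
```

Run against a real export, replace SAMPLE_EXPORT with the contents of the downloaded JSON file; the output is the same count/tenant/link table the KQL produces, and each link can then be opened in a browser to see the tenant branding.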

Christopher Brumm

ITSec Pro focussed on MS Cloud Stuff