External recon
Discover public resources (blob, apps, etc...)
Using cloud_enum:
https://github.com/initstring/cloud_enum
Using azsubenum:
https://github.com/yuyudhn/AzSubEnum
python3 azsubenum.py -b companyname -t 10 -p permutations.txt
python3 azsubenum.py -b companyname --thread 10
Federation info
curl -s 'https://login.microsoftonline.com/getuserrealm.srf?login=domain.com' | jq
Get tenantID and OpenID configuration info
curl -s https://login.microsoftonline.com/domain.com/.well-known/openid-configuration | jq
With AADInternals
Install-Module AADInternals
Import-Module AADInternals
Get-AADIntLoginInformation -Domain domain.com
Just tenantID
Get-AADIntTenantID -Domain domain.com
Public configuration enumeration
Invoke-AADIntReconAsOutsider -DomainName megabigtech.com
Determine Azure Region
curl --silent 'https://azservicetags.azurewebsites.net/api/iplookup?ipAddresses=20.75.112.13' | jq