@Dliv3
Forked from iknowjason/az-enum.sh
Created August 20, 2025 03:23
Azure Enum & Recon Cheat Sheet
# Start with a DNS domain as seed, and do some recon to check if domain is M365 / Azure tenant hosted
# Insert your domain environment variable below
DOMAIN="microsoft.com"
# Check the getuserrealm.srf endpoint for domain information
# Check autodiscover.$DOMAIN DNS entry
host autodiscover.$DOMAIN
# Note: Checks the autodiscover forward lookup ~ you should see a CNAME record for autodiscover.$DOMAIN pointing to autodiscover.outlook.com
# Test if the domain is managed or not. Check if it's an Azure/M365 tenant. Returns 'Unknown', 'Federated', or 'Managed'
curl -s "https://login.microsoftonline.com/getuserrealm.srf?login=$DOMAIN&json=1"
# Note: Look for NameSpaceType
# Return NameSpaceType - either "Unknown", "Managed", or "Federated"
curl -s "https://login.microsoftonline.com/getuserrealm.srf?login=$DOMAIN&json=1" | jq -r '.NameSpaceType'
# Check for federation on the domain
curl -s "https://login.microsoftonline.com/getuserrealm.srf?login=$DOMAIN&xml=1"
# Note: Look at <NameSpaceType> and <IsFederated>
# Get the TenantID for a managed domain
curl -s "https://login.microsoftonline.com/$DOMAIN/v2.0/.well-known/openid-configuration"
# Note: Look for the token endpoint. Example response:
# "token_endpoint":"https://login.microsoftonline.com/9d9817d9-f209-4430-8f4f-cc03332848cb/oauth2/v2.0/token
# '9d9817d9-f209-4430-8f4f-cc03332848cb' is the TenantId
# Check GetCredentialType endpoint for username enumeration
# Once on a managed domain, check individual users
# Credit and props to Brian Thomas for helping to validate this. Thanks Brian!
# Verify that the getuserrealm.srf returns a "Managed" value for NameSpaceType
# If it does, the 0 or 1 below is reliable. If it doesn't, unmanaged domains can also return 0, leading to false positives
curl -s -X POST "https://login.microsoftonline.com/common/GetCredentialType" --data '{"Username":"[email protected]"}' | jq '.IfExistsResult'
# Note: Checking the user: [email protected]
# Response Codes (IfExistsResult)
# -1 An unknown error
#  0 The account exists, and uses that domain for authentication
#  1 The account doesn't exist
#  2 The response is being throttled
#  4 Some server error
#  5 The account exists, but is set up to authenticate with a different identity provider. This could indicate the account is only used as a personal account
#  6 The account exists, and is set up to use both the domain and a different identity provider
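# Added example (not part of the original gist or of any Microsoft tooling): the cheat sheet reads
# NameSpaceType and the tenant GUID out of the login.microsoftonline.com responses by eye, and warns
# that IfExistsResult is only meaningful once the realm is "Managed". The functions below do that
# parsing with POSIX sed (no jq needed) and gate the IfExistsResult interpretation on the realm
# check. The two JSON bodies are constructed, abbreviated samples; the tenant GUID is a placeholder.

```shell
#!/bin/sh
# Constructed getuserrealm.srf?json=1 response for a managed domain (not a real capture).
SAMPLE_REALM='{"State":4,"UserState":1,"Login":"example.com","NameSpaceType":"Managed","DomainName":"example.com","FederationBrandName":"Example"}'

# Constructed openid-configuration response; the GUID is a placeholder, not a real tenant.
SAMPLE_OIDC='{"token_endpoint":"https://login.microsoftonline.com/00000000-0000-0000-0000-000000000001/oauth2/v2.0/token","issuer":"https://login.microsoftonline.com/00000000-0000-0000-0000-000000000001/v2.0"}'

# Extract NameSpaceType ("Managed", "Federated" or "Unknown") from a getuserrealm.srf JSON body.
az_namespace_type() {
    printf '%s' "$1" | sed -n 's/.*"NameSpaceType":"\([A-Za-z]*\)".*/\1/p'
}

# Extract the tenant GUID (36 chars) from the token_endpoint URL of an openid-configuration body.
az_tenant_id() {
    printf '%s' "$1" | sed -n 's|.*"token_endpoint":"https://login\.microsoftonline\.com/\([0-9a-fA-F-]\{36\}\)/.*|\1|p'
}

# Interpret an IfExistsResult code, but only when the realm is Managed; for any other
# NameSpaceType a 0 can be a false positive, so report "unreliable" instead of a verdict.
az_interpret_ifexists() {
    ns="$1"; code="$2"
    [ "$ns" = "Managed" ] || { echo "unreliable"; return 0; }
    case "$code" in
        0)   echo "exists" ;;
        1)   echo "does-not-exist" ;;
        2)   echo "throttled" ;;
        5|6) echo "exists-other-idp" ;;
        *)   echo "error" ;;
    esac
}

# Live lookup helpers for your own domain (network required; not exercised by the offline run below).
az_realm() { curl -s "https://login.microsoftonline.com/getuserrealm.srf?login=$1&json=1"; }
az_oidc()  { curl -s "https://login.microsoftonline.com/$1/v2.0/.well-known/openid-configuration"; }

echo "NameSpaceType: $(az_namespace_type "$SAMPLE_REALM")"
echo "TenantId:      $(az_tenant_id "$SAMPLE_OIDC")"
```

# Usage against a real domain you administer: `az_namespace_type "$(az_realm example.com)"` and
# `az_tenant_id "$(az_oidc example.com)"`. Gating on the realm first is what keeps the response-code
# table above from producing false "account exists" results on unmanaged domains.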
# ADFS Recon Google Dorks
inurl://adfs/ls/idpinitiatedsignon
inurl://adfs/oauth2/authorize