Using Powershell to check a user’s tenant logon setting in Office 365 (without logging in)

I was interested in being able to see, for any given email, what type of authentication Microsoft requires for that user. This could be Office 365 (Azure AD) native, ADFS, etc.

Powershell can easily help you out:

Add-Type -AssemblyName System.Web
$uid = "YOUR EMAIL ADDRESS"
$uidEnc = [System.Web.HttpUtility]::HtmlEncode($uid)
$res = Invoke-WebRequest -Uri https://login.microsoftonline.com -SessionVariable cookies -Method Get -UseBasicParsing
$stsRequest = ($res.InputFields | where {$_.Name -eq "ctx"}).Value
$flowToken = ($res.InputFields | where {$_.Name -eq "flowToken"}).Value
$canary = ($res.InputFields | where {$_.Name -eq "canary"}).Value
$res = Invoke-WebRequest -Uri "https://login.microsoftonline.com/common/userrealm?user=$uidEnc&api-version=2.1&stsRequest=$stsRequest&checkForMicrosoftAccount=false" -WebSession $cookies -Method GET -UseBasicParsing

The response will contain a redirect to another authentication provider (ADFS) or Azure AD Native. This is an example JSON response:

{"NameSpaceType":"Managed","Login":"mymailaddress@domain.nl","DomainName":"lieben.nu","FederationBrandName":"Lieben Consultancy","TenantBrandingInfo":null,"cloud_instance_name":"microsoftonline.com"}

If you also wish to include Microsoft accounts, set the checkForMicrosoftAccount parameter in the second request to true

AzureAD Connect SSO
If you’re using AzureAD Connect SSO, you can use the above to check if this is correctly set in Office 365. The JSON response will contain a propert is_dsso_enabled, which will be set to True

Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1 Comment
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
hikmat
hikmat
1 year ago

I’ve using the script to check our staff office 365 logon , but the response showing nothing actually and $res.inputfield has nothing also

regards
Hikmat