As the title says: Should I consider my Azure tenant ID (GUID) as a secret? Are there any security implications when someone knows about this id?
Asked
Active
Viewed 8,370 times
8
-
See https://stackoverflow.com/a/45663968/737393 – CrazyTim Mar 31 '21 at 00:13
1 Answers
5
The Azure Tenant ID is a key piece of information used for configuration, management, and identification of your Azure cloud architecture. As such it should be treated in the same way as other internal architecture information/documentation would be. The exact steps you take will vary depending upon your particular organizations policies.
However, having said that, as per this site https://www.whatismytenantid.com/ if someone has the domain name then they can also get your tenant ID.
This StackOverFlow thread also contains multiple ways (ex. curl) to access the tenant ID depending on other pieces of information in your possession: https://stackoverflow.com/questions/26384034/how-to-get-the-azure-account-tenant-id
At the end of the day it makes sense to make it harder for an attacker to discover information about your Cloud environment, while realizing that the information is discoverable and protecting yourself accordingly.
Dirk-jan Mollema's presentation https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Dirk-jan-Mollema-Im-in-your-cloud-pwning-your-azure-environment.pdf at Defcon 27 has examples where the tenant ID is part of the information used to exploit weaknesses in Azure.
jfran3
- 141
- 9
-
-
It seems quite easy to find out an organisation's tenant ID: https://www.whatismytenantid.com/ – Calum Sep 27 '22 at 16:51