I know how we feel about the Microsoft Death Star consuming all in its path, but there are some upsides to statistics like this.<p>For instance, we are a B2B software vendor in the banking space, and we have to survive all kinds of audits regarding the nature of our code & vendors. By keeping nearly all of our 3rd party items under the Microsoft umbrella, we can automagically skip over vast chunks of our due diligence process (according to the mutual trust equation).<p>None of our customers is F500 (so far), but we have yet to encounter one who didn't already have AAD, or a willingness to set this up. From a product development perspective, we really prefer having a few known-good ways to do things. Authentication & authorization is one area that I strongly dislike having a large variety of flavors on. Especially considering the nature of our business and ever-increasing demands for complex MFA flows (e.g. SAML). There have been so many fly-by-night operations in this space, and our customers do not have patience for trying new things.
Why was that title editorialized as "around 83.4%"?<p>83.4% of 500 is exactly 417. The article is also exact about these numbers. No need to add "around".<p>Edit: Why was the title editorialized to begin with?<p>Edit2: looks like the title was updated to the original. Thanks.
> We assume the first result is the homepage of that company, and the domain they would use for their tenant.<p>That is a big assumption though. A very well known big-four firm with two letters uses, for instance, [letters]gs.com ("Global Services").
For the HN B2B startups here supporting Google Workspace SSO and not Microsoft Azure SSO, or offering Sign in with Google and not Sign in with Microsoft... why?<p>85% of big businesses are on the one you don't support.<p><i>"Results for the Fortune 500 [to see who's on Azure AD using a] CSV with a list of all the Company Names for all 500 companies. Running it through this script, I find that 417, or 83.4% of companies have AAD, which is just a little off from Microsoft’s public claim of 85%."</i><p><a href="https://www.shawntabrizi.com/aad/does-company-x-have-an-azure-active-directory-tenant/" rel="nofollow">https://www.shawntabrizi.com/aad/does-company-x-have-an-azur...</a><p>See also this top comment: <a href="https://news.ycombinator.com/item?id=33046968" rel="nofollow">https://news.ycombinator.com/item?id=33046968</a>
AADInternals[0] is an excellent set of PowerShell modules for pentesting and performing recon against Azure AD as both an outsider[1] and for someone who has been invited to a tenant.<p>It has similar functionality integrated for discovering if a domain has an associated Azure AD Tenant and enumerating information about users in the tenant, who the "Owner" is and their contact information. As with many Microsoft products there are many configuration options and plenty of them aren't secure by default.<p>[0] <a href="https://o365blog.com/aadinternals/" rel="nofollow">https://o365blog.com/aadinternals/</a>
[1] <a href="https://o365blog.com/post/just-looking/" rel="nofollow">https://o365blog.com/post/just-looking/</a>
Doesn't the endpoint show up once you have SSO with your own identity provider enabled for any Microsoft services? Maybe technically this means that you have an Active Directory tenant as well, but it doesn't necessarily imply that you are using those Active Directory services for anything beyond that SSO capability.<p>For Google Workspace, a similar URL is: <a href="https://www.google.com/a/example.com/ServiceLogin" rel="nofollow">https://www.google.com/a/example.com/ServiceLogin</a>
Microsoft is traditionally great at bundling their products. This is reminiscent of bundling Internet Explorer with Windows.<p>Could an Okta have a claim against Microsoft similar to Netscape in the late 90's?
This is assuming the domain has it, but it's even easier actually: you can just dig the DNS records and see what they run as MX, CNAMEs, etc. If there are Teams DNS records and the MX record points to *.onmicrosoft.com or $tenantname.mail.protection.outlook.com, there you go; even easier than "querying" Google and seeing what's indexed.<p>And much easier to script too. ;)
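The two passive checks discussed in the thread, the openid-configuration lookup the article uses and the DNS fingerprinting in the preceding comment, as an added Python example (not code from the article or from any commenter). The HTTP responses and DNS records below are constructed for the example; the tenant GUID is made up, and `contoso.com` / `no-tenant.example` are placeholders. The only live-network function is `fetch_openid_config`, which is kept separate so the parsers can be exercised offline.

```python
"""Fingerprint whether a domain is attached to an Azure AD tenant.

Two passive techniques:
  1. GET https://login.microsoftonline.com/<domain>/.well-known/openid-configuration
     and pull the tenant GUID out of the "issuer" value.
  2. Inspect the domain's own DNS (MX / CNAME) for Microsoft 365 fingerprints.

Caveat: a hit from either check only shows that a tenant exists for the
domain; it says nothing about whether the organisation uses Azure AD for SSO
or anything else.

Sample responses/records below are constructed for this example; the GUID is made up.
"""
from __future__ import annotations

import json
import re
import urllib.error
import urllib.request
from typing import Optional

# Any GUID inside the "issuer" value (v1 issuers look like
# https://sts.windows.net/<guid>/, v2 like https://login.microsoftonline.com/<guid>/v2.0).
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def tenant_id_from_openid_config(status: int, body: str) -> Optional[str]:
    """Return the tenant GUID from an openid-configuration response, or None.

    A domain with no tenant gets an HTTP 400 whose JSON body carries
    "error": "invalid_tenant" (AADSTS90002). A real tenant gets a 200 whose
    "issuer" contains the tenant GUID.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return None
    if status != 200 or "error" in doc:
        return None
    m = GUID_RE.search(doc.get("issuer", ""))
    return m.group(0).lower() if m else None


def fetch_openid_config(domain: str, timeout: float = 5.0) -> tuple[int, str]:
    """Live lookup returning (status, body) for tenant_id_from_openid_config."""
    url = f"https://login.microsoftonline.com/{domain}/.well-known/openid-configuration"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


# Well-known Microsoft 365 CNAME targets: <label>.<domain> -> target
M365_CNAME_TARGETS = {
    "autodiscover": "autodiscover.outlook.com",            # Exchange Online
    "lyncdiscover": "webdir.online.lync.com",              # Teams / Skype for Business
    "sip": "sipdir.online.lync.com",                       # Teams / Skype for Business
    "enterpriseregistration": "enterpriseregistration.windows.net",       # Azure AD device join
    "enterpriseenrollment": "enterpriseenrollment.manage.microsoft.com",  # Intune
}


def m365_dns_fingerprints(domain: str, mx: list[str], cnames: dict[str, str]) -> dict:
    """Score a domain's DNS records for Microsoft 365 fingerprints.

    mx: MX exchange hostnames; cnames: {fqdn: target}. Exchange Online MX
    records end in .mail.protection.outlook.com and their first label is
    derived from the customer domain with dots replaced by hyphens
    (contoso.com -> contoso-com), which is what the example records use.
    """
    findings: dict = {"exchange_online": False, "mx_label": None, "cnames": []}
    for host in mx:
        host = host.rstrip(".").lower()
        if host.endswith(".mail.protection.outlook.com"):
            findings["exchange_online"] = True
            findings["mx_label"] = host.split(".")[0]
    for label, target in M365_CNAME_TARGETS.items():
        actual = cnames.get(f"{label}.{domain}", "").rstrip(".").lower()
        if actual == target:
            findings["cnames"].append(label)
    findings["likely_tenant"] = findings["exchange_online"] or bool(findings["cnames"])
    return findings


# Constructed sample responses (not captured from a real tenant).
SAMPLE_TENANT_GUID = "12345678-abcd-4ef0-9876-0123456789ab"
SAMPLE_OK = (200, json.dumps({
    "issuer": f"https://sts.windows.net/{SAMPLE_TENANT_GUID}/",
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT_GUID}/oauth2/authorize",
}))
SAMPLE_MISSING = (400, json.dumps({
    "error": "invalid_tenant",
    "error_description": "AADSTS90002: Tenant 'no-tenant.example' not found.",
}))

if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "contoso.com"
    print(domain, "->", tenant_id_from_openid_config(*fetch_openid_config(domain)))
```

Run it with a domain as the argument for a live lookup; the constructed samples show the two response shapes the parser must distinguish, and the DNS helper takes whatever your resolver returned so it never has to reach the network itself.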
What I can’t understand is why Azure AD doesn’t have a stronger position in the consumer space. Authentication via Google, Apple, and even still Facebook are nearly always supported on customer-facing logins. I rarely see an option for Microsoft.<p>They have a commanding position in the enterprise. What’s keeping them from crossing those enterprise boundaries?
Assuming the #1 Google result on page 1 of search is the company's public domain is a flaw.<p>Some companies use a different domain for corporate use than their public domain name.<p>Like fb.com
I know next to nothing about AD, but my company appears to match against this merely because we have an Office 365 account (from which we do nothing except download Word and Excel every now and then) so it doesn't necessarily mean you're using whatever it is much.
So, I don't see anyone pointing it out here: This doesn't mean they use Azure AD! If you use any Microsoft cloud services at all, you get a "shadow tenant". One employee signs into Teams for a meeting once and there you have Azure AD.
Presumably this is the same thing whatismytenantid.com does under the hood.<p>Interesting (to me) is that the OpenID configuration endpoint provides the tenant ID not only for Commercial tenants but for US Government (GCC & GCC-High) as well, because the Azure AD portal has relatively new functionality to configure cross-tenant access settings by tenant ID or domain name, but Gov tenants require you to obtain the tenant ID from the organization, which is either security through obscurity or due to use of some Commercial-only Graph API call.
So Okta (their main competitor) uses Azure AD <a href="https://login.microsoftonline.com/okta.com/.well-known/openid-configuration" rel="nofollow">https://login.microsoftonline.com/okta.com/.well-known/openi...</a>
I never thought about how the "I'm Feeling Lucky" button on Google can double as an API to return the URL of the first search result before. That's pretty neat.