proxied.tech

Configuration issues with Microsoft tenants.

2025-12-04 • #security, #microsoft, #sso


Exploring a basic configuration oversight with Microsoft Tenants.

Note:

While I am unsure whether this is still being abused in the wild today, it has been documented in the past as a very popular initial access method.

Validating SSO portals

One of the most important precursor steps for this misconfiguration is validation (tl;dr: password resets, but spicy). By abusing a Microsoft endpoint used to display a tenant's custom login page information / branding, we can validate a few key things:

  1. Email validity - whether the address exists.
  2. SSO status - whether the chosen tenant uses native login (Microsoft) or relies on a third-party provider (Okta).

Crafting a request to login.microsoftonline.com/common/GetCredentialType with the specified domain / email (a valid email is not required for the SSO status to be validated), we get a few key values:

  1. IfExistsResult - 0 = exists, 1 = doesn't exist
  2. UserTenantBranding - an array containing branding info for the tenant
  3. FederationRedirectUrl - a redirect link to the managing SSO provider; if empty, SSO is managed on-platform

If the federation URL is empty and the user tenant branding is too, the domain likely does not have a Microsoft tenant. If the federation URL is empty but branding info is present, congratulations, we can move on to the next step.
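To make that decision tree concrete from the defender's side, here is an added example (not code from the original post) that classifies a tenant's sign-in posture from a GetCredentialType-style response. It runs entirely offline: the three responses are constructed samples that only follow the field names described above, the posture labels are this example's own names, and the point is to show which of your own domains land in the "managed" bucket, where the self-service password reset settings decide how hard an account takeover is.

```python
"""Classify tenant sign-in posture from GetCredentialType-style JSON.

Added example, not from the original post. Field names follow the post
(IfExistsResult, UserTenantBranding, FederationRedirectUrl); every value
below is constructed, not captured from Microsoft.
"""
import json

# Posture labels: names invented for this example, not Microsoft terminology
NO_TENANT = "no-tenant"   # empty branding and empty federation URL
FEDERATED = "federated"   # sign-in is redirected to a third-party IdP (e.g. Okta)
MANAGED = "managed"       # Microsoft handles sign-in; SSPR settings decide reset security

# Constructed sample responses keyed by a made-up domain
SAMPLES = {
    "managed.example": json.loads(
        '{"IfExistsResult": 0, '
        '"UserTenantBranding": [{"BannerLogo": "https://managed.example/logo.png"}], '
        '"FederationRedirectUrl": ""}'
    ),
    "federated.example": json.loads(
        '{"IfExistsResult": 0, '
        '"UserTenantBranding": [{"BannerLogo": "https://federated.example/logo.png"}], '
        '"FederationRedirectUrl": "https://idp.federated.example/sso"}'
    ),
    "none.example": json.loads(
        '{"IfExistsResult": 1, "UserTenantBranding": [], "FederationRedirectUrl": ""}'
    ),
}


def classify_tenant(response: dict) -> dict:
    """Apply the post's decision table to one parsed response."""
    branding = response.get("UserTenantBranding") or []
    fed_url = response.get("FederationRedirectUrl") or ""
    if fed_url:
        # Federation wins even when branding is present: the IdP owns the login
        posture = FEDERATED
    elif branding:
        posture = MANAGED
    else:
        posture = NO_TENANT
    return {
        "posture": posture,
        # IfExistsResult == 0 means the address is confirmed to an anonymous caller,
        # which is itself an exposure worth knowing about for your own accounts
        "user_exists": response.get("IfExistsResult") == 0,
        "federation_url": fed_url,
    }


def review_list(samples: dict) -> list:
    """Domains whose reset flow stays on-platform and therefore need an SSPR review."""
    return sorted(d for d, r in samples.items() if classify_tenant(r)["posture"] == MANAGED)


if __name__ == "__main__":
    for domain, resp in SAMPLES.items():
        print(domain, classify_tenant(resp))
    print("review SSPR settings for:", review_list(SAMPLES))
```

Only the "managed" domains need the password reset configuration checked; federated ones inherit whatever the external IdP enforces, and the third case is simply noise.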

Password Reset Configuration

Password resets for Microsoft tenants are handled on passwordreset.microsoftonline.com. After entering the identified email and solving the text captcha, you may be hit with a "Managed off-platform" message, meaning the tenant handles password resets externally.

The downfall of humanity

If password resets are not handled off-platform, you will be greeted with "Get back into your account", and this is where the issue exists. The default configuration for password resets is 1-step, meaning you only have to confirm one recovery method to be able to reset the password.

The barrier to entry and the death of security

Due to SIM swapping and call forwarding being very popular in "Com" circles, this is where the issue sits. Using any platform similar to RocketReach you can find the phone number associated with the desired email, as its last two digits are leaked on the password recovery page; once that has been confirmed you simply plug it in, set up a call forward and reset the password.

Cybersecurity is dead

While you would think most companies would be aware of such a configuration and that it would only affect low-hanging fruit, that is where you would be wrong: companies such as Intel are vulnerable to this attack vector, allowing both SMS and call verification methods to be abused.

OSINT Code - GitHub

ilyvxug