How sub2tenant works
sub2tenant performs two lightweight lookups to tell you which Microsoft Entra tenant a subscription ID, tenant ID, or verified domain belongs to.
1. Subscription → Tenant
Azure Resource Manager exposes the tenant ID for any subscription in the
WWW-Authenticate header returned by the subscription endpoint. This requires
no authentication, no permissions, and no access to any customer tenant.
2. Tenant → Details
The tool uses a managed identity in the tenant that hosts sub2tenant to call Microsoft Graph’s
tenantRelationships API. Depending on the input, it uses
findTenantInformationByTenantId for subscription IDs and tenant IDs, or
findTenantInformationByDomainName for verified domains. Graph returns the tenant’s
tenantId, displayName, and defaultDomainName.
No lookup data is stored, logged, or transmitted anywhere. Inputs are discarded immediately after the two calls.
For full technical details and the complete code, see the GitHub repository.