How sub2tenant works
sub2tenant performs two lightweight lookups to determine which Microsoft Entra tenant a subscription ID, tenant ID, or verified domain belongs to. It requires no authentication and no access to any customer tenant.
1. Subscription → Tenant ID
Azure Resource Manager exposes the tenant ID for any subscription in the
WWW-Authenticate header returned by the subscription endpoint. sub2tenant reads this
header directly — no permissions or tokens needed — and extracts the correct tenant ID.
2. Tenant ID / Domain → Tenant details
Once the tenant ID is known (or when you enter a tenant ID or domain directly), the tool uses a
managed identity in its hosting environment to call Microsoft Graph’s
tenantRelationships API. Depending on the input, it uses
findTenantInformationByTenantId
or
findTenantInformationByDomainName
to retrieve the tenant’s tenantId, displayName, and
defaultDomainName.
sub2tenant never stores subscription IDs, tenant IDs, or domains. All lookup inputs stay in-memory only and are discarded immediately after the two Microsoft Graph calls. A small amount of anonymous metadata (such as lookup type and success/failure) is logged to help keep the service reliable. None of the identifiers themselves are ever logged or stored.
For full technical details and the complete code, see the GitHub repository.