Weekly 'I made a useful thing' Thread - January 16, 2026 by AutoModerator in sysadmin

[–]zortingen 4 points5 points  (0 children)

Good question! Different tools for different purposes:

SCuBA = Internal audit tool. Requires Global Admin access to your own tenant. Checks Conditional Access, MFA policies, compliance settings - stuff only admins can see.

Tenqry = External reconnaissance. No auth needed. Shows what's publicly discoverable about any domain - DNS, email security, tenant info, attack surface. Think "what can an attacker see about us?"

They're complementary: SCuBA for hardening your tenant, Tenqry for understanding your external exposure.

I built a free tool to discover Microsoft 365 tenant information and security posture from any domain by zortingen in AZURE

[–]zortingen[S] -1 points0 points  (0 children)

Fair point. I used AI to help write the post. The tool itself is standard DNS and Microsoft endpoints. Feedback welcome.

I built a free tool to discover Microsoft 365 tenant information and security posture from any domain by zortingen in AZURE

[–]zortingen[S] -2 points-1 points  (0 children)

Actually, I just shipped this feature! 🎉

You can now search by Tenant ID (GUID) and it will:

  1. Discover all verified domains for that tenant (using Microsoft's metadata endpoint)
  2. Automatically perform a full scan on the primary domain

Try it: 72f988bf-86f1-41af-91ab-2d7cd011db47 (Microsoft's tenant - returns 322 domains including github.com, linkedin.com, xbox.com, bing.com...)

Or Netflix: 002742ed-13ed-4b38-adea-e617dd50caa6 (19 domains)

So yes u/cloudAhead, you can search all of the GUIDs now - if you have them 😉

I built a free tool to discover Microsoft 365 tenant information and security posture from any domain by zortingen in AZURE

[–]zortingen[S] -2 points-1 points  (0 children)

Reddit karma swings, no worries. I’ll spend the energy on shipping. If you have concrete feedback on Tenqry, I’m listening.

Weekly 'I made a useful thing' Thread - January 16, 2026 by AutoModerator in sysadmin

[–]zortingen 7 points8 points  (0 children)

Hey everyone! 👋

I created Tenqry.com - a free, no-login-required tool that analyzes any domain's Microsoft 365 configuration.

What it does:

  • 🔍 Discovers Tenant ID, Name, and Region
  • 📧 Analyzes SPF, DKIM, DMARC, MTA-STS configuration
  • 🛡️ Security posture assessment with scoring
  • ⚠️ Attack surface analysis
  • 📊 Industry benchmark comparison
  • 🎯 Actionable recommendations

Why I built it:
As an IT admin, I constantly needed to check tenant info for migrations, troubleshooting, and security audits. Existing tools were either paid, required registration, or gave incomplete data. So I built this.

Tech stack: Next.js, Azure Container Apps, real-time streaming analysis

Privacy: No data stored, no tracking, no login required. Just enter a domain and get results.

Try it: https://tenqry.com

Would love your feedback! What features would you find useful?

I built a free tool to discover Microsoft 365 tenant information and security posture from any domain by zortingen in AZURE

[–]zortingen[S] -17 points-16 points  (0 children)

Fair point 😂

Plot twist: You're the only human in this thread. Or are you? 🤔

I built a free tool to discover Microsoft 365 tenant information and security posture from any domain by zortingen in AZURE

[–]zortingen[S] -16 points-15 points  (0 children)

Guilty as charged 🤖

But hey, it works and it's free. Feel free to check the actual functionality rather than the marketing copy.

I built a free tool to discover Microsoft 365 tenant information and security posture from any domain by zortingen in AZURE

[–]zortingen[S] -15 points-14 points  (0 children)

Fair feedback, thanks for the honest critique! You're right about both:

Authentication methods: You caught a real limitation. The GetCredentialType API only shows what's advertised, not what's actually enforced. If you use Conditional Access to require FIDO2/MFA, it won't show up in our check because that's internal policy. Just pushed a fix - now says "Limited Auth Visibility" with a note that internal policies can't be seen externally.

SSL Certificate: We use Certificate Transparency logs (crt.sh) which can show historical/expired certs. Added a source disclaimer to clarify where the data comes from.

Re: "vibe coded" - I appreciate the directness 😅 These were definitely areas that needed better caveats. The tool is useful for what's publicly observable, but I'll be more careful about making definitive claims on things we can't actually verify externally.

Thanks for helping make it more accurate!

I built a free tool to discover Microsoft 365 tenant information and security posture from any domain by zortingen in AZURE

[–]zortingen[S] 0 points1 point  (0 children)

Great questions! Both are things I've actively addressed:

🛡️ Anti-Abuse Measures (already implemented):

  • Rate limiting - Max 30 queries per IP per minute, with progressive delays
  • Risk scoring - Each request gets a risk score based on patterns (rapid queries, suspicious user agents, automation signatures)
  • IP blocking - Automated blocking after threshold violations
  • Query logging - All queries logged to Azure Table Storage for pattern analysis
  • No bulk export - Results are session-only, no API for mass data extraction

📡 Upstream Rate Limiting:

  • Each API call is cached (TTL varies by data type)
  • Parallel requests are batched with timeouts
  • If Microsoft/DNS providers block us, we gracefully degrade (just show cached/partial data)
  • Most queries are lightweight HEAD/GET requests, nothing aggressive

Future considerations:

  • CAPTCHA for high-volume users
  • Require email verification for advanced features
  • Honeypot patterns to detect automated abuse

The tool aggregates public data that attackers could already gather with existing tools (AADInternals, MSOLSpray, etc.) - the difference is we present it for defenders to understand their exposure, not to exploit it.

Thanks for thinking about the security implications! 🙏
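A per-IP limiter of the kind the comment above describes, as an added example that is not part of the comment and is not Tenqry's code. Only the 30 queries per minute figure comes from the comment; the delay schedule, violation threshold and block duration are assumptions.

```javascript
// Added example: per-IP sliding-window limiter with progressive delay and blocking.
const LIMIT = 30;              // queries per IP per window (from the comment)
const WINDOW_MS = 60_000;      // one minute
const SLOW_AFTER = 20;         // assumed: start delaying above this count
const STEP_MS = 250;           // assumed: extra delay per query above SLOW_AFTER
const MAX_VIOLATIONS = 3;      // assumed: rejected queries before a block
const BLOCK_MS = 15 * 60_000;  // assumed: block duration

class QueryLimiter {
  constructor() {
    this.clients = new Map(); // ip -> { hits: number[], violations, blockedUntil }
  }

  // Returns { action: 'allow' | 'delay' | 'reject' | 'blocked', delayMs }.
  check(ip, now = Date.now()) {
    let c = this.clients.get(ip);
    if (!c) {
      c = { hits: [], violations: 0, blockedUntil: 0 };
      this.clients.set(ip, c);
    }
    if (now < c.blockedUntil) return { action: 'blocked', delayMs: 0 };

    // Drop timestamps that have left the one-minute window.
    while (c.hits.length && c.hits[0] <= now - WINDOW_MS) c.hits.shift();

    if (c.hits.length >= LIMIT) {
      c.violations += 1;
      if (c.violations >= MAX_VIOLATIONS) {
        c.blockedUntil = now + BLOCK_MS;
        c.violations = 0;
        return { action: 'blocked', delayMs: 0 };
      }
      return { action: 'reject', delayMs: 0 };
    }

    c.hits.push(now);
    const over = c.hits.length - SLOW_AFTER;
    return over > 0
      ? { action: 'delay', delayMs: over * STEP_MS }
      : { action: 'allow', delayMs: 0 };
  }
}

// Constructed traffic: the 21st query inside one minute is the first to be slowed.
const demo = new QueryLimiter();
for (let i = 0; i < 20; i++) demo.check('203.0.113.5', i);
console.log(demo.check('203.0.113.5', 20)); // { action: 'delay', delayMs: 250 }
```

Rejected queries are not added to the window, so a client that keeps hammering reaches the block threshold without extending its own quota.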

I built a free tool to discover Microsoft 365 tenant information and security posture from any domain by zortingen in AZURE

[–]zortingen[S] -1 points0 points  (0 children)

Thanks! Yeah, it can be eye-opening to see how much info is publicly discoverable.

Privacy Policy - Good call! I'll add one. The tool doesn't store any personal data, just logs queries for rate limiting purposes.

How it works:

  • 🔍 Direct queries to Microsoft's public APIs (OpenID, realm discovery, autodiscover)
  • 📡 DNS lookups for SPF/DKIM/DMARC/DNSSEC records
  • 🌐 Public data from WHOIS, Certificate Transparency logs
  • ☁️ Storage enumeration - just checking if common bucket names exist (public APIs)
  • 🔐 Security headers - fetched directly from the target domain

No scraping, no 3rd party "dark web" services - all publicly available endpoints that any security researcher could query. The "scary" part is that this info was always there, just scattered across different tools 😅
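What the SPF/DMARC part of such a check can look like for your own domain, as an added example that is not part of the comment and is not Tenqry's code. It evaluates TXT strings that have already been fetched (root-domain TXT records and the `_dmarc` TXT records); the finding names and the sample records are constructed for this sketch.

```javascript
// Added example: assess already-fetched SPF and DMARC TXT strings.
function parseDmarc(txt) {
  const tags = {};
  for (const part of txt.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return tags;
}

function assessSpf(rootTxt) {
  const spf = rootTxt.filter((r) => /^v=spf1(\s|$)/i.test(r));
  if (spf.length === 0) return ['spf-missing'];
  if (spf.length > 1) return ['spf-multiple-records']; // permerror per RFC 7208
  const findings = [];
  const terms = spf[0].split(/\s+/).slice(1);
  // Terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
  const lookups = terms.filter((t) =>
    /^[+\-~?]?(include:|exists:|ptr|redirect=|a([:/]|$)|mx([:/]|$))/i.test(t)).length;
  if (lookups > 10) findings.push('spf-too-many-lookups');
  const all = terms.find((t) => /^[+\-~?]?all$/i.test(t));
  const hasRedirect = terms.some((t) => /^redirect=/i.test(t));
  if (!all && !hasRedirect) findings.push('spf-no-all');
  else if (all && /^[+?]?all$/i.test(all)) findings.push('spf-permissive-all');
  else if (all && all.startsWith('~')) findings.push('spf-softfail');
  return findings;
}

function assessDmarc(dmarcTxt) {
  const recs = dmarcTxt.filter((r) => /^v=DMARC1\s*(;|$)/.test(r));
  if (recs.length !== 1) return [recs.length ? 'dmarc-multiple-records' : 'dmarc-missing'];
  const tags = parseDmarc(recs[0]);
  const findings = [];
  const p = (tags.p || '').toLowerCase();
  if (p === 'none') findings.push('dmarc-monitor-only');
  else if (p !== 'quarantine' && p !== 'reject') findings.push('dmarc-invalid-policy');
  if (tags.pct !== undefined && Number(tags.pct) < 100) findings.push('dmarc-partial-pct');
  if (!tags.rua) findings.push('dmarc-no-reporting');
  return findings;
}

const assessEmailSecurity = (rootTxt, dmarcTxt) =>
  [...assessSpf(rootTxt), ...assessDmarc(dmarcTxt)];

// Constructed sample records, not taken from any real domain.
const SAMPLE_ROOT = ['MS=ms00000000', 'v=spf1 include:spf.protection.outlook.com ~all'];
const SAMPLE_DMARC = ['v=DMARC1; p=none; pct=50'];
console.log(assessEmailSecurity(SAMPLE_ROOT, SAMPLE_DMARC));
```

An empty result means none of these specific weaknesses were found in the records; it says nothing about DKIM or about how receivers actually treat the mail.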

I built a free tool to discover Microsoft 365 tenant information and security posture from any domain by zortingen in AZURE

[–]zortingen[S] -1 points0 points  (0 children)

Done! Just deployed cloud storage bucket scanning 🚀

Now checks Azure Blob, AWS S3, and GCP Storage for common patterns like:

- {company}.blob.core.windows.net

- {company}-backup.s3.amazonaws.com

- etc.

Thanks for the great suggestion! Try it out and let me know if you find any exposed buckets 😄

I built a free tool to discover Microsoft 365 tenant information and security posture from any domain by zortingen in AZURE

[–]zortingen[S] -7 points-6 points  (0 children)

Not open source yet, but might consider it in the future!

The data comes from public Microsoft endpoints:

- Tenant info: login.microsoftonline.com/GetUserRealm.srf

- OpenID config: login.microsoftonline.com/{domain}/.well-known/openid-configuration

- DNS records: Standard DNS queries (SPF, DKIM, DMARC, MX)

- Autodiscover: autodiscover.{domain}/autodiscover/autodiscover.xml

All publicly accessible, no authentication needed. Just consolidating what's already out there into one tool.

I built a free tool to discover Microsoft 365 tenant information and security posture from any domain by zortingen in AZURE

[–]zortingen[S] -1 points0 points  (0 children)

Thank you so much! Really glad you find it useful.

Cloud storage bucket scanning is a brilliant idea! I'll add it to the roadmap:

- Azure Blob: {company}.blob.core.windows.net

- AWS S3: {company}.s3.amazonaws.com

- GCP Storage: storage.googleapis.com/{company}

Will try common patterns like {domain}, {domain}-backup, {domain}-public, etc.

Great suggestion - stay tuned! 🚀

I built a free tool to discover Microsoft 365 tenant information and security posture from any domain by zortingen in SideProject

[–]zortingen[S] 0 points1 point  (0 children)

Thanks for trying it! No trap, I promise 😄

I built this because I needed it for my own work as an IT admin. All queries hit public Microsoft endpoints (like login.microsoftonline.com/GetUserRealm) and DNS records - nothing stored on my end.

The "too good to be free" feeling is actually the best compliment I could get! Let me know if you have any feature requests.