Resolve Microsoft Subscription ID to Tenant ID

Overview

This workflow takes an Azure Subscription ID and resolves it to the owning Microsoft Entra (Azure AD) tenant, returning the Tenant ID, Display Name, and Default Domain.

It uses a clever trick: an unauthenticated Azure Resource Manager (ARM) request that intentionally fails with 401 to discover the tenant ID, optionally calling the Microsoft Graph API to fetch public tenant information or perform other operations.

This is ideal for MSPs who regularly receive subscription IDs (from logs, invoices, alerts, etc.) and need to quickly determine which tenant they belong to.

The Workflow

{
  "nodes": [
    {
      "parameters": {},
      "type": "n8n-nodes-base.manualTrigger",
      "typeVersion": 1,
      "position": [
        0,
        96
      ],
      "id": "7c119039-c05f-4324-9743-e08fed0af2ee",
      "name": "When clicking ‘Execute workflow’"
    },
    {
      "parameters": {
        "url": "=https://management.azure.com/subscriptions/{{ $json.subscriptionId }}?api-version=2020-01-01",
        "options": {
          "response": {
            "response": {
              "fullResponse": true,
              "neverError": true
            }
          }
        }
      },
      "type": "n8n-nodes-base.httpRequest",
      "typeVersion": 4.3,
      "position": [
        448,
        96
      ],
      "id": "373edc9e-5fc2-4bbe-9ecc-ccb9222b7ae2",
      "name": "Resolve Subscription ID"
    },
    {
      "parameters": {
        "assignments": {
          "assignments": [
            {
              "id": "1edf47fa-6295-4af2-b337-854fe9dcf93a",
              "name": "tenantId",
              "type": "string",
              "value": "={{ $json.headers['www-authenticate'].match(/https:\\/\\/login\\.windows\\.net\\/([0-9a-f-]{36})/i)?.[1];\n }}"
            }
          ]
        },
        "options": {}
      },
      "type": "n8n-nodes-base.set",
      "typeVersion": 3.4,
      "position": [
        672,
        96
      ],
      "id": "645f3f2a-b5d1-4d52-9791-21a36a91be9d",
      "name": "Set tenantId"
    },
    {
      "parameters": {
        "assignments": {
          "assignments": [
            {
              "id": "7554df89-9da2-42dd-ad81-c041b7ec5f28",
              "name": "subscriptionId",
              "type": "string",
              "value": "00000000-0000-0000-0000-000000000000"
            }
          ]
        },
        "options": {}
      },
      "type": "n8n-nodes-base.set",
      "typeVersion": 3.4,
      "position": [
        224,
        96
      ],
      "id": "3fb770e5-6986-42bf-acb3-d479b9cd4196",
      "name": "Set subscriptionId"
    },
    {
      "parameters": {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "graphUrl": "=https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByTenantId(tenantId='{{ $json.tenantId }}')"
      },
      "type": "@mspcopilot/n8n-nodes-microsoft-partner-gdap.microsoftPartnerGdap",
      "typeVersion": 1,
      "position": [
        896,
        0
      ],
      "id": "ccc203b0-dddd-48b7-9e4a-968cc3667d3d",
      "name": "Lookup Tenant Details",
      "credentials": {
        "microsoftPartnerGdapApi": {
          "id": "YOUR_CREDENTIAL_ID",
          "name": "API account"
        }
      }
    },
    {
      "parameters": {
        "tenantId": "={{ $json.tenantId }}",
        "graphUrl": "/v1.0/users"
      },
      "type": "@mspcopilot/n8n-nodes-microsoft-partner-gdap.microsoftPartnerGdap",
      "typeVersion": 1,
      "position": [
        896,
        192
      ],
      "id": "5473a31d-9a18-4a68-afc1-255b0c2e2e7b",
      "name": "Get User Example",
      "credentials": {
        "microsoftPartnerGdapApi": {
          "id": "YOUR_CREDENTIAL_ID",
          "name": "API account"
        }
      }
    }
  ],
  "connections": {
    "When clicking ‘Execute workflow’": {
      "main": [
        [
          {
            "node": "Set subscriptionId",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Resolve Subscription ID": {
      "main": [
        [
          {
            "node": "Set tenantId",
            "type": "main",
            "index": 0
          }
        ],
        []
      ]
    },
    "Set tenantId": {
      "main": [
        [
          {
            "node": "Lookup Tenant Details",
            "type": "main",
            "index": 0
          },
          {
            "node": "Get User Example",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Set subscriptionId": {
      "main": [
        [
          {
            "node": "Resolve Subscription ID",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Lookup Tenant Details": {
      "main": [
        []
      ]
    }
  }
}

How It Works

Resolve Subscription ID (ARM call):
- Makes a GET request to: https://management.azure.com/subscriptions/{{ $json.subscriptionId }}?api-version=2020-01-01
- The call is unauthenticated on purpose.
- It is set to Never Error and Include Response Headers and Status.
- Azure responds with 401 Unauthorized and includes a WWW-Authenticate header that contains the tenant ID: authorization_uri="https://login.windows.net/{tenantId}".
Set tenantId:
- A Set node parses the WWW-Authenticate header with a regex and extracts the tenant ID into tenantId. {{ $json.headers['www-authenticate'].match(/https:\\/\\/login\\.windows\\.net\\/([0-9a-f-]{36})/i)?.[1];\n }}
Lookup Tenant Details (Graph):
- Uses the Microsoft Partner GDAP node to call: https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByTenantId(tenantId='{{ $json.tenantId }}')
- Returns displayName, defaultDomainName, and verifiedDomains for the tenant.
Get User Example (optional):
- Shows how to reuse the same tenant context to call /v1.0/users in Microsoft Graph for that tenant.

Credits

This workflow is based on a great idea shared in the r/MSP community.
Special thanks to u/olavhell for the original concept and inspiration.