Achieving Passive User Enumeration with OneDrive
ID: fadcf74b-eff9-5b43-bcc8-7d1e1b4323fa
STIX ID: report--fadcf74b-eff9-5b43-bcc8-7d1e1b4323fa
Feed Name: TrustedSec blog
This blog post describes a simple, largely passive OneDrive-based user-enumeration technique for Office 365 tenants: constructing predictable tenant/user OneDrive URLs and interpreting 403 responses as evidence the user exists and has logged into OneDrive (404 indicates non-existent or never-logged-in users). The author provides a Python script to automate checks, usage examples, and notes the method's limitation (the target must have used OneDrive) and that Microsoft had quietly fixed a related issue previously.
