Automating the enumeration of missing reply URLs in Azure multitenant apps
ID: 2515d9cc-5dd0-578d-8618-fef5f6b78c48
STIX ID: report--2515d9cc-5dd0-578d-8618-fef5f6b78c48
Feed Name: FalconForce
This blog post describes an automated methodology and a Python tool (reply-url-brute) for enumerating unregistered reply URLs in Azure multitenant applications. The tool determines each application's type (SPA, public client, or web) through OAuth interaction, brute-forces scopes or uses auto-consent to identify pre-consented permissions, and checks for domain or resource takeover opportunities that can lead to user impersonation or tenant takeover. The author demonstrates the workflow and implementation details, walks through a real example, and notes responsible disclosure to Microsoft.
