Reputation: 1530
According to documentation, Microsoft Graph supports tokens from Azure AD v2.0 and Azure AD only:
The Microsoft Graph supports two authentication providers:
- To authenticate users with personal Microsoft accounts, such as live.com or outlook.com accounts, use the Azure Active Directory (Azure AD) v2.0 endpoint.
- To authenticate users with enterprise (that is, work or school) accounts, use Azure AD.
But Azure AD v2.0 is a new endpoint that supports both Microsoft account types: personal (former Live accounts) and work/school (classic Azure AD accounts). And it's unclear how to limit authorization to personal accounts only.
Azure AD supports only work/school accounts.
So, if I want to allow my app to use only personal accounts, how do I do it? How do I authenticate in Microsoft Graph with Microsoft personal accounts only (forbidding users from using work/school accounts)?
P.S.: I use MSAL for authentication in my app, if it matters.
Upvotes: 0
Views: 3107
Reputation: 136216
Based on the documentation for Azure AD v2.0, if you want to support only Microsoft Accounts, the endpoint you would want to use is https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize. The key thing here is `consumers`, which will ensure that your users will only get an option of authenticating using Microsoft Accounts.
If I were to take the GitHub example of MSAL, the change you would make is in Startup_Auth.cs:
```csharp
app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        // The `Authority` represents the v2.0 endpoint - https://login.microsoftonline.com/consumers/v2.0
        // The `Scope` describes the initial permissions that your app will need. See https://azure.microsoft.com/documentation/articles/active-directory-v2-scopes/
        ClientId = clientId,
        // "consumers" in place of the tenant segment limits sign-in to Microsoft Accounts
        Authority = String.Format(CultureInfo.InvariantCulture, aadInstance, "consumers", "/v2.0"),
        RedirectUri = redirectUri,
        Scope = "openid email profile offline_access Mail.Read",
        PostLogoutRedirectUri = redirectUri,
        TokenValidationParameters = new TokenValidationParameters
        {
            // ... (the snippet is cut off here; the rest of the sample is not shown)
        },
    });
```
Upvotes: 3
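The `consumers` authority controls which accounts the sign-in page offers; an app can also confirm, once the middleware has validated the token, that the identity really comes from the Microsoft-account tenant. The following is an added example, not part of the answer or of the MSAL sample: the class and method names are hypothetical, the identities are constructed, the GUID is the fixed tenant ID Azure AD v2.0 uses for personal accounts, and it assumes the `tid` claim and its issuer are populated from the validated ID token.

```csharp
using System;
using System.Security.Claims;

public static class ConsumerOnlyCheck
{
    // Fixed tenant ID that Azure AD v2.0 puts in tokens for personal Microsoft accounts.
    public const string MsaTenantId = "9188040d-6c67-4c5b-b112-36a304b66dad";
    public const string MsaIssuer = "https://login.microsoftonline.com/" + MsaTenantId + "/v2.0";

    // "tid" as issued, plus the long name the JWT handler maps it to by default.
    static readonly string[] TenantClaimTypes =
        { "tid", "http://schemas.microsoft.com/identity/claims/tenantid" };

    // True only for an authenticated identity whose tenant claim is the consumer
    // tenant and was issued by the consumer issuer. Anything else fails closed.
    public static bool IsPersonalAccount(ClaimsIdentity identity)
    {
        if (identity == null || !identity.IsAuthenticated) return false;
        foreach (string type in TenantClaimTypes)
        {
            Claim tid = identity.FindFirst(type);
            if (tid == null) continue;
            return string.Equals(tid.Value, MsaTenantId, StringComparison.OrdinalIgnoreCase)
                && string.Equals(tid.Issuer, MsaIssuer, StringComparison.Ordinal);
        }
        return false; // no tenant claim at all
    }

    // Constructed sample identity; the values are not taken from a real token.
    static ClaimsIdentity Sample(string tenantId)
    {
        var id = new ClaimsIdentity("constructed-sample");
        if (tenantId != null)
        {
            string issuer = "https://login.microsoftonline.com/" + tenantId + "/v2.0";
            id.AddClaim(new Claim("tid", tenantId, ClaimValueTypes.String, issuer));
        }
        return id;
    }

    public static void Main()
    {
        Console.WriteLine(IsPersonalAccount(Sample(MsaTenantId)));                             // personal account
        Console.WriteLine(IsPersonalAccount(Sample("00000000-0000-0000-0000-000000000001"))); // work/school tenant
        Console.WriteLine(IsPersonalAccount(Sample(null)));                                    // no tid claim
    }
}
```

In the OWIN sample, a check like this would run on the identity in the middleware's `SecurityTokenValidated` notification, rejecting the sign-in when it returns false.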