
According to the documentation, Microsoft Graph supports tokens from Azure AD v2.0 and Azure AD only:

The Microsoft Graph supports two authentication providers:

  • To authenticate users with personal Microsoft accounts, such as live.com or outlook.com accounts, use the Azure Active Directory (Azure AD) v2.0 endpoint.
  • To authenticate users with enterprise (that is, work or school) accounts, use Azure AD.

But Azure AD v2.0 is a new endpoint that supports both Microsoft account types: personal (former Live accounts) and work/school (classic Azure AD accounts). And it's unclear how to limit authorization to personal accounts only.

Azure AD supports only work/school accounts.

So, if I want to allow my app to use only personal accounts, how do I do it? How do I authenticate to Microsoft Graph with Microsoft personal accounts only (forbid users from using work/school accounts)?

P.S.: I use MSAL for authentication in my app, if it matters.

Askolein
23W

1 Answer

Based on the documentation for Azure AD v2.0, if you want to support only Microsoft Accounts, the endpoint you would want to use is https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize. The key thing here is consumers which will ensure that your users will only get an option of authenticating using Microsoft Accounts.

If I were to take the GitHub example of MSAL, the change you would make is in Startup_Auth.cs:

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                // The `Authority` represents the v2.0 endpoint - https://login.microsoftonline.com/consumers/v2.0
                // The `Scope` describes the initial permissions that your app will need.  See https://azure.microsoft.com/documentation/articles/active-directory-v2-scopes/
                ClientId = clientId,
                // aadInstance is the format string "https://login.microsoftonline.com/{0}{1}", so this yields the consumers authority
                Authority = String.Format(CultureInfo.InvariantCulture, aadInstance, "consumers", "/v2.0"),
                RedirectUri = redirectUri,
                Scope = "openid email profile offline_access Mail.Read",
                PostLogoutRedirectUri = redirectUri,
                TokenValidationParameters = new TokenValidationParameters()
            });
Gaurav Mantri
  • Thank you, I've spent the whole day today with this and similar code. And it has to work but doesn't work at present. There is an issue on Azure AD and "they are working to fix it". For details look at MSAL git - https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/410 – 23W May 08 '17 at 17:43
  • This is correct, but to ensure that only consumer users can sign into your app, you should also validate the issuer of the resulting sign-in token. [Here](https://github.com/Azure-Samples/active-directory-dotnet-daemon-v2/blob/master/UserSync/App_Start/Startup.Auth.cs#L49-L59) is some code that shows how to add extra validation to your app. I'd recommend editing your answer to include this piece. – dstrockis May 08 '17 at 18:53
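Putting the answer and dstrockis's comment together, here is an added example (not code from the question, the answer, or the MSAL sample) of the OWIN middleware configured with the consumers authority plus issuer and tenant checks, so that a token minted by a work/school tenant is rejected even though the login page only offers personal accounts. It assumes Katana 3.x namespaces, the well-known personal-account tenant id 9188040d-6c67-4c5b-b112-36a304b66dad, web.config keys `ida:ClientId`/`ida:RedirectUri`, and a hypothetical `/Account/AccessDenied` route.

```csharp
using System.Configuration;
using System.IdentityModel.Tokens;   // Katana 3.x; in 4.x this type lives in Microsoft.IdentityModel.Tokens
using System.Threading.Tasks;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Well-known tenant under which every personal Microsoft account is issued tokens.
    private const string ConsumerTenantId = "9188040d-6c67-4c5b-b112-36a304b66dad";
    private const string ConsumerIssuer = "https://login.microsoftonline.com/" + ConsumerTenantId + "/v2.0";

    // Assumed to be read from web.config, as the MSAL sample does.
    private static readonly string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static readonly string redirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            // "consumers" restricts the hosted sign-in page to personal accounts...
            Authority = "https://login.microsoftonline.com/consumers/v2.0",
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            Scope = "openid email profile offline_access Mail.Read",
            TokenValidationParameters = new TokenValidationParameters
            {
                // ...but only this check rejects an id_token issued by a work/school (Azure AD) tenant.
                ValidateIssuer = true,
                ValidIssuer = ConsumerIssuer
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Second check after signature validation: the tid claim must be the consumer tenant.
                SecurityTokenValidated = context =>
                {
                    var identity = context.AuthenticationTicket.Identity;
                    var tid = identity.FindFirst("tid")
                        ?? identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid");
                    if (tid == null || tid.Value != ConsumerTenantId)
                    {
                        context.HandleResponse();                        // do not sign the user in
                        context.Response.Redirect("/Account/AccessDenied"); // hypothetical route
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```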