0 votes

According to the documentation, Microsoft Graph supports tokens from Azure AD v2.0 and Azure AD only:

The Microsoft Graph supports two authentication providers:

  • To authenticate users with personal Microsoft accounts, such as live.com or outlook.com accounts, use the Azure Active Directory (Azure AD) v2.0 endpoint.
  • To authenticate users with enterprise (that is, work or school) accounts, use Azure AD.

But Azure AD v2.0 is a new endpoint that supports both Microsoft account types: personal (former Live accounts) and work/school (classic Azure AD accounts). And it's unclear how to limit authorization to personal accounts only.

Azure AD supports only work/school accounts.

So, if I want to allow my app to use only personal accounts, how do I do it? How do I authenticate in Microsoft Graph with Microsoft personal accounts only (forbid users from using work/school accounts)?

P.S.: I use MSAL for authentication in my app, if it matters.

1 If I understand your question correctly, you want to use Azure AD v2.0 and only want to restrict access to Microsoft accounts. Is my understanding correct? - Gaurav Mantri
@GauravMantri, yep - 23W

1 Answer

3 votes

Based on the documentation for Azure AD v2.0, if you want to support only Microsoft Accounts, the endpoint you would want to use is https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize. The key thing here is consumers, which will ensure that your users will only get an option of authenticating using Microsoft Accounts.

If I were to take the GitHub example of MSAL, the change you would make is in Startup_Auth.cs:

    // aadInstance is assumed to be the sample's format string "https://login.microsoftonline.com/{0}{1}"
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            // The `Authority` represents the v2.0 endpoint - https://login.microsoftonline.com/consumers/v2.0
            // The `Scope` describes the initial permissions that your app will need. See https://azure.microsoft.com/documentation/articles/active-directory-v2-scopes/
            ClientId = clientId,
            // "consumers" (instead of "common") restricts sign-in to personal Microsoft accounts
            Authority = String.Format(CultureInfo.InvariantCulture, aadInstance, "consumers", "/v2.0"),
            RedirectUri = redirectUri,
            Scope = "openid email profile offline_access Mail.Read",
            PostLogoutRedirectUri = redirectUri,
            TokenValidationParameters = new TokenValidationParameters
            {
                // issuer/audience validation settings for the consumers tenant go here
            }
        });
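The authority string above only controls which sign-in experience the user is offered; a defender should also check, server-side, that the ID token actually came from the personal-account tenant. The following added example (not code from the question, the answer, or the MSAL sample) shows both halves in Python: building the same `consumers` authority and authorize URL the answer describes, and then checking the `iss`, `tid` and `aud` claims of an ID token before trusting it. It assumes the well-known tenant id that Azure AD v2.0 places in the `tid` claim of personal-account tokens (not on the page), and the sample tokens are constructed and unsigned; signature verification against the authority's JWKS is left to the OpenID Connect middleware.

```python
import base64
import json
from urllib.parse import urlencode

# Same shape as the answer's String.Format(aadInstance, tenant, "/v2.0").
AAD_INSTANCE = "https://login.microsoftonline.com/{0}{1}"

# Assumed well-known tenant id of personal Microsoft accounts (not on the page).
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"

# Placeholder application id, not a real client id.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"


def authority(tenant: str) -> str:
    """'consumers' = personal only, 'organizations' = work/school only, 'common' = both."""
    return AAD_INSTANCE.format(tenant, "/v2.0")


def authorize_url(tenant: str, client_id: str, redirect_uri: str,
                  scope: str, state: str, nonce: str) -> str:
    """Authorization-code request against the v2.0 endpoint of the given tenant segment."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,   # CSRF binding between request and callback
        "nonce": nonce,   # replay binding, echoed in the ID token
    }
    return AAD_INSTANCE.format(tenant, "/oauth2/v2.0/authorize") + "?" + urlencode(params)


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def id_token_claims(id_token: str) -> dict:
    """Decode the JWT payload only; the signature must be verified separately."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def expected_personal_issuer() -> str:
    # Tokens for personal accounts are issued under the MSA tenant id, not "consumers".
    return AAD_INSTANCE.format(MSA_TENANT_ID, "/v2.0")


def is_personal_account_token(claims: dict, client_id: str) -> bool:
    """Reject tokens minted for another app or by a work/school tenant."""
    return (
        claims.get("aud") == client_id
        and claims.get("tid") == MSA_TENANT_ID
        and claims.get("iss") == expected_personal_issuer()
    )


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token for the demo; real tokens are RS256-signed."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


# Constructed samples: one personal-account token, one from a placeholder org tenant.
PERSONAL_TOKEN = make_unsigned_token({
    "aud": CLIENT_ID,
    "iss": expected_personal_issuer(),
    "tid": MSA_TENANT_ID,
    "preferred_username": "someone@outlook.com",
})
ORG_TENANT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder
WORK_TOKEN = make_unsigned_token({
    "aud": CLIENT_ID,
    "iss": AAD_INSTANCE.format(ORG_TENANT_ID, "/v2.0"),
    "tid": ORG_TENANT_ID,
    "preferred_username": "someone@contoso.example",
})

if __name__ == "__main__":
    print(authorize_url("consumers", CLIENT_ID, "https://localhost/signin-oidc",
                        "openid email profile offline_access Mail.Read", "st4te", "n0nce"))
    for label, token in (("personal", PERSONAL_TOKEN), ("work", WORK_TOKEN)):
        print(label, "accepted" if is_personal_account_token(id_token_claims(token), CLIENT_ID) else "rejected")
```

The claims check is the part worth keeping even when the middleware already validates the signature: `consumers` in the authority stops the login page from offering work accounts, but the issuer and `tid` comparison is what guarantees a token from an organizational tenant is never accepted by the application.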