如何仅使用 Microsoft 个人帐户在 Microsoft Graph 中进行身份验证?
How to authenticate in Microsoft Graph with Microsoft personal accounts only?
According to documentation,Microsoft Graph 仅支持来自 Azure AD v2.0 和 Azure AD 的令牌:
The Microsoft Graph supports two authentication providers:
- To authenticate users with personal Microsoft accounts, such as live.com or outlook.com accounts, use the Azure Active Directory (Azure AD) v2.0 endpoint.
- To authenticate users with enterprise (that is, work or school) accounts, use Azure AD.
但是,Azure AD v2.0 是支持两种 Microsoft 帐户类型的新端点:个人(以前的 Live 帐户)和 work/school(经典 Azure AD 帐户)。而且还不清楚,如何限制对个人帐户的授权。
Azure AD 仅支持 work/school 帐户。
所以,如果我想让我的应用程序只使用个人帐户,该怎么做?
如何在 Microsoft Graph 中仅使用 Microsoft 个人帐户进行身份验证(禁止用户使用 work/school 个帐户)?
P.S.: 如果重要的话,我在我的应用程序中使用 MSAL 进行身份验证。
根据 Azure AD v2.0 的文档,如果您只想支持 Microsoft Accounts,您希望使用的端点是 https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize。这里的关键是 consumers 这将确保您的用户只能获得使用 Microsoft 帐户进行身份验证的选项。
如果我选择 Github example of MSAL, the change you would make is in Startup_Auth.cs
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// The `Authority` represents the v2.0 endpoint - https://login.microsoftonline.com/consumers/v2.0
// The `Scope` describes the initial permissions that your app will need. See https://azure.microsoft.com/documentation/articles/active-directory-v2-scopes/
ClientId = clientId,
Authority = String.Format(CultureInfo.InvariantCulture, aadInstance, "consumers", "/v2.0"),
RedirectUri = redirectUri,
Scope = "openid email profile offline_access Mail.Read",
PostLogoutRedirectUri = redirectUri,
TokenValidationParameters = new TokenValidationParameters
According to documentation,Microsoft Graph 仅支持来自 Azure AD v2.0 和 Azure AD 的令牌:
The Microsoft Graph supports two authentication providers:
- To authenticate users with personal Microsoft accounts, such as live.com or outlook.com accounts, use the Azure Active Directory (Azure AD) v2.0 endpoint.
- To authenticate users with enterprise (that is, work or school) accounts, use Azure AD.
但是,Azure AD v2.0 是支持两种 Microsoft 帐户类型的新端点:个人(以前的 Live 帐户)和 work/school(经典 Azure AD 帐户)。而且还不清楚,如何限制对个人帐户的授权。
Azure AD 仅支持 work/school 帐户。
所以,如果我想让我的应用程序只使用个人帐户,该怎么做? 如何在 Microsoft Graph 中仅使用 Microsoft 个人帐户进行身份验证(禁止用户使用 work/school 个帐户)?
P.S.: 如果重要的话,我在我的应用程序中使用 MSAL 进行身份验证。
根据 Azure AD v2.0 的文档,如果您只想支持 Microsoft Accounts,您希望使用的端点是 https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize。这里的关键是 consumers 这将确保您的用户只能获得使用 Microsoft 帐户进行身份验证的选项。
如果我选择 Github example of MSAL, the change you would make is in Startup_Auth.cs
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// The `Authority` represents the v2.0 endpoint - https://login.microsoftonline.com/consumers/v2.0
// The `Scope` describes the initial permissions that your app will need. See https://azure.microsoft.com/documentation/articles/active-directory-v2-scopes/
ClientId = clientId,
Authority = String.Format(CultureInfo.InvariantCulture, aadInstance, "consumers", "/v2.0"),
RedirectUri = redirectUri,
Scope = "openid email profile offline_access Mail.Read",
PostLogoutRedirectUri = redirectUri,
TokenValidationParameters = new TokenValidationParameters