Confusion with Entra ID tenant and Microsoft Account

Question

Confusion with Entra ID tenant and Microsoft Account

Karl Gardner 195

Hello,

I went through the following training module: https://learn.microsoft.com/en-us/training/modules/msgraph-user-photo-information/1-introduction

and it seems to be working with the profile picture I put in my Entra ID tenant (with global administator kgardner3300_gmail.com#EXT#@kgardner3300gmail.onmicrosoft.com)

User's image

and running the node.js application with local host: User's image

However, I expected to get back a different profile photo that I had in my original Microsoft account that I used to create the azure account (******@gmail.com): User's image

Would this not be the same account? Seems like the ******@gmail.com may be my personal microsoft 365 account that is not associated with the Entra ID tenant?

Thanks!

Accepted answer

0 additional answers

Your answer

Answer 1

CarlZhao-MSFT 46,376

Hi @Karl Gardner

The kgardner3300_gmail.com#EXT#@kgardner3300gmail.onmicrosoft.com account is actually the work identity of the ******@gmail.com account.

When you create a tenant with your personal account "******@gmail.com", your personal account will be treated as the root account of the new tenant, and it will be automatically assigned the global administrator role and work domain, and it will be a work account at this time.

Although both identities are different manifestations of your same account, Entra ID treats them as two different accounts and they have different access rights.

Therefore, the photo of your account's "personal" identity will not be synchronized to its "work" identity. You need to upload a new photo for your user's work identity in Entra ID, which is why your user has two different photos.

In summary, if you want to get the photo of your user's "personal" identity, you need to log in to the multi-tenant application using the /common endpoint. Conversely, if you want to get the photo of your user's "work" identity, you need to log in to the multi-tenant application using the /{tenant_id} endpoint.

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

Karl Gardner 195 Reputation points

2024-07-19T00:33:39.8733333+00:00

Hello @CarlZhao-MSFT,

This makes a bit more sense now, thanks for the detailed explanation. Is their any documentation links on this topic of "work" and "personal" identities to read? I just haven't heard about this before. I'm also wondering if I logged into the https://login.microsoftonline.com/common endpoint to authenticate with EntraID (MSAL) would I then have to use the /users/{id | userPrincipalName}/photo/$value endpoint for Graph API:

https://learn.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0&tabs=http#get-the-photo

How else would Graph API know to get the photo of my personal account then if I am using the /common endpoint?
CarlZhao-MSFT 46,376 Reputation points

2024-07-19T09:51:10.55+00:00

Hi @Karl Gardner

You can refer to the documentation for creating a new tenant. When you create a new Azure AD tenant with a personal account, your personal account becomes the first user in the tenant and is automatically assigned as a global administrator. This means that you have the highest permissions in the new tenant and can manage and configure all settings and users in the tenant. However, this new tenant is independent of the original personal account. Although you created the tenant with a personal account, they are two different entities in Azure AD. You can add other users in the new tenant and assign different roles and permissions to them.

No, after you log in to a multi-tenant application using the /common endpoint, you should call the /me/photo/$value API to get the photo of the logged in user.

When you use the /common endpoint for authentication, the authorized application will give priority to personal account logins.
Karl Gardner 195 Reputation points

2024-07-19T21:35:37.35+00:00

Hello @CarlZhao-MSFT ,

Thanks for the information! Finally got it working:

Guess, the /common endpoint is in Microsoft Identity Platform documentation as well but it's weird how it will give priority to the personal identity and instead of work identity. Think I need to learn more about Identity platform. Thanks!

Share via

Confusion with Entra ID tenant and Microsoft Account

0 additional answers

Your answer