Determine OrganisationId / Tenant upon OAuth2 Login via AzureAD MultiTenant Personal Account Type

Theo Dickinson 20 Reputation points
2023-05-22T11:58:59.9633333+00:00

I've registered an App with Supported Account Type "Accounts in any organizational directory and personal Microsoft accounts".
This allows me to login to my App via OAuth using my personal account and organisational account.

Roughly the call is to the endpoint

/oauth2/v2.0/authorize?client_id=APPID&redirect_uri=MyAppUrl&scope=User.Read

Where MyAppUrl is the https://myapp/oauth/callback

I use part of the payload returned upon AAD authentication within my PHP WebApp. The payload is defined by the "User.Read" realm.

I intend to customise the MyAppUrl features available to the user based on the logged in user's Organisation/Business/Tenant identity.

Given that any organisation AD or personal Account "common" can be used for auth, how can I get the user's Organisation/Business identity? Can the payload returned to MyAppUrl be configured to include the needed data, and if so, how?

Do I need to make a separate call to https://graph.microsoft.com/v1.0/organization?

As an aside, I'm using the Laravel Socialite package https://socialiteproviders.com/Microsoft-Azure/#installation-basic-usage

Any advice appreciated.


Accepted answer
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator
2023-05-24T12:00:23.1866667+00:00

@Theo Dickinson

Thank you for posting your query on Microsoft Q&A, please find below answers in line:

• Given that any organisation AD or personal Account "common" can be used for auth, how can I get the user's Organisation/Business identity?

You may get the same from Azure AD sign-in logs; within the id token, the tid claim value is a GUID that represents the Azure AD tenant that the user is from. For work and school accounts, the GUID is the immutable tenant ID of the organization that the user belongs to. For personal accounts, the value is 9188040d-6c67-4c5b-b112-36a304b66dad. The profile scope is required in order to receive this claim.

[image]

• I tested this with my test application with the common endpoint:

[image]

Please do let me know if you have any further queries.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.
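As an added worked example (not code from the question, the answer, or the Laravel Socialite provider), the Python below reads the tid claim out of an id token that the OAuth client has already validated and uses it to separate personal Microsoft accounts from organisational tenants after a /common sign-in. The tenant GUID, usernames and token bodies are constructed for the demonstration.

```python
import base64
import json

# Fixed tid that the identity platform issues for personal Microsoft accounts
# (the value quoted in the accepted answer above).
PERSONAL_ACCOUNT_TID = "9188040d-6c67-4c5b-b112-36a304b66dad"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    This only parses: it does NOT verify signature, audience, expiry or nonce.
    Call it only on a token the OAuth client library has already validated,
    otherwise every claim here is attacker-controllable input.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    return json.loads(_b64url_decode(parts[1]))


def resolve_tenant(claims: dict) -> dict:
    """Classify the signed-in user by the tid claim from a /common sign-in."""
    tid = claims.get("tid")
    if tid is None:
        # tid is only issued when the 'profile' scope was requested.
        raise ValueError("no tid claim; add the 'profile' scope to the authorize request")
    if tid == PERSONAL_ACCOUNT_TID:
        return {"account_type": "personal", "tenant_id": None}
    return {"account_type": "organisational", "tenant_id": tid}


def _constructed_token(payload: dict) -> str:
    """Build an unsigned sample token for demonstration; not a real Azure AD token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "constructed-signature"])


# Constructed sample tokens: a work account in a made-up tenant, and a personal account.
WORK_TOKEN = _constructed_token({"aud": "APPID", "tid": "11111111-2222-3333-4444-555555555555",
                                 "preferred_username": "alice@contoso.example"})
PERSONAL_TOKEN = _constructed_token({"aud": "APPID", "tid": PERSONAL_ACCOUNT_TID,
                                     "preferred_username": "bob@outlook.example"})

if __name__ == "__main__":
    for token in (WORK_TOKEN, PERSONAL_TOKEN):
        print(resolve_tenant(id_token_claims(token)))
```

Because the /common endpoint accepts users from any tenant, the tid value (not the username or e-mail domain) is what a per-organisation feature gate should key on.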

