Determine OrganisationId / Tenant upon OAuth2 Login via AzureAD MultiTenant Personal Account Type

Question

Determine OrganisationId / Tenant upon OAuth2 Login via AzureAD MultiTenant Personal Account Type

Theo Dickinson 20

I've registered an App with Supported Account Type "Accounts in any organizational directory and personal Microsoft accounts".
This allows me to login to my App via OAuth using my personal account and organisational account.

Roughly the call is to the endpoint

/oauth2/v2.0/authorize?client_id=APPID&redirect_uri=MyAppUrl&scope=User.Read

Where MyAppUrl is the https://myapp/oauth/callback

I use part of the payload returned upon AAD authentication within my Php WebApp. The payload is defined by the "User.Read" realm.

I intend to customise the MyAppUrl features available to the user based on the logged in user's Organisation/Business/Tenant identity.

Given that any organisation AD or personnel Account "common" can be used for auth, how can I get the user's Organisation/Business identity ? Can the payload returned to MyAppUrl be configured to include the needed data, if so how ?

Do I need to make a separate call to https://graph.microsoft.com/v1.0/organization

As an aside Im using the Laravel Socialite package https://socialiteproviders.com/Microsoft-Azure/#installation-basic-usage

Any advice appreciated.

Daniel Oosterhuis 0 Reputation points

2023-09-28T10:28:07.6166667+00:00

Maybe a little late, but I've solved this by extending the Socialite plugin for Azure, adding a organization() method, which queries the /organization endpoint. It will return all the info you need to give Azure users access to a multi-tenant application and then from there do your own whitelisting etc.
Theo Dickinson 20 Reputation points

2023-09-28T22:36:00.18+00:00

Hello Daniel, thanks for the feedback.

This may be of interest to you as I forked and "fixed" (in my opinion) the issue. As you will see another solution was provided as a PR #1035 but I don't believe it to be a decent fix, more a blunt fix.

I discuss the issue here

https://github.com/SocialiteProviders/Providers/issues/1029

and provide a solution in my Forked repo

https://github.com/SocialiteProviders/Microsoft/compare/master...theodson:Microsoft:feature/support_all_work_school_consumer_user_accounts_under_common

Accepted answer

0 additional answers

Your answer

Daniel Oosterhuis 0 Reputation points

2023-09-28T10:28:07.6166667+00:00

Maybe a little late, but I've solved this by extending the Socialite plugin for Azure, adding a organization() method, which queries the /organization endpoint. It will return all the info you need to give Azure users access to a multi-tenant application and then from there do your own whitelisting etc.
Theo Dickinson 20 Reputation points

2023-09-28T22:36:00.18+00:00

Hello Daniel, thanks for the feedback.

This may be of interest to you as I forked and "fixed" (in my opinion) the issue. As you will see another solution was provided as a PR #1035 but I don't believe it to be a decent fix, more a blunt fix.

I discuss the issue here

https://github.com/SocialiteProviders/Providers/issues/1029

and provide a solution in my Forked repo

https://github.com/SocialiteProviders/Microsoft/compare/master...theodson:Microsoft:feature/support_all_work_school_consumer_user_accounts_under_common

Answer 1

Akshay-MSFT 17,961 Microsoft Employee Moderator

@Theo Dickinson

Thank you for posting your query on Microsoft Q&A, please find below answers in line:

Given that any organisation AD or personnel Account "common" can be used for auth, how can I get the user's Organisation/Business identity ?

You may get the same from Azure AD sign in logs as the within the id token the tid claim value represents GUID that represents the Azure AD tenant that the user is from. For work and school accounts, the GUID is the immutable tenant ID of the organization that the user belongs to. For personal accounts, the value is 9188040d-6c67-4c5b-b112-36a304b66dad. The profile scope is required in order to receive this claim.

I tested this with my test application with common endpoint:

User's image

Please do let me know if you have any further queries.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.

Theo Dickinson 20 Reputation points

2023-05-24T17:32:38.8166667+00:00

Hi Thanks for the reply.

I've looked at multiple configurations and inspected the two TOKENs (ID_TOKEN and ACCESS_TOKEN). They both seem to contain the tid entry. In my App I've experimented with enabling Implicit and Hybrid flows only with User.Read scope, the Access Token only exists and does indeed contain the correct tid.

If I additionally request "openid" and optionally "profile" (doesn't appear to need this) scopes the ID_TOKEN is produced and it too contains the tid.

I've tested both of these with two issuer types, common and organizations and the behaviour was the same with the expection of only common allow Public Microsoft Accounts (and yes I confirmed For personal accounts, the value is 9188040d-6c67-4c5b-b112-36a304b66dad )

I now have this question, will this tid of 9188040d-6c67-4c5b-b112-36a304b66dad always reflect Public Microsoft Accounts and are there any other "special" tid I need to be aware of?

Thanks again
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2023-05-25T11:17:55.1166667+00:00

@Theo Dickinson ,

Yes, for personal Microsoft accounts tid would always reflect as 9188040d-6c67-4c5b-b112-36a304b66dad since this is the only authority issuing token for personals accounts .

Since you could not decode access token for a personal account, hence only id token will help you with tid claim.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.

Share via

Determine OrganisationId / Tenant upon OAuth2 Login via AzureAD MultiTenant Personal Account Type

0 additional answers

Your answer