How to programmatically differentiate between a Business Microsoft 365 account and a consumer Office 365 account?

Chirag 0 Reputation points
2024-06-17T23:40:44.7366667+00:00

Hi,

I am building a multi-tenant application that makes use of the Graph API. For authorizing a sign-in, my code is calling the “common/oauth2/v2.0/authorize” endpoint to fetch the OAuth access token for a user through the Graph API.

I want to be able to tell programatically when a user is trying to sign into a business Microsoft Exchange Online account from a consumer Office 365 account. Both these products are accessed by Graph API and the auth response is identical. Also my code is agnostic to "tenantId" of business enterprises. So I am trying to understand how I could differentiate when a user is fetching an authorization code for Office 365 (hotmail/ outlook) account vs a business account.

One naive way might be to see if the user account's domain name is - hotmail.com or outlook.com, which would likely mean that it is a consumer (non-business account). Business accounts likely will have their custom domain names eg. my-company.com. Is there a better way to do it though? Ideally some sort of a flag in the response from the /authorize Graph API that tells my code whether the account is hosted via Exchange Online or is a regular Office 365 account?

Thanks!

Microsoft Identity Manager
Microsoft Identity Manager
A family of Microsoft products that manage a user's digital identity using identity synchronization, certificate management, and user provisioning.
650 questions
Microsoft Authenticator
Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
6,029 questions
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,322 questions
Outlook Management
Outlook Management
Outlook: A family of Microsoft email and calendar products.Management: The act or process of organizing, handling, directing or controlling something.
5,054 questions
Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,358 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. CarlZhao-MSFT 39,736 Reputation points
    2024-06-18T07:57:50.7+00:00

    Hi @Chirag

    There are several methods to distinguish between personal and work accounts:

    • By authorization code

    The authorization code for both is an opaque string, but the authorization code for work accounts is usually long, while the authorization code for personal accounts is short.

    • By user id

    Try to call the /me endpoint and find the user id. You will find that the user id of the work account is in GUID format, and the user id of the personal account is just a string instead of GUID.

    • By access token.

    The access token for the work account uses the standard JWT format and can be decoded by jwt.io. The access token for the personal account is a specially encrypted token, not in JWT format.


    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

    1 person found this answer helpful.