Allowing both individual and organisation accounts to log in to a website via Azure OIDC

B Mo 61 Reputation points
2022-05-07T17:41:03.183+00:00

I'm trying to add "Sign in with Microsoft" to an existing website using OIDC via the endpoint:
https://login.microsoftonline.com/'.$ad_tenant.'/oauth2/v2.0/authorize?

For $ad_tenant, my understanding was that "common" should allow any type of Microsoft account to log in? When I use common and try to log in with my Microsoft account I get the message "You can't sign in here with a personal account. Use your work or school account instead."

When I use my account's Directory (tenant) ID it allows me to log in, but it won't let anyone from another tenant log in.
I need it to allow both organisation and personal Microsoft accounts from any tenant to log in. Is this possible?
If so, how? And if not, why not?

Thanks

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2022-05-24T07:58:08.077+00:00

    Hi @B Mo ,

    Thanks for reaching out and apologies for delay in response.

    I understand you are using the common endpoint to authenticate the user, which should allow both Microsoft accounts and work or school accounts to access the application, but you are getting an error while signing in with your Microsoft account.

    This can be because the sign-in audience needs to be correctly configured under "Supported account types" when registering the application.

    [Screenshot: the "Supported account types" options on the app registration page]

    Selecting the "Accounts in any organizational directory and personal Microsoft accounts" option will allow users who have personal Microsoft accounts and users from another tenant to access the application.

    If you registered your application initially as single-tenant but want to allow users from other tenants or Microsoft accounts as well, I would recommend registering a new application with the above option to target the largest sign-in audience for your application.

    Updating the account types supported by an application will sometimes fail to change the application from single-tenant to multi-tenant due to Application ID URI (App ID URI) name collisions. So it is better to avoid that and register a new application as a multi-tenant application.

    Reference docs: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application
    https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-modify-supported-accounts#why-changing-to-multi-tenant-can-fail

    Hope this will help.

    -------------------------------------------------

    Please remember to "Accept Answer" if answer helped you.
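Once the registration accepts "any organizational directory and personal Microsoft accounts", the `common` authority admits users from every tenant, so the website has to decide for itself which tenants it trusts. The example below is added here and is not code from the question or the answer: it builds the v2.0 authorize URL (with state, nonce and PKCE) and then performs the claims checks a multi-tenant relying party needs on the returned ID token. With `common`, the token's `iss` is `https://login.microsoftonline.com/{tid}/v2.0`, so the issuer cannot be compared against one fixed string; it must be derived from the `tid` claim, and an allow-list of tenants is applied if the site is not meant to be open to everyone. The client ID, redirect URI and the claims dictionary are constructed sample values, and the function assumes the token's signature has already been verified against the keys published in the discovery document.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
# Tenant ID that personal Microsoft accounts carry in the "tid" claim
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"


def build_authorize_url(client_id, redirect_uri, tenant="common",
                        state=None, nonce=None, code_verifier=None):
    """Build the v2.0 authorize URL. tenant="common" admits both work/school and
    personal accounts, but only if the app registration's supported account
    types allow them; otherwise the sign-in page rejects personal accounts."""
    state = state or secrets.token_urlsafe(32)
    nonce = nonce or secrets.token_urlsafe(32)
    code_verifier = code_verifier or secrets.token_urlsafe(64)
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": "openid profile email",
        "state": state,                      # CSRF binding for the callback
        "nonce": nonce,                      # echoed in the ID token
        "code_challenge": challenge,         # PKCE, S256
        "code_challenge_method": "S256",
    }
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)
    # The caller stores state, nonce and code_verifier in the session
    return url, state, nonce, code_verifier


def validate_multitenant_id_token_claims(claims, client_id, expected_nonce,
                                         allowed_tenants=None, now=None):
    """Claims-level checks for an ID token obtained through the common endpoint.
    Assumes the JWT signature was already verified. Returns a summary dict
    or raises ValueError on any failed check."""
    now = time.time() if now is None else now
    tid = claims.get("tid")
    if not tid:
        raise ValueError("missing tid claim")
    # Issuer is per-tenant; derive the expected value from tid rather than
    # comparing against a single fixed issuer string
    if claims.get("iss") != f"{AUTHORITY}/{tid}/v2.0":
        raise ValueError("issuer does not match tid")
    if claims.get("aud") != client_id:
        raise ValueError("audience mismatch")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # Accepting every tenant is a deliberate choice; enforce an allow-list
    # when the site is not meant to be open to any Microsoft account
    if allowed_tenants is not None and tid not in allowed_tenants:
        raise ValueError(f"tenant {tid} is not allowed")
    return {
        "tenant": tid,
        "is_personal_account": tid == MSA_TENANT_ID,
        "subject": claims.get("sub"),   # stable per app, safe for account linking
        "oid": claims.get("oid"),       # stable per directory object
    }


if __name__ == "__main__":
    url, state, nonce, verifier = build_authorize_url(
        "00000000-0000-0000-0000-000000000001", "https://app.example/callback")
    print(url)
    # Constructed sample claims for a personal-account sign-in
    sample = {
        "iss": f"{AUTHORITY}/{MSA_TENANT_ID}/v2.0",
        "aud": "00000000-0000-0000-0000-000000000001",
        "tid": MSA_TENANT_ID,
        "sub": "AAAAAAAAAAAAAAAAAAAAAPw1yxkjPE5Ji2vvFtrx5dA",
        "nonce": nonce,
        "exp": int(time.time()) + 600,
    }
    print(validate_multitenant_id_token_claims(sample, sample["aud"], nonce))
```

Note that the discovery document for `common` publishes the literal issuer `https://login.microsoftonline.com/{tenantid}/v2.0`, so an OIDC library with strict issuer validation against that document will reject every token; either use a library that understands this placeholder or perform the tid-derived issuer check shown above.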


0 additional answers
