According to the documentation, Microsoft Graph supports tokens from Azure AD v2.0 and Azure AD only:

The Microsoft Graph supports two authentication providers: To authenticate users with personal Microsoft accounts, such as live.com or outlook.com accounts, use the Azure Active Directory (Azure AD) v2.0 endpoint. To authenticate users with enterprise (that is, work or school) accounts, use Azure AD.

But Azure AD v2.0 is a new endpoint that supports both Microsoft account types: personal (former Live accounts) and work/school (classic Azure AD accounts). And it's unclear how to limit authorization to personal accounts only.

Azure AD supports only work/school accounts.

So, if I want to allow my app to use only personal accounts, how do I do it? How do I authenticate in Microsoft Graph with Microsoft personal accounts only (forbid the user from using work/school accounts)?

P.S.: I use MSAL for authentication in my app, if it matters.
Based on the documentation for Azure AD v2.0, if you want to support only Microsoft Accounts, the endpoint you would want to use is https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize. The key thing here is consumers, which will ensure that your users will only get an option of authenticating using Microsoft Accounts.

If I were to take the GitHub example of MSAL, the change you would make is in Startup_Auth.cs:
```csharp
app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        // The `Authority` represents the v2.0 endpoint - https://login.microsoftonline.com/consumers/v2.0
        // The `Scope` describes the initial permissions that your app will need. See https://azure.microsoft.com/documentation/articles/active-directory-v2-scopes/
        ClientId = clientId,
        Authority = String.Format(CultureInfo.InvariantCulture, aadInstance, "consumers", "/v2.0"),
        RedirectUri = redirectUri,
        Scope = "openid email profile offline_access Mail.Read",
        PostLogoutRedirectUri = redirectUri,
        TokenValidationParameters = new TokenValidationParameters
```
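Choosing the `consumers` tenant segment only changes which sign-in page users see; what actually keeps a work/school account out is the issuer check the OpenID Connect middleware performs against the metadata published under that authority. The following Python snippet is an added example, not code from the answer above or from the MSAL sample, that mirrors the `String.Format(aadInstance, "consumers", "/v2.0")` authority construction and then applies the same issuer/tenant check to two constructed, unsigned ID-token payloads (signature verification is deliberately out of scope here and must be done separately in a real app). `AAD_INSTANCE`, `CLIENT_ID`, the work/school tenant GUID and both sample tokens are assumptions made for the example; `MSA_TENANT_ID` is the well-known tenant ID that personal Microsoft account tokens carry, which is not stated on this page.

```python
import base64
import json

# Assumed equivalent of the C# sample's aadInstance format string:
# {0} = tenant segment ("consumers", "organizations", "common", or a tenant id), {1} = version path.
AAD_INSTANCE = "https://login.microsoftonline.com/{0}{1}"

# Well-known tenant id carried in the `tid` claim of every personal Microsoft account token
# (not from the page; stated here as a known public constant).
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"

# Constructed values for the example only.
CLIENT_ID = "00000000-0000-0000-0000-00000000c1e7"
WORK_TENANT_ID = "11111111-2222-3333-4444-555555555555"


def build_authority(tenant_segment: str, version: str = "/v2.0") -> str:
    """Same result as String.Format(aadInstance, tenant_segment, version) in the C# sample."""
    return AAD_INSTANCE.format(tenant_segment, version)


def expected_consumers_issuer() -> str:
    """Issuer value that the consumers authority's openid-configuration document advertises.

    Note that it names the MSA tenant id, not the literal word "consumers".
    """
    return f"https://login.microsoftonline.com/{MSA_TENANT_ID}/v2.0"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT for demonstration only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_payload(id_token: str) -> dict:
    """Return the JWT payload claims. Does NOT verify the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def is_personal_account_token(claims: dict, client_id: str) -> bool:
    """Accept only tokens issued by the consumers (MSA) tenant for this client.

    A work/school token from the same v2.0 endpoint carries the organisation's tenant id in
    both `iss` and `tid`, so it fails here even though the signature would be valid.
    """
    return (
        claims.get("iss") == expected_consumers_issuer()
        and claims.get("tid") == MSA_TENANT_ID
        and claims.get("aud") == client_id
    )


# Constructed sample tokens: one personal-account token, one work/school token.
SAMPLE_PERSONAL_TOKEN = make_unsigned_token({
    "iss": expected_consumers_issuer(),
    "tid": MSA_TENANT_ID,
    "aud": CLIENT_ID,
    "preferred_username": "someone@outlook.com",
})
SAMPLE_WORK_TOKEN = make_unsigned_token({
    "iss": f"https://login.microsoftonline.com/{WORK_TENANT_ID}/v2.0",
    "tid": WORK_TENANT_ID,
    "aud": CLIENT_ID,
    "preferred_username": "someone@contoso.example",
})


if __name__ == "__main__":
    print("authority:", build_authority("consumers"))
    for name, token in (("personal", SAMPLE_PERSONAL_TOKEN), ("work", SAMPLE_WORK_TOKEN)):
        print(name, "accepted" if is_personal_account_token(decode_payload(token), CLIENT_ID) else "rejected")
```

The point to take away for the C# configuration is that `ValidateIssuer` must stay enabled (or an `IssuerValidator` must enforce the MSA tenant) when the authority is `consumers`; disabling issuer validation, as some multi-tenant samples do, would silently let work/school tokens through even though the sign-in page only offered personal accounts.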