How to authenticate in Microsoft Graph with Microsoft personal accounts only? (authentication, personal accounts, Microsoft, Graph)

2023-09-06 17:18:00 by 呆喜

According to the documentation, Microsoft Graph supports tokens from Azure AD v2.0 and Azure AD only:

The Microsoft Graph supports two authentication providers: to authenticate users with personal Microsoft accounts, such as live.com or outlook.com accounts, use the Azure Active Directory (Azure AD) v2.0 endpoint. To authenticate users with enterprise (that is, work or school) accounts, use Azure AD.

But Azure AD v2.0 is a new endpoint that supports both Microsoft account types: personal (former Live accounts) and work/school (classic Azure AD accounts). And it's unclear how to limit authorization to personal accounts only.

Azure AD supports only work/school accounts.

So, if I want to allow my app to use only personal accounts, how do I do it? How do I authenticate in Microsoft Graph with Microsoft personal accounts only (forbid users from using work/school accounts)?

P.S.: I use MSAL for authentication in my app, if it matters.

Recommended answer

Based on the documentation for Azure AD v2.0, if you want to support only Microsoft Accounts, the endpoint you would want to use is https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize. The key thing here is consumers, which will ensure that your users will only get an option of authenticating using Microsoft Accounts.

If I were to take the GitHub example for MSAL, the change you would make is in Startup_Auth.cs:

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                // The `Authority` represents the v2.0 endpoint - https://login.microsoftonline.com/consumers/v2.0
                // `aadInstance` is the sample's format string "https://login.microsoftonline.com/{0}{1}";
                // passing "consumers" as the tenant segment is what restricts sign-in to Microsoft accounts.
                // The `Scope` describes the initial permissions that your app will need.  See https://azure.microsoft.com/documentation/articles/active-directory-v2-scopes/
                ClientId = clientId,
                Authority = String.Format(CultureInfo.InvariantCulture, aadInstance, "consumers", "/v2.0"),
                RedirectUri = redirectUri,
                Scope = "openid email profile offline_access Mail.Read",
                PostLogoutRedirectUri = redirectUri,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // validation settings continue as in the sample project
                }
            });
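The authority change above keeps work/school accounts off the sign-in page, but a defender should also verify on the server that the token actually came from the consumer tenant, since the `consumers` selector resolves to a fixed tenant whose id appears in the `tid` and `iss` claims of every v2.0 token issued to a personal account. The following is an added example, not code from the answer or the MSAL sample: it builds the v2.0 authority/authorize URL for a tenant selector and enforces a personal-account-only policy on already signature-verified claims. The consumer tenant id is the well-known Microsoft account tenant; the token fixtures, client id and redirect URI are constructed for the demo.

```python
"""Personal-account-only policy checks for a Microsoft Graph app.

Added example (not the answer's or the MSAL sample's code). Signature
verification of the ID token is assumed to be done by the OIDC middleware
(TokenValidationParameters in the sample); this code only enforces which
tenant the verified token may come from.
"""
import base64
import json
from urllib.parse import urlencode

LOGIN_HOST = "https://login.microsoftonline.com"
# Well-known tenant id of the Microsoft account (consumer) tenant. Tokens for
# personal accounts carry it in both `tid` and the `iss` URL.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"
# Tenant selectors accepted by the v2.0 endpoint; only "consumers" excludes
# work/school accounts at sign-in time.
TENANT_SELECTORS = {"common", "organizations", "consumers"}


def authority(tenant: str = "consumers") -> str:
    """v2.0 authority the OIDC middleware is pointed at (the answer's Authority)."""
    if tenant not in TENANT_SELECTORS:
        raise ValueError(f"unexpected tenant selector: {tenant!r}")
    return f"{LOGIN_HOST}/{tenant}/v2.0"


def authorize_url(client_id: str, redirect_uri: str, scope: str,
                  tenant: str = "consumers", state: str = "constructed-state") -> str:
    """Authorization-code request URL for the chosen tenant selector."""
    if tenant not in TENANT_SELECTORS:
        raise ValueError(f"unexpected tenant selector: {tenant!r}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # CSRF binding; a real app generates and stores this per request
    }
    return f"{LOGIN_HOST}/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def _b64url_decode_json(segment: str) -> dict:
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def claims_of(id_token: str) -> dict:
    """Return the payload claims of a compact JWS. No signature check here:
    call this only on a token the middleware has already validated."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return _b64url_decode_json(parts[1])


def is_personal_account(claims: dict) -> bool:
    """Policy: accept only tokens issued by the consumer tenant.

    Both `tid` and `iss` are checked, so a token from an organizational tenant
    (e.g. one obtained through the `common` authority) is rejected even if it
    is otherwise valid."""
    expected_issuer = f"{LOGIN_HOST}/{MSA_TENANT_ID}/v2.0"
    return claims.get("tid") == MSA_TENANT_ID and claims.get("iss") == expected_issuer


def constructed_token(claims: dict) -> str:
    """Build an unsigned demo token (constructed fixture; real tokens are signed)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(claims)}.constructed-signature"


# Constructed claim sets: one personal account, one work/school account.
PERSONAL_CLAIMS = {
    "iss": f"{LOGIN_HOST}/{MSA_TENANT_ID}/v2.0",
    "tid": MSA_TENANT_ID,
    "oid": "00000000-0000-0000-abcd-000000000001",
    "preferred_username": "someone@outlook.example",
}
WORK_CLAIMS = {
    "iss": f"{LOGIN_HOST}/11111111-2222-3333-4444-555555555555/v2.0",
    "tid": "11111111-2222-3333-4444-555555555555",
    "oid": "00000000-0000-0000-abcd-000000000002",
    "preferred_username": "someone@contoso.example",
}


def classify_token(id_token: str) -> str:
    """Decision a sign-in callback would make: 'accept' or 'reject'."""
    return "accept" if is_personal_account(claims_of(id_token)) else "reject"


if __name__ == "__main__":
    print(authority())
    print(authorize_url("constructed-client-id", "https://app.example/signin-oidc",
                        "openid email profile offline_access Mail.Read"))
    print(classify_token(constructed_token(PERSONAL_CLAIMS)))  # accept
    print(classify_token(constructed_token(WORK_CLAIMS)))      # reject
```

Pointing the middleware at the `consumers` authority and additionally checking `tid`/`iss` gives two independent controls: the first shapes what the user can pick on the Microsoft sign-in page, the second makes sure the app never trusts a work/school token that reaches its callback by some other path.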