
I'm using adal-angular4 on the frontend to log in and that works, it's successful and through the process it doesn't ask me if I want to use my business account or my personal account and afaik there's no 'personal' account with the email I'm trying to log in with.

The app itself is configured to allow only B2B and I have the endpoint configured as 'common';

Now, I am sending that token to the backend where I have passport-azure-ad and again I have configured everything as B2B and I have tried both common endpoints. Every time, the shape of the token does not have the properties listed by the types provided in @types;

And in the token details I can see: idp: 'live.com' which makes it seem like I have logged in with my personal account actually?

I've also tried with a different B account and it seems that the shape of the token is correct and has no 'idp: 'live.com' property.

So it seems to me:

  • The app in the FE shouldn't let me log in with a personal account (???)
  • The login screen should still let me choose between personal/business account
  • Passport plugin shouldn't return 'token verified' if it's a personal account? whilst I configured it to be B2B everywhere?

How can I enforce B2B accounts? Screenshot of my config in the azure portal.

SebastianG
  • Are you using the v2 endpoint? There if you want only B2B users, you need to use `organizations` endpoint, not `common`. – juunas Jun 04 '19 at 13:45
  • @juunas I'm using the v1 endpoint both frontend & backend; I can only specify the tenant property as the tenant id or 'common' -- organizations doesn't work with that unfortunately. Specifying the tenant works but then I can only login business users from that tenant. However if I try to login within my own tenant -- on the backend the token itself still has 'live.com' in it and a different shape. – SebastianG Jun 04 '19 at 14:15
  • Ah now I remember. You can set `msafed=0` on the query when redirecting to authenticate. That disables personal accounts on v1. – juunas Jun 04 '19 at 14:17

1 Answer


You can set msafed=0 on the query when redirecting to authenticate. That disables personal accounts on v1.

A user could remove the parameter so you may want to check the token after login.

juunas
  • one last question -- do you know by any chance where I could slide that in? It seems the underlying (not the adal-angular4 but the main adal-angular) doesn't offer options to affect the URL directly, I tried sliding it in after the clientId or the tenant but it just breaks the thing; – SebastianG Jun 04 '19 at 15:38
  • In adal at least there was a possibility of specifying `extraQueryParameters` – juunas Jun 04 '19 at 15:47
  • Thanks, ended up just using the simple msal package directly from ms as adal is getting phased out – SebastianG Jun 05 '19 at 15:43
  • Yeah with MSAL you can use the organizations endpoint to achieve the same thing – juunas Jun 05 '19 at 17:14
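The two halves of the accepted answer (add `msafed=0` to the v1 redirect, then re-check the token on the backend because a user can strip that parameter) as an added example; this is not code from the question, adal-angular4 or passport-azure-ad. It assumes the v1 `/oauth2/authorize` URL and v1 issuer format `https://sts.windows.net/{tid}/`, and the function names, `TENANT-PLACEHOLDER` value and sample claim objects are constructed for illustration.

```javascript
// Added example: enforce work/school (B2B) accounts on the v1 endpoint.
// 1) Put msafed=0 on the authorize redirect so the login page refuses personal accounts.
function buildV1AuthorizeUrl({ tenant, clientId, redirectUri, state, nonce }) {
  // tenant is 'common' in the question; the path is the v1 authorize endpoint.
  const url = new URL(`https://login.microsoftonline.com/${tenant}/oauth2/authorize`);
  url.searchParams.set('response_type', 'id_token');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('state', state);
  url.searchParams.set('nonce', nonce);
  url.searchParams.set('msafed', '0'); // the parameter from the answer
  return url.toString();
}

// 2) Decide whether an already signature-verified v1 id_token payload belongs to an
//    organizational account. allowedTenants is an optional tenant-id allow-list
//    (empty array = accept any organizational tenant).
function isOrganizationalAccount(claims, allowedTenants = []) {
  if (!claims || typeof claims !== 'object') return false;
  // Personal accounts that came in through 'common' carry idp: 'live.com' (as seen
  // in the question), so reject them regardless of what the redirect URL contained.
  if (claims.idp === 'live.com') return false;
  // Organizational v1 tokens carry a tenant id and an issuer derived from it.
  if (typeof claims.tid !== 'string' || claims.tid.length === 0) return false;
  if (claims.iss !== `https://sts.windows.net/${claims.tid}/`) return false;
  if (allowedTenants.length > 0 && !allowedTenants.includes(claims.tid)) return false;
  return true;
}

// Verify-callback shape used by passport-azure-ad's BearerStrategy: (token, done).
// Hypothetical allow-list; replace with your own tenant id(s).
const ALLOWED_TENANTS = ['TENANT-PLACEHOLDER'];
function verifyCallback(token, done) {
  if (!isOrganizationalAccount(token, ALLOWED_TENANTS)) {
    return done(null, false, { message: 'personal accounts are not allowed' });
  }
  return done(null, token);
}

// Constructed sample payloads (not real tokens) for the two cases in the question.
const personalClaims = { iss: 'https://sts.windows.net/TENANT-PLACEHOLDER/',
  tid: 'TENANT-PLACEHOLDER', idp: 'live.com', upn: 'user@example.com' };
const orgClaims = { iss: 'https://sts.windows.net/TENANT-PLACEHOLDER/',
  tid: 'TENANT-PLACEHOLDER', upn: 'user@example.com' };
```

Call `isOrganizationalAccount` inside the strategy's verify callback (after passport-azure-ad has checked the signature), never instead of that signature check.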