The exact endpoints for Microsoft account authentication depend on the specific flow and the type of account (personal Microsoft account or Microsoft Entra ID work/school account). However, the primary authority endpoint that governs most Microsoft authentication is within the login.microsoftonline.com domain.
Primary Microsoft Authentication Endpoints
For most modern applications leveraging OAuth 2.0 and OpenID Connect to authenticate users with Microsoft accounts, the core endpoints are part of the Microsoft identity platform's v2.0 endpoint. These endpoints facilitate user sign-in, consent, and token acquisition.
Here are the key authentication endpoints:
1. Authorization Endpoint
The authorization endpoint is where the user interacts to sign in and grant consent for your application to access their data.
- URL Structure:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
2. Token Endpoint
The token endpoint is where your application exchanges an authorization code (obtained from the authorization endpoint) for an access token, refresh token, and ID token.
- URL Structure:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Understanding the {tenant} Placeholder
The {tenant} placeholder in the URLs is crucial and determines which accounts can sign in to your application:
- common: This endpoint is used for applications that allow users with both personal Microsoft accounts (e.g., Outlook.com, Hotmail.com, Xbox Live) and work or school accounts (from Microsoft Entra ID) to sign in. It's ideal for multi-tenant applications.
- organizations: This endpoint is used for applications that allow only work or school accounts from any Microsoft Entra ID tenant to sign in. Personal Microsoft accounts are not permitted.
- consumers: This endpoint is specifically for applications that allow only personal Microsoft accounts to sign in. Work or school accounts are not permitted.
- Tenant ID or Name: You can also use a specific Microsoft Entra ID tenant's ID (GUID) or its primary domain name (e.g., contoso.onmicrosoft.com). This restricts sign-ins to users within that specific tenant.
Example Endpoints Table:
Endpoint Type | Common Endpoint ({tenant} = common) | Work/School Accounts ({tenant} = organizations) | Personal Accounts ({tenant} = consumers)
---|---|---|---
Authorization | https://login.microsoftonline.com/common/oauth2/v2.0/authorize | https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize | https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize
Token | https://login.microsoftonline.com/common/oauth2/v2.0/token | https://login.microsoftonline.com/organizations/oauth2/v2.0/token | https://login.microsoftonline.com/consumers/oauth2/v2.0/token
For discovering other endpoints like the JWKS (JSON Web Key Set) endpoint or the logout endpoint, applications typically query the OpenID Connect metadata document, which is also part of the login.microsoftonline.com domain (e.g., https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration).
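The endpoint construction and tenant selection described above, as an added example that is not Microsoft's or MSAL's code: it derives the authorize, token and metadata URLs from a {tenant} selector, builds an authorization-code request with PKCE, and checks a v2.0 ID token's iss and tid claims against the tenant the application configured. The client ID, redirect URI and token claims are constructed placeholders, and the token is assumed to have had its signature verified already.

```python
# Added example (not Microsoft's or MSAL's code): build the v2.0 endpoint URLs for a
# {tenant} selector and check an ID token's issuer claims against the configured tenant.
import base64, hashlib, secrets, uuid
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
MULTI_TENANT = {"common", "organizations", "consumers"}

def endpoints(tenant):
    """Authorize, token and OpenID metadata URLs for common/organizations/consumers,
    a tenant GUID, or a verified domain such as contoso.onmicrosoft.com."""
    if tenant not in MULTI_TENANT:
        try:
            uuid.UUID(tenant)
        except ValueError:  # not a GUID: require a plain domain name, no URL syntax
            if "." not in tenant or any(c in tenant for c in "/?#@ "):
                raise ValueError(f"unsupported tenant selector: {tenant!r}")
    base = f"{AUTHORITY}/{tenant}"
    return {"authorize": f"{base}/oauth2/v2.0/authorize",
            "token": f"{base}/oauth2/v2.0/token",
            "metadata": f"{base}/v2.0/.well-known/openid-configuration"}

def pkce_pair():
    """PKCE code_verifier and its S256 code_challenge for the authorization request."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorize_url(tenant, client_id, redirect_uri, scopes, state, code_challenge):
    """Authorization-code request URL; state and PKCE bind the redirect to this request."""
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state, "response_mode": "query",
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return endpoints(tenant)["authorize"] + "?" + urlencode(params)

def tenant_allowed(claims, configured_tenant, allowed_tids=()):
    """Check a (signature-verified) v2.0 ID token's iss/tid. A single-tenant authority
    pins the tenant; common/organizations/consumers need the app's own tid allowlist."""
    tid = claims.get("tid")
    if not tid or claims.get("iss") != f"{AUTHORITY}/{tid}/v2.0":
        return False
    if configured_tenant in MULTI_TENANT:
        return tid in allowed_tids          # the endpoint alone accepts any tenant
    return tid == configured_tenant         # assumes a tenant GUID was configured

if __name__ == "__main__":  # constructed sample: token from a tenant not on the allowlist
    claims = {"iss": f"{AUTHORITY}/11111111-2222-3333-4444-555555555555/v2.0",
              "tid": "11111111-2222-3333-4444-555555555555"}
    print(tenant_allowed(claims, "common", {"aaaaaaaa-0000-0000-0000-000000000000"}))
```

Note that with common or organizations the issuer in the token names the signing tenant, not the selector, so the allowlist check is what actually restricts who can sign in.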
Beyond User Authentication: Microsoft Entra ID and Endpoint Identities
While the above endpoints are for user-centric authentication, the Microsoft identity platform, primarily Microsoft Entra ID, also plays a critical role in securing other types of interactions, including machine-to-machine or service-to-service authentication.
For instance, in environments like Azure Machine Learning deployments, authentication and authorization are handled using identity concepts tied to Microsoft Entra ID. An "endpoint identity" in this context is the Microsoft Entra ID identity under which the user container in a deployment runs. This identity is crucial because the user container utilizes it for the deployment's operations, so it must be granted the permissions needed to interact with the resources the deployment uses. This demonstrates that Microsoft Entra ID serves not only as the backbone for authenticating human users through the common endpoints but also provides the foundational identity for automated processes and services to securely access resources.
Practical Implementation
Developers typically don't construct these URLs manually but use Microsoft's authentication libraries (like the Microsoft Authentication Library - MSAL) which abstract away the complexities of the OAuth 2.0 and OpenID Connect flows, including endpoint discovery and token management. These libraries simplify the process of integrating Microsoft account authentication into various applications.
Understanding these endpoints is fundamental for building secure applications that integrate with the Microsoft ecosystem, ensuring proper authentication and authorization flows whether for human users or automated services.