MS ADAL data is shaped for a personal live.com account, but the frontend, passport app and registered app are configured for B2B only


I'm using adal-angular4 on the frontend to log in, and that works: it's successful, and during the process it doesn't ask me whether I want to use my business account or my personal account, and AFAIK there's no personal account with the email I'm trying to log in with.

The app itself is configured to allow only B2B, and I have the endpoint configured as 'common'.

Now I am sending that token to the backend, where I have passport-azure-ad, and again I have configured everything as B2B and have tried both common endpoints. Every time, the shape of the token does not have the properties listed by the types provided in @types.

And in the token details I can see idp: 'live.com', which makes it seem like I have actually logged in with my personal account?

I've also tried with a different B2B account, and it seems that the shape of the token is correct and has no idp: 'live.com' property.

So it seems to me:

  • The app in the FE shouldn't let me log in with a personal account (???)
  • The login screen should still let me choose between a personal and a business account
  • The passport plugin shouldn't return 'token verified' if it's a personal account, given that I configured it to be B2B everywhere?

How can I enforce B2B accounts? Screenshot of my config in the Azure portal.

Answer by juunas (accepted):

You can set msafed=0 on the query when redirecting to authenticate. That disables personal accounts on v1.

A user could remove the parameter so you may want to check the token after login.