
On-behalf-of on Azure AD v2.0 endpoint for both MSA (Microsoft personal) and AAD accounts

We have a user-facing web app and a middle-tier ASP.NET Core Web API, currently using the OAuth 2.0 On-Behalf-Of flow (OBO) on the Azure AD v1.0 endpoint, authenticating only AAD accounts. We also need to authenticate MSA (personal) accounts, and therefore want to migrate our solution to the Azure AD v2.0 endpoint.

The official sample only authenticates AAD accounts and says:

"Current limitations: The on-behalf-of flow does not currently work for Microsoft Personal accounts."

Can somebody confirm this? What is the alternative for getting a service-to-service token for both Microsoft Personal accounts and work or school accounts, if this is the case?

As the documentation says, a common OBO pattern cannot be used for clients that sign in both personal and work or school accounts. The general guidelines recommend, if possible, merging the middle-tier application and the front-end UI into one AAD v2.0 application. Of course, this can only be done if you have a single front-end mapped to the middle tier, and it won't be applicable in cases of multiple front-ends sharing the same middle tier.

This link provides information regarding the reasons for these limitations and the workaround that I described above. Unfortunately, merging the two applications is the only way.

On-behalf-of flow with MSA is now supported.

Please check this sample for more details.
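The v2.0 OBO exchange that the answers refer to, as an added Python example (not code from either answer or from the linked Microsoft sample): the middle tier first checks that the incoming bearer token was actually issued to it, then builds the token request. The endpoint URL and form parameters are the documented OBO protocol values; the client id, secret, scopes and the sample token are constructed placeholders.

```python
import base64
import json

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT used only as sample input here; a real token is
    signed by the identity platform and verified by the API's JwtBearer middleware."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def jwt_claims(token: str) -> dict:
    """Decode a compact JWT's payload (no signature check here: that happened
    when the API authenticated the incoming request)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def build_obo_request(tenant, client_id, client_secret, incoming_token, scopes):
    """Return (url, form body) for the v2.0 OBO request; tenant is 'common' for an
    app that signs in both personal and work/school accounts. Only a token issued
    to this API (aud claim) is forwarded, so a token meant for some other resource
    cannot be exchanged for a downstream token through this middle tier."""
    aud = jwt_claims(incoming_token).get("aud")
    if aud not in (client_id, f"api://{client_id}"):
        raise ValueError(f"token audience {aud!r} was not issued for this API")
    form = {
        "grant_type": JWT_BEARER,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": incoming_token,
        "scope": " ".join(scopes),
        "requested_token_use": "on_behalf_of",
    }
    return TOKEN_URL.format(tenant=tenant), form

def downstream_token(response: dict) -> str:
    """Pull the access token out of the endpoint's JSON reply, surfacing the error
    body (for example a missing-consent failure) instead of silently returning None."""
    if "error" in response:
        raise RuntimeError(f"{response['error']}: {response.get('error_description', '')}")
    return response["access_token"]

# Constructed placeholder values; substitute the real app registration's.
API_CLIENT_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_TOKEN = make_unsigned_jwt({"aud": API_CLIENT_ID, "scp": "access_as_user", "sub": "user-1"})
```

The form body is POSTed as `application/x-www-form-urlencoded` to the returned URL; the middle tier should cache the resulting downstream token per user rather than repeating the exchange on every request.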
