- The v2 endpoints are renamed to Microsoft Identity Platform and should be the preferred integration route for new apps. They are fully OAuth2/OIDC compliant.
- The common endpoint can be used for multi-tenant apps, which can sign in users with personal accounts and/or multiple AD directories: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
- The above endpoint serves a login page where you can sign in with all Microsoft identities (personal, school, work).
- The tenant-specific endpoint can be used to limit logins to a particular directory or to pre-signed-up personal identities.
- The v1 endpoint (https://login.microsoftonline.com/common/oauth2/authorize?) supports work identities and also federates with live_id, but requires all social accounts to be pre-populated (invited as guests) in the directory. Logging in with a random social account returns the following error:
  AADSTS50020: User account '****@hotmail.com' from identity provider 'live.com' does not exist in tenant 'sa**ara' and cannot access the application '49fce58f-e66f-46eb-bfc1-273984bb0e09'(**8** inc) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
- There is also a consumer tenant (with a specific entry point), which federates to Live ID (https://login.live.com/oauth20_authorize.srf) and only allows sign-in with consumer identities (outlook, hotmail, github etc.): https://login.microsoftonline.com/consumer/oauth2/v2.0/authorize
- The old legacy endpoint login.windows.net is still around and redirects requests to the old v1 endpoints (https://login.microsoftonline.com/common/oauth2/authorize).
- The old v1 endpoints shouldn't be used anymore.
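As an added example (not part of the original notes and not Microsoft's own client code), the following builds an authorization request against the v2 authorize endpoint described above and checks the callback. The tenant segment chooses the audience: "common" for any Microsoft identity, or a specific tenant id or verified domain to limit logins to one directory. The client id, redirect URI, and tenant value used in the usage lines are placeholders, and the request includes a state parameter plus an S256 PKCE challenge so the callback can be tied back to the request that started it.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Authorize endpoint of the Microsoft Identity Platform (v2), as listed in the notes above.
# {tenant} selects the audience: "common" (any Microsoft identity) or a tenant id / domain
# (logins limited to that directory).
V2_AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def pkce_challenge(code_verifier: str) -> str:
    """S256 code_challenge for a verifier (RFC 7636): BASE64URL(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """43-character high-entropy verifier; the client keeps it until the token exchange."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state, nonce, code_verifier):
    """Assemble the authorization-code request URL for the chosen tenant/audience."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                       # bound to the browser session; checked on return
        "nonce": nonce,                       # echoed in the id_token to detect replay
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return V2_AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params)


def parse_redirect(redirect_url: str, expected_state: str) -> dict:
    """Validate the callback: reject a state mismatch, surface an error, otherwise return the code."""
    query = parse_qs(urlsplit(redirect_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to a request we issued")
    if "error" in query:
        # The directory reports refusals (e.g. an AADSTS code) in error / error_description.
        return {"error": query["error"][0],
                "description": query.get("error_description", [""])[0]}
    return {"code": query["code"][0]}


if __name__ == "__main__":
    # Placeholder client id and redirect URI (constructed values, not real registrations).
    verifier = new_code_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorize_url("common", "00000000-0000-0000-0000-000000000000",
                              "https://localhost/callback", ["openid", "profile"],
                              state, nonce, verifier)
    print(url)
    # Constructed sample callback, as the directory would redirect to after sign-in.
    print(parse_redirect(f"https://localhost/callback?code=AUTHCODE&state={state}", state))
```

Swapping "common" for a tenant id or verified domain in the usage block is the only change needed to get the tenant-restricted behaviour the notes describe; the rest of the request is identical.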