- The v2 endpoints are branded as the Microsoft Identity Platform and should be the preferred integration route for new apps. They are fully OAuth 2.0/OIDC compliant.
- The common endpoint can be used for multi-tenant apps, which sign in users with personal Microsoft accounts and/or work or school accounts from multiple Azure AD directories:
  https://login.microsoftonline.com/common/oauth2/v2.0/authorize
- The above endpoint serves a login page where you can sign in with any Microsoft identity (personal, school or work).
- A tenant-specific endpoint (the tenant ID or a verified domain name in place of common) limits sign-in to users of that particular directory, including personal identities that have already been added to it as guests.
- The v1 endpoint (https://login.microsoftonline.com/common/oauth2/authorize) supports work identities and also federates with Live ID, but requires all social accounts to be pre-populated in the directory (invited as guests). Logging in with an arbitrary social account returns the following error:
  AADSTS50020: User account '****@hotmail.com' from identity provider 'live.com' does not exist in tenant 'sa**ara' and cannot access the application '49fce58f-e66f-46eb-bfc1-273984bb0e09'(**8** inc) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
- There is also a consumers tenant (with its own entry point) which federates to Live ID (https://login.live.com/oauth20_authorize.srf) and only allows sign-in with consumer identities (outlook.com, hotmail.com, GitHub etc.):
  https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize
- The old legacy host login.windows.net is still around and redirects requests to the old v1 endpoint:
  https://login.microsoftonline.com/common/oauth2/authorize
- The old v1 endpoints shouldn't be used anymore.
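Putting the above together, as an added example (not code from the original notes, nor Microsoft's own): a small Python helper that builds a v2.0 authorization-code request for the common, consumers or tenant-specific path segment with PKCE, state and nonce, and validates the redirect that comes back. The client_id, redirect_uri and error text used in it are placeholders constructed for this example. An interactive failure such as the AADSTS50020 shown above is rendered on Microsoft's sign-in page rather than redirected to the app, but the same AADSTSnnnnn prefix leads the error_description field whenever an error is returned to the redirect URI, which is what parse_callback picks out.

```python
"""Added example, not from the original notes: build a Microsoft identity
platform (v2.0) authorize URL for the tenant selectors above and validate the
redirect that comes back. client_id, redirect_uri and the sample error text
are placeholders constructed for this example."""
import base64
import hashlib
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY_HOST = "https://login.microsoftonline.com"

# Path-segment aliases from the notes: "common" = any Microsoft identity,
# "consumers" = personal accounts only. Anything else must be a tenant ID
# (GUID) or verified domain, which restricts sign-in to that directory.
ALIASES = {"common", "consumers"}
_GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
_DOMAIN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)
_AADSTS = re.compile(r"^(AADSTS\d+):")


def is_valid_tenant(tenant):
    """Accept an alias, a tenant GUID or a domain such as contoso.onmicrosoft.com."""
    return tenant in ALIASES or bool(_GUID.match(tenant) or _DOMAIN.match(tenant))


def pkce_challenge(verifier):
    """S256 code challenge (RFC 7636): BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_verifier():
    """43-character high-entropy verifier, kept server-side until token redemption."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def authorize_url(tenant, client_id, redirect_uri, scopes, state, nonce, code_challenge):
    """v2.0 authorization-code request. v2.0 takes OAuth2 scopes; the v1
    endpoint took a single `resource` parameter instead, which is one reason
    the notes call v2.0 the compliant route."""
    if not is_valid_tenant(tenant):
        raise ValueError(f"unsupported tenant selector: {tenant!r}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(["openid", "profile", *scopes]),
        "state": state,            # bound to the user's session; checked on return
        "nonce": nonce,            # echoed in the id_token to bind it to this request
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY_HOST}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_callback(redirect_url, expected_state):
    """Validate the redirect to redirect_uri.

    Returns ("code", code) on success or ("error", aadsts_code, description)
    when the authorization server reported an error. Raises ValueError if the
    state does not match the one issued for this session, so a response this
    browser session never requested is not processed."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this response")
    if "error" in qs:
        description = qs.get("error_description", [""])[0]
        match = _AADSTS.match(description)
        return ("error", match.group(1) if match else qs["error"][0], description)
    if "code" not in qs:
        raise ValueError("callback carries neither code nor error")
    return ("code", qs["code"][0])


if __name__ == "__main__":
    # Placeholder client_id and redirect_uri; a real app registers both.
    verifier = new_pkce_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(authorize_url("consumers", "00000000-0000-0000-0000-000000000000",
                        "https://app.example/callback", ["User.Read"],
                        state, nonce, pkce_challenge(verifier)))
```

Swapping the first argument between common, consumers and a tenant ID or domain is the only change needed to move between the three v2.0 entry points described above; the verifier, state and nonce must be stored against the user's session so that parse_callback and the later token redemption can check them.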