OAuth2 Authorization and Token Endpoints for Azure App Registrations

Azure provides different OAuth2 endpoints depending on the type of application registration, the Azure environment, and whether the app is single-tenant or multi-tenant.


Understanding Azure OAuth2 Endpoints

OAuth2 uses two main types of endpoints in the authorization flow:

  1. Authorization Endpoint – Used to authenticate users and obtain an authorization code.
  2. Token Endpoint – Used to exchange the authorization code for an access token.

These endpoints differ based on:

  • Azure Cloud (Global, Government, or China)
  • Single-Tenant vs Multi-Tenant Apps
  • Microsoft Accounts vs Organizational Accounts

Common OAuth2 Endpoints in Azure

A. Microsoft Identity Platform (Azure AD v2.0)

Multi-Tenant or Personal Microsoft Accounts

For applications supporting Microsoft Accounts (MSA) and Work or School (Azure AD) accounts, use the common endpoint:

  • Authorization Endpoint -
    https://login.microsoftonline.com/common/oauth2/v2.0/authorize
  • Token Endpoint -
    https://login.microsoftonline.com/common/oauth2/v2.0/token

• Used for applications that authenticate users from any organization or Microsoft Account.

• Supports Azure AD B2C and Microsoft 365 services.


B. Single-Tenant Applications (Specific to One Azure AD Tenant)

For applications that should only authenticate users from a specific Azure AD directory, replace "common" with your tenant ID:

  • Authorization Endpoint -
    https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize
  • Token Endpoint -
    https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token

• Restricts authentication to a single organization (tenant-specific).

• More secure than a multi-tenant configuration when you only need access from one organization, because the endpoint itself refuses sign-ins from other tenants.


C. Multi-Tenant Enterprise Applications (Work or School Accounts Only)

For multi-tenant Azure AD enterprise apps, use the organizations endpoint:

  • Authorization Endpoint -
    https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
  • Token Endpoint -
    https://login.microsoftonline.com/organizations/oauth2/v2.0/token

• Allows only Work/School accounts (Azure AD), no personal Microsoft accounts.

• Used for enterprise SaaS applications that support multiple businesses.


D. Azure Government Cloud (US Government Tenants)

For apps in Azure Government (US), use:

  • Authorization Endpoint -
    https://login.microsoftonline.us/{tenant_id}/oauth2/v2.0/authorize
  • Token Endpoint -
    https://login.microsoftonline.us/{tenant_id}/oauth2/v2.0/token

• Used for government cloud deployments.


How to Choose the Right Endpoint

  • Single-Tenant App (Internal Use Only)

    Use "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize"

  • Multi-Tenant SaaS (Work & School Only)

    Use "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize"

  • Allow Both Work/School and Microsoft Accounts

    Use "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"

  • US Government

    Use the login.microsoftonline.us endpoints with your tenant ID, as listed in section D.
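As an added example (not part of the original page), the following Python builds the v2.0 authorize and token endpoints for the tenant selectors and clouds listed above, assembles the authorization request with PKCE and the code exchange, and performs the tid/iss check an application must do itself when it signs users in through the common or organizations authority. The function names, the constructed client ID and redirect URI, and the v2.0 issuer format "https://<host>/<tid>/v2.0" are assumptions, not taken from the page.

```python
import base64, hashlib, re, secrets
from urllib.parse import urlencode

# Authority hosts for the two clouds the page lists (the China cloud is not covered here).
CLOUD_HOSTS = {
    "global": "https://login.microsoftonline.com",
    "usgov": "https://login.microsoftonline.us",
}
_GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def endpoints(tenant: str, cloud: str = "global") -> dict:
    """Return the v2.0 authorize/token endpoints for 'common', 'organizations' or a tenant GUID."""
    if tenant not in ("common", "organizations") and not _GUID.match(tenant):
        raise ValueError(f"tenant must be 'common', 'organizations' or a tenant ID, got {tenant!r}")
    base = f"{CLOUD_HOSTS[cloud]}/{tenant}/oauth2/v2.0"
    return {"authorize": f"{base}/authorize", "token": f"{base}/token"}

def pkce_pair() -> tuple:
    """Generate a PKCE code_verifier and its S256 code_challenge (constructed per request)."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge

def authorize_url(tenant, client_id, redirect_uri, scopes, state, code_challenge, cloud="global") -> str:
    """Step 1: the URL the browser is sent to in order to obtain an authorization code."""
    params = {
        "client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
        "response_mode": "query", "scope": " ".join(scopes), "state": state,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return endpoints(tenant, cloud)["authorize"] + "?" + urlencode(params)

def token_request(tenant, client_id, code, redirect_uri, code_verifier, cloud="global") -> tuple:
    """Step 2: the POST target and form body that exchange the code for tokens."""
    body = {
        "client_id": client_id, "grant_type": "authorization_code", "code": code,
        "redirect_uri": redirect_uri, "code_verifier": code_verifier,
    }
    return endpoints(tenant, cloud)["token"], body

def tenant_allowed(claims: dict, allowed_tids: set, cloud: str = "global") -> bool:
    """Tokens minted via 'common'/'organizations' can come from any tenant, so the app must
    check 'tid' and 'iss' itself after verifying the signature. The v2.0 issuer format
    'https://<host>/<tid>/v2.0' is assumed here (not stated on the page)."""
    tid = claims.get("tid")
    return tid in allowed_tids and claims.get("iss") == f"{CLOUD_HOSTS[cloud]}/{tid}/v2.0"
```

Note that a single-tenant authority (section B) makes the tenant check redundant, since the endpoint already rejects other tenants; the common and organizations authorities do not.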