What is the Microsoft OAuth2 Authorization Endpoint?

(back to Send Email from Hotmail.com, Live.com, or Outlook.com)

The Microsoft OAuth2 authorization endpoint is the URL where users are redirected to authorize your application and give it permissions to access their resources (such as email, calendar, etc.) using Microsoft’s OAuth2 protocol.

Authorization Endpoint (for Microsoft Identity Platform):

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize

Explanation:

  • {tenant}: This specifies the Azure Active Directory (Azure AD) tenant or directory that you want to authenticate users from. The “{tenant}” value can be:
      • common: Allows users from both personal Microsoft accounts (like “@outlook.com”, “@hotmail.com”) and work/school accounts (Azure AD accounts).
      • organizations: Allows only Azure AD (work or school) accounts.
      • consumers: Allows only personal Microsoft accounts (such as “@outlook.com”, “@hotmail.com”, “@live.com”).
      • {tenant_id}: If you want to restrict authentication to a specific Azure AD tenant, you can replace “{tenant}” with the tenant ID or domain (like “yourdomain.com”).

Example for the common endpoint (for personal and work accounts):

https://login.microsoftonline.com/common/oauth2/v2.0/authorize

Parameters for Authorization Request:

When you direct the user to the authorization endpoint, you include parameters like “client_id”, “redirect_uri”, “response_type”, and “scope” to specify the type of access your application is requesting.

Example Authorization Request:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=your_client_id&
response_type=code&
redirect_uri=https://yourapp.com/callback&
scope=https://outlook.office.com/SMTP.Send offline_access&
response_mode=query&
state=your_custom_state

Key Parameters:

  • “client_id”: The unique identifier for your registered application (from Azure AD).
  • “response_type”: Set to “code” for authorization code flow (which is standard for server-side apps).
  • “redirect_uri”: The URI to which the authorization server will redirect after the user grants or denies permission.
  • “scope”: The permissions you’re requesting (e.g., “offline_access”, “SMTP.Send”). Multiple scopes are separated by spaces, which must be URL-encoded (as “%20” or “+”) in the request; “offline_access” is what makes the token endpoint return a refresh token.
  • “response_mode”: Specifies how the authorization server returns the result. Typically, you use “query” to return the result in the URL query string.
  • “state”: A custom value that your application generates before the redirect, stores (e.g., in the user’s session), and compares against the “state” returned in the callback. Using an unguessable value and rejecting any callback whose “state” does not match lets the application discard responses it did not initiate (helps prevent CSRF attacks).
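As an added example (not code from the original page), the following shows how a server-side application can assemble the authorization request above with every parameter URL-encoded, and how it should check the callback before using the code. The client_id, redirect_uri and scopes are the placeholders from the example request; the callback URL in the test is constructed.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def new_state() -> str:
    """Unguessable per-login value; store it server-side (e.g. in the session)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, scopes, state, tenant="common"):
    """Assemble the authorization-code request; urlencode escapes every value.

    The scope parameter is a single space-separated string; urlencode turns the
    spaces into '+', which the endpoint accepts just like '%20'.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "response_mode": "query",
        "state": state,
    }
    return AUTHORIZE_URL.format(tenant=tenant) + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Validate the redirect back to redirect_uri and return the authorization code.

    The response is rejected unless `state` matches the value stored for this
    login attempt, so a code that did not originate from our own request is
    never sent to the token endpoint.
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(
        state.encode(), expected_state.encode()
    ):
        raise ValueError("state mismatch: discard this response")
    if "error" in query:  # user denied consent or the request was malformed
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code
```

The returned code is what the application then POSTs to the token endpoint described below.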

Token Endpoint (for exchanging the code for tokens):

After obtaining the authorization code, your application will exchange it for an access token by making a POST request to the token endpoint:

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

By using the authorization endpoint, your application can authenticate users via Microsoft’s OAuth2 flow, request access to specific resources, and obtain an authorization code for exchanging tokens.