Oracle APEX Less Social Sign-In with MS Azure and Office 365

After my last blog post a natural question came up: what if I'm a little anti-social?

Specifically, what if I do NOT want to make my APEX application available to everyone on the planet that has (or is willing to get) a Microsoft Azure / Office 365 account? What if I only want people in my company, that uses Azure AD, to be able to log in?

There are several ways you can do this, and I recommend you employ at least two. No, recommend is too lenient, I insist you employ at least two :). The first is to change the way you call the Microsoft OAuth2 provider. Instead of using the values in my last blog post:

Authorization Endpoint URL: login.microsoftonline.comcommon/oauth2/v2.0/authorize
Token Endpoint URL: login.microsoftonline.comcommon/oauth2/v2.0/token

Use the following:

Authorization Endpoint URL: login.microsoftonline.comyourCompanyDomain/oauth2/v2.0/authorize
Token Endpoint URL: login.microsoftonline.comyourCompanyDomain/oauth2/v2.0/token

For Insum, this would be

Authorization Endpoint URL:
Token Endpoint URL:

The method above does NOT secure your application to just your domain. It just makes it harder for someone to use another domain. A savvy user can bypass that by just typing "common" in the url.

The REAL step to secure your application is to do one or both of the following:

  1. Create an Authentication Scheme sentry function that makes sure the username includes @yourdomain
  2. Create Authorization Scheme that makes sure the username includes @yourdomain and apply it to the application.

I am often logged into multiple Azure AD accounts at the same time. By adding yourCompanyDomain to the Endpoint URLs you have the added bonus that users do not need to select a login each time they go to your application. Microsoft will detect the correct one to use.


You can also log into the Azure Portal
and edit the manifest of your application.

Azure Active Directory > App Registrations > [Your Application] > Manifest


"signInAudience": "AzureADandPersonalMicrosoftAccount",


"signInAudience": "AzureADMyOrg",