# Oracle APEX Less Social Sign-In with MS Azure and Office 365

After my last blog post a natural question came up: what if I'm a little anti-social?  
  
Specifically, what if I do NOT want to make my APEX application available to everyone on the planet who has (or is willing to get) a Microsoft Azure / Office 365 account? What if I only want people in my company, which uses Azure AD, to be able to log in?  
  
There are several ways you can do this, and I recommend you employ at least two. No, recommend is too lenient, **I insist** you employ at least two :). The first is to change the way you call the Microsoft OAuth2 provider. Instead of using the values in my last blog post:  
  
  
Authorization Endpoint URL: https://login.microsoftonline.com/**common**/oauth2/v2.0/authorize  
Token Endpoint URL: https://login.microsoftonline.com/**common**/oauth2/v2.0/token  
  
Use the following:  
  
Authorization Endpoint URL: https://login.microsoftonline.com/**yourCompanyDomain**/oauth2/v2.0/authorize  
Token Endpoint URL: https://login.microsoftonline.com/**yourCompanyDomain**/oauth2/v2.0/token  
  
For Insum, this would be insum.ca:  
  
Authorization Endpoint URL: https://login.microsoftonline.com/**insum.ca**/oauth2/v2.0/authorize  
Token Endpoint URL: https://login.microsoftonline.com/**insum.ca**/oauth2/v2.0/token  
  
The method above does NOT restrict your application to just your domain. It only makes it harder to use another domain: a savvy user can bypass it by replacing your domain with "common" in the authorization URL.  
  
The **REAL** step to secure your application is to do one or both of the following:  
  

1.  Create an Authentication Scheme sentry function that makes sure the username includes @yourdomain
2.  Create an Authorization Scheme that makes sure the username includes @yourdomain and apply it to the application.
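
As an added example (not code from the original post), here is a PL/SQL function that either of the two checks above can call, for instance as the body of an Authorization Scheme of type "PL/SQL Function Returning Boolean". It uses insum.ca from the post as the domain, and it matches the domain as an exact suffix rather than with a plain "includes" test, so usernames such as someone@insum.ca.example.com or insum.ca@outlook.com are rejected; the function name and the `p_domain` parameter are assumptions, not names from the post.

```sql
-- Added example, not from the original post: reusable domain check for an
-- APEX Authorization Scheme (or sentry function). Names are assumptions.
create or replace function is_company_user (
    p_username in varchar2,
    p_domain   in varchar2 default 'insum.ca'   -- domain taken from the post
) return boolean
is
    l_user   varchar2(4000) := lower(trim(p_username));
    l_suffix varchar2(4000) := '@' || lower(p_domain);
begin
    -- Reject empty usernames and anything containing a second '@',
    -- which would otherwise let 'a@insum.ca@outlook.com' style values through.
    if l_user is null or instr(l_user, '@', 1, 2) > 0 then
        return false;
    end if;

    -- Require '@<domain>' as an exact suffix with a non-empty local part:
    --   'someone@insum.ca'             -> true
    --   'someone@insum.ca.example.com' -> false (instr "includes" would pass it)
    --   'insum.ca@outlook.com'         -> false (instr "includes" would pass it)
    --   '@insum.ca'                    -> false (no local part)
    return length(l_user) > length(l_suffix)
           and substr(l_user, -length(l_suffix)) = l_suffix;
end is_company_user;
/

-- Authorization Scheme, Type "PL/SQL Function Returning Boolean", body:
--   return is_company_user(:APP_USER);
-- Then set it as the application-level Authorization Scheme as the post describes.
```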

  

I am often logged into multiple Azure AD accounts at the same time. Adding yourCompanyDomain to the Endpoint URLs has the added bonus that users do not need to pick an account each time they go to your application; Microsoft detects the correct one to use.  
  
Edit:  
  
You can also log into the Azure Portal  
[https://portal.azure.com](https://portal.azure.com/)  
and edit the manifest of your application.  
  
Azure Active Directory > App Registrations > \[Your Application\] > Manifest  
  
Change  
  
"signInAudience": "AzureADandPersonalMicrosoftAccount",  
  
to  
  
"signInAudience": "AzureADMyOrg",
