Limit web application to only specific Microsoft accounts

Ben in CA 0 Reputation points
2025-01-16T20:22:07.86+00:00

I'm building a web application with a React frontend and a NodeJS backend (for API calls), and I need to limit its use to perhaps ~ 10 users within a single company, who have corporate Microsoft AD / MS Entra ID accounts. It needs to be protected by MFA (which the domain users already have, and SSO is fine), and nobody but the assigned users should have access.

Ideally I'd like for ALL the access setup to be able to be performed from within Entra ID admin center. (Not require a separate users database table to be maintained for the application.)

There doesn't need to be different levels of access, all ~ 10 users can have the same permissions.

I set up the application in MS Entra admin center, got my client ID, set up the redirect, etc., and tried using these packages, which I thought would allow me to accomplish such:

    "@azure/msal-browser": "^4.0.1",
    "@azure/msal-react": "^3.0.1",

After much research and trial and error (the "quick build" code available in the portal used very old versions of these dependencies, and I wanted to use the latest versions, which have different structure), I finally had it where I could press login, be directed to a Microsoft login page, select my account, and then be directed back to my application, from which my SPA private routes (page views) were then accessible. And they were not accessible unless I was logged in. So I thought I had the frontend authentication basics working.

However, even though in Entra admin center I had "Assignment required" set to Yes for the application, I found that I could still log in with a different MS user account, that was not assigned.

User's image

Even with no assigned users, I could still sign in with any user:

User's image

I even went so far as to set "Enabled for users to sign-in" to No.

User's image

But I could STILL log in to my app using Microsoft. Tried clearing the cache in Edge, made no difference - I could still log in.

I tried deleting the app entirely from within Entra admin center, and then I (understandably) could NOT log in.

I'm using the isAuthenticated value from msal-react:

  const isAuthenticated = useIsAuthenticated();

So why can I still log in, and does anyone have any recommendations on how to achieve this? (I want to avoid deprecated dependencies.)

I presume I'm doing something wrong and this isn't a major Microsoft security flaw.

Microsoft Entra External ID

2 answers

  1. Chaithra E 250 Reputation points Microsoft Vendor
    2025-01-20T18:21:53.83+00:00

    Hello @Ben in CA ,

    Thank you for posting your query on Microsoft Q&A.

    From your description, it seems you're facing an issue where, even with "Assignment Required" set to "Yes" in the Entra Admin Center, you're still able to log in with an unassigned Microsoft account. Despite setting "Enabled for users to sign-in" to "No" and clearing the cache, the authentication flow isn't respecting your settings. You're using msal-react with useIsAuthenticated() for managing authentication.

    Even if you set "Enabled for users to sign-in" to No, you still need to ensure that "Assignment Required" is set to Yes. This is the key to restricting access to only those users who are explicitly assigned to your application.

    User's image

    Steps to do that:

    1. In the Microsoft Entra Admin Center, ensure "Enabled for users to sign-in" is set to Yes. This is required to allow the application to be used.
    2. Ensure "Assignment Required" is set to Yes. This will restrict access to only the users explicitly assigned to your app.

    By doing this, only the assigned users will be able to sign in. You can assign users through the "Enterprise Applications" section in Entra ID.

    Let me know if this helps or if you need further clarification.

    I hope this information is helpful. Please feel free to reach out if you have any further questions. If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Chaithra.


  2. Ben in CA 0 Reputation points
    2025-01-20T19:12:21.6933333+00:00

    Turns out that if you use:

    authority: "https://login.microsoftonline.com/common",

    Then the access settings you set for the app won't apply.

    I've changed it to include my directory / tenant id:

    authority: "https://login.microsoftonline.com/XXXXX-XXXXX-XXXX-XXXXX",

    Not sure why the common version wouldn't abide by the settings... seems to be a bit of a bug that there should be a warning about, but at least I can work around it.

