I want to set up Microsoft social authentication for just the accounts within my organizational directory.
I performed the following steps:
The social authentication works, but it isn't restricted to my organizational directory. Anyone with any Microsoft account can use social login to sign into my service.
How do I restrict this application/client secret to just internal users?
Review your backend implementation: Ensure that your backend is correctly configured to use the organizational (work/school) accounts endpoint, not the common endpoint. The endpoint should be https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize, where {tenant-id} is your specific Azure AD tenant ID or your domain name.
Validate the token: In your backend, make sure you're validating the tokens issued by Azure AD. Check the aud (audience) claim in the token to ensure it matches your application's client ID. Verify the tid (tenant ID) claim to ensure it matches your organization's tenant ID.
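To make the backend checks from the answer above concrete, here is an added example (not code from the original post or from Microsoft) showing the claim validation for a v2.0 ID token: the `tid` claim must equal your tenant ID, the `iss` claim must be the tenant-bound issuer rather than one for `common`, the `aud` claim must contain your client ID, and `exp` must be in the future. The tenant ID, client ID and token contents are constructed placeholders. Signature verification against the tenant's JWKS keys is assumed to happen before these checks; this snippet only decodes the payload and validates the claims.

```python
import base64
import json
import time

# Constructed placeholder identifiers for this example; use your own tenant and app (client) IDs.
EXPECTED_TENANT_ID = "00000000-0000-0000-0000-000000000000"
EXPECTED_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT_ID = "22222222-2222-2222-2222-222222222222"  # constructed, stands in for any foreign tenant


def expected_issuer(tenant_id: str) -> str:
    # v2.0 tokens carry an issuer bound to the issuing tenant; a token minted for
    # another tenant (or obtained through the /common endpoint by an outside account)
    # will not match this value.
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT as a dict.

    This does NOT verify the signature. Verify the signature against the tenant's
    JWKS keys first; only then are these claims trustworthy.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims: dict, tenant_id: str, client_id: str, now: float = None):
    """Check tid, iss, aud and exp. Returns (ok, reason) so callers can log why a token was rejected."""
    now = time.time() if now is None else now
    if claims.get("tid") != tenant_id:
        return False, "tid mismatch: token was issued for a different tenant"
    if claims.get("iss") != expected_issuer(tenant_id):
        return False, "iss mismatch: token was not issued by the expected tenant issuer"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return False, "aud mismatch: token was not issued for this application"
    exp = claims.get("exp")
    if exp is None or now >= exp:
        return False, "token expired or has no exp claim"
    return True, "ok"


def make_constructed_token(claims: dict) -> str:
    # Builds an UNSIGNED token for demonstration only (empty signature segment),
    # so the example runs offline. Real tokens must be signature-checked.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def check_sample_tokens(now: float):
    """Run the validator over a constructed internal token and a constructed foreign-tenant token."""
    internal = make_constructed_token({
        "tid": EXPECTED_TENANT_ID,
        "iss": expected_issuer(EXPECTED_TENANT_ID),
        "aud": EXPECTED_CLIENT_ID,
        "exp": now + 600,
    })
    foreign = make_constructed_token({
        "tid": OTHER_TENANT_ID,
        "iss": expected_issuer(OTHER_TENANT_ID),
        "aud": EXPECTED_CLIENT_ID,  # same app, wrong directory
        "exp": now + 600,
    })
    return {
        "internal": validate_claims(decode_claims(internal), EXPECTED_TENANT_ID, EXPECTED_CLIENT_ID, now),
        "foreign": validate_claims(decode_claims(foreign), EXPECTED_TENANT_ID, EXPECTED_CLIENT_ID, now),
    }


if __name__ == "__main__":
    for name, result in check_sample_tokens(time.time()).items():
        print(name, result)
```

The foreign-tenant sample is rejected at the `tid` check even though its `aud` is correct, which is the case the question describes: any Microsoft account can complete the login, so the backend must refuse tokens whose `tid` is not your directory's ID regardless of which authorize endpoint the front end used.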