Restrict Microsoft Azure App OAuth2.0 to Internal Users

I want to setup Microsoft social authentication for just the accounts within my organizational directory.

I performed the following steps:

1. Registered an app ("App Registrations > New Registration")
2. Provided a custom name and set "Supported account types" to "Accounts in this organizational directory only (Default Directory only - Single tenant)"
3. Created a new client secret in "Certificates & Secrets".
4. Grabbed "Application (client) ID" and "Secret value" and added them to my backend

The social authentication works, but it isn't restricted to my organizational directory. Anyone with any Microsoft account can use social login to sign into my service.

How do I restrict this application/client secret to just internal users?

Review your backend implementation: Ensure that your backend is correctly configured to use the organizational (work/school) accounts endpoint, not the common endpoint. The endpoint should be https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize, where {tenant-id} is your specific Azure AD tenant ID or your domain name.

Validate the token: In your backend, make sure you're validating the tokens issued by Azure AD. Check the aud (audience) claim in the token to ensure it matches your application's client ID. Verify the tid (tenant ID) claim to ensure it matches your organization's tenant ID.