Hi @MARSEILLE Julien
Thank you for posting your question in the Microsoft Q&A forum.
This behavior is expected when your app allows personal Microsoft accounts (MSAs) to sign in. If a user selects a Gmail address during the Microsoft sign-in process, Microsoft may create a personal MSA for that address on the fly. This account can complete OAuth and receive tokens, even though it has no connection to a valid Microsoft 365 mailbox.
To prevent this and ensure that the signed-in identity has an active Exchange Online mailbox, consider the following steps:
1. Restrict sign-in to work or school accounts only
In Microsoft Entra admin center > App registrations > Your app > Authentication > set Supported account types to either:
- Accounts in this organizational directory only (single-tenant)
- Accounts in any organizational directory (multi-tenant)
Avoid selecting the option that includes personal Microsoft accounts. This ensures tokens are only issued for work or school accounts.
Reference: Supported account types - Microsoft identity platform | Microsoft Learn.
Also, make sure your client uses the correct authority: https://login.microsoftonline.com/organizations/ or https://login.microsoftonline.com/<yourtenantID>/
Reference: Client application configuration (MSAL) - Microsoft identity platform | Microsoft Learn.
2. Verify mailbox presence
Use Microsoft Graph to confirm the user has an Exchange Online mailbox:
- Check license details:
GET https://graph.microsoft.com/v1.0/users/{id}/licenseDetails
- Probe mailbox endpoints:
GET https://graph.microsoft.com/v1.0/users/{id}/mailboxSettings
This is the fastest method to confirm whether a mailbox exists without retrieving any message content.
Or:
GET https://graph.microsoft.com/v1.0/users/{id}/messages?$top=1
This request retrieves the first message in the user’s mailbox. A successful response confirms that the mailbox is active.
3. Inspect token claims
Validate the token to ensure it meets your criteria:
- Check tid (tenant ID) and upn/email.
- Reject tokens where tid is not in your allowlist.
- If your app requires member accounts only, reject tokens where userType is Guest.
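As an added illustration of steps 2 and 3 above (example code, not from the original answer or from Microsoft), the following checks the tenant claim against an allowlist, rejects the well-known personal-account tenant, and probes the mailboxSettings endpoint. The `probe` callable is a hypothetical injectable HTTP GET so the logic runs offline; the claims are assumed to have already passed signature and audience validation.

```python
"""Post-sign-in checks for an app that only wants Microsoft 365 mailbox users."""
from typing import Callable, Mapping, Optional

# Well-known tenant ID that Entra stamps into tokens for personal Microsoft
# accounts (MSAs). Rejecting it catches the Gmail-backed MSA described above.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"

GRAPH = "https://graph.microsoft.com/v1.0"


def check_claims(claims: Mapping[str, str], allowed_tids: set) -> Optional[str]:
    """Return None if the (signature-verified) claims pass, else a rejection reason."""
    tid = claims.get("tid")
    if not tid:
        return "missing tid claim"
    if tid == MSA_TENANT_ID:
        return "personal Microsoft account, not a work or school account"
    if tid not in allowed_tids:
        return f"tenant {tid} not in allowlist"
    # upn is not always present (guests, some flows); accept any identity claim.
    if not (claims.get("upn") or claims.get("preferred_username") or claims.get("email")):
        return "no upn/email identity claim"
    return None


def has_mailbox(probe: Callable[[str], int], user_id: str) -> bool:
    """Probe GET /users/{id}/mailboxSettings. 200 confirms an Exchange Online mailbox.

    `probe(url)` is a hypothetical HTTP GET returning the status code; in production
    it sends the request with a bearer token that holds MailboxSettings.Read.
    A 404 means the user exists but has no mailbox; anything else is an error,
    never treated as "mailbox present".
    """
    status = probe(f"{GRAPH}/users/{user_id}/mailboxSettings")
    if status == 200:
        return True
    if status == 404:
        return False
    raise RuntimeError(f"unexpected status {status} from mailboxSettings probe")


if __name__ == "__main__":
    # Constructed sample claims for a Gmail-backed personal account.
    sample = {"tid": MSA_TENANT_ID, "preferred_username": "someone@gmail.com"}
    print(check_claims(sample, {"00000000-0000-0000-0000-000000000001"}))
    print(has_mailbox(lambda url: 404, "constructed-user-id"))
```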
I hope this helps clarify the behavior and how to enforce mailbox validation during SSO.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.