Google Auth allows people to register with Corporate email addresses

We support Single Sign-On using Google and Microsoft, but we’ve seen that a user of Microsoft can register with Google using their Microsoft email address. Google then sends them a validation email and they can then proceed to log in using that email address against Google or Microsoft.

The problem then comes if they leave the Microsoft identity for whatever reason, e.g. they were fired, they can just choose to auth against Google at login and still authenticate using the same email.

Is there a way of ensuring the user hasn’t just registered their company email address, which was with MSFT, with Google’s Identity and is signing in with that instead?

Was wondering about only supporting GSuite or Microsoft Work Accounts for SSO?

Did you ever find a precise solution for this?

Hi everyone!

In order to prevent such users from logging in through the Google social connection, you could check if their domain is gmail or not and prevent authentication by using a Post Login Trigger:

exports.onExecutePostLogin = async (event, api) => {
  // The Google social connection uses the 'google-oauth2' strategy in Auth0.
  // Take the domain from the verified email on the user profile.
  const domain = (event.user.email || '').split('@').pop().toLowerCase();
  if (event.connection.strategy === 'google-oauth2' && domain !== 'gmail.com') {
    api.access.deny('Corporate email addresses may not sign in through Google');
  }
};

After denying access, you would need to delete the identity created by their login attempt as well.

Kind Regards,
Nik
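A fuller version of the check above, written as an added example and not code from the thread or from Auth0: instead of only whitelisting gmail.com, it ties each managed corporate domain to the connection(s) its users are required to sign in through, so an ex-employee who registered the company address against the Google social connection is rejected while genuine Google Workspace or Microsoft work logins pass. The domain-to-connection map and the connection names are hypothetical; the strategy identifiers ('google-oauth2' for the Google social connection, 'google-apps' for Google Workspace, 'waad' for Microsoft Entra ID / Azure AD, 'windowslive' for personal Microsoft accounts) are Auth0's. The sample events at the bottom are constructed for an offline demo.

```javascript
// Added example (not from the original thread or from Auth0): a Post-Login Action
// that allows a managed corporate domain only through the connection the company
// administers, regardless of which identity provider vouched for the email.
//
// Assumptions: MANAGED_DOMAINS and the connection names inside it are hypothetical
// tenant policy; strategy names are Auth0's ('google-oauth2' = Google social,
// 'google-apps' = Google Workspace, 'waad' = Entra ID / Azure AD, 'windowslive' =
// personal Microsoft account).

// Hypothetical policy: corporate domains and the connections allowed to assert them.
const MANAGED_DOMAINS = {
  'example.com': ['azure-ad-example'],          // Microsoft work accounts only
  'example.org': ['google-workspace-example'],  // Google Workspace only
};

// Pure decision function so the policy can be tested outside the Actions runtime.
function evaluateLogin(event) {
  const email = (event.user && event.user.email) || '';
  const at = email.lastIndexOf('@');
  if (at < 0) {
    // No email on the identity means the domain cannot be checked: fail closed.
    return { allow: false, reason: 'Login rejected: no email address on the identity' };
  }
  const domain = email.slice(at + 1).toLowerCase();
  const connection = event.connection || {};
  const allowedConnections = MANAGED_DOMAINS[domain];

  if (allowedConnections) {
    // Corporate domain: only the company's own enterprise connection may vouch for it.
    // This catches the Google social connection ('google-oauth2') and also another
    // tenant's enterprise connection asserting an email it does not own.
    if (!allowedConnections.includes(connection.name)) {
      return {
        allow: false,
        reason: `Login rejected: ${domain} accounts must sign in through ${allowedConnections.join(' or ')}`,
      };
    }
    return { allow: true };
  }

  // Domain not managed by this tenant (e.g. gmail.com consumers): nothing to enforce.
  return { allow: true };
}

// Auth0 Action entry point: same decision, applied with api.access.deny.
async function onExecutePostLogin(event, api) {
  const decision = evaluateLogin(event);
  if (!decision.allow) {
    api.access.deny(decision.reason);
  }
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed sample events (not real tenant data) for an offline demonstration.
const SAMPLE_EVENTS = {
  // The scenario from the question: corporate address registered via Google social.
  fired_user_via_google: {
    user: { email: 'alice@example.com' },
    connection: { name: 'google-oauth2', strategy: 'google-oauth2' },
  },
  employee_via_azure: {
    user: { email: 'alice@example.com' },
    connection: { name: 'azure-ad-example', strategy: 'waad' },
  },
  consumer_via_google: {
    user: { email: 'bob@gmail.com' },
    connection: { name: 'google-oauth2', strategy: 'google-oauth2' },
  },
  no_email: {
    user: {},
    connection: { name: 'google-oauth2', strategy: 'google-oauth2' },
  },
};

// Returns a name -> allowed map for the sample events.
function demo() {
  const results = {};
  for (const [name, ev] of Object.entries(SAMPLE_EVENTS)) {
    results[name] = evaluateLogin(ev).allow;
  }
  return results;
}
```

Denying in the Action stops the session but, as Nik notes, does not remove the user record that the social login attempt created; that still has to be cleaned up separately. Checking the connection name rather than only the email domain is what closes the gap in the question: Google will happily verify a corporate address, so the verification email proves nothing about whether the person still works there.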