
Adding University Email Authentication with Azure B2B


Hi, I’m Mizuame. December is here and things are getting tough. Personally, I’ll be 20 in about 3 months, and it feels like the end of my life. The engineer retirement age is 20, after all. This article is Day 1 of the coins Advent Calendar 2025.

You Want University Email Authentication, Right?

Every so often, a discussion about wanting unified authentication comes up among the computer geeks at the University of Tsukuba. Starting this year, for some mysterious reason, classroom information can no longer be posted on the unauthenticated kdb, so the Twinte timetable app has to import classroom data separately. That led to talk of opening unified authentication to the public. Technically this could be done by writing a Shibboleth wrapper (I understand there are political issues), but it hasn’t happened yet.

In this situation, there is another way to verify that someone belongs to the University of Tsukuba: Microsoft account authentication using the university email address created at enrollment.

Azure B2B

Azure has a Business-to-Business (B2B) feature.

Azure is managed in units of tenants, and the Microsoft account for your university email lives in the University of Tsukuba tenant. Normally, though, you have no permissions in that tenant. So you create a new tenant and invite university email accounts into it as guest users, which lets them authenticate as university members.

External Identities | External collaboration settings

Specifying the university address here allows only that address to be invited as a guest.

See this article for a detailed explanation of B2B: https://jpazureid.github.io/blog/azure-active-directory/what-is-b2b/

But registering each user through the console would be endless. That’s where the Graph API comes in: it lets you invite users automatically via API.

You need the User.Invite.All permission for invitations and User.Read.All for retrieving the user list. Configure secrets and callback URLs appropriately.

Users who were invited successfully appear in the user list.

See this article for reference: https://blog.shibayan.jp/entry/20240519/1716107947
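The invitation step described above, as an added example that is not taken from the author's repository: the Worker checks the address against an allowlist before calling the Graph `POST /invitations` endpoint, so the restriction does not rest on the tenant setting alone. The domain `univ.example`, the function names, and the assumption that `accessToken` was already obtained for an app granted User.Invite.All belong to this example, not to the original article.

```javascript
// Added example: not code from the linked repository.
// ALLOWED_DOMAINS is a placeholder; put the university's mail domain here.
const ALLOWED_DOMAINS = ["univ.example"];

// Return the lower-cased address if it is one plain mailbox whose domain is
// an exact match for an allowed domain, otherwise null. Exact matching keeps
// out look-alikes such as "univ.example.other.test" or "evil-univ.example".
function normalizeAddress(email) {
  if (typeof email !== "string") return null;
  const m = /^([A-Za-z0-9._-]{1,64})@([A-Za-z0-9.-]{1,190})$/.exec(email.trim());
  if (!m) return null;
  const domain = m[2].toLowerCase();
  if (!ALLOWED_DOMAINS.includes(domain)) return null;
  return `${m[1].toLowerCase()}@${domain}`;
}

// Build the Graph request that creates the guest invitation.
function buildInvitationRequest(email, accessToken, redirectUrl) {
  const address = normalizeAddress(email);
  if (address === null) throw new Error("address is not in an allowed domain");
  return {
    url: "https://graph.microsoft.com/v1.0/invitations",
    init: {
      method: "POST",
      headers: {
        Authorization: `Bearer ${accessToken}`,
        "Content-Type": "application/json",
      },
      body: JSON.stringify({
        invitedUserEmailAddress: address,
        inviteRedirectUrl: redirectUrl,
        sendInvitationMessage: false, // the app redirects to inviteRedeemUrl itself
      }),
    },
  };
}

// Send the invitation. fetchImpl is injectable so the logic can be tested offline.
async function inviteGuest(email, accessToken, redirectUrl, fetchImpl = fetch) {
  const { url, init } = buildInvitationRequest(email, accessToken, redirectUrl);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`Graph invitation failed: HTTP ${res.status}`);
  const body = await res.json();
  return { guestId: body.invitedUser?.id, redeemUrl: body.inviteRedeemUrl, status: body.status };
}
```

The error path reports only the HTTP status, so Graph's response body never reaches the end user or the logs unintentionally.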

Actually Built It

I built a Discord invitation app with university email authentication, running serverlessly on a Cloudflare Worker. Logs are stored in KV. The code is here: https://github.com/mizuamedesu/entra-auth-discord

Try it at: https://chaoslt-auth.mizuame.app/

Note

But isn’t the university email a lifetime address, so it doesn’t prove student status?

I received feedback along those lines. That’s true, but you can get student IDs, so filtering on the server side is possible.

This article does not introduce a guaranteed method of verifying University of Tsukuba students, and I take no responsibility for unauthorized disclosure of resources that sit behind unified authentication. Use it for things like building an SNS that is only for university students.
