synth · tnantoka · Jun 10, 2026
diff --git a/lib/omniauth/microsoft_graph/domain_verifier.rb b/lib/omniauth/microsoft_graph/domain_verifier.rb
@@ -37,7 +37,7 @@ def verify!
         # This means while it's not suitable for consistently identifying a user
         # (the domain might change), it is suitable for verifying membership in
         # a given domain.
-        return true if email_domain.casecmp?(upn_domain) ||
+        return true if email_domain&.casecmp?(upn_domain) ||
           skip_verification == true ||
           (skip_verification.is_a?(Array) && skip_verification.include?(email_domain)) ||
           domain_verified_jwt_claim

diff --git a/spec/omniauth/microsoft_graph/domain_verifier_spec.rb b/spec/omniauth/microsoft_graph/domain_verifier_spec.rb
@@ -47,6 +47,24 @@
       it { is_expected.to be_truthy }
     end
 
+    context 'when the email is missing (e.g. a personal Microsoft account)' do
+      let(:email) { nil }
+
+      context 'when domain validation is disabled' do
+        let(:options) { super().merge(skip_domain_verification: true) }
+
+        it { is_expected.to be_truthy }
+      end
+
+      context 'when all verification strategies fail' do
+        before { allow(access_token).to receive(:get).and_raise(::OAuth2::Error.new('whoops')) }
+
+        it 'raises a DomainVerificationError' do
+          expect { result }.to raise_error OmniAuth::MicrosoftGraph::DomainVerificationError
+        end
+      end
+    end
+
     context 'when the ID token indicates domain verification' do
       let(:mock_oidc_key) do
         optional_parameters = { kid: 'mock_oidc_key', use: 'sig', alg: 'RS256' }