
Creating a multi tenant app and integrating it with Azure AD to be used by customers in other tenant

sindhujasrivastava
Occasional Visitor

I am working on a project to create a multi-tenant app to allow Single Sign-On with Azure Active Directory to be used by customers in other tenants.

I am confused and wanted advice on the queries below:

1. If I provide the app URL to them, will they be able to authenticate themselves using the Azure AD of their tenant and approve the consent screen to get access to my app?

2. Do I need to add my app to the list of the gallery of enterprise applications on Azure AD?

3. Is it necessary to get your multi-tenant app added to the list of the gallery of applications on Azure AD? What are the other ways I can achieve this and give access to my customers in other tenants?


Thanks in advance!

1 Reply

Hi @sindhujasrivastava 


The best way to achieve your goal is to use Azure AD B2C for authentication and publish your app to your customers through Azure AD B2C. The reason I recommend that is that maybe not all of your customers have Azure AD for B2B authentication, so if you enable other kinds of authentication protocols, for example if your customers use G Suite or other identity providers, they should be able to sign in to your app with their managed credentials. For additional security you would probably want to consider MFA, but that option was only recently announced at Ignite for Azure AD B2C, so that's a feature that is coming soon.


Getting Started with Azure AD B2C

Create your Azure AD B2C Tenant


But to answer your questions:

1. If you provide a Sign-in/Sign-Up page to your customers after setting up your app with Azure AD B2C, they can sign in with their account and accept consent.


2. Yes, your app needs to be added to enterprise applications at least in the tenant that you are going to publish the app from, whether that is Azure AD or your Azure AD B2C tenant.


3. You need to submit a request with Microsoft if you want to publish your application through the Azure AD Application Gallery; see the documentation here: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-app-gallery-listing


I would recommend that you use Azure AD B2C for your scenario.


Hope this gets you started. Good luck with your project.

Regards

Haflidi.
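The question itself describes the plain Azure AD multi-tenant route (users sign in with their own tenant's Azure AD and approve a consent screen), which is a separate path from the Azure AD B2C route the reply recommends. The following Python is an added example written for this page, not code from the thread, from Microsoft's samples, or from either poster. It shows the two pieces such an app has to get right: building the sign-in and admin-consent requests against the multi-tenant `organizations` authority, and then validating the issuer and tenant claims of the returned ID token, because a multi-tenant authority signs tokens for every Azure AD tenant and a valid signature alone does not prove the user belongs to one of your customers. The client ID, the two tenant GUIDs, the onboarding allowlist and the sample token payloads are all constructed for illustration, and JWT signature verification against the tenant's signing keys is assumed to have been done already by your OIDC library (for example MSAL); this code covers only the claims.

```python
"""Claims checks for a multi-tenant Azure AD app (added example, not from the thread).

Assumed/constructed: CLIENT_ID, TENANT_A, TENANT_B, ALLOWED_TENANTS, SAMPLE_TOKENS.
Signature verification of the JWT is assumed to happen in your OIDC library first.
"""
import time
import uuid
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

# Constructed identifiers for the demo; a real client_id is the app registration's GUID.
CLIENT_ID = "aaaaaaaa-0000-4000-8000-000000000001"
TENANT_A = "11111111-1111-4111-8111-111111111111"   # a customer tenant that onboarded
TENANT_B = "22222222-2222-4222-8222-222222222222"   # a tenant that never onboarded
ALLOWED_TENANTS = {TENANT_A}                        # your app's onboarding record (assumed)
NOW = 1_700_000_000                                 # fixed clock so the checks are reproducible


def build_authorize_url(client_id, redirect_uri, scopes, tenant="organizations", state=None):
    """Authorization-code request for a multi-tenant app.

    'organizations' accepts a user from any Azure AD tenant, so the customer signs in
    with their own tenant's Azure AD; 'common' would also admit personal Microsoft
    accounts. prompt=consent makes the consent screen appear for the requested scopes.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state or uuid.uuid4().hex,   # CSRF binding; compare on the callback
        "prompt": "consent",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def build_admin_consent_url(client_id, redirect_uri, scopes, tenant="organizations"):
    """Tenant-wide admin consent: one admin in the customer tenant approves the app
    for all of its users instead of each user consenting individually."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": " ".join(scopes)}
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{urlencode(params)}"


class TokenRejected(Exception):
    """The ID token's claims do not belong to an onboarded customer of this app."""


def validate_multitenant_claims(claims, client_id, allowed_tenants, now=None):
    """Checks the app must do itself with a multi-tenant authority: the signature only
    proves the token came from *some* Azure AD tenant. Returns the tenant id."""
    now = time.time() if now is None else now
    tid = claims.get("tid")
    if not isinstance(tid, str):
        raise TokenRejected("missing tid claim")
    try:
        uuid.UUID(tid)
    except ValueError:
        raise TokenRejected("tid is not a GUID") from None
    # The v2.0 issuer is per tenant and must agree with tid (catches a forged tid).
    if claims.get("iss") != f"{AUTHORITY}/{tid}/v2.0":
        raise TokenRejected("issuer does not match tid")
    # The tenant must be one that onboarded with you, not merely any Azure AD tenant.
    if tid not in allowed_tenants:
        raise TokenRejected("tenant not onboarded")
    if claims.get("aud") != client_id:
        raise TokenRejected("token was issued for a different application")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("token expired or missing exp")
    return tid


def verdict(claims, client_id=CLIENT_ID, allowed_tenants=ALLOWED_TENANTS, now=NOW):
    """Readable result of the checks above, for self-tests and logging."""
    try:
        return "accepted:" + validate_multitenant_claims(claims, client_id, allowed_tenants, now)
    except TokenRejected as e:
        return "rejected:" + str(e)


def _claims(tid, iss_tid=None, aud=CLIENT_ID, exp=NOW + 3600):
    return {"iss": f"{AUTHORITY}/{iss_tid or tid}/v2.0", "tid": tid, "aud": aud,
            "exp": exp, "nbf": NOW - 60, "sub": "opaque-user-id"}


# Constructed ID-token payloads, i.e. what an OIDC library hands you after verifying
# the signature; none of these is a real token.
SAMPLE_TOKENS = {
    "onboarded_customer": _claims(TENANT_A),
    "unknown_tenant": _claims(TENANT_B),
    "tid_does_not_match_issuer": _claims(TENANT_B, iss_tid=TENANT_A),
    "wrong_audience": _claims(TENANT_A, aud="bbbbbbbb-0000-4000-8000-000000000002"),
    "expired": _claims(TENANT_A, exp=NOW - 1),
}

if __name__ == "__main__":
    print(build_authorize_url(CLIENT_ID, "https://app.example/signin-oidc", ["openid", "profile", "email"]))
    for name, claims in SAMPLE_TOKENS.items():
        print(f"{name:28s} {verdict(claims)}")
```

The `unknown_tenant` case is the one that bites multi-tenant apps in practice: the token is perfectly valid, it just comes from a tenant you have never heard of, so the allowlist of onboarded tenants (or whatever your sign-up flow records) has to be part of token validation, not only of the billing or provisioning logic.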