Authentication from multiple, but certain, tenants to OAuth apps


Got an SPA app and API; I'm using MSAL for authentication. The end users come from a limited set of tenants, but not a single one.
Since for the application authentication I can only select a single tenant or all tenants, I'm looking for solutions here.

One is tenant collaboration / multitenant organization, but it seems like overkill for this need.

Another is multiple authorities, but isn't it then tricky to wrangle multiple client IDs, selecting the right authority, etc.?


Is there a way of doing this I'm missing?

2 Replies
Either create separate apps/service principals for each tenant as needed, or use a multi-tenant app. While there is no way to restrict the latter to specific tenants, each tenant will have to consent to the app before they can use it, which in turn allows you to have a say in the provisioning process. Or you can simply hardcode the list of "allowed" tenant IDs within your app.

@ingolfurprogrammis

So have the other tenants added the application to their own tenants, or do you add the users from the other tenants as guests to the one the app registration lives in?


If you have registered a multi-tenant application in Entra ID, I don't know of any way to restrict the tenants that can use it, so you would have to check the tenant ID in the SSO token within your application and create your own block logic.
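Both replies land on the same approach: keep a hardcoded list of allowed tenant IDs in the app and reject tokens whose tenant ID (`tid` claim) is not on it. The following is an added example of that check for the API side, written in Node.js; it is not code from either reply or from MSAL. It assumes the token's signature, audience and expiry have already been validated by whatever JWT middleware the API uses, so only the claims are inspected here, and it assumes the v2.0 issuer format `https://login.microsoftonline.com/{tid}/v2.0`. The tenant IDs, audience and token contents are constructed placeholders.

```javascript
// Added example (not from the thread): allowlist enforcement on the tenant ID
// (tid) claim of an Entra ID access token inside the API. This runs AFTER the
// token's signature, audience and expiry have been validated by the usual JWT
// middleware; it only inspects claims. All tenant IDs are constructed.
const ALLOWED_TENANTS = new Set([
  "11111111-1111-1111-1111-111111111111", // constructed: tenant A
  "22222222-2222-2222-2222-222222222222", // constructed: tenant B
]);

// v2.0 tokens issued to a multi-tenant app carry a per-tenant issuer of this shape
// (assumption stated in the lead-in).
const ISSUER_PREFIX = "https://login.microsoftonline.com/";

// Decode the payload of a compact JWS without verifying it. Verification is
// assumed to have happened upstream; this function must never be the only gate.
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Returns { ok: true, tenant } or { ok: false, reason }.
function checkTenant(claims, allowed = ALLOWED_TENANTS) {
  const tid = claims.tid;
  if (typeof tid !== "string" || tid.length === 0) {
    return { ok: false, reason: "missing tid claim" };
  }
  if (!allowed.has(tid)) {
    return { ok: false, reason: `tenant ${tid} not in allowlist` };
  }
  // Defence in depth: the issuer must name the same tenant as tid, so a token
  // whose issuer and tid disagree is rejected even if tid is on the list.
  const expectedIss = `${ISSUER_PREFIX}${tid}/v2.0`;
  if (claims.iss !== expectedIss) {
    return { ok: false, reason: "issuer does not match tid" };
  }
  return { ok: true, tenant: tid };
}

// Map an Authorization header to an HTTP status, the way an API middleware would:
// 401 for no/unparseable token, 403 for a valid token from a non-allowed tenant.
function authorizeRequest(authorizationHeader, allowed = ALLOWED_TENANTS) {
  if (!authorizationHeader || !authorizationHeader.startsWith("Bearer ")) {
    return { status: 401, reason: "missing bearer token" };
  }
  let claims;
  try {
    claims = decodeClaims(authorizationHeader.slice("Bearer ".length));
  } catch (e) {
    return { status: 401, reason: e.message };
  }
  const result = checkTenant(claims, allowed);
  return result.ok
    ? { status: 200, tenant: result.tenant }
    : { status: 403, reason: result.reason };
}

// Build a constructed sample token for exercising the claim checks locally.
// The header and signature segments are placeholders, not a real signature.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const header = enc({ alg: "RS256", typ: "JWT", kid: "placeholder" });
  return `${header}.${enc(payload)}.placeholder-signature`;
}

// Stand-alone demo with constructed tokens.
const TENANT_A = "11111111-1111-1111-1111-111111111111";
const TENANT_C = "33333333-3333-3333-3333-333333333333"; // constructed: not allowed
const allowedToken = makeSampleToken({
  tid: TENANT_A,
  iss: `${ISSUER_PREFIX}${TENANT_A}/v2.0`,
  aud: "api://constructed-api",
});
const foreignToken = makeSampleToken({
  tid: TENANT_C,
  iss: `${ISSUER_PREFIX}${TENANT_C}/v2.0`,
  aud: "api://constructed-api",
});
console.log(authorizeRequest(`Bearer ${allowedToken}`)); // status 200
console.log(authorizeRequest(`Bearer ${foreignToken}`)); // status 403
```

The allowlist is kept in the API rather than the SPA because a client-side check can be bypassed; the SPA can still use the same list to pick the authority it sends users to, but the API decision is the one that counts. Returning 403 rather than 401 for a well-formed token from an unlisted tenant also makes the two failure modes distinguishable in logs.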