Azure Authentication with two tenants

Question

we want to provide an Azure Web App. I just want to ask, if there is a solution for our authentication problem. We want to provide access for users from tweo different tenants. I only found the option for multi tenant authentication but we do not want to grant access for every tenant out there.

Kind Regards

Answer 1

An application in Azure AD can be either single-tenant or multi-tenant. Here are some approaches you can take:

1. Make the app multi-tenant and check the issuer
   • Allows users from any tenant to sign in
   • Use the "/organizations" endpoint for authentication, or have 2 login buttons that use the tenant-specific endpoints
   • But your application can check the issuer in the ID token/access token and reject any issuer which is not one of those two
   • Downside of using /organizations is that this will not support external users who have been invited to either tenant, as they will sign in to their home tenant, which probably has a different issuer than what you accept
   • Using tenant-specific endpoints requires two login buttons, from which the user must select, which does allow external users to use the app too, but makes the UI a bit more complex
2. Make two single-tenant apps, one in each tenant
   • Will only allow sign in from either tenant
   • Requires usage of two login buttons, one for each tenant