Hi @Rakesh Singh, when an external user (userType is Member) logs into the target tenant of any app registered in the target tenant, they will use their UPN from their home tenant (source tenant) to authenticate. The UPN created in the target tenant will be in the format of "johndoe_targettenant.com#EXT#@sourcetenant.com" as you mentioned, but this is only used for identification purposes within the target tenant.
For the authentication flow, when the user attempts to sign in to the app in the target tenant, the authorization endpoint requests a token for the application. The user's credentials are then acquired and verified for authentication. If the user has been granted access to the app through cross-tenant synchronization, the authentication request is evaluated against cross-tenant access settings in both the user's home tenant and the target tenant. If all access requirements are met, a token is issued to the user that allows them to access the app.
If you enable "trust the MFA of source tenant" in the cross-tenant synchronization settings, it means that the target tenant will trust the MFA claims from the source tenant.
Please let me know if you have any questions and I can help you further.
If this answer helps you, please mark "Accept Answer" so other users can reference it.
Thank you,
James
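
The target-tenant half of the evaluation described in the answer above, as an added example that is not part of the original answer or Microsoft's code. It is a simplified model: field names follow the Microsoft Graph crossTenantAccessPolicy resources, while the tenant ID, user and app IDs, the function names and the `target_requires_mfa` / `home_mfa_done` inputs are assumptions, and the home tenant's outbound settings are not modelled.

```python
# Simplified model of how a target tenant applies its inbound cross-tenant
# access settings to a sign-in from one partner (source) tenant.
# All policy values and IDs below are constructed sample data.

DEFAULT_POLICY = {  # constructed: the target tenant's default settings
    "inboundTrust": {"isMfaAccepted": False},
    "b2bCollaborationInbound": {
        "usersAndGroups": {"accessType": "allowed",
                           "targets": [{"target": "AllUsers", "targetType": "user"}]},
        "applications": {"accessType": "allowed",
                         "targets": [{"target": "AllApplications",
                                      "targetType": "application"}]},
    },
}

PARTNER_POLICY = {  # constructed: settings scoped to the source tenant
    "tenantId": "00000000-0000-0000-0000-000000000001",
    "inboundTrust": {"isMfaAccepted": True},   # "trust the MFA of source tenant"
    "b2bCollaborationInbound": None,            # null: inherit the default
}


def effective(partner, default, key):
    """A partner setting left null falls back to the tenant default."""
    value = partner.get(key)
    return default[key] if value is None else value


def inbound_allows(section, object_id, wildcard):
    """'allowed' admits listed targets; 'blocked' admits everything not listed."""
    listed = any(t["target"] in (wildcard, object_id) for t in section["targets"])
    return listed if section["accessType"] == "allowed" else not listed


def evaluate_sign_in(partner, default, user_id, app_id,
                     target_requires_mfa, home_mfa_done):
    """Return the outcome of the target tenant's inbound checks as a string."""
    inbound = effective(partner, default, "b2bCollaborationInbound")
    if not inbound_allows(inbound["usersAndGroups"], user_id, "AllUsers"):
        return "blocked: user not allowed inbound"
    if not inbound_allows(inbound["applications"], app_id, "AllApplications"):
        return "blocked: application not allowed inbound"
    if not target_requires_mfa:          # assumption: MFA demanded by target policy
        return "token issued"
    trust = effective(partner, default, "inboundTrust")
    if trust["isMfaAccepted"] and home_mfa_done:
        return "token issued: home-tenant MFA claim accepted"
    return "MFA required in target tenant"
```

Reviewing a partner entry this way shows which settings are explicit and which are silently inherited from the default, which is where unintended MFA trust or open inbound access tends to hide.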