This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 0%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES2%3C/text%3E%3C/svg%3E)
Hello All,
I'm dealing with some odd challenges because we have three tenants: 1. ABC.com 2. abc.onmicrosoft.com (a subdomain of ABC.com) 3. B2C tenant (established under abc.msn.com). We have a requirement where we need to configure one App Registration on both sides on 1 & 3 where the application access URL is the same (as per the requirement) and when users from Tenant 1 access the URL, they are redirected to Tenant 1 for authentication and when B2C users from Tenant 2 access the same URL, they are redirected to Tenant 3 for authentication. Is that demand feasible, and if so, how?
Hope you got a chance to review the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer(Yes)" and "share you feedback ". This will help us and others in the community as well.
Thanks,
Akshay Kaushik
I am following up to see if you were able to follow the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer", "Upvote" and rate your experience. This will help us and others in the community as well.
Thanks,
Akshay Kaushik
Thanks for posting your query on Microsoft Q&A. From above description I could understand that you need to configured 2 application with same URL, where users from Tenant T1 should be able to access data from application hosted in Tenant T1.
And users from tenant T2 should be able to access application hosted on B2C tenant T3.
Please do let me know in the comments if this is not correct, else try following below suggestion:
Accounts in this organizational directory only (T1 only - Single tenant) in Supported account types
https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
If you have 1 application hosted in B2C tenant, then
The users will be registered as consumer accounts( local and federated B2C accounts), none of the above steps would create guest accounts in B2C tenant.
A local account refers to an account that is created in your Azure AD B2C directory when a user signs up for your application or an admin creates the account. Usernames and passwords are stored locally and Azure AD B2C serves as the identity provider for local accounts.
You can configure Azure AD B2C to allow users to sign in to your application with credentials from external social or enterprise identity providers (IdPs). Azure AD B2C supports many external identity providers and any identity provider that supports OAuth 1.0, OAuth 2.0, OpenID Connect, and SAML protocols.
With external identity provider federation, you can offer your consumers the ability to sign in with their existing social or enterprise accounts, without having to create a new account just for your application.
On the sign-up or sign-in page, Azure AD B2C presents a list of external identity providers the user can choose for sign-in. Once they select one of the external identity providers, they're redirected to the selected provider's website to complete the sign-in process. After the user successfully signs in, they're returned to Azure AD B2C for authentication of the account in your application.
Please do let me know if you have any further queries.
Thanks,
Akshay Kaushik
Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.
Thanks @Akshay-MSFT for the response, let me repeat that the application would be the same on both sides, including the application access URL, but there would be a difference in authentication, which means that when a user from Tenant-A tries to access the URL, it will automatically authenticate from Tenant-A, whereas when a user from Tenant-C tries to access the same application URL, it will be authenticated by the B2C tenant, and this should be done automatically. Is this possible?
I was OOF so was not able not respond earlier. If you have a common application hosted in B2C tenant, then
Please do let me know if you have any further queries in the comments.
Thanks,
Akshay Kaushik
Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.
Hello @Akshay-MSFT ,
Please correct me if I am wrong as per the below process:
Let me know if I need to do anything else from the Azure IAM side.
PFB answers inline:
No, Register an Azure AD app with default selection of Accounts in this organizational directory only (Default Directory only - Single tenant) for this application. Configure Azure AD as an identity provider, T1 is your case
Since T1 Azure AD would be integrated as IDP, users from this tenant will be guest users on AzureB2C tenant and will be able to access only post authentication from T1. Since T2 would not be integrated, users will have to register as local users and subsequent authentication will be done by B2C tenant
Please do let me know know if you if you have any further queries.
Thanks,
Akshay Kaushik
Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.
I don't know whether you have gone through that or not, but Guest users in Azure AD B2C tenant can only be used for the administrative work, they are not allowed to access the application, please check the below article from Microsoft:
The users will be registered as consumer accounts( local and federated B2C accounts), none of the above steps would create guest accounts in B2C tenant.
A local account refers to an account that is created in your Azure AD B2C directory when a user signs up for your application or an admin creates the account. Usernames and passwords are stored locally and Azure AD B2C serves as the identity provider for local accounts.
You can configure Azure AD B2C to allow users to sign in to your application with credentials from external social or enterprise identity providers (IdPs). Azure AD B2C supports many external identity providers and any identity provider that supports OAuth 1.0, OAuth 2.0, OpenID Connect, and SAML protocols.
With external identity provider federation, you can offer your consumers the ability to sign in with their existing social or enterprise accounts, without having to create a new account just for your application.
On the sign-up or sign-in page, Azure AD B2C presents a list of external identity providers the user can choose for sign-in. Once they select one of the external identity providers, they're redirected to the selected provider's website to complete the sign-in process. After the user successfully signs in, they're returned to Azure AD B2C for authentication of the account in your application.
Please do let me know if you have any further queries.
Thanks,
Akshay Kaushik
Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.
Hi @Akshay-MSFT thank you for your detailed answer. I have a similar usecase and would like to know whether the below requirement is feasible.
I have two tenants. T1 which acts as a main tenant and T3 which is B2C tenant(created from T1). I already set a custom flow in T3 where user can login with username by following this https://github.com/azure-ad-b2c/samples/tree/master/policies/username-or-email
Now, I would like to have an secured API App in T1 which authenticates user's in T3 with their access token and provide access to the resources in T1 through this App for T3 users.
Let me know if this is feasible. Thank you in advance.
@Ahamed Fazil Buhari Thanks for posting your comment, I would request you to create a new thread with your query, so that it could be addressed.
Thanks,
Akshay Kaushik
sorry @Akshay-MSFT for the delayed response, actually I was on vacation. but the given solution didn't work, but he managed somehow. we have created Multi tenant application on Primary tenant side and created APplication for User Flow in Azure AD B2C and asked our Developer to make the changes in their code and fortunately it worked. so thanks for the response. Appreciate your support