This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 26%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Hello I have a scenario where multiple divisions in a company use 3rd party SaaS applications such as Salesforce. These SaaS applications use a third party identity provider for example Google to have the users login.
Because there are various departments all using these applications independently across various divisions, what we are trying to do is to change the identity provider to Azure SSO. Where one Azure tenant is responsible for logging in the user for all the applications.
Example:
Division A uses SaaS Saleforce and Google as the Identity Provider
Division B uses SaaS Salesforce and Google as the Identity Provider
Is it possible to have Division A and B uses the same Azure tenant to login into Salesforce, instead of Google? Keeping in mind that both Salesforce applications are independent of one another. Meaning the config, database etc. is different in each division.
or
would it be a better idea to migrate the application itself into Azure and have everyone run the application directly from the Azure with different instances of the application?
Any guidance would be appreciated
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Yes, this approach is possible. You can get Azure AD authenticate all users while accessing single application by multiple different departments, keeping applications independent of each other.
To achieve this you will have to configure salesforce application using multi-instancing.
App multi-instancing refers to the need for the configuration of multiple instances of the same application within a tenant. For example, the organization has multiple accounts, each of which needs a separate service principal to handle instance-specific claims mapping and roles assignment. Or the customer has multiple instances of an application, which doesn't need special claims mapping, but does need separate service principals for separate signing keys.
You can also refer below article to get more information.
https://learn.microsoft.com/en-us/azure/active-directory/develop/configure-app-multi-instancing
Let me know if you have any further questions on this.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thank you
I looked at the article you sent.
Is there a step by step on how to do set this up?
I am assuming I would add one instance of Sales Force from the Azure gallery? then set it up to handle multiple different logins?
Hi @Sandeep G-MSFT would i simply add multiple Sales Force applications from the Azure gallery and just configure each one per department?
or would there be one Salesforce application the handles all the requests?
You can add multiple salesforce service principals. Don't worry about the application. You can use add a non-gallery application in Azure.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.