Share via

Reestricting multi tenant application in Azure AD

Mahesh Aralelemath 71 Reputation points
2022-12-15T09:20:03.44+00:00

Hi,

When application is registered as multi tenant application in Azure AD, anybody from any tenant can access the application once consent is approved from the tenant where application will be accessed.

My question is - is there any way to restrict/control from source tenant (where application is registered) to allow/block the application access?

I am looking for control mechanism to allow only selected tenants rather than allowing any user from any tenant.

Appreciate if anyone can share thoughts on this.

271003-image.png

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments
Accepted answer
  1. Vasil Michev 119.8K Reputation points MVP Volunteer Moderator
    2022-12-15T09:40:34.437+00:00

    The consent framework is controlling your app's access to the resource tenant, not the other way around. If you, as the app owner, want to restrict who can use the app, you can add code checks for the tenant ID (tid value in the access token) and block/allow specific tenants as needed.
    Alternatively, you can hardcode any token requests to use the tenant-specific endpoints instead of /common, and control the list of "allowed" tenantIds. Read for example here: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#update-your-code-to-handle-multiple-issuer-values

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.