The consent framework is controlling your app's access to the resource tenant, not the other way around. If you, as the app owner, want to restrict who can use the app, you can add code checks for the tenant ID (tid value in the access token) and block/allow specific tenants as needed.
Alternatively, you can hardcode any token requests to use the tenant-specific endpoints instead of /common, and control the list of "allowed" tenantIds. Read for example here: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#update-your-code-to-handle-multiple-issuer-values
Restricting a multi-tenant application in Azure AD
Mahesh Aralelemath 71 Reputation points
Hi,
When an application is registered as a multi-tenant application in Azure AD, anybody from any tenant can access the application once consent is approved in the tenant where the application will be accessed.
My question is: is there any way to restrict/control, from the source tenant (where the application is registered), which tenants are allowed or blocked from accessing the application?
I am looking for a control mechanism to allow only selected tenants rather than allowing any user from any tenant.
I would appreciate it if anyone could share their thoughts on this.
Microsoft Entra ID
Accepted answer
Vasil Michev 118.9K Reputation points MVP Volunteer Moderator
2022-12-15T09:40:34.437+00:00
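The tenant allow-list check from the accepted answer (tid claim compared against a list of allowed tenant IDs, plus the tenant-specific issuer instead of /common), written out as an added Python example; this is not code from the answer or from Microsoft's documentation. It assumes v2.0 access tokens (issuer `https://login.microsoftonline.com/{tid}/v2.0`), that signature and expiry validation already happened in the token-validation library, and the tenant GUIDs below are constructed placeholders.

```python
import base64
import json

# Constructed allow-list of tenant IDs (placeholder GUIDs, not real tenants).
ALLOWED_TENANTS = {
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
}


def authority_for(tenant_id: str) -> str:
    """Tenant-specific v2.0 authority to use instead of /common.

    The same string is the expected 'iss' claim of tokens that tenant issues."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT.

    This only parses; signature verification is assumed to have been done
    by the token-validation library before these tenant checks run."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_tenant_allowed(claims: dict, allowed=ALLOWED_TENANTS) -> bool:
    """Allow the request only if tid is on the allow-list and iss names that tenant."""
    tid = claims.get("tid")
    if tid not in allowed:
        return False
    # Reject tokens whose issuer and tid disagree, even when tid itself is allowed.
    return claims.get("iss") == authority_for(tid)


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned 'header.payload.' token for offline testing only."""
    def b64(obj) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    tid = "11111111-1111-1111-1111-111111111111"
    token = make_unsigned_token({"tid": tid, "iss": authority_for(tid)})
    print("allowed" if is_tenant_allowed(decode_claims(token)) else "blocked")
```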