Hi 김경민,
I understand that you are looking to know how the Restrict-Access-To-Tenants feature works when there is more than one registered Azure AD tenant.
I'm not sure that I fully understand which part of the workflow you feel is missing from the documentation, so feel free to clarify for me, but the guide explains that any domain that is registered with a tenant can be used to identify the tenant in the Restrict-Access-To-Tenants: <permitted tenant list> header. To allow access you would just add a comma-separated list of the tenants you want to allow users to access. For example: Restrict-Access-To-Tenants: contoso.com,fabrikam.onmicrosoft.com,72f988bf-86f1-41af-91ab-2d7cd011db47
Any domain that is registered with a tenant can be used to identify the tenant in this list, and you can also use the directory ID of that tenant. The diagram and traffic flow would work the same way for multiple tenants and Azure AD will issue security tokens for the permitted tenants.
Let's say you have Tenant 1 and Tenant 2, both registered in Azure AD. Tenant 1 has enabled the "Restrict access to a tenant" function for an application or service and has specified that only users in Tenant 1 should be able to access it. This means that users in Tenant 2 will not be able to access the app or service, even if they have been granted access by an administrator in their own tenant.
Note that the Restrict-Access-Context can only include a single directory ID and the context can only be set for one tenant at a time when setting the tenant restrictions for that particular directory.
If you have a long list of tenants to allow, it helps that identical headers are concatenated on our side, so you can do:
Restrict-Access-To-Tenants: Foo.com
Restrict-Access-To-Tenants: bar.com, Baz.com
This is equivalent to:
Restrict-Access-To-Tenants: Foo.com, bar.com, Baz.com
They must of course all use the same header name (i.e. you can't use, e.g., restrict-access-to-tenants1 and restrict-access-to-tenants2).
There is another explanation of this process in the Tech Community announcement: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/new-enhanced-access-controls-in-azure-ad-tenant-restrictions-is/ba-p/245194
The inbound and outbound settings are also described in more detail in this video: https://www.youtube.com/watch?v=Ku64fo7iZ4Y
Let me know if this is what you are asking or if I am missing your concern. If you have more specific questions about the architecture I can definitely try to get the answers for you!
-
If the information helped you, please Accept the answer. This will help us as well as others in the community who might be researching similar information.
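The header handling described in the answer above, modelled as an added Python example (constructed here, not Microsoft's code or the answer's): it folds repeated Restrict-Access-To-Tenants headers into one permitted list, accepts each entry as either a registered domain or a directory ID, and requires Restrict-Access-Context to carry exactly one directory ID. The domain and GUID regexes and the sample tenant names are assumptions; the directory ID is the one quoted in the answer.

```python
import re
from typing import Dict, Iterable, List

# Directory IDs are GUIDs; domains are dot-separated DNS labels (assumed syntax).
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

def normalize(entry: str) -> str:
    # Tenant identifiers are case-insensitive, so compare lower-cased.
    return entry.strip().lower()

def is_valid_tenant_id(entry: str) -> bool:
    # A permitted entry is a domain registered to a tenant or the tenant's directory ID.
    e = normalize(entry)
    return bool(GUID_RE.match(e) or DOMAIN_RE.match(e))

def permitted_tenants(header_values: Iterable[str]) -> List[str]:
    # Fold every Restrict-Access-To-Tenants occurrence into one de-duplicated list.
    seen: List[str] = []
    for value in header_values:
        for raw in value.split(","):
            e = normalize(raw)
            if not e:
                continue
            if not is_valid_tenant_id(e):
                raise ValueError(f"invalid tenant identifier: {raw!r}")
            if e not in seen:
                seen.append(e)
    return seen

def validate_context(header_values: List[str]) -> str:
    # Restrict-Access-Context must be set once and hold a single directory ID.
    if len(header_values) != 1:
        raise ValueError("Restrict-Access-Context must appear exactly once")
    ctx = normalize(header_values[0])
    if not GUID_RE.match(ctx):
        raise ValueError("Restrict-Access-Context must be a directory ID (GUID)")
    return ctx

def is_permitted(tenant: str, headers: Dict[str, List[str]]) -> bool:
    # Headers are keyed by exact name, so a differently named header is never merged in.
    allowed = permitted_tenants(headers.get("Restrict-Access-To-Tenants", []))
    validate_context(headers.get("Restrict-Access-Context", []))
    return normalize(tenant) in allowed

# Constructed sample: the answer's two header lines plus the directory ID it quotes.
SAMPLE_HEADERS = {
    "Restrict-Access-To-Tenants": ["Foo.com", "bar.com, Baz.com"],
    "Restrict-Access-Context": ["72f988bf-86f1-41af-91ab-2d7cd011db47"],
}
```

Running `is_permitted("BAZ.COM", SAMPLE_HEADERS)` returns True because the two header lines fold into the same list as the single combined header.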