This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 89%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
So, we have a Tenant A (source tenant) and a tenant B (target tenant) and we are synching users via Cross Tenant synch from A to B. We are synching them as userType: member, with home realm MFA and claims accepted by tenant B.
Now, question is: how would access to federated applications (on tenant B) for external identities work (if possible)? Can this be setup at all?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi @Rakesh Singh ,
Thanks for your post! I am looking into your question and will get back shortly.
Hi @Rakesh Singh ,
If the user's home tenant can satisfy the MFA challenge on their perimeter, the other Tenant will take it as well. When using a federated MFA, as long as the third party is properly set up with Azure MFA, you should be able to trust the partner tenant MFA without errors.
Hi Marilee, thank you for the response. However, my query is about Federated Applications.
So, if an application is federated with Tenant B, how would the HRD happen during the login on the application.
As we know, when we login to a federated app, we get redirected to the IDP (in this case it would be Tenant B) based on the domain suffix of the user (HRD). My query is how would it work for an external identity which is synched from tenant B to tenant A. Users of these external identities continue to use their home tenant's UPN (user1@tenantB.com), so how would the HRD work here? Or is this even possible for a synched user from tenant B to Tenant A, to be able to login a federated application (federated with Tenant A)?
@Rakesh Singh Thanks for following up. I'm looking into your question and discussing with a colleague.
@Rakesh Singh My understanding is that this would not be supported like you said, but I've reached out to a colleague on the external identities team to confirm.
Hi @Rakesh Singh ,
I have not yet heard back from my colleague on the External Identities team about this, but my understanding is that you are correct and this is not a supported scenario.
Adding a federated OIDC identity provider is currently only supported in an Azure AD B2C tenant, which supports allowing sign in via external federated OIDC IDP identities.
That said, there is a potential workaround available, which I will share with you in a private message on this thread.
Under External Identities, you can invite B2B guest users via SAML\WS-Fed Federation feature (where OIDC is not supported).
If you are planning to invite external users to the other Entra tenant, the recommended approach is to use B2B Guest Invitations: Add a guest user and send an invitation
I am sending you a private message about an available option and you can confirm whether it meets your requirements! If you refresh the page and click on the private messaging feature under the original post, you would be able to see my message.
If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions.