@Rahul In order to allow user from Tenant-B to access Tenant-A's application both methods can be used.
- If you create a Multi-Tenant App in Tenant-A and any user from Tenant-B tries to access that application, user will be prompted with a consent prompt. Once the consent is provided, a service principal corresponding to the app in Tenant-A will be created in Tenant-B. User of Tenant-B will be able to access the application. You can search the service principal under Tenant-B's enterprise applications blade by using the App ID. In this case, Administrator of Tenant-B needs to take authorization decisions by going to the properties of the service principal and set User assignment required to Yes and then assigned required set of users. If any unassigned user tries to access the application, he/she will get
Error 50105 - The signed in user is not assigned to a role for the signed in application. Assign the user to the application.
- If you create a single tenant app, you need to invite users of Tenant-B to Tenant-A. In this case, Administrator of Tenant-A can take the authorization decisions by selecting which users should and shouldn't be assigned to the application.
There is no best approach as it depends on what fits the best in your scenario. Hope I have covered all the aspects of your question.
Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.