Azure AD Multi Tenant vs Azure AD B2B

Rahul 236 Reputation points
2019-12-09T14:04:14.74+00:00

Hi All,

I need some help to understand this better. I want to provide an SSO experience for my app.

I have two Azure AD tenants Tenant-A and Tenant-B. Application is registered in Tenant-A.

Now, to allow users from Tenant-B to access my application, do I need to make my app a multi-tenant app, or should I invite Tenant-B users as guest users in my Tenant-A directory?

I know my app doesn't need to be multi-tenant for B2B to work (please correct me if I'm wrong here).

I see Azure B2B as the only best option and approach here, because user authorization is also required here; if multi-tenancy is enabled, then authorization is not possible.

Need some assistance on this scenario and best approach.

Any major comparison between the Azure AD B2B and Azure multi-tenancy approaches?


1 answer

  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2019-12-10T05:09:07.14+00:00

    @Rahul In order to allow a user from Tenant-B to access Tenant-A's application, both methods can be used.

    • If you create a multi-tenant app in Tenant-A and any user from Tenant-B tries to access that application, the user will be prompted with a consent prompt. Once the consent is provided, a service principal corresponding to the app in Tenant-A will be created in Tenant-B, and the user of Tenant-B will be able to access the application. You can search for the service principal under Tenant-B's enterprise applications blade by using the App ID. In this case, the administrator of Tenant-B needs to take the authorization decisions by going to the properties of the service principal, setting User assignment required to Yes, and then assigning the required set of users. If any unassigned user tries to access the application, he/she will get Error 50105 - The signed in user is not assigned to a role for the signed in application. Assign the user to the application.
    • If you create a single-tenant app, you need to invite users of Tenant-B to Tenant-A. In this case, the administrator of Tenant-A can take the authorization decisions by selecting which users should and shouldn't be assigned to the application.

    There is no best approach as it depends on what fits the best in your scenario. Hope I have covered all the aspects of your question.


    Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.
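The two bullets above describe where the authorization decision lives (Tenant-B's admin for a multi-tenant app, Tenant-A's admin for a single-tenant app with B2B guests), but the application itself also sees different tokens in each model and has to check them. The following added example is not from the thread or from any Microsoft sample; it models the relevant claims of an Entra ID v2.0 token (`aud`, `tid`, `iss`, and `idp` for guests) and shows the tenant and audience checks an app makes in each model. It goes one step beyond the answer by adding an app-side tenant allow-list for the multi-tenant case, since "User assignment required" in Tenant-B controls which of Tenant-B's users get in, not which tenants the app accepts. All GUIDs, user names and the helper names are constructed placeholders; signature and expiry validation are assumed to be done by the token library before these checks run.

```python
# Added example (not from the Q&A thread or any Microsoft sample).
# Models the claims an app receives in the two models from the answer and the
# tenant/audience checks the app must still make. All GUIDs are constructed.
from dataclasses import dataclass
from typing import Optional, Set

TENANT_A = "11111111-1111-1111-1111-111111111111"      # constructed: tenant that owns the app
TENANT_B = "22222222-2222-2222-2222-222222222222"      # constructed: partner tenant
TENANT_C = "33333333-3333-3333-3333-333333333333"      # constructed: a tenant never approved
APP_CLIENT_ID = "44444444-4444-4444-4444-444444444444" # constructed: app (client) ID

# Issuer format of the v2.0 endpoint; the {tid} segment is the issuing tenant
ISSUER_FMT = "https://login.microsoftonline.com/{tid}/v2.0"


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


def _basic_checks(claims: dict) -> Optional[Decision]:
    """Checks shared by both models. Assumes signature, exp and nbf were already
    verified by the token library; this only reasons about audience and tenant."""
    if claims.get("aud") != APP_CLIENT_ID:
        return Decision(False, "audience is not this app")
    tid = claims.get("tid")
    if not tid:
        return Decision(False, "no tid claim")
    # The issuer must belong to the same tenant the tid claim names
    if claims.get("iss") != ISSUER_FMT.format(tid=tid):
        return Decision(False, "issuer does not match the tid claim")
    return None


def authorize_single_tenant(claims: dict) -> Decision:
    """Single-tenant app plus B2B guests (second bullet of the answer).
    Every valid token is issued by Tenant-A: a guest from Tenant-B is a user
    object inside Tenant-A, and the home tenant only shows up in the idp claim.
    Who is assigned to the app is decided by Tenant-A's administrator."""
    failed = _basic_checks(claims)
    if failed:
        return failed
    if claims["tid"] != TENANT_A:
        return Decision(False, "token not issued by the app's own tenant")
    who = "guest from " + claims["idp"] if "idp" in claims else "member"
    return Decision(True, "accepted " + who)


def authorize_multi_tenant(claims: dict, allowed_tenants: Set[str]) -> Decision:
    """Multi-tenant app (first bullet of the answer). Tokens arrive from many
    tenants, each with its own tid and issuer. Tenant-B's administrator decides
    which of Tenant-B's users may sign in (User assignment required = Yes); the
    app still decides which tenants it trusts, via the allow-list (an addition
    beyond the answer)."""
    failed = _basic_checks(claims)
    if failed:
        return failed
    if claims["tid"] not in allowed_tenants:
        return Decision(False, "tenant " + claims["tid"] + " is not on the allow-list")
    return Decision(True, "accepted user from tenant " + claims["tid"])


def _claims(tid: str, **extra) -> dict:
    """Build a constructed claim set shaped like one issued by tenant tid."""
    return {"aud": APP_CLIENT_ID, "tid": tid, "iss": ISSUER_FMT.format(tid=tid), **extra}


# Constructed sample claim sets for the scenarios in the thread
MEMBER_OF_A = _claims(TENANT_A, preferred_username="alice@tenant-a.example")
GUEST_FROM_B = _claims(TENANT_A,                      # guest: issued by Tenant-A, home tenant in idp
                       preferred_username="bob_tenant-b.example#EXT#@tenant-a.example",
                       idp="https://sts.windows.net/" + TENANT_B + "/")
DIRECT_FROM_B = _claims(TENANT_B, preferred_username="bob@tenant-b.example")
DIRECT_FROM_C = _claims(TENANT_C, preferred_username="mallory@tenant-c.example")
SPOOFED_ISSUER = dict(DIRECT_FROM_C, iss=ISSUER_FMT.format(tid=TENANT_A))  # tid and iss disagree

if __name__ == "__main__":
    allowed = {TENANT_A, TENANT_B}
    print("single-tenant, guest from B :", authorize_single_tenant(GUEST_FROM_B))
    print("single-tenant, direct from B:", authorize_single_tenant(DIRECT_FROM_B))
    print("multi-tenant,  direct from B:", authorize_multi_tenant(DIRECT_FROM_B, allowed))
    print("multi-tenant,  direct from C:", authorize_multi_tenant(DIRECT_FROM_C, allowed))
```

The practical difference the example makes visible: in the single-tenant model the app only ever trusts its own tenant and a Tenant-B user is recognised as a guest by the `idp` claim, whereas in the multi-tenant model the `tid` and `iss` vary per tenant, so the app has to pin the issuer to the `tid` and keep its own list of trusted tenants in addition to whatever user assignment Tenant-B's administrator configures.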