Moving from ADFS > ADFS to AzureAD > AzureAD for claim provider trust

Turpin, James 21 Reputation points
2021-02-17T10:42:29.313+00:00

We have ADFS on-prem with a relying party trust to our on-prem web app (in our company A).
We grant access to the on-prem app to company B, by adding a claims provider trust to company B (they use ADFS) and passing / transforming claims into the RP - works great.

We wish to use our AzureAD now to do this (company A) and Company B also have Azure AD they wish to use.

My question is, how do we create a claims provider trust in Company A AAD to Company B AAD to achieve the same / test this out?

We tried to add company B's AAD SAML info using external identity providers > new SAML IDP, but it errored saying company B is running AAD.
Is there another way we need to do the claim provider trust that we are missing?


1 answer

Siva-kumar-selvaraj 15,606 Reputation points
2021-02-20T12:06:13.863+00:00

    Hello @Turpin, James,

    Thanks for reaching out and sorry for the delayed response.

    You don't have to create a claims provider trust, because when your partner organization owns an Azure Active Directory account or a Microsoft Account, you can leverage either of the following ways to achieve your scenario.

    In order to allow users from Tenant-B to access Tenant-A's application, both of the following methods can be used.

    Business-to-business (B2B) collaboration:

    Azure Active Directory (Azure AD) business-to-business (B2B) collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization. With B2B collaboration, you can securely share your company's applications

    Example: If you create a single-tenant app, you need to invite users of Company-B to Tenant-A. In this case, the administrator of Tenant-A can take the authorization decisions by selecting which users should and shouldn't be assigned to the application.

    To learn more about B2B collaboration: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/what-is-b2b

    Multi-Tenant App concept:

    If you're providing an app as a service and you don't want to manage your customers' user accounts, a multitenant app is likely the right choice for you. When you develop applications intended for other Azure AD tenants, you can target users from a single organization (single tenant), or users from any organization that already has an Azure AD tenant (multitenant applications).

    Example: If you create a Multi-Tenant App in Company-A and any user from Company-B tries to access that application, the user will be prompted with a consent prompt. Once the consent is provided, a service principal corresponding to the app in Tenant-A will be created in Tenant-B. Users of Tenant-B will then be able to access the application. You can find the service principal under Tenant-B's enterprise applications blade by searching for the App ID. In this case, the administrator of Tenant-B needs to take the authorization decisions by going to the properties of the service principal, setting User assignment required to Yes, and then assigning the required set of users.

    To learn more about Multi-Tenant App: https://learn.microsoft.com/en-us/azure/architecture/multitenant-identity/

    You can decide based on what fits the best in your scenario. Hope I have covered all the aspects of your question.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

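The Tenant-B side of the multi-tenant example above (find the service principal by App ID, require user assignment, assign the approved users), written out as an added example that is not part of the answer or of any Microsoft documentation. It assumes the Microsoft Graph PowerShell SDK is installed and that an admin of Tenant-B runs it; the App ID and the user principal names are placeholders.

```powershell
# Added example: lock a multitenant app's service principal in Tenant-B down to explicitly
# assigned users. The service principal only exists here after one Tenant-B user has consented.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "User.Read.All"

$appId = "<APP-ID-OF-TENANT-A-APP>"   # placeholder: the (client) ID of Company-A's multitenant app

$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) {
    throw "No service principal for $appId in this tenant; nobody has consented to the app yet."
}

# "User assignment required = Yes": without an assignment, Tenant-B users get no token for the app.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# Assign the approved users. An app that defines no custom app roles is assigned via the
# default role, whose ID is the all-zero GUID.
$defaultRole = [Guid]::Empty
$approvedUsers = @("alice@companyb.example", "bob@companyb.example")   # placeholders
foreach ($upn in $approvedUsers) {
    $user = Get-MgUser -UserId $upn
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
        -PrincipalId $user.Id -ResourceId $sp.Id -AppRoleId $defaultRole | Out-Null
}

# Verify who is now allowed to sign in to Company-A's app from this tenant.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime
```

Re-run the last command after any change; an empty list with assignment required means no one in Tenant-B can reach the app.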