Managing external identities to enable secure access for partners, customers, and other non-employees
Hello Fispoke DevOps
Thank you for reaching out to Microsoft Q&A.
You can absolutely avoid one IdP per tenant by treating Azure AD itself as a “multi-tenant” OpenID Connect provider in your B2C user flow. Here’s the high-level approach:
- Register a multi-tenant Azure AD app
  - In the Azure portal, go to App registrations in your B2C (or a linked) tenant.
  - Create a new app, set Supported account types to “Accounts in any organizational directory (Any Azure AD directory – Multi-tenant)”.
  - Expose a redirect URI pointing back to your B2C callback (https://<your-b2c-tenant>.b2clogin.com/<your-b2c-tenant>/oauth2/authresp).
  - Generate a client secret.
- Wire it up as an OpenID Connect IdP in B2C
  - In the B2C blade, under Identity providers, choose OpenID Connect.
  - For the metadata URL use the “organizations” endpoint (work/school only) or “common” if you also want MSA personal accounts:
    - Work/school only: https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration
    - All Microsoft accounts: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
  - Paste in your client ID, secret, and scopes (openid profile email) and give it a friendly name like “AzureAD-MultiTenant”.
- Include that provider in your user flow
  - Edit your B2C_1_NONMFAuser flow, go to Identity providers, and toggle on your new “AzureAD-MultiTenant” entry.
  - Now you’ll get a single “Sign in with Microsoft” button that federates to any Entra ID tenant.
Behind the scenes this works because you’re pointing B2C at the “organizations” (or “common”) endpoint rather than a fixed tenant GUID. No per-tenant configs needed.
Hope that helps—let me know if you need a deeper dive on registering the app, setting up the metadata URL or scopes, or if you plan to move to the newer Microsoft Entra External ID experience once B2C is retired.
Reference docs:
- Configure AAD in B2C via OpenID Connect (multi-tenant): https://learn.microsoft.com/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant#configure-an-openid-connect-identity-provider
- Common vs. Organizations endpoint details: https://learn.microsoft.com/azure/active-directory/develop/v2-endpoints
- Migrate to Microsoft Entra External ID (future of B2C): https://learn.microsoft.com/entra/external-id/external-identities-overview
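The setup above federates to any Entra ID tenant, and the common/organizations metadata publishes a templated issuer rather than a fixed one, so an application that only wants specific partner tenants has to check the tid and iss claims itself. The following Python is an added example (not code from the answer or from Microsoft's documentation); the tenant and client IDs are constructed placeholders, and it assumes the ID token's signature was already verified by a JWT library.

```python
import time
from typing import Iterable, Mapping, Optional

# The "common"/"organizations" metadata documents publish a templated issuer,
# not a concrete one; each tenant's tokens carry that tenant's GUID in iss
# and tid. Assumption: the JWT signature was already verified against the
# login.microsoftonline.com signing keys by the JWT library in use.
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenantid}/v2.0"


def validate_multitenant_claims(claims: Mapping, client_id: str,
                                allowed_tenants: Iterable[str],
                                now: Optional[float] = None) -> bool:
    """Accept an ID token's claims only if they came from an allow-listed tenant."""
    now = time.time() if now is None else now
    tid = claims.get("tid")
    if not tid or tid not in set(allowed_tenants):
        return False  # unknown tenant: "any Entra tenant" is broader than wanted
    if claims.get("iss") != ISSUER_TEMPLATE.format(tenantid=tid):
        return False  # iss and tid must name the same tenant
    if claims.get("aud") != client_id:
        return False  # token was minted for some other app registration
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False  # expired or malformed lifetime
    return True


# Constructed sample values (placeholders, not real tenant or app IDs).
CLIENT_ID = "00000000-0000-0000-0000-00000000abcd"
PARTNER_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"


def check_samples(now: float = 1_700_000_000.0) -> dict:
    """Run the validator over constructed claim sets; returns name -> verdict."""
    def claims(tid, iss_tid, exp):
        return {"aud": CLIENT_ID, "exp": exp, "tid": tid,
                "iss": ISSUER_TEMPLATE.format(tenantid=iss_tid)}
    samples = {
        "partner_ok": claims(PARTNER_TENANT, PARTNER_TENANT, now + 600),
        "unlisted_tenant": claims(OTHER_TENANT, OTHER_TENANT, now + 600),
        "iss_tid_mismatch": claims(PARTNER_TENANT, OTHER_TENANT, now + 600),
        "expired": claims(PARTNER_TENANT, PARTNER_TENANT, now - 1),
    }
    return {name: validate_multitenant_claims(c, CLIENT_ID, [PARTNER_TENANT], now)
            for name, c in samples.items()}
```

Only the first sample passes; the others show why the allow-list, the iss/tid agreement check, and the lifetime check each matter on a multi-tenant endpoint.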