Multiple instances of Azure AD in one tenant

Jacek B 26 Reputation points
2022-07-25T20:07:47.503+00:00

My company uses Azure AD internally. I need to make a web app with signup & login functionality, but can't use the already used AD instance.
I therefore created a web app for personal Microsoft accounts only, and it doesn't seem to work and I can't figure out why.
Here is a thread about it: https://stackoverflow.com/questions/73102294/aadsts9002331-application-is-configured-for-use-by-microsoft-account-users-only

My question now is, how do I go about it?
Can I create (if so, how) another instance of AD in the same tenant, where I will be able to store users?
Or do I need to create a separate tenant for it?

Thanks in advance!

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

Accepted answer
  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2022-07-26T05:50:49.83+00:00

    Hi @Jacek B ,

    Thanks for reaching out.

    I understand you are trying to access a web application for personal Microsoft accounts only and are getting an error while accessing the application, as mentioned on Stack Overflow.
    You don't need to create another instance if you need to sign in with Microsoft users already added in your Azure AD tenant.

    All the users are stored in the same Azure AD tenant, but if you want your application to be accessed by personal Microsoft accounts only, you need to set the audience of your application as PersonalMicrosoftAccount while registering the application in the Azure AD tenant. This won't allow any other users apart from Microsoft account users to sign into your application.

    [image: 224707-image.png]

    Now, to authenticate the personal Microsoft account users and to get the token, the endpoints you need to use in your application's code depend on the application's type and the account types it should support. In this case, use the https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token endpoint, where {tenant} needs to be replaced with consumers for Microsoft accounts only.
    The server will send the user to the redirect URL once the app has been successfully authorized and granted an authorization code or access token.

    Hope this will help. If you have any further questions on that, please let us know.

    Thanks,
    Shweta

    ------------------------------

    Please remember to "Accept Answer" if answer helped you.


2 additional answers

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2022-07-26T03:44:49.937+00:00

    Hello @Jacek B , an Azure AD tenant will share all its local and guest users with all applications with signInAudience AzureADMyOrg, AzureADMultipleOrgs and AzureADandPersonalMicrosoftAccount. If the app's signInAudience is set to PersonalMicrosoftAccount, only Microsoft personal accounts will be able to sign in. You can restrict (local and guest) users or groups per application, but they will still be stored in the same Azure AD tenant. If you cannot enable sign-in for these users, then you will need to create a separate Azure AD tenant and applications.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

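The two answers above turn on one thing: the signInAudience chosen at registration decides which {tenant} segment of the v2.0 endpoints the app has to use (consumers for PersonalMicrosoftAccount, organizations for AzureADMultipleOrgs, common for AzureADandPersonalMicrosoftAccount, and the tenant ID or verified domain for AzureADMyOrg). The following Python is an added example written for this page; it is not code from the question, the answers, or Microsoft. It builds the authorization request and the token request against the segment that matches the audience, generates a PKCE pair for the authorization-code flow, and checks the echoed state on the redirect before the code is redeemed. The client ID, redirect URI and authorization code in the usage are placeholder values; no network call is made.

```python
"""Build Microsoft identity platform (v2.0) authorization-code requests for a
given app-registration signInAudience.  Added example: the audience-to-tenant
mapping is the documented one, the client ID / redirect URI / code used below
are placeholders, and nothing here talks to the network."""
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"

# signInAudience (app manifest) -> {tenant} segment of the v2.0 endpoints.
# None means the tenant ID or a verified domain must be supplied explicitly.
AUDIENCE_TO_TENANT: Dict[str, Optional[str]] = {
    "AzureADMyOrg": None,
    "AzureADMultipleOrgs": "organizations",
    "AzureADandPersonalMicrosoftAccount": "common",
    "PersonalMicrosoftAccount": "consumers",
}


def tenant_segment(sign_in_audience: str, tenant_id: Optional[str] = None) -> str:
    """Return the {tenant} path segment that matches the registration's audience.
    Using a segment that does not match the audience is the kind of mismatch
    the linked thread's error describes."""
    if sign_in_audience not in AUDIENCE_TO_TENANT:
        raise ValueError(f"unknown signInAudience: {sign_in_audience}")
    segment = AUDIENCE_TO_TENANT[sign_in_audience]
    if segment is None:
        if not tenant_id:
            raise ValueError("AzureADMyOrg requires the tenant ID or a verified domain")
        return tenant_id
    return segment


def pkce_pair() -> Tuple[str, str]:
    """Generate an S256 PKCE verifier/challenge pair (RFC 7636); the verifier
    stays server-side in the session, only the challenge goes in the URL."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def authorize_url(client_id: str, redirect_uri: str, sign_in_audience: str,
                  scopes, state: str, code_challenge: str,
                  tenant_id: Optional[str] = None) -> str:
    """URL the browser is sent to; the user comes back to redirect_uri with a code."""
    tenant = tenant_segment(sign_in_audience, tenant_id)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def token_request(client_id: str, redirect_uri: str, sign_in_audience: str,
                  code: str, code_verifier: str,
                  tenant_id: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Return (url, form body) for redeeming the authorization code for tokens."""
    tenant = tenant_segment(sign_in_audience, tenant_id)
    form = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", form


def redirect_matches_state(redirect_url: str, expected_state: str) -> bool:
    """Reject the redirect unless the state matches the one stored in the
    session; this is the CSRF guard of the authorization-code flow."""
    query = parse_qs(urlparse(redirect_url).query)
    return query.get("state", [None])[0] == expected_state


if __name__ == "__main__":
    # Placeholder registration values (not a real client ID or redirect URI).
    client_id = "00000000-0000-0000-0000-000000000000"
    redirect_uri = "https://localhost/callback"
    state = secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    print(authorize_url(client_id, redirect_uri, "PersonalMicrosoftAccount",
                        ["openid", "profile"], state, challenge))
    url, form = token_request(client_id, redirect_uri, "PersonalMicrosoftAccount",
                              "placeholder-code", verifier)
    print(url, form["grant_type"])
```

Only the {tenant} segment changes between audiences; the rest of the request is identical, which is why the same registration that fails against a tenant-specific endpoint works once the segment matches the audience. Whichever audience is used, the users themselves remain in the one Azure AD tenant, exactly as the answers state.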

  2. DY.Gobel 0 Reputation points
    2024-10-01T12:02:29.8733333+00:00

    Even in 2024, with Azure Entra, everything is still intertwined with Azure AD, and it’s not possible to have multiple Entra services running in a single subscription. Unfortunately, my only solution is to move to a competitor.
