Hi @Dervishi, Erald, thank you for reaching out.

Yes, this can be done by registering a multi-tenant application in tenant A. In the case of multi-tenant applications, you get redirected to https://login.microsoftonline.com/organizations or https://login.microsoftonline.com/common instead of https://login.microsoftonline.com/tenant_name_or_id, which allows tenant discovery based on the user's UPN suffix. After redirection to the user's tenant, a consent prompt will appear. Upon acceptance of the consent prompt, a service principal corresponding to the application will be created in the user's tenant, after which tenant B can issue a token for the application in tenant A.

You can validate the issuer to prevent users of tenant C from accessing the application. Below is an example of code for ValidateSpecificIssuers:
```csharp
using System;
using System.Linq;
using Microsoft.IdentityModel.Tokens;

// Issuer validator: only tokens issued by one of the accepted tenants are allowed through.
private string ValidateSpecificIssuers(string issuer, SecurityToken securityToken,
    TokenValidationParameters validationParameters)
{
    // Build the expected v2.0 issuer URL for every accepted tenant id.
    var validIssuers = GetAcceptedTenantIds()
        .Select(tid => $"https://login.microsoftonline.com/{tid}/v2.0");

    if (validIssuers.Contains(issuer))
    {
        return issuer;
    }
    else
    {
        throw new SecurityTokenInvalidIssuerException(
            "The sign-in user's account does not belong to one of the tenants that this Web App accepts users from.");
    }
}

private string[] GetAcceptedTenantIds()
{
    // If you are an ISV who wants to make the Web app available only to certain customers who
    // are paying for the service, you might want to fetch this list of accepted tenant ids from
    // a database.
    // Here for simplicity we just return a hard-coded list of TenantIds.
    return new[]
    {
        "<GUID1>",
        "<GUID2>"
    };
}
```
Sample for your reference: An ASP.NET Core Web app signing-in users in any org with the Microsoft identity platform
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
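For completeness, here is how such an allow-list check is hooked into the OpenID Connect handler of an ASP.NET Core web app that uses Microsoft.Identity.Web. This is an added example, not code from the answer above or from the linked sample; the `AzureAd` configuration section, the tenant GUID placeholders and the in-memory allow-list are assumptions, and the v1.0 issuer form is covered in addition to the v2.0 one from the answer.

```csharp
// Added example: wiring a tenant allow-list into the OpenID Connect sign-in pipeline.
using System;
using System.Linq;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Multi-tenant sign-in; the assumed "AzureAd" section points TenantId at "organizations".
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

// Hypothetical allow-list; in production this would come from configuration or a database.
string[] acceptedTenantIds = { "<GUID1>", "<GUID2>" };

// Registered after AddMicrosoftIdentityWebApp so this validator replaces the default one.
builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.TokenValidationParameters.IssuerValidator = (issuer, securityToken, validationParameters) =>
    {
        // Accept both issuer forms Microsoft Entra ID uses:
        //   v2.0 tokens: https://login.microsoftonline.com/{tid}/v2.0
        //   v1.0 tokens: https://sts.windows.net/{tid}/
        var validIssuers = acceptedTenantIds.SelectMany(tid => new[]
        {
            $"https://login.microsoftonline.com/{tid}/v2.0",
            $"https://sts.windows.net/{tid}/"
        });

        if (validIssuers.Contains(issuer, StringComparer.OrdinalIgnoreCase))
        {
            return issuer;
        }

        // Any other tenant (e.g. tenant C) is rejected before a session is created.
        throw new SecurityTokenInvalidIssuerException(
            "The sign-in user's account does not belong to an accepted tenant.")
        {
            InvalidIssuer = issuer
        };
    };
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.Run();
```

Rejecting the issuer here stops the sign-in before any cookie is issued, so users from tenants outside the list never reach application code.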