question

Rahul-7230 asked ·

Azure AD Multi Tenant vs Azure AD B2B

Hi All,

I need some help to understand this better. I want to provide an SSO experience for my app.

I have two Azure AD tenants, Tenant-A and Tenant-B. The application is registered in Tenant-A.

Now, to allow users from Tenant-B to access my application, do I need to make my app a multi-tenant app, or should I invite Tenant-B users as guest users in my Tenant-A directory?

I know my app doesn't need to be multi-tenant for B2B to work (please correct me if I'm wrong here).

I see Azure B2B as the only best option and approach here, because user authorization is also required here; if multi-tenancy is enabled, then authorization is not possible.

I need some assistance on this scenario and the best approach.

Is there any major comparison between the Azure AD B2B and Azure multi-tenancy approaches?





Tags: azure-ad-app-registration, azure-ad-b2b

1 Answer

amanpreetsingh-msft answered ·

@Rahul-7230 In order to allow users from Tenant-B to access Tenant-A's application, both methods can be used.

  • If you create a multi-tenant app in Tenant-A and any user from Tenant-B tries to access that application, the user will be prompted with a consent prompt. Once consent is provided, a service principal corresponding to the app in Tenant-A will be created in Tenant-B, and users of Tenant-B will be able to access the application. You can find the service principal under Tenant-B's enterprise applications blade by searching for the App ID. In this case, the administrator of Tenant-B needs to make the authorization decisions by going to the properties of the service principal, setting User assignment required to Yes, and then assigning the required set of users. If any unassigned user tries to access the application, he/she will get Error 50105 - The signed in user is not assigned to a role for the signed in application. Assign the user to the application.

  • If you create a single-tenant app, you need to invite users of Tenant-B to Tenant-A. In this case, the administrator of Tenant-A can make the authorization decisions by selecting which users should and shouldn't be assigned to the application.

There is no best approach, as it depends on what fits best in your scenario. Hope I have covered all the aspects of your question.


Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.
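The two models in the answer above look different from the application's side as well: with a multi-tenant app the token for a Tenant-B user is issued by Tenant-B (so `iss`/`tid` name Tenant-B, and any tenant that consents can obtain such tokens), whereas with a B2B guest the token is issued by Tenant-A (`tid` is Tenant-A) and the user's home tenant only appears in the `idp` claim. Whichever model is chosen, the app should validate these claims itself rather than rely only on the "User assignment required" setting. The following Python is an added example, not code from the original post or from Microsoft; the tenant IDs, client ID and claim sets are constructed, and signature, expiry and audience validation are assumed to have been done by a JWT library before this logic runs.

```python
"""Added example (not code from the original Q&A or from Microsoft).

Shows what an application registered in Tenant-A should check in the token it
receives from a Tenant-B user under the two models from the answer:
  - multi-tenant app: token issued by Tenant-B after consent created a
    service principal there; the app must keep its own issuer allowlist.
  - single-tenant app + B2B guest: token issued by Tenant-A; the home tenant
    is recorded in the `idp` claim.
Claim sets are constructed here; a real app validates signature, expiry and
audience with a JWT library first.
"""
from dataclasses import dataclass
from typing import Mapping, Optional, Set

# Constructed identifiers, not real tenants or apps.
TENANT_A = "11111111-1111-1111-1111-111111111111"   # where the app is registered
TENANT_B = "22222222-2222-2222-2222-222222222222"   # the user's home tenant
APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"     # client ID of the app

ISSUER_FMT = "https://login.microsoftonline.com/{tid}/v2.0"


def multi_tenant_token_for_b_user() -> dict:
    """Constructed v2.0 claims: a Tenant-B user signing in to the multi-tenant app.
    Tenant-B issues the token, so `iss` and `tid` name Tenant-B."""
    return {
        "aud": APP_ID,
        "iss": ISSUER_FMT.format(tid=TENANT_B),
        "tid": TENANT_B,
        "oid": "b0b00000-0000-0000-0000-000000000001",
        "preferred_username": "bob@tenantb.example",
    }


def b2b_token_for_b_guest() -> dict:
    """Constructed v2.0 claims: the same person invited into Tenant-A as a guest.
    Tenant-A issues the token; `idp` records the home tenant that authenticated."""
    return {
        "aud": APP_ID,
        "iss": ISSUER_FMT.format(tid=TENANT_A),
        "tid": TENANT_A,
        "idp": ISSUER_FMT.format(tid=TENANT_B),
        "oid": "b0b00000-0000-0000-0000-000000000002",  # guest object in Tenant-A
        "preferred_username": "bob_tenantb.example#EXT#@tenanta.example",
    }


@dataclass(frozen=True)
class Decision:
    allowed: bool
    model: str            # "multi-tenant", "b2b-guest", "member" or "unknown"
    home_tenant: Optional[str]
    reason: str


def authorize(claims: Mapping[str, str], *, multi_tenant: bool,
              allowed_tenants: Set[str] = frozenset()) -> Decision:
    """Tenant-level authorization the app in Tenant-A should perform itself.

    multi_tenant=False models the single-tenant + B2B case: only Tenant-A may
    issue tokens, and guests are recognised through `idp`.
    multi_tenant=True models the multi-tenant case: any tenant can consent, so
    the app enforces its own allowlist of issuer tenants (`allowed_tenants`).
    """
    if claims.get("aud") != APP_ID:
        return Decision(False, "unknown", None, "audience is not this app")
    tid = claims.get("tid")
    # `iss` and `tid` must agree; a mismatch is a malformed or hostile token.
    if not tid or claims.get("iss") != ISSUER_FMT.format(tid=tid):
        return Decision(False, "unknown", None, "issuer does not match tid")

    if not multi_tenant:
        if tid != TENANT_A:
            return Decision(False, "unknown", tid,
                            "single-tenant app: token not issued by Tenant-A")
        idp = claims.get("idp")
        if idp and idp != claims["iss"]:
            # Guest: authenticated by the home tenant, authorized in Tenant-A.
            home = idp.split("/")[3]
            return Decision(True, "b2b-guest", home,
                            "guest of Tenant-A; assignment enforced in Tenant-A")
        return Decision(True, "member", TENANT_A, "member of Tenant-A")

    if tid not in allowed_tenants:
        return Decision(False, "multi-tenant", tid,
                        "issuer tenant not in the app's allowlist")
    return Decision(True, "multi-tenant", tid,
                    "issuer tenant allowed; assignment enforced by that tenant's admin")
```

The allowlist in the multi-tenant branch is the point the questioner is worried about: once the app is multi-tenant, consent from any Azure AD tenant produces valid tokens for it, so tenant-level authorization has to live in the app (or in each consenting tenant's assignment settings, as the answer describes), while in the B2B case the guest is authorized inside Tenant-A and the app only needs to recognise the `idp` claim.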
