Microsoft single sign-on with two specified tenants

陶 启萍 1 Reputation point
2020-06-02T00:53:29.797+00:00

For certain reasons, our company has two Azure tenants, created based on region, and we have one application for which we want to enable SSO for both tenants. What is the best practice here if we don't touch the Azure tenant settings?

For example, we have tenant A and B

Most users accessing the application will be from tenant A, but we still want to enable a few users from tenant B to access it. Of course we could ask users to select first, but is there an easier solution, like inviting those users from tenant B as guests of tenant A? Should that work?


3 answers

  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2020-06-02T01:15:33.04+00:00

    Yes, as long as the users from one tenant are guest users in the other tenant and have access to the application, this should work just fine. You can also add the users to the app itself.

    I recommend reading the guides on multi-tenant apps.

    For configuring a new multi-tenant app: https://learn.microsoft.com/en-us/azure/active-directory/develop/setup-multi-tenant-app

    For converting an existing app to be multi-tenant: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant


  2. Jai Verma 461 Reputation points
    2020-06-02T12:33:51.363+00:00

    Why don't you make the application multi-tenant and create a service principal in the 2nd tenant? This way, you do not have to use B2B; as Mr. AAD mentioned, you need 1 license for every 5 guest users.


  3. MrAzureAD 81 Reputation points
    2020-06-02T13:06:44.06+00:00

    The rule that you need 1 license for 5 guest users only applies if the users are external and not users of your own company. If you use guest users for users of your company, you must buy a license for each user.
    I would also recommend looking at the multi-tenant application approach @Jai Verma described.

    Greetings,
    Tobias

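The multi-tenant approach suggested in answers 2 and 3 has one consequence worth making explicit: once the app registration accepts sign-ins from any Microsoft Entra tenant, the application itself must decide which tenants it serves. The example below is added here and is not code from the thread or from Microsoft's guides. It assumes a JWT library has already verified the token signature and lifetime, and it checks the resulting claims against an allow-list of the two tenants from the question (tenant A and tenant B). All tenant IDs, the client ID and the sample claim sets are constructed placeholders. It also shows how a tenant B user who was instead invited as a guest into tenant A (answer 1) appears in a token: the `tid` is tenant A and the home tenant is carried in the `idp` claim.

```python
"""Tenant allow-list check for a multi-tenant Microsoft Entra ID application.

Added example (not from the original thread). A multi-tenant app registration
issues tokens for users from *any* Entra tenant, so the app must verify that
the token's tenant (`tid`) and issuer (`iss`) belong to a tenant it serves.
Signature, `exp` and `nbf` checks are assumed to have been done by the JWT
library before these claims reach `check_tenant`.
"""
from dataclasses import dataclass

# Constructed placeholder identifiers (not real tenants or apps).
TENANT_A = "11111111-1111-1111-1111-111111111111"
TENANT_B = "22222222-2222-2222-2222-222222222222"
TENANT_C = "33333333-3333-3333-3333-333333333333"  # some unrelated tenant
APP_CLIENT_ID = "44444444-4444-4444-4444-444444444444"

# Only tenants the company actually operates are allowed to sign in.
ALLOWED_TENANTS = frozenset({TENANT_A, TENANT_B})

# v2.0 issuer format for work/school accounts; the tenant ID is embedded.
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tid}/v2.0"
# Format of the `idp` claim that marks a B2B guest's home tenant.
IDP_TEMPLATE = "https://sts.windows.net/{tid}/"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_tenant(claims: dict) -> Decision:
    """Accept the token only if aud, tid and iss all agree with the allow-list."""
    aud = claims.get("aud")
    tid = claims.get("tid")
    iss = claims.get("iss")

    if aud != APP_CLIENT_ID:
        return Decision(False, "audience is not this application")
    if not tid:
        return Decision(False, "token carries no tid claim")
    if tid not in ALLOWED_TENANTS:
        return Decision(False, f"tenant {tid} is not in the allow-list")
    # The issuer must name the same tenant as tid; a mismatch means the
    # claims are inconsistent and the token must not be trusted.
    if iss != ISSUER_TEMPLATE.format(tid=tid):
        return Decision(False, "issuer does not match tid")
    return Decision(True, "ok")


def home_tenant(claims: dict) -> str:
    """Return the user's home tenant: `idp` for a B2B guest, else `tid`."""
    idp = claims.get("idp")
    if idp and idp.startswith("https://sts.windows.net/"):
        return idp[len("https://sts.windows.net/"):].rstrip("/")
    return claims["tid"]


# Constructed sample claim sets (what a decoded token might contain).
MEMBER_OF_A = {
    "aud": APP_CLIENT_ID, "tid": TENANT_A,
    "iss": ISSUER_TEMPLATE.format(tid=TENANT_A),
    "preferred_username": "alice@tenant-a.example",
}
# Tenant B user invited as a guest into tenant A (answer 1's approach):
# the token is issued by tenant A, and idp points at the B home tenant.
GUEST_FROM_B_IN_A = {
    "aud": APP_CLIENT_ID, "tid": TENANT_A,
    "iss": ISSUER_TEMPLATE.format(tid=TENANT_A),
    "idp": IDP_TEMPLATE.format(tid=TENANT_B),
    "preferred_username": "bob_tenant-b.example#EXT#@tenanta.onmicrosoft.com",
}
# Tenant B user signing in directly via the multi-tenant app (answers 2/3).
MEMBER_OF_B = {
    "aud": APP_CLIENT_ID, "tid": TENANT_B,
    "iss": ISSUER_TEMPLATE.format(tid=TENANT_B),
    "preferred_username": "bob@tenant-b.example",
}
# A user from an unrelated tenant: the multi-tenant registration will happily
# issue this token, so the application is the only thing that stops it.
MEMBER_OF_C = {
    "aud": APP_CLIENT_ID, "tid": TENANT_C,
    "iss": ISSUER_TEMPLATE.format(tid=TENANT_C),
}
# Allowed tid but an issuer naming another tenant: inconsistent, reject.
INCONSISTENT = {
    "aud": APP_CLIENT_ID, "tid": TENANT_A,
    "iss": ISSUER_TEMPLATE.format(tid=TENANT_C),
}

if __name__ == "__main__":
    for name, claims in [("member of A", MEMBER_OF_A), ("guest from B", GUEST_FROM_B_IN_A),
                         ("member of B", MEMBER_OF_B), ("member of C", MEMBER_OF_C),
                         ("inconsistent", INCONSISTENT)]:
        print(f"{name:14} -> {check_tenant(claims)}")
```

The check is deliberately a strict equality on the issuer rather than a prefix match, because the `iss` and `tid` claims should always describe the same tenant; a disagreement between them is a reason to reject, not to pick one. If the app later needs to treat tenant B users differently (for example, to restrict which features they see), `home_tenant` gives the same answer for a direct tenant B sign-in and for a tenant B guest in tenant A.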