How to modify the accounts supported by an application
When you registered your application with the Microsoft identity platform, you specified who, or which account types, can access it. For example, you might've specified accounts only in your organization, which is a single-tenant app. Or, you might've specified accounts in any organization (including yours), which is a multi-tenant app.
In the following sections, you learn how to modify your app's registration in the Azure portal to change who, or what types of accounts, can access the application.
Change the application registration to support different accounts
To specify a different setting for the account types supported by an existing app registration:
1. Sign in to the Azure portal.
2. If you have access to multiple tenants, use the Directory + subscription filter in the top menu to select the tenant in which you want to register an application.
3. Search for and select Azure Active Directory.
4. Under Manage, select App registrations, then select your application.
5. Now, specify who can use the application, sometimes referred to as the sign-in audience.
Supported account types and their descriptions:
Accounts in this organizational directory only: Select this option if you're building an application for use only by users (or guests) in your tenant. Often called a line-of-business (LOB) application, this is a single-tenant application in the Microsoft identity platform.
Accounts in any organizational directory: Select this option if you'd like users in any Azure AD tenant to be able to use your application. This option is appropriate if, for example, you're building a software-as-a-service (SaaS) application that you intend to provide to multiple organizations. This is known as a multi-tenant application in the Microsoft identity platform.
Why changing to multi-tenant can fail
Switching an app registration from single- to multi-tenant can sometimes fail due to Application ID URI (App ID URI) name collisions. An example App ID URI is
The App ID URI is one of the ways an application is identified in protocol messages. For a single-tenant application, the App ID URI need only be unique within that tenant. For a multi-tenant application, it must be globally unique so Azure AD can find the app across all tenants. Global uniqueness is enforced by requiring that the App ID URI's host name matches one of the Azure AD tenant's verified publisher domains.
For example, if the name of your tenant is contoso.onmicrosoft.com, then https://contoso.onmicrosoft.com/myapp is a valid App ID URI. If your tenant has a verified domain of contoso.com, then a valid App ID URI would also be https://contoso.com/myapp. If the App ID URI doesn't follow the second pattern, https://contoso.com/myapp, converting the app registration to multi-tenant fails.
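A pre-flight check for the host-name rule described above, as an added example that is not part of the original article or Microsoft's own code. It models only the rule this page states (the URI's host name must equal a verified domain); the function names, the sample URIs and the fabrikam.example domain are constructed for illustration.

```python
from urllib.parse import urlsplit

def uri_host(app_id_uri):
    """Return the lower-cased host name of an App ID URI, or None if it has none."""
    try:
        # .hostname drops any port and any userinfo before '@', so the value
        # compared is the real host, not just how the string happens to begin.
        host = urlsplit(app_id_uri.strip()).hostname
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return None
    return host.rstrip(".").lower() if host else None

def blocking_uris(app_id_uris, verified_domains):
    """List (uri, reason) pairs that fail the host-name rule from this page."""
    allowed = {d.strip().rstrip(".").lower() for d in verified_domains}
    problems = []
    for uri in app_id_uris:
        host = uri_host(uri)
        if host is None:
            problems.append((uri, "no host name to compare"))
        elif host not in allowed:
            problems.append((uri, f"host '{host}' is not a verified domain"))
    return problems

# Constructed sample data: the tenant's domains and a mix of App ID URIs.
VERIFIED = ["contoso.onmicrosoft.com", "contoso.com"]
SAMPLE_URIS = [
    "https://contoso.onmicrosoft.com/myapp",       # tenant's initial domain
    "https://Contoso.com/myapp",                   # host case does not matter
    "https://myapp",                               # unique only inside one tenant
    "https://contoso.com@fabrikam.example/myapp",  # host is fabrikam.example
    "urn:myapp",                                   # no host name at all
]

if __name__ == "__main__":
    for uri, reason in blocking_uris(SAMPLE_URIS, VERIFIED):
        print(f"BLOCKS CONVERSION: {uri} ({reason})")
```

Comparing the parsed host rather than a string prefix is what keeps the fourth sample from passing as a contoso.com URI.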
For more information about configuring a verified publisher domain, see Configure a verified domain.
Learn more about the requirements for converting an app from single- to multi-tenant.