Tenancy in Azure Active Directory

Azure Active Directory (Azure AD) organizes objects like users and apps into groups called tenants. Tenants allow an administrator to set policies on the users within the organization and the apps that the organization owns to meet their security and operational policies.

Who can sign in to your app?

When it comes to developing apps, developers can choose to configure their app to be either single-tenant or multi-tenant during app registration in the Azure portal.

  • Single-tenant apps are only available in the tenant they were registered in, also known as their home tenant.
  • Multi-tenant apps are available to users in both their home tenant and other tenants.

In the Azure portal, you can configure your app to be single-tenant or multi-tenant by setting the audience as follows.

| Audience | Single/multi-tenant | Who can sign in |
|---|---|---|
| Accounts in this directory only | Single tenant | All user and guest accounts in your directory can use your application or API. Use this option if your target audience is internal to your organization. |
| Accounts in any Azure AD directory | Multi-tenant | All users and guests with a work or school account from Microsoft can use your application or API. This includes schools and businesses that use Office 365. Use this option if your target audience is business or educational customers. |
| Accounts in any Azure AD directory and personal Microsoft accounts (such as Skype, Xbox, Outlook.com) | Multi-tenant | All users with a work or school, or personal Microsoft account can use your application or API. It includes schools and businesses that use Office 365 as well as personal accounts that are used to sign in to services like Xbox and Skype. Use this option to target the widest set of Microsoft accounts. |
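
The audience setting decides which tenants may issue tokens for the app, and an app or API can enforce the same rule on the claims it receives. The following is an added example, not code from the original page or from Microsoft. It assumes v2.0 tokens whose signature and aud claim were already validated by a JWT library; the function name, the optional allowed_tenants allowlist and the sample tenant IDs are hypothetical.

```python
from enum import Enum

# Well-known tenant ID under which personal Microsoft accounts sign in.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"

class Audience(Enum):
    """App manifest signInAudience values, one per row of the table above."""
    MY_ORG = "AzureADMyOrg"
    MULTIPLE_ORGS = "AzureADMultipleOrgs"
    ORGS_AND_PERSONAL = "AzureADandPersonalMicrosoftAccount"

def sign_in_allowed(claims, audience, home_tenant, allowed_tenants=None):
    """Return (allowed, reason) for claims taken from an already verified token."""
    tid = str(claims.get("tid", "")).lower()
    iss = str(claims.get("iss", "")).lower()
    if not tid:
        return False, "missing tid claim"
    # The v2.0 issuer is per tenant; if it disagrees with tid, trust neither.
    if iss != f"https://login.microsoftonline.com/{tid}/v2.0":
        return False, "issuer does not match tid"
    if audience is Audience.MY_ORG:
        # Guests of the home tenant receive tokens issued by the home tenant.
        ok = tid == home_tenant.lower()
        return ok, "home tenant" if ok else "outside home tenant"
    if tid == MSA_TENANT_ID:
        ok = audience is Audience.ORGS_AND_PERSONAL
        return ok, "personal account" if ok else "personal accounts not in audience"
    # Hypothetical app-level allowlist of onboarded customer tenants.
    if allowed_tenants is not None and tid not in allowed_tenants:
        return False, "tenant not onboarded"
    return True, "work or school tenant"

if __name__ == "__main__":
    # Constructed sample tenant IDs, not real directories.
    home = "11111111-1111-1111-1111-111111111111"
    other = "22222222-2222-2222-2222-222222222222"
    for tid in (home, other, MSA_TENANT_ID):
        claims = {"tid": tid, "iss": f"https://login.microsoftonline.com/{tid}/v2.0"}
        for aud in Audience:
            print(tid[:8], aud.value, sign_in_allowed(claims, aud, home))
```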

Best practices for multi-tenant apps

Building great multi-tenant apps can be challenging because of the number of different policies that IT administrators can set in their tenants. If you choose to build a multi-tenant app, follow these best practices:

  • Test your app in a tenant that has configured Conditional Access policies.
  • Follow the principle of least user access to ensure that your app only requests permissions it actually needs. Avoid requesting permissions that require admin consent as this may prevent users from acquiring your app at all in some organizations.
  • Provide appropriate names and descriptions for any permissions you expose as part of your app. This helps users and admins know what they are agreeing to when they attempt to use your app's APIs. For more information, see the best practices section in the permissions guide.
