Introducing Microsoft Entra ID
Microsoft Entra ID is an identity management product that organizes users and apps into groups called Tenants. A Tenant contains organizational objects like users, groups, devices, and application registrations (e.g., Microsoft 365). Its primary functions are identity authentication and resource access management, allowing administrators to set policies for access, security, and operational needs.
Single Tenant App VS Multi-Tenant App
Applications can be registered as single-tenant or multi-tenant:
- Single-tenant apps are available only in the tenant where they are registered, known as the home tenant. Only users from the home tenant can sign in to the registered apps.
- Multi-tenant apps are available in the home tenant as well as in other Microsoft Entra ID tenants, so users from external organizations can also sign in to the registered apps. This lets you interact securely with users across an organization made up of multiple tenants and provision and manage those users across tenants automatically. The audience for a multi-tenant app is configured during registration; it can include other organizations' school and work accounts that use M365 and personal accounts such as Outlook.
| Audience | Single/Multi-Tenant | Who can sign in? |
|---|---|---|
| Accounts in this directory only | Single tenant | All user and guest accounts in your directory can use your application or API. |
| Accounts in any Microsoft Entra directory | Multitenant | All users and guests with a work or school account from Microsoft can use your application or API. This includes schools and businesses that use M365. |
| Accounts in any Microsoft Entra directory and personal Microsoft accounts (such as Skype, Xbox, Outlook.com) | Multitenant | All work, school, or personal Microsoft account users can use your application or API. This includes schools and businesses that use Microsoft 365 and personal accounts used to sign in to services like Xbox and Skype. |
Login URL according to the audience
| Login Type | Login URL |
|---|---|
| Single Tenant | https://login.microsoftonline.com/{tenantID} |
| Multi-Tenant, corporate accounts | https://login.microsoftonline.com/organizations |
| Multi-Tenant, all accounts | https://login.microsoftonline.com/common |
| Microsoft Account only | https://login.microsoftonline.com/consumers |
Multitenant organization Scenarios
The multitenant organization scenario occurs when an organization has more than one tenant instance of Microsoft Entra ID.
Below are a few scenarios where Multitenancy is required:
- Merging or acquiring companies
- Splitting off or selling parts of a business
- Operations in various locations with different regulations
- Partnering with various organizations for collaboration
Multi-Tenant Authentication Process: App and API Access
- The app and the API are registered in the home tenant.
- An external user from a customer tenant logs in using the common login URL.
- Only an admin of the customer tenant needs to accept consent for app access.
- The app obtains an auth token from Entra ID.
- A service principal for the app is created in the customer tenant.
- The app forwards the token inside the API call.
- Only an admin of the customer tenant needs to accept consent for API access.
- The API validates the token with Entra ID.
- A service principal for the API is created in the customer (user) tenant.
- The service principals are used for further authentication.
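The "API validates the token" step above deserves care in a multi-tenant API: tokens arrive through the /common or /organizations authority, so the issuer is per-tenant and the API must decide which tenants it trusts rather than accepting any signed token. The following added example (not the page's or Microsoft's code) shows the claim checks an API applies after it has verified the token signature against the issuing tenant's signing keys; the API client ID, tenant IDs and token payload are constructed sample values.

```python
import base64
import json
import time

# Constructed sample values (not real tenant or application IDs)
API_CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # our API's app registration
ALLOWED_TENANTS = {
    "aaaaaaaa-0000-0000-0000-000000000001",  # home tenant
    "bbbbbbbb-0000-0000-0000-000000000002",  # customer tenant whose admin consented
}


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT checked
    here; verify it against the issuing tenant's JWKS before trusting claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def validate_multitenant_claims(claims: dict, now=None):
    """Claim checks for a multi-tenant API, applied after signature verification.
    Returns (accepted, reason)."""
    now = time.time() if now is None else now
    tid = claims.get("tid")
    if tid not in ALLOWED_TENANTS:          # allow-list, never "any tenant"
        return False, f"tenant {tid!r} not allowed"
    # v2.0 tokens embed the tenant id in the issuer; it must agree with 'tid'
    expected_iss = f"https://login.microsoftonline.com/{tid}/v2.0"
    if claims.get("iss") != expected_iss:
        return False, "issuer does not match tenant"
    if claims.get("aud") not in (API_CLIENT_ID, f"api://{API_CLIENT_ID}"):
        return False, "token not issued for this API"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("nbf", 0) > now:
        return False, "token not yet valid"
    return True, "ok"


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

A token from a tenant that never went through admin consent is rejected by the allow-list check even though Entra ID signed it, which is the point of validating `tid` in addition to the signature.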
Multi-Tenant Capabilities
- B2B collaboration: Provides application access for external users, represented in your directory and available in Teams and Microsoft 365.
- Multitenant organization: Defines boundaries for tenants, enabling seamless collaboration in Teams and Microsoft 365.
- Microsoft 365 multitenant people search: Allows collaboration with B2B users, available as contacts in Outlook and other Microsoft 365 apps.
- Cross-tenant synchronization: Automates managing B2B users across multiple tenants, governed by cross-tenant settings.
- B2B direct connect: Establishes mutual trust with another tenant for seamless collaboration, visible in Teams.
The following diagram (source: Microsoft) shows how B2B direct connect, B2B collaboration, and cross-tenant synchronization capabilities could be used together.
Best Practices for Multi-tenant Apps
Building great multitenant apps can be challenging because of the number of different policies that IT administrators can set in their tenants. If you choose to develop a multitenant app, follow these best practices:
- Test your app in a tenant that has configured Conditional Access policies.
- Follow the principle of least privilege so that your app requests only the permissions it actually needs.
- Provide appropriate names and descriptions for any permissions you expose as part of your app. This helps users and admins know what they’re agreeing to when they attempt to use your app’s APIs.
Conclusion
Microsoft Entra ID is a powerful tool for managing identities, designed to adapt to the needs of different organizations. Whether you’re dealing with a single-tenant setup or managing multiple tenants, understanding these options can help you make the most out of your identity management. Multi-tenant apps, in particular, offer a lot of flexibility—perfect for businesses that are growing, merging, or working with partners.
If you’re looking to build or maintain a multi-tenant environment, Microsoft Entra ID gives you the features you need to keep things secure and running smoothly. By following some key best practices, like testing your app with different security policies and ensuring you’re only asking for the permissions you need, you can ensure your users have a great experience while keeping everything safe.
In summary, Entra ID can help you simplify identity management and make collaboration easier—all while keeping your data secure and accessible.
Ready to build secure, flexible multi-tenant apps? Contact us today to learn how we can help you leverage Microsoft Entra ID to its full potential.