Does App need to be multi-tenant when using B2B invite

3
votes

We are building a Web App/API to publish in our Azure AD and want to provide access to the app by inviting (B2B scenario) external users into our Azure AD. This will create accounts in our Azure AD of type "Guest" which we will use to assign permissions to the app. In this scenario, do we need to configure our application to be "multi-tenant"? There are steps to take inside the code to accommodate for multi-tenant sign-ins and there is a setting on the Settings tab of the App Registration in Azure AD that is labeled "Multi-tenanted" where you select either Yes or No. On the App Registration setting, there is a pop-out bubble that says:

Designates whether users in external organizations are allowed to grant your app access to data in their organization's directory

I am not sure how (or if) the code changes and the app registration setting are related but our app will not need access to any data outside of our directory.

1
azureazure-web-app-serviceazure-active-directory

1 Answers

3
votes

No your app does not need to be multi-tenanted and you do not need to direct users to the /common endpoint. I have tested this, and you still get a kind of SSO experience.

Example [email protected] (homed in Org1 AAD) is a guest user in Org2 AAD (invite has been accepted). Now this same user opens a private browser and logs in to Org1 AAD.

The user then tries to hit a web app with app registration in Org2, and web app redirects user to https://login.microsoftonline.com/org2.onmicrosoft.com/oauth2/authorize.

Result, user is considered logged in by AAD and gets redirected to the redirect_url with tokens, etc.