3
votes

Is it possible to restrict a multi-tenant Azure AD application so that only a select few tenants are allowed to sign up?

As mentioned in this article, the web app can validate the user by checking whether the issuer value is in a list of their approved tenants. However, this happens after the user has already signed up for the web app. Is it possible to restrict the sign-up process to an approved list of tenants?

2
Not at the moment, no. – juunas

2 Answers

2
votes

You can restrict access to tenants but cannot restrict sign-up. https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions

You could, however, have your service keep a whitelist of tenants which are allowed to call your API, and check that the token has the correct issuer or tid claim. (See Restrict Azure Active Directory app access to specific tenants)
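As an added example (not code from the answer above), here is the check the answer describes: after a library has verified the token's signature, the service compares the `tid` claim against a tenant allow-list and confirms that the `iss` claim is the issuer URL for that same tenant, so a token from an unapproved tenant is rejected even though the user could sign in. The tenant IDs, the sample token and the `make_unsigned_token` helper are constructed for the demonstration; the issuer URL formats are the standard Azure AD v1.0 and v2.0 ones.

```python
import base64
import json

# Constructed allow-list of tenant IDs (GUIDs) this service accepts.
ALLOWED_TENANTS = {
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Constructed helper: build a compact JWT with a dummy signature so the
    example runs offline. Real tokens come from Azure AD and are RS256-signed."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysig"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. This does NOT verify the
    signature; verify it (e.g. with a JWT library and the tenant's JWKS)
    before trusting anything returned here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def tenant_is_allowed(claims: dict, allowed: set = ALLOWED_TENANTS) -> bool:
    """Accept the token only if tid is on the allow-list and iss belongs to
    that same tenant (guards against a mismatched tid/iss pair)."""
    tid = claims.get("tid")
    iss = claims.get("iss")
    if not tid or not iss or tid not in allowed:
        return False
    expected_issuers = {
        f"https://login.microsoftonline.com/{tid}/v2.0",  # v2.0 endpoint
        f"https://sts.windows.net/{tid}/",                # v1.0 endpoint
    }
    return iss in expected_issuers


# Constructed sample tokens: one from an approved tenant, one from a stranger.
APPROVED_TID = "11111111-1111-1111-1111-111111111111"
STRANGER_TID = "33333333-3333-3333-3333-333333333333"
SAMPLE_APPROVED = make_unsigned_token({
    "tid": APPROVED_TID,
    "iss": f"https://login.microsoftonline.com/{APPROVED_TID}/v2.0",
    "sub": "user-from-approved-tenant",
})
SAMPLE_STRANGER = make_unsigned_token({
    "tid": STRANGER_TID,
    "iss": f"https://login.microsoftonline.com/{STRANGER_TID}/v2.0",
    "sub": "user-from-unknown-tenant",
})


def check_token(token: str) -> bool:
    """Full flow after signature verification: decode, then apply the allow-list."""
    return tenant_is_allowed(decode_claims(token))


if __name__ == "__main__":
    print("approved tenant:", check_token(SAMPLE_APPROVED))   # True
    print("unknown tenant:", check_token(SAMPLE_STRANGER))    # False
```

Keying the allow-list on `tid` rather than on the issuer string alone, and then requiring the issuer to match that `tid`, means a token cannot pass by carrying an approved issuer with a different tenant ID; in practice this check sits immediately after the JWT library has validated signature, audience and expiry.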

-1
votes

Srinivas, you can restrict the application so that only some specific users are able to sign up by configuring the application in the portal.

  1. Find the application you created. Go to the Azure portal, click Azure Active Directory, select Enterprise Applications, then select All Applications to view a list of all your applications. If you do not see the application you want here, use the filters at the top of the All applications list to narrow the list, or scroll down the list to locate your application.

  2. Enable user assignment. Select your application, go to Properties, locate the setting User assignment required? and set it to Yes.

  3. Assign users and groups to the app. Select Users and groups, select Add user, and choose the users you want to allow to sign up; this restricts the sign-up process to these tenants.

You can refer to this document for more detail.