As a small SaaS provider, I currently have an app service which I host in my tenant, and it uses Azure AD for IAM. I have two customers, and there is a separate app service instance and database for each customer in different regions. I have also created two additional tenants, one for each customer, and within each customer tenant I have an app registration (single tenant) linked to an enterprise application. User accounts are created within the customer tenant's AAD and given access to the enterprise application with one of the corresponding app registration roles.
This all works fine; however, one of my customers has recently implemented Office 365 in their own tenant and would like to use their O365 user accounts to sign in to my application instead of the user accounts within the tenant I created for them.
I followed this documentation and this tutorial and updated the Issuer URL to "https://login.microsoftonline.com/customer-tenant-id/v2.0" in the app service authentication provider properties. This didn't allow my customer tenant to access my app, but once I changed my host app registration to multi-tenant it worked. However, it didn't prevent other test tenants from also accessing my app, so going down the multi-tenant path seems to introduce unnecessary complexity and risk, especially when there will only ever be a one-to-one relationship between customer and app service instance.
Therefore, since each instance of my app is only used by one customer, I would like to keep the single-tenant design. However, I cannot find a way to implement the app registration and roles within my tenant and have the customer only have the enterprise application in their tenant. Is this possible?
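An added example, not from the question or from Microsoft's documentation, of the application-level check that closes the gap described above when a registration has to be multi-tenant: after the platform has verified the token's signature, the app only accepts tokens whose tenant is on an explicit allow-list, and it requires the v2.0 `iss` value to agree with the `tid` claim. The tenant IDs and tokens below are constructed placeholders.

```python
import base64
import json

# Constructed placeholder tenant ID for "customer A" (not a real tenant).
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}

def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT.
    Assumes the signature was already verified upstream (for example by the
    App Service authentication layer); this function does NOT verify it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def tenant_allowed(claims: dict, allowed=ALLOWED_TENANTS) -> bool:
    """Accept only tokens issued by an allow-listed tenant.
    In Azure AD v2.0 tokens the issuer is
    https://login.microsoftonline.com/{tid}/v2.0, so iss and tid must agree
    and tid must be on the list; anything else is rejected."""
    tid = claims.get("tid")
    iss = claims.get("iss")
    if not tid or not iss:
        return False
    if iss != f"https://login.microsoftonline.com/{tid}/v2.0":
        return False
    return tid in allowed

def accept_token(token: str, allowed=ALLOWED_TENANTS) -> bool:
    """Decode a (pre-verified) token and apply the tenant allow-list."""
    return tenant_allowed(decode_claims(token), allowed)

def make_sample_token(claims: dict) -> str:
    """Build a constructed token with an empty signature, for testing the
    claim checks only; never accept such a token in a real deployment."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."
```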