Hear people talk about single tenant or multi-tenant when they refer to Microsoft Entra ID and get a bit confused? Let me see if I can help clear it up conceptually and then dive into it a little deeper.
So what is the difference? When you create an app in you Microsoft Entra ID tenant you have a toggle to say if the app is multi-tenant or not.
When this is not enabled, or in single tenant mode, it means that only users who are in your Azure tenant’s AD can sign in and use that app. However if you switch the toggle to enabled, then it is in multi-tenant mode. This means that anyone in any Azure tenant can sign in to their tenant and use your app.
Why would you want this? Well if you are building an app that is only intended to be used by your company employees, then you’d set it to be in single-tenant mode. But let’s say it’s an extranet style app where you want your employees and some of your customers to use the app. In that case you would want to make it multi-tenant so your employees can use it by logging into your company’s Microsoft Entra ID tenant but your customers can also sign in to their Microsoft Entra ID and use your company’s app.
Digging Deeper For Developers
As a developer of an app, do you have to keep in mind how you configure your app? Yup… your sure do!
Generally the only thing you need to keep in mind is the endpoint you will use to send your users in to sign in and that you will use to obtain the OAuth access token. So for instance, the URL you use to obtain an access token looks something like this:
https://login.windows.net/[...]/oauth2/authorize
The thing that makes it single tenant is when that think in the middle is a GUID or the tenant name (like \[..\].onmicrosoft.com). So for instance, something like this:
https://login.windows.net/f7a787ec-4210-498f-b647-b06bf0329908/oauth2/authorize
If you are logging into a multi-tenant app, you would use the common endpoint:
https://login.windows.net/common/oath2/common
Now in the case of a multi-tenant app, you can check the claims that are returned to get the specific tenantID for the user’s directory. You can get the tenant ID that the user logged into by looking up this claim in the collection of claims returned: http://schemas.microsoft.com/identity/claims/tenantid.
author
Andrew Connell
Microsoft MVP, Full-Stack Developer & Chief Course Artisan - Voitanos LLC.
Andrew Connell is a full stack developer who focuses on Microsoft Azure & Microsoft 365. He’s a 20+ year recipient of Microsoft’s MVP award and has helped thousands of developers through the various courses he’s authored & taught. Whether it’s an introduction to the entire ecosystem, or a deep dive into a specific software, his resources, tools, and support help web developers become experts in the Microsoft 365 ecosystem, so they can become irreplaceable in their organization.
