Microsoft Entra ID - single vs. multi-tenant differences

Microsoft Entra ID (formerly Azure AD), supports two types of application authentication configurations - single and multi-tenant. Learn what's different.

By Last Updated: December 18, 2014 2 minutes read

Hear people talk about single tenant or multi-tenant when they refer to Microsoft Entra ID and get a bit confused? Let me see if I can help clear it up conceptually and then dive into it a little deeper.

So what is the difference? When you create an app in you Microsoft Entra ID tenant you have a toggle to say if the app is multi-tenant or not.

Single tenant vs. Multi-tenant

When this is not enabled, or in single tenant mode, it means that only users who are in your Azure tenant’s AD can sign in and use that app. However if you switch the toggle to enabled, then it is in multi-tenant mode. This means that anyone in any Azure tenant can sign in to their tenant and use your app.

Why would you want this? Well if you are building an app that is only intended to be used by your company employees, then you’d set it to be in single-tenant mode. But let’s say it’s an extranet style app where you want your employees and some of your customers to use the app. In that case you would want to make it multi-tenant so your employees can use it by logging into your company’s Microsoft Entra ID tenant but your customers can also sign in to their Microsoft Entra ID and use your company’s app.

Digging Deeper For Developers

As a developer of an app, do you have to keep in mind how you configure your app? Yup… your sure do!

Generally the only thing you need to keep in mind is the endpoint you will use to send your users in to sign in and that you will use to obtain the OAuth access token. So for instance, the URL you use to obtain an access token looks something like this:

https://login.windows.net/[...]/oauth2/authorize

The thing that makes it single tenant is when that think in the middle is a GUID or the tenant name (like \[..\].onmicrosoft.com). So for instance, something like this:

https://login.windows.net/f7a787ec-4210-498f-b647-b06bf0329908/oauth2/authorize

If you are logging into a multi-tenant app, you would use the common endpoint:

https://login.windows.net/common/oath2/common

Now in the case of a multi-tenant app, you can check the claims that are returned to get the specific tenantID for the user’s directory. You can get the tenant ID that the user logged into by looking up this claim in the collection of claims returned: http://schemas.microsoft.com/identity/claims/tenantid.

Branded horizontal divider.