Reputation: 1389
Is there a way to restrict to certain tenants when using multi-tenant applications on Azure AD?
Maybe I misunderstood the whole thing, but I realize that a user of another tenant can log in to my application after giving consent, and I couldn't find a way to restrict that login to a group of tenants I trust.
Upvotes: 8
Views: 2681
Reputation: 24870
While this feature isn't available in Azure AD today, you could implement this scenario if you add Auth0 in the mix. Auth0 supports multi-tenant Azure AD applications as a connection for your applications and using the rules engine you can write rules to restrict access to a specific application based on the Azure AD tenant.
Here's an example of such a rule (which runs in the Auth0 authentication pipeline, after the user has authenticated in Azure AD and before the user can access your application):
function (user, context, callback) {
  // Only enforce the tenant whitelist for the named application;
  // every other application bypasses this rule.
  if (context.clientName !== 'NameOfTheAppWithWhiteList') {
    return callback(null, user, context);
  }

  var whitelist = [ 'tenantId1', 'tenantId2' ]; // authorized Azure AD tenants
  var userHasAccess = whitelist.some(function (tenantId) {
    return tenantId === user.tenantid;
  });

  if (!userHasAccess) {
    return callback(new UnauthorizedError('Access denied.'));
  }

  callback(null, user, context);
}
Disclaimer: I work for Auth0.
Upvotes: 3
Reputation: 5838
We don't currently have an application configuration property that maps to a tenant allow list for a multi-tenant app.
What you can do is build this capability into your application - the auth/JWT token contains the tenantID (tid) as a claim. You can authorize access only for known tenants in your app's allow list.
Please let us know if this is a feature that you want to be able to configure through an application configuration page (like in the Azure management portal). Also, it would be great to understand your scenario here.
Hope this helps,
Upvotes: 6