Mohd Shakhtour

Reputation: 175

Azure Active Directory - Support 2 Domains for an app

I have an Azure Active Directory app that I use to authenticate people to my application. The current mechanism I use is single-tenant, and now I need another email domain to access my app (only two domains, not any organization email).

For example, only .domain1 & .domain2 can use the app and authenticate to my app.

Any Idea what I can do?

Upvotes: 0

Views: 263

Answers (1)

juunas

Reputation: 58823

I'm assuming you mean two AAD tenants.

Well I wrote a whole article on this topic https://joonasw.net/view/best-practices-for-n-tenant-azure-ad-applications.

The app needs to be registered multi-tenant as there is no option to allow specific tenants. Your back-ends especially should define the valid issuers, so the issuer URIs for the two AAD tenants. That way a token issued for another tenant will not be considered valid. A typical multi-tenant app might disable issuer validation, but you must not.

Then you have to think about how you will do login. You can use the organizations endpoint, but that does allow a user to use some other tenant to log in, probably by accident. The advantage of that approach is that it's a single authentication URL. The disadvantage is that guest accounts (externals) in those tenants will not work.

The other option is to somehow detect the tenant the user should use, or offer the user the choice, and then use the tenant-specific endpoint to authenticate. This has the advantage of working well with all types of accounts. The disadvantage is that it makes the login process more complex on the app side.

Upvotes: 1
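As an added illustration (not code from the answer or the linked article), here is the back-end issuer check the answer describes, in Python. The tenant IDs are constructed placeholders, and it assumes the JWT library has already verified the token signature and handed back the decoded claims.

```python
import time
from typing import Iterable

# Constructed placeholder tenant IDs for the two allowed organisations (not real tenants).
ALLOWED_TENANTS = {
    "11111111-1111-1111-1111-111111111111",  # tenant behind domain1
    "22222222-2222-2222-2222-222222222222",  # tenant behind domain2
}


def allowed_issuers(tenant_ids: Iterable[str]) -> set:
    """Issuer URIs Azure AD puts in tokens for the given tenants.

    v1 tokens use https://sts.windows.net/{tid}/ and v2 tokens use
    https://login.microsoftonline.com/{tid}/v2.0, so both are allow-listed.
    """
    issuers = set()
    for tid in tenant_ids:
        issuers.add(f"https://sts.windows.net/{tid}/")
        issuers.add(f"https://login.microsoftonline.com/{tid}/v2.0")
    return issuers


def validate_claims(claims: dict, audience: str, tenant_ids=ALLOWED_TENANTS, now=None) -> bool:
    """Accept a token only if it was issued by one of the allow-listed tenants.

    Assumes the signature was already verified by the JWT library. A typical
    multi-tenant app turns issuer validation off; this function is the strict
    replacement for that, plus the audience and expiry checks a back-end needs.
    """
    now = time.time() if now is None else now
    # Reject any issuer that is not one of the two tenants, whatever the token format.
    if claims.get("iss") not in allowed_issuers(tenant_ids):
        return False
    # tid must be an allowed tenant and must agree with the tenant named in iss.
    if claims.get("tid") not in tenant_ids or claims["tid"] not in claims["iss"]:
        return False
    # The token must be meant for this API, not another app in the same tenant.
    if claims.get("aud") != audience:
        return False
    return claims.get("exp", 0) > now
```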
