Reputation: 1600
Microsoft has a guide on multi-tenant applications and managing identities. They explain how the tenant admin (or tenant users) can provide consent to the application using the user profile. However, I am also interested in the opposite: as the application owner, consenting to usage of the application by specific tenants. We only want to allow tenants on the application that have signed up with an SLA.
How can we "whitelist" tenants such that only known tenants sign up with our application?
Upvotes: 0
Views: 329
Reputation: 42133
Azure AD will not limit which tenants' users can log in to the app; the best way is to specify the valid token issuers to the token validator on the app's side.
ASP.NET Core sample:
```csharp
using Microsoft.IdentityModel.Tokens;

// Inside .AddOpenIdConnect()
o.TokenValidationParameters = new TokenValidationParameters
{
    // NOTE: We should not turn issuer validation off.
    // We should instead list the valid issuers.
    // You can find your issuer URI at: https://login.microsoftonline.com/tenant-id-here/v2.0/.well-known/openid-configuration
    // It's in the "issuer" property.
    NameClaimType = "name",
    // THIS IS IMPORTANT: only accept tokens from these tenants
    ValidIssuers = new[]
    {
        $"https://login.microsoftonline.com/{authSettings.EmployeeTenantId}/v2.0",
        $"https://login.microsoftonline.com/{authSettings.PartnerTenantId}/v2.0"
    }
};
```
For more details, refer to the blog - Best practices for N-tenant Azure AD applications.
Upvotes: 1
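The same allow-listing idea, shown as an added stand-alone example (not code from the answer above): build the exact v2.0 issuer strings for the allowed tenants, and accept a decoded token only if its `iss` matches one of them exactly and the `tid` claim names the same tenant. It assumes the token's signature has already been verified by your JWT library, and the tenant IDs are constructed placeholders.

```python
"""Tenant allow-listing for Azure AD v2.0 tokens by exact issuer match.

Assumption: the JWT signature was already verified against the Azure AD
signing keys; this runs on the decoded claim set. Tenant IDs below are
constructed placeholders, not real tenants.
"""
from urllib.parse import urlparse

AAD_HOST = "login.microsoftonline.com"


def valid_issuers(tenant_ids):
    """Exact issuer strings to accept, one per allowed tenant (the same
    list the ASP.NET Core ValidIssuers setting expects)."""
    return [f"https://{AAD_HOST}/{tid.lower()}/v2.0" for tid in tenant_ids]


def issuer_tenant(iss):
    """Tenant ID embedded in an Azure AD v2.0 issuer URI, or None if the
    URI is not shaped like one. Host and path are matched exactly: a
    prefix or substring check would also accept look-alike hosts."""
    u = urlparse(iss)
    if u.scheme != "https" or u.netloc != AAD_HOST:
        return None
    parts = u.path.strip("/").split("/")
    if len(parts) != 2 or parts[1] != "v2.0" or not parts[0]:
        return None
    return parts[0].lower()


def is_allowed_tenant(claims, allowed_tenant_ids):
    """True only if 'iss' names an allow-listed tenant and the 'tid' claim
    agrees with it, so the two claims cannot point at different tenants."""
    allowed = {t.lower() for t in allowed_tenant_ids}
    tenant = issuer_tenant(claims.get("iss", ""))
    if tenant is None or tenant not in allowed:
        return False
    return str(claims.get("tid", "")).lower() == tenant


# Constructed sample: two tenants that signed the SLA, one that did not.
EMPLOYEE_TENANT = "11111111-1111-1111-1111-111111111111"
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"
OTHER_TENANT = "33333333-3333-3333-3333-333333333333"
ALLOWED = [EMPLOYEE_TENANT, PARTNER_TENANT]

SAMPLE_OK = {"iss": f"https://{AAD_HOST}/{PARTNER_TENANT}/v2.0", "tid": PARTNER_TENANT}
SAMPLE_UNKNOWN = {"iss": f"https://{AAD_HOST}/{OTHER_TENANT}/v2.0", "tid": OTHER_TENANT}
SAMPLE_MISMATCH = {"iss": f"https://{AAD_HOST}/{PARTNER_TENANT}/v2.0", "tid": OTHER_TENANT}
```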