Microsoft MVP Logo

Hear people talk about single tenant or multi-tenant when they refer to Azure AD and get a bit confused? Let me see if I can help clear it up conceptually and then dive into it a little deeper.

So what is the difference? When you create an app in you Azure AD tenant you have a toggle to say if the app is multi-tenant or not.

When this is not enabled, or in single tenant mode, it means that only users who are in your Azure tenant's AD can login and use that app. However if you switch the toggle to enabled, then it is in multi-tenant mode. This means that anyone in any Azure tenant can login to their tenant and use your app.

Why would you want this? Well if you are building an app that is only intended to be used by your company employees, then you'd set it to be in single-tenant mode. But let's say it's an extranet style app where you want your employees and some of your customers to use the app. In that case you would want to make it multi-tenant so your employees can use it by logging into your company's Azure AD tenant but your customers can also login to their Azure AD and use your company's app.

Digging Deeper For Developers

As a developer of an app, do you have to keep in mind how you configure your app? Yup... your sure do!

Generally the only thing you need to keep in mind is the endpoint you will use to send your users in to login and that you will use to obtain the OAuth access token. So for instance, the URL you use to obtain an access token looks something like this:

https://login.windows.net/[...]/oauth2/authorize

The thing that makes it single tenant is when that think in the middle is a GUID or the tenant name (like [..].onmicrosoft.com). So for instance, something like this:

https://login.windows.net/f7a787ec-4210-498f-b647-b06bf0329908/oauth2/authorize

If you are logging into a multi-tenant app, you would use the common endpoint:

https://login.windows.net/common/oath2/common

Now in the case of a multi-tenant app, you can check the claims that are returned to get the specific tenantID for the user’s directory. You can get the tenant ID that the user logged into by looking up this claim in the collection of claims returned: http://schemas.microsoft.com/identity/claims/tenantid.

Comments powered by Disqus