Azure AD - What’s the Difference Between Single vs. Multi-Tenant

Confused when people talk about single tenant or multi-tenant when they refer to Azure AD? This article will clear it up & then dive into it a little deeper.

Hear people talk about single tenant or multi-tenant when they refer to Azure AD and get a bit confused? Let me see if I can help clear it up conceptually and then dive into it a little deeper.

So what is the difference? When you create an app in your Azure AD tenant you have a toggle that says whether the app is multi-tenant or not.

Single tenant vs. Multi-tenant

When this is not enabled, the app is in single-tenant mode: only users in your own Azure AD tenant can sign in and use that app. If you switch the toggle to enabled, the app is in multi-tenant mode. This means that a user in any Azure AD tenant can sign in to their own tenant and use your app.

Why would you want this? If you are building an app that is only intended to be used by your company's employees, you'd leave it in single-tenant mode. But let's say it's an extranet style app where you want your employees and some of your customers to use the app. In that case you would want to make it multi-tenant so your employees can use it by signing in to your company's Azure AD tenant, while your customers sign in to their own Azure AD tenant and use your company's app.

Digging Deeper For Developers

As a developer of an app, do you have to keep in mind how you configured your app? Yup… you sure do!

Generally the only thing you need to keep in mind is the endpoint you send your users to in order to sign in (the authorize endpoint) and the matching endpoint you use to obtain the OAuth access token (the token endpoint). Both are built the same way; the part that changes is the tenant segment of the URL. So for instance, the authorize URL looks something like this:

https://login.windows.net/[...]/oauth2/authorize

The thing that makes it single tenant is when that segment in the middle is the tenant's GUID or the tenant name (like [...].onmicrosoft.com). So for instance, something like this:

https://login.windows.net/f7a787ec-4210-498f-b647-b06bf0329908/oauth2/authorize

If you are logging into a multi-tenant app, you would use the common endpoint:

https://login.windows.net/common/oauth2/authorize

Now in the case of a multi-tenant app, you can check the claims that are returned to get the specific tenant ID of the user's directory. You can get the tenant ID that the user signed in to by looking up this claim in the collection of claims returned: http://schemas.microsoft.com/identity/claims/tenantid (in the raw JWT this is the tid claim). This matters for security: because the common endpoint accepts sign-ins from every Azure AD tenant, your app, not the endpoint, is what decides which tenants are allowed. Validate the tenant ID (and the issuer, which embeds it) against the list of tenants you intend to serve before granting access; otherwise any Azure AD user anywhere can sign in to your multi-tenant app.
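The two points above (building the authorize URL for a single-tenant vs. multi-tenant app, and checking the tenant claim in a multi-tenant app) as one worked example. This is added code, not from the article; the client ID, redirect URI, allow-list and sample claims are constructed assumptions, and the sample claims are a stand-in for a token whose signature and expiry your token library has already verified.

```python
"""Added example (not the article's own code): Azure AD v1 endpoints for
single-tenant vs. multi-tenant apps, plus the tenant check a multi-tenant
app must do itself. Sample values below are constructed for illustration."""
import secrets
from urllib.parse import urlencode

AUTHORITY_HOST = "https://login.windows.net"  # host used in the article

# .NET claim type that maps the JWT 'tid' claim (from the article)
TENANT_ID_CLAIM = "http://schemas.microsoft.com/identity/claims/tenantid"


def authorize_url(tenant, client_id, redirect_uri, state):
    """Build the authorize endpoint. 'tenant' is a GUID or
    '<name>.onmicrosoft.com' for a single-tenant app, or the literal
    'common' for a multi-tenant app. 'state' must be bound to the user's
    session and checked on the callback so the redirect cannot be forged."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{AUTHORITY_HOST}/{tenant}/oauth2/authorize?{urlencode(params)}"


def token_url(tenant):
    """Matching token endpoint; same tenant segment as the authorize URL."""
    return f"{AUTHORITY_HOST}/{tenant}/oauth2/token"


def new_state():
    """Unguessable per-request state value."""
    return secrets.token_urlsafe(32)


def tenant_of(claims):
    """Tenant ID from either the raw JWT claim or the .NET-mapped claim type."""
    return claims.get("tid") or claims.get(TENANT_ID_CLAIM)


def validate_tenant(claims, allowed_tenants, client_id):
    """Return the tenant ID if the token comes from a tenant we serve and is
    addressed to this app; raise ValueError otherwise. Assumes signature and
    expiry were already verified by the token library."""
    tid = tenant_of(claims)
    if not tid:
        raise ValueError("token has no tenant id claim")
    tid = tid.lower()
    if tid not in {t.lower() for t in allowed_tenants}:
        raise ValueError(f"tenant {tid} is not on the allow-list")
    # v1 tokens carry the tenant in the issuer; the two must agree.
    expected_iss = f"https://sts.windows.net/{tid}/"
    if claims.get("iss") != expected_iss:
        raise ValueError(f"issuer {claims.get('iss')!r} does not match tenant {tid}")
    if claims.get("aud") != client_id:
        raise ValueError("token was not issued for this app")
    return tid


def is_allowed(claims, allowed_tenants, client_id):
    """Boolean wrapper around validate_tenant for callers that just gate access."""
    try:
        validate_tenant(claims, allowed_tenants, client_id)
        return True
    except ValueError:
        return False


# Constructed sample values (assumptions, not real registrations or tokens).
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REDIRECT_URI = "https://app.example/signin-callback"
CONTOSO_TENANT = "f7a787ec-4210-498f-b647-b06bf0329908"  # GUID used in the article
ALLOWED_TENANTS = {CONTOSO_TENANT}

SAMPLE_CLAIMS = {  # decoded payload of an already signature-checked v1 token
    "iss": f"https://sts.windows.net/{CONTOSO_TENANT}/",
    "aud": CLIENT_ID,
    "tid": CONTOSO_TENANT,
    "upn": "user@contoso.onmicrosoft.com",
}

if __name__ == "__main__":
    print(authorize_url(CONTOSO_TENANT, CLIENT_ID, REDIRECT_URI, new_state()))
    print(authorize_url("common", CLIENT_ID, REDIRECT_URI, new_state()))
    print("tenant accepted:", validate_tenant(SAMPLE_CLAIMS, ALLOWED_TENANTS, CLIENT_ID))
    print("other tenant accepted:", is_allowed(SAMPLE_CLAIMS, {"contoso-other"}, CLIENT_ID))
```

The allow-list check is the piece the common endpoint does not do for you; an app that only reads the tenant claim for display, without comparing it to a list of tenants it expects, is effectively open to every Azure AD user.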

Andrew Connell
Developer & Chief Course Artisan, Voitanos LLC. | Microsoft MVP

Andrew Connell is a web developer with a focus on Microsoft Azure & Microsoft 365. He’s received Microsoft’s MVP award every year since 2005 and has helped thousands of developers through the various courses he’s authored & taught. Andrew’s the founder of Voitanos and is dedicated to delivering industry-leading on-demand video training to professional developers. He lives with his wife & two kids in Florida.