Multi Tenant App

Question

I have two Azure EntraID tenants: Tenant A (north division of my business) and Tenant B (south division).

• In Tenant A, I have an App Service protected by Easy Auth.
• In Tenant B, I have an application where users authenticate.

I want users signed into the app in Tenant B to be able to call both their own app and the App Service in Tenant A—essentially adding an API permission on the app in Tenant B to access the API in Tenant A.

However, making the App Service registration multitenant seems to broaden the security scope, which I’d like to avoid. Since the two applications are in separate single-tenant app registrations, what would be the best approach to allow authenticated users in Tenant B to securely access the API in Tenant A? Can I whitelist just the one tenant?

Answer 1

Hi @TestAdmin,

Thank you for posting your query on Microsoft Q&A. I am Saiteja from Q&A will be assisting you with your query.

Based on your query, I understand that you would like to add Tenant A, API to the application in tenant B without being making app as a multi-tenant application.

I understand that you would like to add the application as an API to Tenant B, but there is not any option that we could use to achieve your end goal. This is because the scope of the application is applied along with application ID belongs to that particular tenant. This object will not be available in tenant 'B' which leads to the errors. Instead, you can make use of our previous engineer idea of making the application as multi-tenant and add to the tenant B.

Apart from this, there is no other option that we would suggest achieving your end goal. You can provide your feedback in our feedback forum which will be visible to our product team as well.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".