Multi-Tenant Authentication in Azure Entra ID (Azure AD)

Rony Pinto Menares 0 Reputation points
2025-03-06T13:46:12.1933333+00:00

Good day

Requirement

Situation

Company A needs to allow users from Company B (with their own tenant and Microsoft 365 accounts) to authenticate in Company A's ValidRisk web application using their own organizational credentials.

To achieve this, an authentication scheme based on Azure Entra ID has been implemented, and a trust relationship has been established between the tenants.


Steps Taken

  1. Application Configuration in Company A’s Azure AD
  • The ValidRisk application is registered in Company A’s Azure AD (Entra ID).
  • It has been configured to support multi-tenant authentication.
  • In the application's settings within Company A’s Azure AD, the option "Accounts in any Microsoft directory" has been enabled under the account type compatibility settings.
  2. Allowing Access to External Users (Company B)
  • Company B does not need to register the application in its own Azure Entra.
  • Users from Company B can authenticate using Microsoft Entra ID B2B (Business-to-Business).
  • Company B users have been invited as guest users in Company A’s tenant, allowing them to authenticate directly if the application permits.
  3. Authentication Process Configuration
  • OAuth 2.0 / OpenID Connect has been implemented to enable authentication for multiple tenants.
  • When a user from Company B attempts to log in, Azure AD will redirect the authentication to the correct directory.
  4. Company B’s Consent Requirement
  • If the application requests specific permissions, an administrator from Company B may need to approve these permissions the first time a user logs in.
  5. Security and Access Validation
  • Conditional Access has been configured in Azure AD to manage Company B users' access (e.g., MFA, IP restrictions, etc.).
  • Roles and permissions have been defined within the application to control what Company B users can do.

Summary

The ValidRisk application is configured as a multi-tenant application in Company A’s Azure AD, so users from Company B should be able to authenticate seamlessly using their Microsoft 365 organizational accounts.


Situation

Regarding Point 4 (Company B's Consent Requirement):

  • If the application requires specific permissions from an administrator of Company B, their IT team has informed us that the approval process will take approximately 6 months due to compliance policies.

Questions

  1. Is there a scenario where a Company B user can authenticate using only their own permissions without requiring administrator approval?
  2. Is there any configuration on our side (Company A) to avoid requiring administrator approval from Company B?

thanks a lot
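Because the registration accepts "Accounts in any Microsoft directory", the ValidRisk app itself has to reject sign-ins from tenants other than Company A and Company B. The token check below is an added example in Python, not code from the question or from Microsoft; the tenant and client IDs are placeholders, and JWT signature verification against the Microsoft identity platform JWKS is assumed to have happened before these claims are trusted.

```python
import base64
import json

# Placeholder IDs (constructed, not real values from the question).
COMPANY_A_TENANT = "11111111-1111-1111-1111-111111111111"
COMPANY_B_TENANT = "22222222-2222-2222-2222-222222222222"
APP_CLIENT_ID = "33333333-3333-3333-3333-333333333333"  # ValidRisk registration
ALLOWED_TENANTS = {COMPANY_A_TENANT, COMPANY_B_TENANT}


def decode_jwt_payload(token: str) -> dict:
    """Base64url-decode the payload segment of a compact JWT.
    Assumption: the signature was already verified upstream."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def tenant_allowed(claims: dict) -> tuple:
    """Return (ok, reason) for a v2.0 id_token of a multi-tenant app.
    Checks audience, the tenant allow-list, and that the issuer matches
    the tid claim, so an account from an unexpected directory is refused."""
    if claims.get("aud") != APP_CLIENT_ID:
        return False, "audience mismatch"
    tid = claims.get("tid")
    if tid not in ALLOWED_TENANTS:
        return False, "tenant %s not in allow-list" % tid
    expected_iss = "https://login.microsoftonline.com/%s/v2.0" % tid
    if claims.get("iss") != expected_iss:
        return False, "issuer does not match tid"
    return True, "ok"


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature (test data only)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return "%s.%s.placeholder-signature" % (enc({"alg": "RS256", "typ": "JWT"}), enc(claims))


SAMPLE_CLAIMS = {  # constructed: a Company B user signing in from their home tenant
    "aud": APP_CLIENT_ID,
    "iss": "https://login.microsoftonline.com/%s/v2.0" % COMPANY_B_TENANT,
    "tid": COMPANY_B_TENANT,
    "preferred_username": "user@companyb.example",
}

if __name__ == "__main__":
    print(tenant_allowed(decode_jwt_payload(make_sample_token(SAMPLE_CLAIMS))))
```

A guest from Company B who signs in through Company A's tenant (the B2B case in step 2) carries Company A's tid, so both tenants belong on the allow-list.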

Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.

1 answer

  1. Akhilesh Vallamkonda 12,735 Reputation points Microsoft External Staff
    2025-03-07T07:09:47.73+00:00

    Hi @Rony Pinto Menares

    Thank you for reaching Microsoft Q&A!

    I understand your concern about application access from the Company A tenant for Company B tenant users without admin permission.

    Yes, there is a way to achieve your task. Microsoft has a feature for collaborating with external users in the tenant, B2B collaboration with external guests for your workforce. This way external users (Company B) can access the resources of Company A by using their own credentials.
    In B2B collaboration, once the user is created as a guest in your tenant, the external user gets the invitation by email, and once the external user accepts the invite, users can access the applications as per the configuration.

    If you would like to skip the guest invite email to the external user, Microsoft has another feature called cross-tenant synchronization. It automates creating, updating, and deleting users and allows external users (like those from Company B) to access resources in Company A's tenant without admin approval from their own organization.

    Reference: Configure cross-tenant synchronization
    Bulk invite B2B collaboration users in Microsoft Entra External ID
    Use PowerShell to bulk invite Microsoft Entra B2B collaboration users

    Hope this helps. Do let us know if you have any further queries by responding in the comments section.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

