Introduction
Microsoft Entra ID now offers a feature that lets you explicitly restrict a multi-tenant application to a defined set of tenants. It closes a governance and security gap that has long affected SaaS deployments.
Historically, configuring an application as multi-tenant was all or nothing: any organization that obtained the sign-in URL could consent to your application and access it, which could expose critical services to organizations you never intended to serve. The new "Allow only certain tenants" option (Preview) provides a native way to run a controlled multi-tenant model.

Good to know
This feature allows you to easily switch between an open global model and a restricted model based on a whitelist of authorized tenants.
Configuring Restrictions on Multi-Tenant Applications
If you are already using multi-tenant applications in your production services, here are the steps to follow to implement these restrictions:
Access Microsoft Entra ID
Sign in to the Microsoft Entra ID portal and access your application registration.
Navigate to the Authentication tab
In the application management options, select Authentication.
Enable multi-tenant accounts
Verify that Supported account types is set to the multitenant option (accounts in any Microsoft Entra ID organizational directory).
Add authorized tenant IDs
Use the Allow only certain tenants option and add the tenant ID (the directory GUID) of each tenant you want to authorize.
Caution
The restriction is enforced against every tenant not on the list, including tenants that consented before the change. Review your list of authorized tenant IDs before saving, or you may lock legitimate customers out of your services.
Behavior of Unauthorized Tenants
Consent Attempt
If a user from an unauthorized tenant attempts to consent, the token request fails with an error stating that the application may not be used by that tenant:

{
  "error": "invalid_grant",
  "error_description": "AADSTS7000119: Client application 'x' with identifier 'x' is not allowed to be used by tenant 'x' with identifier 'x'."
}
Tip
When an error like this occurs, verify that the tenant ID is correctly included in the whitelist.
Removing an Authorized Tenant
If a previously authorized tenant is removed from the whitelist, its users are denied on their next sign-in attempt, with the same AADSTS7000119 error as on a consent attempt:
{
  "error": "invalid_grant",
  "error_description": "AADSTS7000119: Client application 'MultiTenantApp-Demo' with identifier 'f36f643f-d066-42f5-bfda-86ce6de6d7e3' is not allowed to be used by tenant 'ourcloudnetwork' with identifier '235e5e63-c104-417e-9ed6-e96d9a456a9d'."
}
Going Further
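As an added example (not code from the original article or from Microsoft), the following Python triages the AADSTS7000119 response quoted above and applies the same tenant allowlist inside the application, so the check does not rely solely on a Preview feature. The helper names, the placeholder allowlist GUID and the JSON wrapping of the error are assumptions; the error wording is the one shown on this page.

```python
import json
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Pattern for the AADSTS7000119 error_description quoted in the article. The
# quoted names and GUIDs differ per app and tenant; the wording is verbatim.
_RESTRICTION_RE = re.compile(
    r"(?P<code>AADSTS\d+): Client application '(?P<client_name>[^']*)' with "
    r"identifier '(?P<client_id>[^']*)' is not allowed to be used by tenant "
    r"'(?P<tenant_name>[^']*)' with identifier '(?P<tenant_id>[^']*)'"
)
TENANT_RESTRICTION_CODE = "AADSTS7000119"


@dataclass(frozen=True)
class TenantRestrictionError:
    code: str
    client_name: str
    client_id: str
    tenant_name: str
    tenant_id: str


def parse_tenant_restriction_error(body: str) -> Optional[TenantRestrictionError]:
    """Return the parsed AADSTS7000119 error from a token-endpoint JSON body,
    or None when the body is some other error (or not JSON at all)."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(payload, dict) or payload.get("error") != "invalid_grant":
        return None
    match = _RESTRICTION_RE.search(payload.get("error_description", ""))
    if match is None or match.group("code") != TENANT_RESTRICTION_CODE:
        return None
    return TenantRestrictionError(**match.groupdict())


def _normalize(tenant_ids: Iterable[str]) -> set[str]:
    # Tenant IDs are GUIDs: compare case-insensitively and ignore stray whitespace.
    return {t.strip().lower() for t in tenant_ids}


def tenant_allowed(tid: str, allowlist: Iterable[str]) -> bool:
    """Defense in depth: the same allowlist, enforced by the application on the
    token's 'tid' claim, so an open Entra configuration does not silently admit
    every tenant that consents."""
    return tid.strip().lower() in _normalize(allowlist)


def diagnose(body: str, allowlist: Iterable[str]) -> str:
    """Explain a failed token request in terms of the local tenant allowlist."""
    err = parse_tenant_restriction_error(body)
    if err is None:
        return "not a tenant-restriction error"
    if tenant_allowed(err.tenant_id, allowlist):
        return (f"tenant {err.tenant_id} ({err.tenant_name}) is on the local "
                f"allowlist; check that the portal list for app {err.client_id} "
                f"was actually saved")
    return (f"tenant {err.tenant_id} ({err.tenant_name}) is not allowlisted for "
            f"app {err.client_id}; add it or treat the request as unauthorized")


# Constructed sample: the response quoted in the article, wrapped as the JSON
# body the token endpoint returns.
SAMPLE_ERROR_BODY = json.dumps({
    "error": "invalid_grant",
    "error_description": (
        "AADSTS7000119: Client application 'MultiTenantApp-Demo' with identifier "
        "'f36f643f-d066-42f5-bfda-86ce6de6d7e3' is not allowed to be used by tenant "
        "'ourcloudnetwork' with identifier '235e5e63-c104-417e-9ed6-e96d9a456a9d'."
    ),
})
# Constructed allowlist: a placeholder GUID, not a real tenant.
SAMPLE_ALLOWLIST = ["11111111-2222-3333-4444-555555555555"]

if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR_BODY, SAMPLE_ALLOWLIST))
    print(tenant_allowed("11111111-2222-3333-4444-555555555555", SAMPLE_ALLOWLIST))
```

Feed diagnose() the raw body of a failed token response and it tells you whether the complaining tenant is missing from your list or whether the portal configuration and your local list have drifted apart; tenant_allowed() is what the application itself should run on every access token's tid claim, regardless of the Entra setting.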
Glossary of Key Terms
- Microsoft Entra ID: Cloud-based identity management platform.
- Whitelist: Set of items allowed to access a resource (in this case, tenant IDs).
- Consent: Action allowing a tenant to grant permissions to an application.
Practical PowerShell Script
Easily add a tenant ID to the whitelist with the following script:
# Add an authorized tenant to a multi-tenant application
# Requires the AzureAD module (deprecated in favor of Microsoft Graph PowerShell) and a signed-in session
Connect-AzureAD
# Set-AzureADApplication -ObjectId expects the app registration's object ID, not its application (client) ID
$appObjectId = "YOUR-APPLICATION-OBJECT-ID"
$tenantId = "TENANT-ID"
# -AddTenantRestriction is not a documented parameter of Set-AzureADApplication in the public AzureAD module; confirm it exists in the module version you run before relying on this script
Set-AzureADApplication -ObjectId $appObjectId -AddTenantRestriction $tenantId
Important
Test your configurations before deploying to production environments.