Introduction
Microsoft has recently introduced a graphical user interface to simplify the management of tenant restrictions on multi-tenant Entra ID applications. This new feature allows administrators to control access to applications without relying exclusively on Graph API methods.
Context
This functionality follows the introduction of tenant restrictions for Entra ID integrated applications, which allow limiting access to multi-tenant applications to specific tenants.
Accessing the new interface
Tenant restrictions can now be configured directly from the Entra ID administration portal. Here's how to proceed:
Navigation to app registrations
Access the Entra ID administration portal and navigate to Entra ID > App registrations.
Application selection
Choose the application object you want to configure from the list of registered applications.
Access to authentication settings
Navigate to the Authentication (Preview) page, then switch to the Supported account types tab.

Configuring tenant restrictions
By default, multi-tenant applications do not enforce any tenant restrictions. To enable this feature:
Enabling restrictions
Select the Allow only certain tenants (Preview) option. The system will immediately present an error message, as at least one tenant value must be provided.
Important prerequisite
An application cannot have an empty list of authorized tenants. At least one tenant must be specified when enabling restrictions.
Managing authorized tenants
Click the Manage authorized tenants button to open the configuration panel. This interface allows:
- Addition of up to 20 different tenants
- Referencing by tenant ID or by verified domain name
- Support for .onmicrosoft.com domains by default
- Search by verified custom domain


Finalization and saving
Validation of changes
Confirm the changes by clicking the Apply button. You will be redirected to the Supported account types tab with the updated list of authorized tenants.
Saving the settings
Click the Save button to commit the changes. An "Application authentication update" notification confirms that the operation succeeded.
Constraints and technical limitations
Configuration prerequisites
The list of authorized tenants can only be configured when the application audience is set to Multiple Entra ID tenants ("AzureADMultipleOrgs").
Warning
Changing the supported account type to another value will automatically clear the list of authorized tenants. The interface will display a confirmation warning in this case.

Managing changes
To remove all tenant restrictions, you must select the Allow all tenants option rather than clearing the list.
Advantages of the new interface
This user interface brings several significant improvements:
- Simplified management: There is no longer any need to master Graph API calls
- Intelligent search: Support for domain name search
- Real-time validation: Automatic warnings and confirmations
- Clear limit: Maximum of 20 tenants per application
Practical tip
The domain search functionality uses the findTenantInformationByDomainName method from the Graph API in the background, so administrators can look up a tenant by domain without calling the API themselves.
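The constraints described above (audience set to AzureADMultipleOrgs, at least one tenant, at most 20, entries given as tenant ID or domain name) can be checked before a change is submitted for review. The following is an added example, not code from Microsoft or from this article; `normalize_allow_list` and the `resolve_domain` hook are hypothetical names, and the hook stands in for a call to findTenantInformationByDomainName.

```python
import re
import uuid

MAX_TENANTS = 20                           # limit stated in this article
REQUIRED_AUDIENCE = "AzureADMultipleOrgs"  # audience required for an allow-list
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def normalize_allow_list(sign_in_audience, entries, resolve_domain):
    """Return (tenant_ids, errors) for a proposed list of authorized tenants.

    resolve_domain(domain) returns a tenant ID string or None. It is a
    hypothetical hook; in practice it would wrap the Graph method
    findTenantInformationByDomainName.
    """
    errors, tenant_ids = [], []
    if sign_in_audience != REQUIRED_AUDIENCE:
        errors.append(f"audience {sign_in_audience!r} does not support an "
                      f"allow-list; expected {REQUIRED_AUDIENCE!r}")
    for raw in entries:
        entry = raw.strip().lower()
        if DOMAIN_RE.match(entry):          # domain name: resolve to a tenant ID
            entry = resolve_domain(entry)
            if entry is None:
                errors.append(f"{raw!r}: domain does not resolve to a tenant")
                continue
        try:
            tenant_id = str(uuid.UUID(entry))   # canonical lowercase GUID
        except ValueError:
            errors.append(f"{raw!r}: neither a tenant ID nor a domain name")
            continue
        # Choice made for this example: an ID and a domain that point to the
        # same tenant count once toward the limit.
        if tenant_id not in tenant_ids:
            tenant_ids.append(tenant_id)
    if not tenant_ids:
        errors.append("list is empty; at least one tenant is required")
    if len(tenant_ids) > MAX_TENANTS:
        errors.append(f"{len(tenant_ids)} tenants exceed the limit of {MAX_TENANTS}")
    return tenant_ids, errors

if __name__ == "__main__":
    # Constructed sample data: neither the domain nor the IDs are real tenants.
    directory = {"contoso.onmicrosoft.com": "11111111-1111-1111-1111-111111111111"}
    proposed = ["Contoso.onmicrosoft.com", "11111111-1111-1111-1111-111111111111",
                "22222222-2222-2222-2222-222222222222", "no-such-tenant.example"]
    print(normalize_allow_list("AzureADMultipleOrgs", proposed, directory.get))
```

An empty error list means the proposed list satisfies the limits described on this page; the returned tenant IDs are deduplicated and in canonical form.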
Conclusion
This new interface represents a positive evolution for managing multi-tenant Entra ID applications. It democratizes access to tenant restriction features by offering a graphical alternative to Graph API methods. Administrators can now effectively configure the security of their applications without deep technical expertise in API development.



