
azure - How to create a new user in multi tenant App registration? - Stack Overflow


I created a multi-tenant registration app in Azure, supporting two types of tenants: one for internal users and another for external users.

My front-end application has a single login button and it can authenticate both internal and external users through my multi-tenant registration app.

I configured the authentication settings in my front-end according to Azure's guidelines, using the MSAL library.

My front-end application sends the request to the https://login.microsoftonline.com/common endpoint that serves across all Microsoft Entra tenants.

My question is: If a new user who is not registered in any tenant wants to sign up through my front-end application, how can I ensure they are registered in the correct tenant?

For example, if the new user is internal, the user will be registered in the internal users' tenant; otherwise, the user will be registered in the external users' tenant.

asked Mar 6 at 18:25 by Agner Souza Bezerra
  • To ensure a new user is registered in the correct tenant, you can check their email domain on the front-end. If the domain matches your internal tenant (e.g., @company), direct them to your internal Azure AD tenant endpoint (https://login.microsoftonline.com/{tenant-id}). Otherwise, use the https://login.microsoftonline.com/common endpoint for external users. Azure AD will create the user in the appropriate tenant upon their first successful authentication. – Rukmini Commented Mar 7 at 5:34
  • Any update on the issue? – Rukmini Commented Mar 10 at 13:18
  • Hello Rukmini, I tried creating a multi-tenant app registration and followed your instructions, but it didn’t work. The Microsoft login screen doesn’t show an option for new external users to sign up. I know how to register external users using Azure B2C and set up a User Flow for that. However, I’m still researching how to enable external user sign-up in a multi-tenant setup and whether using a User Flow is necessary. – Agner Souza Bezerra Commented Mar 10 at 17:58

1 Answer


Note: In a multi-tenant app registration, users from any Azure AD tenant (including external organizations) can authenticate via the https://login.microsoftonline.com/common endpoint.

  • However, this doesn't allow new external users (those who don't already exist in any Azure AD tenant) to self-register when they try to log in.
  • They can only authenticate if they have an existing Azure AD or Microsoft account.

Using a multi-tenant Azure AD application, you cannot show an option for new external users to sign up directly.

  • When external users try to authenticate through a multi-tenant application, if they don't have an Azure AD account in any tenant, they cannot register on the login screen. They can only authenticate if they already have an Azure AD account or use a Microsoft Account (e.g., Outlook).

As you mentioned, you have to register external users using Azure AD B2C and set up a User Flow.

  • To allow external user sign-up, you must use Azure AD B2C, which supports self-registration with customizable user flows.
  • Otherwise, make use of Azure AD B2B (Business-to-Business). However, this requires an invitation, and external users need to accept the invite before they can authenticate.
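As an added example (not code from the question, the comments or the answer), the domain-based authority selection suggested in the comments for an MSAL.js front-end, together with the check a practitioner wants once sign-in goes through /common: that the returned ID token really came from one of the two tenants this app is meant to serve. The tenant IDs, the internal domain and the client ID are constructed placeholders.

```javascript
// Added example (not from the question or answer): choose the MSAL authority
// from the sign-in e-mail and, after sign-in, confirm the ID token came from
// one of the two tenants the app is meant to serve. Tenant IDs, domain and
// client ID are constructed placeholders.
const TENANTS = {
  internal: { tid: "11111111-1111-1111-1111-111111111111", domains: ["contoso.example"] },
  external: { tid: "22222222-2222-2222-2222-222222222222", domains: [] },
};
const CLIENT_ID = "00000000-0000-0000-0000-000000000000"; // placeholder app (client) ID

// The comment's routing idea: a recognised internal domain goes straight to the
// internal tenant's authority; everyone else is sent through /common.
function selectAuthority(email) {
  const at = email.lastIndexOf("@");
  if (at < 0) throw new Error("not an e-mail address");
  const domain = email.slice(at + 1).toLowerCase();
  if (TENANTS.internal.domains.includes(domain)) {
    return `https://login.microsoftonline.com/${TENANTS.internal.tid}`;
  }
  return "https://login.microsoftonline.com/common";
}

// The `auth` section of an MSAL.js configuration object, built per user.
function msalAuthConfig(email, redirectUri) {
  return { clientId: CLIENT_ID, authority: selectAuthority(email), redirectUri };
}

// A /common sign-in returns a token from whichever tenant the user belongs to.
// Before trusting it, map `tid` and `iss` (v2.0 issuer format) onto the two
// tenants this app serves and reject anything else. This only reads claims;
// signature validation stays with the token library on the API side.
function tenantOf(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  for (const [name, t] of Object.entries(TENANTS)) {
    const issuer = `https://login.microsoftonline.com/${t.tid}/v2.0`;
    if (claims.tid === t.tid && claims.iss === issuer) return name;
  }
  throw new Error(`token issued by unexpected tenant ${claims.tid}`);
}

// Constructed sample token for local testing: real header and payload encoding,
// dummy signature segment.
function fakeIdToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "RS256", typ: "JWT" })}.${b64(claims)}.sig`;
}
```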