In this blog, we'll cover how to configure an Azure App Registration as multi-tenant in Azure Active Directory (Azure AD). This is useful when your application is registered in one tenant but needs to authenticate against, or access resources in, another tenant.
By the end of this article, you'll know how to register your app as multi-tenant, obtain admin consent in external tenants, and fetch user data securely through the Microsoft Graph API.
Multi-Tenant App Registration in Azure AD
If your Azure App Registration is created in Tenant X but you need access to users in Tenant Y, you must configure the app in Tenant X as a multi-tenant app and obtain admin consent from Tenant Y.
For example:
- Tenant X = tenantx.com (where the app is registered)
- Tenant Y = tenanty.com (where you want to access user data)
Prerequisites
Before you begin, make sure you have:
- Admin access in Tenant X: permission to create the App Registration and to grant tenant-wide admin consent for its Microsoft Graph application permissions (Global Administrator or Privileged Role Administrator).
- Global Administrator or Privileged Role Administrator in Tenant Y (to grant tenant-wide admin consent). Note that the Application Administrator and Cloud Application Administrator roles can consent to many permissions but not to Microsoft Graph application permissions such as User.Read.All.
- Basic familiarity with Azure App Registrations, OAuth 2.0, and Microsoft Graph API.
- Tools such as Postman or cURL installed for testing authentication and API calls.
- An Azure AD tenant in which you are allowed to create App Registrations (App Registrations live in Azure AD; an Azure subscription is not required for them).
Steps to Register App as Multi-Tenant
Step 1: Register the App as Multi-Tenant in Tenant X
- Go to Azure AD (Tenant X) → App registrations.
- Select your app and go to Authentication.
- Under Supported account types, select:
- Accounts in any organizational directory (Any Azure AD directory - Multitenant)
- Save changes. In the app manifest this sets signInAudience to AzureADMultipleOrgs, which you can use to confirm the change took effect.
Step 2: Create and Manage Secrets
Your app needs a credential for the client credentials flow. If you have not created one yet, go to Certificates & secrets and create a client secret (a certificate is the stronger choice for production, since it never leaves your side). Note down the Application (client) ID and the secret value; the secret value is shown only once, and it must be stored in a secret store, never in source control.
Step 3: Configure Redirect URI
Go to Authentication → Web → Redirect URIs
- Set Redirect URI = https://jwt.ms (for testing tokens). The redirect_uri you put in the admin consent URL in Step 5 must exactly match one registered here. jwt.ms is a test-only decoder; remove it from the registration before the app goes to production.
Step 4: Assign Graph API Permissions
- Add the required Microsoft Graph application permissions (for example User.Read.All). Application permissions run without a signed-in user and apply to the whole tenant, so request only the narrowest ones that cover your use case.
- Grant admin consent within Tenant X.
Step 5: Get Admin Consent from Tenant Y
Since your app is in tenant X, it doesn’t have direct access to tenant Y unless an administrator from tenant Y explicitly grants permission.
1. Share the admin consent URL with the administrator of Tenant Y. This is Tenant Y's /adminconsent endpoint on login.microsoftonline.com, carrying your app's client_id and one of its registered redirect_uri values.
2. The admin of Tenant Y must open the URL, sign in, and accept the consent prompt for your app.
3. Once accepted, a service principal for your app is created under Enterprise applications in Tenant Y, with the consented permissions listed on its Permissions blade. Nothing is copied into Tenant Y's App registrations; the registration stays in Tenant X.
Step 6: Generate Access Token
Request a token from Tenant Y's token endpoint (https://login.microsoftonline.com/{tenant-y}/oauth2/v2.0/token) with grant_type=client_credentials and scope=https://graph.microsoft.com/.default, but using the client ID and secret of the app registered in Tenant X. The tenant in the URL must be Tenant Y's ID or verified domain; the common and organizations endpoints cannot issue client credentials tokens.
This returns a Bearer access token. Its tid claim is Tenant Y's tenant ID and its roles claim lists the application permissions the Tenant Y admin consented to; if consent was never granted, the token request itself fails because the app has no service principal in Tenant Y.
Step 7: Fetch Users from Tenant Y
Use the token to call the Microsoft Graph API: GET https://graph.microsoft.com/v1.0/users with the header Authorization: Bearer <token>.
End Result
The app registration lives in Tenant X, but the users in the response belong to Tenant Y, because the token was issued by Tenant Y against the service principal created there at consent time.
You can also narrow the response with OData query parameters such as $filter, $select and $top, which keeps both the payload and the data your app handles to a minimum.
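The procedure in Steps 5 to 7, as an added example that is not part of the original post. It builds the admin consent URL for the Tenant Y administrator, requests a client credentials token from Tenant Y's token endpoint with the Tenant X app's credentials, checks that the token really is for Tenant Y and carries the consented role before using it, and then lists users through Microsoft Graph with an optional $filter. It uses only the Python standard library. The tenant name, tenant ID, client ID and the environment variable names (TENANT_Y, TENANT_Y_ID, CLIENT_ID, CLIENT_SECRET) are placeholders I chose for illustration; the unsigned_jwt helper only manufactures a fake, unsigned token so the claim checks can be exercised offline and is not something you would ever do with a real token.

```python
from __future__ import annotations

import base64
import json
import os
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/v1.0"
# A Graph token's aud is either the resource URI or Graph's well-known application ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def admin_consent_url(tenant: str, client_id: str, redirect_uri: str, state: str = "") -> str:
    """Step 5: URL the Tenant Y admin opens. redirect_uri must be one registered on the app."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri}
    if state:
        params["state"] = state  # opaque value echoed back so you can correlate the redirect
    return f"{LOGIN}/{tenant}/adminconsent?" + urllib.parse.urlencode(params)


def token_request(tenant: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Step 6: client-credentials request. `tenant` must be Tenant Y (GUID or verified domain);
    the common/organizations endpoints do not issue tokens for this grant."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    return urllib.request.Request(f"{LOGIN}/{tenant}/oauth2/v2.0/token", data=body, method="POST")


def get_token(tenant: str, client_id: str, client_secret: str) -> str:
    with urllib.request.urlopen(token_request(tenant, client_id, client_secret)) as resp:
        return json.load(resp)["access_token"]


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature. Fine for a local sanity check of
    which tenant the token was issued by; never use this to authorise anything."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str, expected_tid: str, required_role: str) -> list[str]:
    """Return the mismatches between the token and what Step 6 should have produced:
    issued by Tenant Y (tid), for Graph (aud), carrying the consented app role (roles)."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("tid") != expected_tid:
        problems.append(f"tid={claims.get('tid')!r}, expected {expected_tid!r}")
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"aud={claims.get('aud')!r} is not Microsoft Graph")
    if required_role not in claims.get("roles", []):
        problems.append(f"{required_role} missing from roles={claims.get('roles')!r}")
    return problems


def list_users(token: str, odata_filter: str | None = None) -> list[dict]:
    """Step 7: GET /users, narrowed with $select/$top and an optional OData $filter."""
    params = {"$select": "id,displayName,userPrincipalName", "$top": "10"}
    if odata_filter:
        params["$filter"] = odata_filter
    url = f"{GRAPH}/users?" + urllib.parse.urlencode(params, safe="$,()'")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def unsigned_jwt(claims: dict) -> str:
    """Offline test fixture only: an alg=none token so the checks above can be exercised
    without a tenant. Real tokens are signed by Azure AD; this never contacts it."""
    def part(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{part({'alg': 'none', 'typ': 'JWT'})}.{part(claims)}."


if __name__ == "__main__":
    # Placeholder identifiers; supply the real ones via the environment. The secret is never hardcoded.
    tenant_y = os.environ.get("TENANT_Y", "tenanty.com")
    tenant_y_id = os.environ.get("TENANT_Y_ID", "<tenant-y-guid>")
    client_id = os.environ.get("CLIENT_ID", "<tenant-x-app-client-id>")
    client_secret = os.environ["CLIENT_SECRET"]

    print("Send this to the Tenant Y admin:", admin_consent_url(tenant_y, client_id, "https://jwt.ms"))
    token = get_token(tenant_y, client_id, client_secret)
    issues = check_token(token, tenant_y_id, "User.Read.All")
    if issues:
        raise SystemExit("token is not what we expected: " + "; ".join(issues))
    for user in list_users(token, "startswith(displayName,'A')"):
        print(user["displayName"], user["userPrincipalName"])
```

The check_token step is the part most people skip: a token that comes back successfully but with Tenant X's tid (because the wrong tenant was used in the URL) or with an empty roles claim (because Tenant Y's admin consented to fewer permissions than you asked for) will produce a confusing 403 from Graph rather than a clear error, and decoding the claims locally tells you which of the two it is before you make the call.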
Conclusion
By following these steps, you can successfully enable your application to authenticate and fetch user data across multiple tenants. This setup is particularly useful for SaaS applications that need to serve multiple organizations securely.
Key Takeaways
- Always register your app in the primary tenant where you manage development.
- Ensure admin consent is granted in every external tenant where your app will be used.
- Use Microsoft Graph API with proper permissions to fetch or manage user data.
- Apply least privilege: request only the permissions your app truly needs, and remember that application permissions such as User.Read.All cover every user in the consenting tenant.
- Prefer a certificate over a client secret for production, keep the credential out of source control, and remove test-only redirect URIs such as https://jwt.ms before going live.