That’s what you get. Entra ID doesn’t allow you to blacklist or whitelist specific tenants for multi-tenant apps, which causes problems like this.
Add the fact that MSAL doesn’t work for stuff like browser extensions, so people have to implement their own security solutions to interact with Entra ID, and it’s not surprising there are so many issues.
> Entra ID doesn’t allow you to blacklist or whitelist specific tenants for multi-tenant apps.
This is one very annoying "feature": I'd like to say this app is available for the following tenants. No, only "my tenant" or "all tenants in Azure".
One workaround I use is to set up apps with "only this tenant" and invite users from other tenants into my tenant. The other approach is to say "all tenants" and then use a group to enforce who can actually use the app.
I don't know if there are any reasons behind this limitation, or if it's just an oversight, or no client big enough has asked for this feature.
Inviting individual users is a good pattern. If you want to allow an entire tenant into your tenant (e.g. if your parent company has a subdivision that has their own tenant), Entra has cross-tenant access [1] for that use case.
Generally, you should say "only this tenant" unless you're a SaaS provider. And if you're a SaaS provider, you should really already understand the need to keep your various customers' data separate.
[1] https://learn.microsoft.com/en-us/entra/external-id/cross-te...
No, that is not an option. Entra External ID creates user objects in your external tenant.
For various reasons, we are not allowed to store personal information like that.
I need to be able to accept users from tenant A and from tenant B. I need to know to which tenant they belong, but NOT any other information such as name or email address.
This is currently not possible at all in Entra ID. The only option is to allow all tenants and manually roll your own auth to whitelist certain ones before actually continuing to call APIs.
It’s completely moronic of Microsoft
To make things even worse, users of DIFFERENT tenants get stored TOGETHER in your external ID tenant.
In various situations it’s illegal or against contracts to have data of different companies in the same database.
One option is to have a button on the start page to ask the user which tenant they belong to, and then authenticate them appropriately. Very little friction in the authentication process: like, are you an employee or a contractor?
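The two workarounds described above ("allow all tenants, then whitelist certain tenants yourself before calling APIs" and "ask the user on the start page which tenant they belong to") combined into one piece of code, as an added example that is not from the thread, from Microsoft or from MSAL. It assumes the token's signature and expiry have already been verified by a JWT library against the issuing tenant's JWKS; only the per-tenant gate that Entra ID does not provide is shown here. The tenant IDs, labels, client ID and claims are constructed placeholders. One caveat the example encodes: with an "all tenants" registration there is no single fixed issuer, so the `iss` check has to be derived from the token's own `tid` (v2.0 issuer format `https://login.microsoftonline.com/{tid}/v2.0`) rather than a hard-coded string, and a token from an allowlisted `tid` whose `iss` points elsewhere is rejected.

```python
"""Tenant allowlist gate for an Entra ID app registered as "all tenants".

Added example (not from the thread). Signature/expiry verification is assumed
to be done beforehand by a JWT library; this code only implements the tenant
gate the app has to add itself. All IDs and claims below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: label offered on the start page -> tenant ID (GUID).
ALLOWED_TENANTS = {
    "employee": "11111111-1111-1111-1111-111111111111",
    "contractor": "22222222-2222-2222-2222-222222222222",
}
# Constructed application (client) ID of this app registration.
CLIENT_ID = "33333333-3333-3333-3333-333333333333"


def authority_for(label: str) -> str:
    """Tenant-specific authority for the tenant the user picked on the start page.

    Using the tenant's own authority instead of /common or /organizations means
    Entra ID only issues tokens from that tenant for this sign-in.
    A KeyError on an unknown label is intentional: no fallback to /common.
    """
    return f"https://login.microsoftonline.com/{ALLOWED_TENANTS[label]}/v2.0"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    tenant_id: Optional[str]
    reason: str


def check_tenant(claims: dict, expected_label: Optional[str] = None) -> Decision:
    """Accept an already-verified v2.0 token only if it comes from an allowlisted tenant.

    Order matters: establish which tenant issued the token (tid), make sure the
    token was minted for this app (aud) and that the issuer actually belongs to
    that tid, and only then consult the allowlist.
    """
    tid = claims.get("tid")
    if not isinstance(tid, str) or not tid:
        return Decision(False, None, "missing tid claim")
    if claims.get("aud") != CLIENT_ID:
        return Decision(False, tid, "audience mismatch")
    # Multi-tenant apps cannot pin one issuer; derive it from tid instead.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        return Decision(False, tid, "issuer does not match tid")
    if tid not in ALLOWED_TENANTS.values():
        return Decision(False, tid, "tenant not allowlisted")
    # If the user picked a tenant on the start page, the token must come from it.
    if expected_label is not None and ALLOWED_TENANTS[expected_label] != tid:
        return Decision(False, tid, "token tenant differs from the tenant the user picked")
    return Decision(True, tid, "ok")


def minimal_identity(claims: dict) -> dict:
    """Keep only the tenant and the per-tenant object ID; drop name/email claims."""
    return {"tid": claims["tid"], "oid": claims["oid"]}


# Constructed claims, shaped like what a JWT library returns after verification.
SAMPLE_OK = {
    "tid": ALLOWED_TENANTS["employee"],
    "aud": CLIENT_ID,
    "iss": f"https://login.microsoftonline.com/{ALLOWED_TENANTS['employee']}/v2.0",
    "oid": "44444444-4444-4444-4444-444444444444",
    "name": "Example User",  # present in the token, deliberately not kept
}
SAMPLE_FOREIGN = dict(
    SAMPLE_OK,
    tid="99999999-9999-9999-9999-999999999999",
    iss="https://login.microsoftonline.com/99999999-9999-9999-9999-999999999999/v2.0",
)
# Allowlisted tid but an issuer from some other tenant: must be rejected.
SAMPLE_ISSUER_MISMATCH = dict(
    SAMPLE_OK,
    iss="https://login.microsoftonline.com/99999999-9999-9999-9999-999999999999/v2.0",
)

if __name__ == "__main__":
    print(authority_for("contractor"))
    for sample in (SAMPLE_OK, SAMPLE_FOREIGN, SAMPLE_ISSUER_MISMATCH):
        print(check_tenant(sample, "employee"))
    print(minimal_identity(SAMPLE_OK))
```

The gate runs on every request that carries a token, not only at sign-in, because a token from a non-allowlisted tenant is still a perfectly valid Entra ID token for the app registration; only this check, not the registration, keeps tenant C out when the app is open to "all tenants".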
Azure has another option called a B2C tenant (they're renaming it now to something like Entra External ID or similar), which is designed to work as a user database for things like customers/clients. Instead of developing your own classic MySQL + $whatever framework for authentication, you use this service as an alternative.
If you invite an external user that already exists in another Microsoft Azure tenant, you only know their user principal and first/last name. Nothing else. All other info does not get populated into your tenant even if it exists in the source tenant.
I am aware of the cross-tenant functionality, but it does not come for free - you need at least a P1 subscription in all tenants involved. And you can't do this per user, just per tenant.
Yeah, I mean - if you're a big enough company where you have lots of cross tenant collaboration going on, you should pay for P1.