Comments •

  • @alvin02_2_
    @alvin02_2_ 6 months ago +2

    Hello, thank you for these well detailed videos.
    I have a few questions if you do not mind.
    1. What features in the creation of Single-Tenant Application makes an Application either B2B or B2C?
    2. If personal Microsoft accounts, Google and Facebook accounts from external IDPs can be used for a Single Tenant application with B2B features, how is a Single Tenant B2B application different from a Single Tenant B2C application?
    3. You said an external user can sign up to a Single Tenant B2B application using a one-time passcode for sign up; the external user account is then created as a guest account in the home Entra ID tenant for the B2B application. How will this user subsequently sign in to this B2B application, or what is the auth flow for subsequent sign in since the user does not require a password?
    Thank you and I look forward to your answers.

    • @TechMindFactory
      @TechMindFactory 6 months ago +1

      Hi,
      Thank you for watching!
      Here are the answers - I hope they will be useful.
      1.
      I would say this is more about the approach rather than specific features. Here is the thing. A single-tenant application is created in your Microsoft Entra ID corporate tenant. You can invite guest users and grant them access to this application. You can also enable "self-service sign-up" using user flows so users can sign up and then access your application. However, please remember that B2B is more about corporate Microsoft Entra ID tenants, and for B2C scenarios it is recommended to use Azure AD B2C, which is a separate tenant and service. The most important question is this: "Do I want all customer accounts to land in my corporate tenant?". In most cases the answer is no. You want to have this isolation so your corporate partner accounts land in the Microsoft Entra ID tenant (the corporate one) and for customer solutions you use a separate tenant - Azure AD B2C.
      2.
      Good question. I partially answered this in the first point above. This is not about features specifically, it is more about an architecture decision. Typically you create a separate Azure AD B2C tenant to handle customer (B2C) use cases. You have isolation for accounts, you can customize authentication options (Google, Facebook, others) and you can customize what is included in the tokens issued to applications. You have to differentiate who should be treated as a "partner" of your organization (B2B scenario) and which corporate resources such a person should have access to, and who should be treated as a customer (B2C).
      3.
      For users who registered using a one-time passcode (or one-time password) the flow stays exactly the same. Once you have registered and you want to access the application again, you have to provide your email address and then a new one-time passcode will be sent to your email. It means that if you are authenticated and your session is still active, you can access the B2B application. If your session has expired, you have to go through the process again (get a new code sent to your email). Small fragment from the docs: "User sessions expire after 24 hours. After that time, the guest user receives a new passcode when they access the resource."
      I hope this clarifies a bit!

  • @frankguilain2602
    @frankguilain2602 8 months ago +1

    Hi, I love your videos. I’m casting them on my TV at night instead of a movie :-)
    The following video to this one would be multi tenant application or azure B2C (this is my current point :-) ).
    Great job, thanks and continue!

    • @TechMindFactory
      @TechMindFactory 8 months ago

      Thank you so much for the kind words! I am happy that you like the series and that it is interesting for you!
      When it comes to a video about multi-tenant vs B2C - let me put it on my list! I will think about it! :)

  • @DreamWalker886
    @DreamWalker886 3 months ago

    For the B2B scenario, do you have examples of redirect URLs? We keep getting invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.

  • @DreamWalker886
    @DreamWalker886 3 months ago

    Also, if we decide to use the multiple tenants scenario, how do we add the second tenant to the identity providers? What if the app accesses an API? How does the app work with the API with several tenants?

  • @DreamWalker886
    @DreamWalker886 3 months ago

    For the B2B case, how do I enable invitation only, without allowing self-signup?

  • @aysayko
    @aysayko 3 months ago

    How can I create a login for external users with credentials to my applications?

  • @frankguilain2602
    @frankguilain2602 6 months ago +1

    I was viewing this video again and looked at the ID token in the context of my Azure B2C tenant lab. Local users and external AD users have an ID token referencing my B2C tenant in their tid and iss claims. Is it the normal behaviour? I wanted to use this information to know from which tenant of our partners they were coming and use this information to give some permissions. But I cannot like this. And I see there is no UPN claim.
    I'm using custom policies issued from the socialandlocalaccounts templates that I customised to add federation with Entra ID. Could that be the reason?
    Thank you.

    • @TechMindFactory
      @TechMindFactory 6 months ago +1

      Yes, with Azure AD B2C the situation is a little bit different. In the custom policies you have the technical profile for your external identity federation. In this technical profile you can map claims from the federated identity provider. Here are examples of how you can get claims from the external IDP:
      Above you can see that I map the "iss" claim from the external IDP to the "identityProvider" claim that will be returned in the token from Azure AD B2C. I hope this clarifies a bit!

  • @larsolavk
    @larsolavk 8 months ago +1

    I really appreciate this series of videos and have learned a lot from them, but I am left with a question:
    Let's say I'm developing a multi-tenant SaaS solution where other organizations are my customers. My customer organizations again have a need to invite other organizations and their users to collaborate on their data in my SaaS solution. How can this be solved using Microsoft Entra ID? It is desirable that both my customer organizations and their partners should be able to manage their own users.
    My first thought was to register the SaaS solution as a multi-tenant app in my Microsoft Entra ID tenant, so that my customer organizations can add the SaaS solution as an enterprise application in their Microsoft Entra ID tenants and let their users access the SaaS solution. But what about the customers' partners and their users? Do you have any suggestions on how this can be implemented?

    • @TechMindFactory
      @TechMindFactory 8 months ago

      Thank you for the kind words and for watching!
      Very interesting scenario. Let me explain how I see it. I would rather think about my SaaS product architecture and identity integration. If you know that users of your product can invite other users, in such a case I would recommend using another approach where you enable your clients to use your SaaS product with their own Microsoft Entra ID tenant (or identity provider). Let me give an example with Salesforce. It is a SaaS product where you can configure your Entra ID as an identity provider. Here is an example:
      help.salesforce.com/s/articleView?id=sf.sso_provider_azure.htm&type=5
      In such a scenario, your clients can configure your SaaS product with their Entra ID tenant and also invite guest users to it. Of course (as I mentioned before) this scenario would work only when you provide your SaaS product with the option to integrate with external identity providers and you have a dedicated login URL for each client (company/registered entity).
      Having your SaaS product as a multi-tenant application in the scenario where you know that there will be multiple clients and they will invite B2B users is not a good idea here because of the complexity and aspects I mentioned in the video. Please also keep in mind that in the case of multi-tenant applications we use the /common endpoint for authentication. In the case of B2B users, they are taken to their "home" tenant for authentication. It means that after successful authentication, such a user would use the application in the context of their home tenant, not in the context of the tenant where the "multi-tenant" app is registered.
      Another solution would be to have your SaaS product secured with Entra ID (and registered as a multi-tenant application) where your customers can invite other users not using the B2B feature but instead creating accounts for them in their tenant. From the user management perspective it would also be more beneficial - for instance, as an owner of the entity using your SaaS product you could require MFA for all users and use security groups to group users in your tenant or assign specific app roles.
      Please let me know if it makes sense and if you have any other questions.

  • @turcanuandrei8307
    @turcanuandrei8307 5 months ago

    Hi, this video is great, I learned a lot from this, but I have one question. After registering my application as a multi-tenant one and creating logic around granting consent for tenants, I am facing the issue that users from the customer tenant can't log in to my application. The error says: "Selected user account does not exist in tenant 'Home Tenant' and cannot access the application '123' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account." Is there a way for users from customer tenants to log in to my application without being invited as a guest to my tenant? P.S. The service principal (instance) of my application is created in the customer tenant.

    • @turcanuandrei8307
      @turcanuandrei8307 5 months ago

      Issue fixed, don't forget to specify "organisations" or "common" instead of the tenantId value in appsettings.json
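Assuming the ID token has already been signature-, expiry- and audience-checked by your OIDC library, this added example (my own code, not from the video or from TechMindFactory) shows the check a relying party still has to do once it signs users in through /common or /organizations as discussed in this thread: the token is issued in the user's home tenant, so `tid` and `iss` must agree and must belong to an onboarded tenant. It also covers the B2C custom-policy reply above, where `tid`/`iss` name the B2C tenant itself and the partner tenant has to be read from the `identityProvider` claim mapped from the federated IdP's `iss`. The tenant GUIDs, the `ALLOWED_TENANTS` allowlist and the v2.0 issuer URL format are placeholders and assumptions.

```python
from typing import Optional
import re

# Constructed placeholder GUIDs for tenants onboarded to the SaaS product.
ALLOWED_TENANTS = {
    "11111111-1111-1111-1111-111111111111": "Contoso",
    "22222222-2222-2222-2222-222222222222": "Fabrikam",
}
# Tenant id Entra ID uses for personal Microsoft accounts (well-known value).
MSA_TENANT = "9188040d-6c67-4c5b-b112-36a304b66dad"
# Assumed v2.0 issuer format for tokens issued by a work/school tenant.
ENTRA_ISSUER = re.compile(r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0$")


def tenant_from_issuer(iss: Optional[str]) -> Optional[str]:
    """Return the tenant GUID embedded in a v2.0 Entra issuer URL, else None."""
    match = ENTRA_ISSUER.match(iss or "")
    return match.group(1) if match else None


def resolve_tenant(claims: dict, b2c_tenant_id: Optional[str] = None) -> str:
    """Return the onboarded tenant name for an already signature-checked ID token.
    Multi-tenant app via /common or /organizations: the token is issued in
    the user's home tenant, so 'tid' and 'iss' name that tenant and must agree.
    Azure AD B2C with Entra federation: 'tid' and 'iss' are the B2C tenant
    itself, so the home tenant comes from the 'identityProvider' claim that
    the custom policy mapped from the federated IdP's 'iss'.
    Raises PermissionError for anything that is not an onboarded work tenant.
    """
    tid = claims.get("tid")
    if b2c_tenant_id is not None and tid == b2c_tenant_id:
        home = tenant_from_issuer(claims.get("identityProvider"))
        if home is None:
            raise PermissionError("B2C token without a federated Entra issuer")
    else:
        home = tenant_from_issuer(claims.get("iss"))
        if home is None or home != tid:
            raise PermissionError("issuer does not match tid")
    if home == MSA_TENANT:
        raise PermissionError("personal Microsoft accounts are not onboarded")
    if home not in ALLOWED_TENANTS:
        raise PermissionError(f"tenant {home} has not been onboarded")
    return ALLOWED_TENANTS[home]


def is_allowed(claims: dict, b2c_tenant_id: Optional[str] = None) -> bool:
    """Boolean form of resolve_tenant for callers that only gate access."""
    try:
        resolve_tenant(claims, b2c_tenant_id)
        return True
    except PermissionError:
        return False
```

Without the `tid`/`iss` agreement check, any tenant that has consented to the multi-tenant app (or any personal account via /common) would be accepted, which is the isolation problem the thread is about.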