Azure Single-Tenant vs Multi-Tenant Applications

The distinction between single-tenant and multi-tenant Azure applications lies in how these applications handle user access and authentication across different Azure AD tenants (directories).

Single-Tenant Azure Application:

A single-tenant application is designed to serve users from a single Azure AD tenant (directory). It is registered in and can authenticate users only from that specific Azure AD tenant. It is used when the application is intended for use within a specific organization, and access is limited to users within that organization’s Azure AD.

Multi-Tenant Azure Application:

A multi-tenant application is designed to serve users from multiple Azure AD tenants (directories). It can be registered once and used by users from any Azure AD tenant that grants consent for the application. It should be chosen for applications that need to be used by customers or partners from different organizations, where each organization has its own Azure AD tenant.

Key Differences:

User Access:
– Single-Tenant: Users from a single specified Azure AD tenant can access the application.
– Multi-Tenant: Users from multiple Azure AD tenants can access the application after their tenant admin grants consent.

Registration and Consent:
– Single-Tenant: The application needs to be registered separately in each Azure AD tenant where it will be used.
– Multi-Tenant: The application is registered once, and tenant admins from other Azure AD tenants can grant consent for their users to access the application.

Authentication:
– Single-Tenant: Authentication is limited to users from the specific Azure AD tenant where the application is registered.
– Multi-Tenant: Authentication can occur for users from any Azure AD tenant that has granted consent.

Permissions and Roles:
– Single-Tenant: The application’s permissions are managed within the context of a single Azure AD tenant.
– Multi-Tenant: Permissions must be handled carefully so that access and data stay isolated between tenants. The application may need to support dynamic discovery of tenant-specific details.
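The permissions point above is where multi-tenant applications most often go wrong: a token signed by Azure AD proves the token is genuine, but it is the application's job to confirm that the token's tid claim names a tenant that actually granted consent and that the issuer claim belongs to that same tenant. The Python below is an added illustration, not code from Microsoft or any SDK; it assumes a JWT library has already verified the signature and expiry, and CONSENTED_TENANTS is a constructed stand-in for the consent records a real application would keep in its database. With a one-element allowlist the same check serves a single-tenant application.

```python
import re

# Constructed set of tenants whose admins have consented to this
# (hypothetical) multi-tenant application. A real application records a
# tenant here when its admin completes the consent flow.
CONSENTED_TENANTS = {
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
}

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


def expected_issuer(tenant_id: str, version: str) -> str:
    """Issuer Azure AD places in a token for the given tenant.
    v2.0 tokens use login.microsoftonline.com, v1.0 tokens sts.windows.net."""
    if version == "2.0":
        return f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    return f"https://sts.windows.net/{tenant_id}/"


def validate_tenant(claims: dict, allowed_tenants: set[str]) -> tuple[bool, str]:
    """Tenant-level checks on claims whose signature was already verified.

    The JWT library cannot know which tenants consented, so the tid check
    and the tid/issuer consistency check belong to the application."""
    tid = str(claims.get("tid", "")).lower()
    if not GUID_RE.match(tid):
        return False, "missing or malformed tid claim"
    version = str(claims.get("ver", "1.0"))
    if claims.get("iss") != expected_issuer(tid, version):
        return False, "issuer does not match tid"
    if tid not in allowed_tenants:
        return False, "tenant has not consented to this application"
    return True, "ok"


# Constructed v2.0 token claims from a consented tenant (no real token).
SAMPLE_CLAIMS = {
    "tid": "11111111-1111-1111-1111-111111111111",
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "ver": "2.0",
}

if __name__ == "__main__":
    print(validate_tenant(SAMPLE_CLAIMS, CONSENTED_TENANTS))
```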