Azure single-tenant web app vs multi-tenant

azure, multi-tenancy

There is a switch in the Azure portal (accessed by Azure Active Directory / App registrations / View all applications / your app / Settings / Properties), with the label Multi-tenanted and options Yes or No. The tooltip on the label says:

Designates whether users in external organizations are allowed to grant your app access to data in their organization's directory. This control affects only the ability to grant access. It does not affect any access that has already been granted.

To me, it doesn't seem to imply that, for a single-tenant app, no one except users in your AD can access your app. But many other blog posts by individuals explicitly say that only those in your AD can access your app; for example, difference-between-single-vs-multi-tenant.

I could not find anything definitive about this in Microsoft documentation; for example in this doc.

Can someone clarify this for me and others who may have a doubt, by providing an authoritative source?

Best Answer

This link here seems to be the most appropriate source to answer your question.

It’s important to note the differences between a single-tenant and multi-tenant application:

A single-tenant application is intended for use in one organization. It's typically a line-of-business (LoB) application written by an enterprise developer. A single-tenant application can only be accessed by users with accounts in the same tenant as the application registration. As a result, it only needs to be provisioned in one directory.

A multi-tenant application is intended for use in many organizations. Referred to as a software-as-a-service (SaaS) web application, it's typically written by an independent software vendor (ISV). Multi-tenant applications must be provisioned in each tenant where users need access. For tenants other than the one where the application is registered, user or administrator consent is required in order to register them. Note that native client applications are multi-tenant by default as they are installed on the resource owner's device. See the preceding Overview of the consent framework section for details on the consent framework.

Please mark this as the answer if you are satisfied with the response :)
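An added example, not part of the answer above or of Microsoft's documentation: how an application can enforce the single-tenant versus multi-tenant distinction on the `tid` and `iss` claims of a token. It assumes v2.0 tokens whose signature, audience and expiry were already validated by a token library; the function names, the onboarded-tenant allow-list and the tenant IDs are constructed for illustration.

```python
import re
from typing import Optional, Set

GUID = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$")
# Issuer format of v2.0 tokens; the tenant ID is part of the issuer.
V2_ISSUER = "https://login.microsoftonline.com/{tid}/v2.0"

# Constructed placeholder tenant IDs, not real directories.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
CUSTOMER_TENANT = "22222222-2222-2222-2222-222222222222"
UNKNOWN_TENANT = "33333333-3333-3333-3333-333333333333"


def tenant_allowed(claims: dict, home_tenant: str, multi_tenant: bool,
                   onboarded: Optional[Set[str]] = None) -> bool:
    """Decide whether the tenant named in verified claims may use the app."""
    tid = str(claims.get("tid", "")).lower()
    if not GUID.match(tid):
        return False
    # The issuer must belong to the same tenant as the tid claim, so one
    # tenant's issuer cannot vouch for another tenant's users.
    if claims.get("iss") != V2_ISSUER.format(tid=tid):
        return False
    if not multi_tenant:
        # Single-tenant: only the tenant holding the app registration.
        return tid == home_tenant
    # Multi-tenant: the home tenant plus tenants the app has onboarded.
    return tid == home_tenant or tid in (onboarded or set())


def sample_claims(tid: str, iss_tid: Optional[str] = None) -> dict:
    """Build constructed claims; iss_tid lets the demo mismatch the issuer."""
    return {"tid": tid, "iss": V2_ISSUER.format(tid=iss_tid or tid)}


if __name__ == "__main__":
    onboarded = {CUSTOMER_TENANT}
    cases = [
        ("single-tenant, home user", sample_claims(HOME_TENANT), False),
        ("single-tenant, external user", sample_claims(CUSTOMER_TENANT), False),
        ("multi-tenant, onboarded tenant", sample_claims(CUSTOMER_TENANT), True),
        ("multi-tenant, unknown tenant", sample_claims(UNKNOWN_TENANT), True),
        ("tid/issuer mismatch", sample_claims(HOME_TENANT, UNKNOWN_TENANT), False),
    ]
    for label, claims, multi in cases:
        print(f"{label}: {tenant_allowed(claims, HOME_TENANT, multi, onboarded)}")
```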
