Inviting individual users is a good pattern. If you want to allow an entire tenant into your tenant (e.g. if your parent company has a subdivision that has their own tenant), Entra has cross tenant access [1] for that use case.
Generally, you should say "only this tenant" unless you're a SaaS provider. And if you're a SaaS provider, you should really already understand the need to keep your various customers' data separate.
[1] https://learn.microsoft.com/en-us/entra/external-id/cross-te...
I am aware of the Cross tenant functionality, but it does not come free - you need at least a P1 subscription in all tenants involved. And you can't do this per user, just per tenant.
No, that is not an option. Entra External ID creates user objects in your external tenant.
For various reasons, we are not allowed to store personal information like that.
I need to be able to accept users from tenant A and from tenant B. I need to know to which tenant they belong, but NOT any other information such as name or email address.
This is currently not possible at all in Entra ID. The only option is allowing all tenants and manually rolling auth to whitelist certain ones to actually continue calling APIs.
It’s completely moronic of Microsoft
To make things even worse, users of DIFFERENT tenants get stored TOGETHER in your external ID tenant.
In various situations it’s illegal or against contracts to have data of different companies in the same database.
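The "allow all tenants, then whitelist in your own auth" approach mentioned above, as an added example that is not part of this thread and not Microsoft's code: after the token signature has been verified by whatever JWT library the API uses (that step is assumed and not shown), the claims are checked so that only the tenant ID (`tid`) decides access and nothing else about the user is needed. Entra v2.0 tokens carry the issuer as `https://login.microsoftonline.com/{tid}/v2.0` and v1.0 tokens as `https://sts.windows.net/{tid}/`; a multi-tenant app registration must validate that issuer itself, and the example checks that the issuer's tenant agrees with `tid` before consulting the allowlist. The tenant GUIDs, the `ALLOWED_TENANTS` set and the sample claims are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed placeholder tenant IDs standing in for "tenant A" and "tenant B".
# An allowlist keyed on tenant ID is the only per-tenant data this check needs.
ALLOWED_TENANTS: Set[str] = {
    "11111111-1111-1111-1111-111111111111",  # tenant A (placeholder)
    "22222222-2222-2222-2222-222222222222",  # tenant B (placeholder)
}

# Issuer formats Entra ID uses; the captured group is the tenant ID.
ISSUER_V2 = re.compile(r"^https://login\.microsoftonline\.com/([0-9a-fA-F-]{36})/v2\.0$")
ISSUER_V1 = re.compile(r"^https://sts\.windows\.net/([0-9a-fA-F-]{36})/$")


@dataclass(frozen=True)
class TenantDecision:
    allowed: bool
    tenant_id: Optional[str]  # the only identity attribute retained
    reason: str


def issuer_tenant(iss: str) -> Optional[str]:
    """Return the tenant ID embedded in a v1.0 or v2.0 Entra issuer, else None."""
    for pattern in (ISSUER_V2, ISSUER_V1):
        match = pattern.match(iss)
        if match:
            return match.group(1).lower()
    return None


def check_tenant(claims: Dict[str, object],
                 allowed_tenants: Set[str] = ALLOWED_TENANTS) -> TenantDecision:
    """Decide access from already signature-verified claims using only tid and iss.

    Name, email, oid and other personal claims are deliberately never read, so the
    caller can partition data by tenant without persisting user information.
    """
    tid = claims.get("tid")
    iss = claims.get("iss")
    if not isinstance(tid, str) or not isinstance(iss, str):
        return TenantDecision(False, None, "missing tid or iss claim")
    tid = tid.lower()
    # Binding tid to the issuer matters: with "all tenants" allowed, the token was
    # issued by whichever tenant the caller authenticated against.
    iss_tid = issuer_tenant(iss)
    if iss_tid is None:
        return TenantDecision(False, None, "issuer not an Entra v1.0/v2.0 issuer")
    if iss_tid != tid:
        return TenantDecision(False, None, "tid does not match issuer tenant")
    if tid not in {t.lower() for t in allowed_tenants}:
        return TenantDecision(False, tid, "tenant not on allowlist")
    return TenantDecision(True, tid, "ok")


# Constructed sample claims; a real payload also carries aud, exp, sub, etc.
SAMPLE_ALLOWED = {
    "tid": "11111111-1111-1111-1111-111111111111",
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "name": "Example User",  # present in the token but never consumed
}
SAMPLE_UNKNOWN_TENANT = {
    "tid": "33333333-3333-3333-3333-333333333333",
    "iss": "https://sts.windows.net/33333333-3333-3333-3333-333333333333/",
}
SAMPLE_MISMATCH = {
    "tid": "11111111-1111-1111-1111-111111111111",
    "iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
}


def demo() -> Dict[str, TenantDecision]:
    """Run the check over the constructed samples and return the decisions."""
    return {
        "allowed": check_tenant(SAMPLE_ALLOWED),
        "unknown_tenant": check_tenant(SAMPLE_UNKNOWN_TENANT),
        "mismatch": check_tenant(SAMPLE_MISMATCH),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label}: allowed={decision.allowed} tid={decision.tenant_id} ({decision.reason})")
```

Only `decision.tenant_id` needs to reach the data layer, which keeps rows for tenant A and tenant B keyed by tenant rather than by person; any app registration set to "only this tenant" would instead reject the foreign issuers outright at the library's issuer check, before this code runs.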