
moi2388, last Monday at 2:10 PM (1 reply)

No, that is not an option. Entra External ID creates user objects in your external tenant.

For various reasons, we are not allowed to store personal information like that.

I need to be able to accept users from tenant A and from tenant B. I need to know to which tenant they belong, but NOT any other information such as name or email address.

This is currently not possible at all in Entra ID. The only option is allowing all tenants and manually rolling auth to whitelist certain ones to actually continue calling APIs.

It’s completely moronic of Microsoft.

To make things even worse, users of DIFFERENT tenants get stored TOGETHER in your external ID tenant.

In various situations it’s illegal or against contracts to have data of different companies in the same database.
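The workaround the comment describes, a multi-tenant app that accepts tokens from any tenant and then rejects every tenant not on its own allowlist, as an added illustration that is not part of the thread. It operates on claims that a JWT library has already signature-verified; the tenant GUIDs and the pseudonymisation key are constructed placeholders, and returning only a tenant id plus a keyed pseudonym of the `oid` claim is this example's own design choice for keeping name and email out of the application's records. The `tid`, `iss` and `oid` claim names and the `https://login.microsoftonline.com/{tid}/v2.0` issuer format are those of Entra ID v2.0 tokens.

```python
import hashlib
import hmac
from typing import Any, Mapping, Optional

# Constructed allowlist of the tenants we accept (placeholder GUIDs, not real tenants).
ALLOWED_TENANTS = frozenset({
    "11111111-1111-1111-1111-111111111111",  # "tenant A"
    "22222222-2222-2222-2222-222222222222",  # "tenant B"
})

# Hypothetical server-side secret used only to pseudonymise the user id (assumption: stored outside the code).
PSEUDONYM_KEY = b"constructed-demo-key-replace-in-production"

ISSUER_PREFIX = "https://login.microsoftonline.com/"
ISSUER_SUFFIX = "/v2.0"


class TenantRejected(Exception):
    """Raised when a token does not come from an allowed tenant."""


def tenant_from_issuer(iss: str) -> Optional[str]:
    """Extract the tenant id from an Entra ID v2.0 issuer URL, or None if it is malformed."""
    if not (iss.startswith(ISSUER_PREFIX) and iss.endswith(ISSUER_SUFFIX)):
        return None
    tid = iss[len(ISSUER_PREFIX):-len(ISSUER_SUFFIX)]
    return tid or None


def admit(claims: Mapping[str, Any]) -> dict:
    """Return the minimal record the app keeps (tenant id + pseudonymous subject), else raise.

    `claims` must already be signature-verified by the JWT library; this function only
    enforces the tenant allowlist that the "common" endpoint does not enforce for you.
    """
    tid = claims.get("tid")
    if not isinstance(tid, str) or tid not in ALLOWED_TENANTS:
        raise TenantRejected(f"tenant not allowed: {tid!r}")
    # Cross-check: the issuer must name the same tenant as the tid claim.
    if tenant_from_issuer(str(claims.get("iss", ""))) != tid:
        raise TenantRejected("issuer does not match tid claim")
    oid = claims.get("oid")
    if not isinstance(oid, str) or not oid:
        raise TenantRejected("missing oid claim")
    # Keyed hash of tenant + object id: stable per user, but not reversible to the oid
    # without the key, and nothing else from the token (name, email) is retained.
    subject = hmac.new(PSEUDONYM_KEY, f"{tid}:{oid}".encode(), hashlib.sha256).hexdigest()
    return {"tenant_id": tid, "subject": subject}


# Constructed sample claims, as a JWT library would hand them back after verification.
SAMPLE_CLAIMS_A = {
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "aaaaaaaa-0000-0000-0000-000000000001",
    "name": "Example User",
    "preferred_username": "user@example.invalid",
}

if __name__ == "__main__":
    print(admit(SAMPLE_CLAIMS_A))
    try:
        admit({**SAMPLE_CLAIMS_A, "tid": "33333333-3333-3333-3333-333333333333"})
    except TenantRejected as exc:
        print("rejected:", exc)
```

The issuer cross-check matters because with the multi-tenant (`common`) endpoint your JWT library cannot validate the issuer against a single fixed value; if you skip both checks, any Entra tenant's users reach your API. The pseudonymisation step is what keeps the app's own store free of the name and email that the token still carries.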


Replies

ExoticPearTree, last Tuesday at 11:40 AM

One option is to have a button on the start page to ask the user which tenant they belong to, and then authenticate them appropriately. Very little friction in the authentication process, like: are you an employee or a contractor?

Azure has another option called a B2C tenant (they're renaming it now to something like Entra External ID) which is designed to work as a user database for things like customers/clients. You use this service as an alternative instead of developing your own classic MySQL + $whatever framework for authentication.

If you invite an external user that already exists in another Microsoft Azure tenant, you only know their user principal and first/last name. Nothing else. All other info does not get populated into your tenant even if it exists in the source tenant.