Posted on March 13, 2026

How to Limit Multi-Tenant Applications to Specific Tenants in Entra ID

Summary
Microsoft has introduced a new feature in Entra ID that allows administrators to restrict multi-tenant applications so that only specific external tenants can access them. This update simplifies tenant access management and strengthens governance for multi-tenant apps.

Earlier, when an application was configured as a multi-tenant app, it could be accessed by users from any external tenant. This meant that if another organization discovered the application’s details, they could grant consent and begin using the app, depending on their tenant’s user consent settings.

To address this, Microsoft introduced a Microsoft Graph API capability a few months ago that allowed administrators to configure tenant restrictions programmatically. Microsoft has now simplified this further by bringing a new preview feature ‘Allow only certain tenants’ directly into the Entra admin center.

This blog explains how to restrict sign-in audiences for multi-tenant Entra apps to strengthen access control across external tenants.

Why Restricting Multi-Tenant Applications to Specific Tenants Is Important

Restricting app access for multi-tenant configured applications is crucial for the following reasons:

  • Support partner-specific applications: Ideal for applications built for specific partners, customers, or integrations that should not be publicly accessible.
  • Reduce administrative overhead: Tenant restrictions can now be managed directly at the platform level, eliminating the need for custom access logic within the application.

Restrict Multi-Tenant Apps to Specific Organizations

We can limit multi-tenant application access to specific tenants using both the Entra portal and PowerShell. To view the detailed steps, explore the sections below.

Limit Multi-Tenant App Access to a Specific Tenant Using Entra Portal

To create a new multi-tenant application limited to specific tenants using Microsoft Entra admin center, follow the steps below:

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Entra ID > App registrations and click + New registration.
  3. On the Register an application page, provide the application name.
  4. Under the Supported account types section, choose Multiple Entra ID tenants from the drop-down list.
  5. Then, select the Allow only certain tenants (Preview) radio button.
  6. Next, specify the tenant IDs or domain names of the organizations that should be allowed to access the application.
  7. Finally, click Apply and register the Entra ID application as usual.


The above approach helps limit access to a new multi-tenant application for specific organizations. If you want to restrict an existing multi-tenant application to specific organizations, that is also possible. To do so, follow the steps below.

  1. Navigate to Entra ID > App registrations and select the respective application.
  2. Select the Authentication (Preview) tab under Manage.
  3. Next, go to the Supported accounts section and select Multiple Entra ID tenants from the Supported account types drop-down.
  4. Then choose Allow only certain tenants.
  5. On the Manage allowed tenants (Preview) page, add the tenant IDs or domain names of the organizations you want to allow.
  6. Finally, click Apply and save the settings.


Restrict Sign-in Audiences for Multi-Tenant Entra Apps

You can also use PowerShell to configure tenant restrictions for multi-tenant applications, both for existing apps and for apps you are registering. The steps are as follows.

  • First, connect to Microsoft Graph using the following cmdlet.
  • To configure tenant restrictions for multi-tenant applications, run the following cmdlet, replacing <Appname> with the app name and <TenantID> with the tenant IDs.

  • To restrict multi-tenant app access to a specific tenant for an existing app, run the following cmdlet. Make sure to replace <ObjectID> with the object ID of the app, <Appname> with the app name, and <TenantID> with the tenant IDs.
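
The PowerShell procedure above, written out as an added example (not the original post's cmdlets): it sets the allowed-tenant list through the Graph beta endpoint with Invoke-MgGraphRequest, for either a new or an existing app, and reads the setting back. The helper name Set-AppAllowedTenants is hypothetical, and the signInAudienceRestrictions property names are assumed from the Microsoft Graph beta application schema.

```powershell
# Added example, not the original post's cmdlets. Needs Microsoft.Graph.Authentication.
# Assumption: signInAudienceRestrictions / allowedTenantsAudience and its two properties
# come from the Microsoft Graph beta application schema; verify them before relying on this.
function Set-AppAllowedTenants {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $ObjectId,                           # existing app's object ID; omit to register a new app
        [string] $AppName,                            # display name, required for a new registration
        [Parameter(Mandatory)] [string[]] $TenantId,  # tenant IDs (GUIDs) allowed to use the app
        [bool]   $AllowHomeTenant = $true
    )
    # Reject anything that is not a GUID before it reaches the allow list.
    foreach ($id in $TenantId) {
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse($id, [ref]$parsed)) { throw "Not a valid tenant ID: $id" }
    }
    $body = @{
        signInAudience             = 'AzureADMultipleOrgs'
        signInAudienceRestrictions = @{
            '@odata.type'       = '#microsoft.graph.allowedTenantsAudience'
            isHomeTenantAllowed = $AllowHomeTenant
            allowedTenantIds    = @($TenantId)
        }
    }
    $base = 'https://graph.microsoft.com/beta/applications'
    if ($ObjectId) {
        if ($PSCmdlet.ShouldProcess($ObjectId, 'Restrict sign-in to allowed tenants')) {
            Invoke-MgGraphRequest -Method PATCH -Uri "$base/$ObjectId" -ContentType 'application/json' -Body ($body | ConvertTo-Json -Depth 5)
        }
    } else {
        if (-not $AppName) { throw 'AppName is required when registering a new application.' }
        $body.displayName = $AppName
        if ($PSCmdlet.ShouldProcess($AppName, 'Register restricted multi-tenant app')) {
            $ObjectId = (Invoke-MgGraphRequest -Method POST -Uri $base -ContentType 'application/json' -Body ($body | ConvertTo-Json -Depth 5)).id
        }
    }
    # Read the setting back so the restriction is confirmed rather than assumed.
    if ($ObjectId) {
        Invoke-MgGraphRequest -Method GET -Uri "$base/$($ObjectId)?`$select=displayName,signInAudience,signInAudienceRestrictions"
    }
}

Connect-MgGraph -Scopes 'Application.ReadWrite.All'
# Replace the placeholders with real values; the GUID check rejects them as written.
Set-AppAllowedTenants -ObjectId '<ObjectID>' -TenantId '<TenantID>'
```

Running the function with -WhatIf shows which application would be changed without sending the PATCH or POST request.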

Behavior When a Tenant Is Not in the Allowed List for a Multi-tenant App

If a user from a tenant that is not included in the allowed tenants list attempts to access the application, the AADSTS7000119 error will be returned.


Note: If an organization has already granted consent to the application and its tenant ID is later removed from the allowed tenants section, it will also encounter the same error.

And that’s a wrap! Restricting multi-tenant applications to specific tenants in Microsoft Entra ID helps organizations maintain better control over who can access and provide consent to their applications. By allowing only approved tenants, you can prevent unauthorized organizations from consenting and using your application.

If you have any questions, feel free to share them in the comments—we’d love to hear from you. Stay tuned for more blogs coming soon!

About the author

Dhinesh K is a passionate Microsoft 365 contributor, helping administrators understand feature behavior and apply configurations consistently in real environments.
