Is it possible to restrict a multi-tenant Azure AD application, so that only a select few tenants are allowed to sign-up?
As mentioned in this article, the web app can validate the user by checking whether the issuer value is in a list of its approved tenants. However, this happens after the user has already signed up for the web app. Is it possible to restrict the sign-up process itself to an approved list of tenants?
You can restrict access to tenants but cannot restrict sign-up. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions
You could, however, have your service keep a whitelist of tenants which are allowed to call your API, and check that the token has the correct issuer or tid claim. (See Restrict Azure Active Directory app access to specific tenants)
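As an added illustration of the allow-list check described in this answer (this is example code, not from the answerer or from Microsoft), the function below accepts a decoded token's claims only when the `tid` claim is an approved tenant and the `iss` claim is the issuer Azure AD uses for that tenant (`https://sts.windows.net/{tid}/` for v1.0 tokens, `https://login.microsoftonline.com/{tid}/v2.0` for v2.0 tokens). It assumes the token's signature has already been verified against the issuing tenant's signing keys; the payload decoder and the unsigned sample token are for offline demonstration only, and the tenant IDs are constructed values.

```python
import base64
import json

# Tenant IDs (GUIDs) this service accepts. Constructed sample values for this example.
ALLOWED_TENANTS = {
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
}


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT (header.payload.signature).

    This performs NO signature check. In a real service the signature must be
    verified against the issuing tenant's published signing keys before any
    claim in the payload is trusted; this helper only exists so the example
    runs offline.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def expected_issuers(tid: str) -> set:
    """Issuer values Azure AD uses for a given tenant (v1.0 and v2.0 token formats)."""
    return {
        f"https://sts.windows.net/{tid}/",
        f"https://login.microsoftonline.com/{tid}/v2.0",
    }


def is_approved_tenant(claims: dict, allowed=ALLOWED_TENANTS) -> bool:
    """True only if the token comes from an allow-listed tenant.

    Both claims are checked: tid must be on the allow list, and iss must be the
    issuer Azure AD uses for that same tid, so a token whose claims disagree
    (or whose issuer is not Azure AD at all) is rejected.
    """
    tid = claims.get("tid")
    iss = claims.get("iss")
    if not tid or not iss:
        return False
    if tid not in allowed:
        return False
    return iss in expected_issuers(tid)


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none token with an empty signature. Demonstration only;
    such a token must never be accepted by a real service."""
    def b64(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    # Constructed sample claims, as an Azure AD v2.0 token would carry them.
    sample = {
        "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
        "tid": "11111111-1111-1111-1111-111111111111",
        "sub": "example-user",
    }
    token = make_unsigned_token(sample)
    print("approved:", is_approved_tenant(decode_jwt_payload(token)))
```

Enforce this on every request (or in the sign-in callback), not only at account creation: an allow list that is consulted once at sign-up does nothing for a tenant that is removed later.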