How to implement multi-tenant application with connection to Microsoft Entra ID (Azure AD)

We have a self-service multitenant application with tenants separated by Auth0 organizations.
We now want to offer our customers to connect to their Entra-ID (Azure AD) for SSO.

In the first concept we thought about registering a Microsoft AD connection for each single organization, using home realm discovery to decide where to go during login (we planned to use the Management API to create new connections so that organizational admins are able to do the configuration on their own).

Now I’m wondering if this is the correct way, since each customer would have to register an application on the Azure side manually. Reading the docs I came across the Microsoft configuration for applications, “Supported Account Types”, where you can choose “Accounts in any organizational directory”.

Could someone explain which way to choose:

  1. Each organization will have its own related Azure AD-connection in Auth0 and an app-registration with configuration “Accounts in this organizational directory only”

vs.

  2. The organizations use a shared Azure AD-connection in Auth0 and there is only one app-registration with configuration “Accounts in any organizational directory”

We also thought about bringing our App to the Microsoft Entra application gallery one day. I could imagine the decision above might have an impact on this goal.

help appreciated :slight_smile:

Related Docs:

Did you come to any conclusions? Also have the same question!

I would typically think your first option is the go to solution. Especially with home realm discovery being used.

However, I notice that you can add additional domains for the same Azure A/D Enterprise connection to match on for home realm discovery. Potentially allowing for 1 common enterprise connection + many Azure A/D tenant domains being matched on (if the Azure A/D app is configured to support any directory) for home realm discovery.

Would love to know if this is possible.
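To make the two layouts from the original question and the domain-alias idea in the reply above concrete, here is an added illustration; it is not code from the thread or from Auth0. It builds the Management API connection payloads for option 1 (one `waad` connection per organization) and option 2 (one shared `waad` connection carrying every customer domain as a `domain_aliases` entry), then runs the home realm discovery lookup that Auth0 performs on the email domain against those payloads. The keys used (`strategy: "waad"`, `options.client_id`, `options.client_secret`, `options.tenant_domain`, `options.domain_aliases`, `enabled_clients`) are the ones the Auth0 Management API uses for Azure AD enterprise connections; every concrete value (organization names, domains, client IDs and secrets, email addresses) is a constructed placeholder, and the duplicate-domain check is this example's own rule rather than something the thread states about Auth0.

```python
"""Added illustration (not from the forum thread): the two Auth0 connection
layouts discussed in the question, expressed as Management API payloads,
plus the home realm discovery (HRD) lookup that routes a login to a
connection. All concrete values below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Org:
    name: str                          # Auth0 organization name, e.g. "contoso"
    entra_tenant: str                  # primary Entra ID (Azure AD) tenant domain
    extra_domains: tuple[str, ...] = ()  # verified custom domains of that tenant


def per_org_connection(org: Org, client_id: str, client_secret: str,
                       app_client_ids: Iterable[str]) -> dict:
    """Option 1: one connection per organization, each backed by the customer's
    own single-tenant app registration ("Accounts in this organizational
    directory only"). This dict is what you would POST to /api/v2/connections."""
    return {
        "name": f"entra-{org.name}",
        "strategy": "waad",
        "options": {
            "client_id": client_id,          # the customer's app registration
            "client_secret": client_secret,
            "tenant_domain": org.entra_tenant,
            "domain_aliases": list(org.extra_domains),
        },
        "enabled_clients": list(app_client_ids),
    }


def shared_connection(orgs: Iterable[Org], client_id: str, client_secret: str,
                      app_client_ids: Iterable[str]) -> dict:
    """Option 2: one shared connection backed by a single multi-tenant app
    registration ("Accounts in any organizational directory"). Every customer
    domain is added as a domain alias so HRD still routes each email here.
    The connection must additionally point at Microsoft's common endpoint;
    that setting's JSON key is not shown in the thread, so it is left out."""
    aliases: list[str] = []
    for org in orgs:
        for domain in (org.entra_tenant, *org.extra_domains):
            if domain not in aliases:
                aliases.append(domain)
    return {
        "name": "entra-shared",
        "strategy": "waad",
        "options": {
            "client_id": client_id,          # your own multi-tenant app registration
            "client_secret": client_secret,
            # Placeholder: the vendor's own tenant domain (assumption, not from the thread).
            "tenant_domain": "VENDOR_TENANT_PLACEHOLDER.onmicrosoft.com",
            "domain_aliases": aliases,
        },
        "enabled_clients": list(app_client_ids),
    }


def connection_domains(conn: dict) -> set[str]:
    """All email domains a connection claims for HRD: tenant_domain plus aliases."""
    opts = conn["options"]
    return {opts["tenant_domain"].lower(),
            *(d.lower() for d in opts.get("domain_aliases", []))}


def resolve_connection(email: str, connections: Iterable[dict]) -> str | None:
    """Home realm discovery: return the name of the connection whose domains
    contain the email's domain, or None when no enterprise connection claims
    it (the login then falls through to the default, e.g. database login).
    A domain claimed by more than one connection is treated as a
    configuration error here, since the routing would be ambiguous."""
    if "@" not in email:
        raise ValueError(f"not an email address: {email!r}")
    domain = email.rsplit("@", 1)[1].strip().lower()
    matches = [c["name"] for c in connections if domain in connection_domains(c)]
    if len(matches) > 1:
        raise ValueError(f"domain {domain} is claimed by several connections: {matches}")
    return matches[0] if matches else None


# Constructed sample data: two customer organizations and one Auth0 application.
ORGS = (
    Org("contoso", "contoso.onmicrosoft.com", ("contoso.com",)),
    Org("fabrikam", "fabrikam.onmicrosoft.com"),
)
APP_CLIENTS = ("APP_CLIENT_ID_PLACEHOLDER",)

OPTION1 = [per_org_connection(o, f"CLIENT_ID_{o.name}", f"SECRET_{o.name}", APP_CLIENTS)
           for o in ORGS]
OPTION2 = [shared_connection(ORGS, "CLIENT_ID_shared", "SECRET_shared", APP_CLIENTS)]

if __name__ == "__main__":
    for label, conns in (("option 1", OPTION1), ("option 2", OPTION2)):
        for addr in ("alice@contoso.com", "bob@fabrikam.onmicrosoft.com", "eve@example.org"):
            print(f"{label}: {addr} -> {resolve_connection(addr, conns)}")
```

Run it and the same three addresses route to `entra-contoso`, `entra-fabrikam` and `None` under option 1, and to `entra-shared`, `entra-shared` and `None` under option 2. The point the lookup makes visible is that HRD only ever sees the email domain, so the choice between the two options is about which app registration Auth0 presents to Microsoft and who holds its client secret, not about how logins are routed; with option 2 the `domain_aliases` list on the shared connection is the one place every customer domain has to be kept current.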