Demonstrates the use of a single Azure AD B2C directory as the identity service for a multi-tenant SaaS application.

A SaaS application commonly uses the concept of a tenant to group users whose use of the application is separated from its use by any other group. For example, a SaaS application may provide accounting services. Each business using the application is considered a tenant in the application. To distinguish such a tenant from Azure AD tenants, this application uses the term application tenant. (Azure AD is also a SaaS application, hence it also has the concept of a tenant.)

In this sample, an individual can either create a new application tenant or sign in to a tenant they are already a member of. Once a tenant is created, its creator (admin) can invite other users by sending an invitation generated by this application to their email address. (That functionality is exposed only to creators of new tenants.) Users who create a tenant with an AAD (work or school) account can flag their tenant as allowing any other user from the same directory to join the tenant without an invitation. In that case, user access to the tenant is controlled through the Enterprise Applications tab in the directory portal. These users will not show up as members of the tenant in this application. Other users may still be invited to this tenant. To sign in to the app, the AAD users need to use the domain=commonaad and tenant=tenantName URL parameters.

Once signed up, a user may sign in again by appending the ?p=tenantName parameter to the app URL. Otherwise (if there is no such parameter), B2C will pick the first tenant the user is a member of or refuse sign-in altogether.
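The sign-in rules from the two paragraphs above, modelled as an added example that is not code from this sample. All class, field and function names are hypothetical, and two behaviours are assumptions: a requested tenant the user may not enter is refused rather than replaced by another tenant, and the same-directory path applies only when domain=commonaad is present.

```python
# Added example; every class, field and function name here is hypothetical.
from dataclasses import dataclass, field
from typing import List, Optional, Set
from urllib.parse import parse_qs, urlsplit

@dataclass
class AppTenant:
    name: str
    members: Set[str] = field(default_factory=set)  # creator plus invited users
    directory_id: Optional[str] = None   # AAD directory of the creator, if any
    allow_same_directory: bool = False   # "join without invitation" flag

@dataclass
class User:
    user_id: str
    directory_id: Optional[str] = None   # set only for AAD (work or school) users

class SignInRefused(Exception):
    """Raised when no application tenant may be issued for this sign-in."""

def resolve_tenant(url: str, user: User, tenants: List[AppTenant]) -> str:
    query = parse_qs(urlsplit(url).query)
    requested = (query.get("p") or query.get("tenant") or [None])[0]
    via_aad = query.get("domain", [""])[0] == "commonaad"

    def may_enter(t: AppTenant) -> bool:
        if user.user_id in t.members:
            return True
        # Directory-wide access: only on the AAD path, only if the tenant opted in.
        return (via_aad and t.allow_same_directory
                and t.directory_id is not None and t.directory_id == user.directory_id)

    if requested is not None:
        # The name in the URL is only a selector; access comes from stored state.
        for t in tenants:
            if t.name == requested and may_enter(t):
                return t.name
        # Assumption: refuse rather than fall back, and use the same error for
        # "no such tenant" and "not a member" so tenant names are not confirmed.
        raise SignInRefused("sign-in refused")
    for t in tenants:                    # no parameter: first membership wins
        if user.user_id in t.members:
            return t.name
    raise SignInRefused("sign-in refused")

if __name__ == "__main__":               # constructed sample data
    acme = AppTenant("acme", {"alice"}, "dir-1", True)
    url = "https://app.example/?domain=commonaad&tenant=acme"
    print(resolve_tenant(url, User("dave", "dir-1"), [acme]))
```

Directory-admitted users are never added to `members`, which matches the statement above that they do not show up as members of the tenant in the application.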

Source code for this app may be found on GitHub.

For more info, email me or use the GitHub source repo comments area.