Skip to main content
Skip table of contents

Setting up multi-tenant Intune enrollment for MSAL users

If you offer an app to many organizations (that is, organizations that use different Azure AD tenants), you can make your app "multi-tenant" by configuring your app to accept sign-ins from any Azure AD tenant. Users in any Azure AD tenant can then sign into your app after consenting to use their account with your app.

This article describes how to make your app multi-tenant using a Microsoft Intune step when using the Blue Cedar Platform to orchestrate mobile app deployment. If the app does not already have the Microsoft Authentication Library (MSAL) built into it, MSAL can be added via the Blue Cedar Platform. (See Automatically deploying Intune-enabled apps.)

Step-by-step guide

Configure the Intune step with the app's Azure AD registration as described in No-Code Integration - Microsoft Intune. (Add any other stages and steps desired.) If you already have MSAL in your app, make sure any hard-coded authority value is set to the common authority value.

For multi-tenant apps, when you configure the app registration on the Microsoft portal, there are a few differences from the single-tenant app registration described on the No-Code Integration - Microsoft Intune page. The single vs multi-tenant differences are designated here with a (blue star).

Register the mobile app as a multi-tenant app on the Microsoft portal

  1. Using an account with Application administrator privileges, log into the Azure Active Directory admin center: 
  2. Search for an existing app or, to create a new registration, follow these steps:
    1. Click + New registration.
    2. On the "Register an application" screen, enter a name.
    3. (blue star) Under "Supported account types," select "Accounts in any organizational directory (Any Azure AD directory - Multitenant)."
    4. Click Register.

Configure API permissions for the multi-tenant mobile app

  1. On the screen for your app registration, copy these values from the Essentials section and save them to use on the Blue Cedar Platform for configuration:
    • Application (client) ID
    • Directory (tenant) ID
  2. On the same application screen, click API permissions, and add the following permissions:
    • Microsoft Graph API:
      • (blue star) offline_access
      • (blue star) openid
      • (blue star) User.Read
    • Microsoft Mobile Application Management
      • DeviceManagementManagedApps.ReadWrite
    • Intune API:
      • get_data_warehouse

Use the Intune step in a workflow

Continue with the workflow instructions as described in No-Code Integration - Microsoft Intune.

See for more information about making apps multi-tenant.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.