Hello Nishant Kant Ojha,
Greetings! Thanks for raising this question in the Q&A forum.
This is a fundamental distinction in how multi-tenant applications work in Microsoft Entra ID, and it is a common point of confusion. Understanding the difference between an application object and a service principal is key here.
When you register an application in your home tenant, the app registration (application object) lives only in your home tenant permanently. It does not replicate or copy to other tenants, even if you configure the application as multi-tenant and list other tenants as supported. What appears in a guest or external tenant after consent is not an app registration; it is a service principal object, which is a local representation of the application in that tenant that enables access control, consent tracking, and token issuance. These are two separate object types.
In a standard Entra ID workforce tenant, the service principal is created automatically the first time a user or admin from that tenant consents to the application. In Microsoft Entra External ID, the behaviour is different and more restrictive, which is what you are likely encountering.
Here is how to get your application visible and functional in your Entra External ID tenant.
- Understand that Entra External ID has limited multi-tenant application support. Entra External ID tenants (the customer identity type, formerly Azure AD B2C's successor) are not standard workforce tenants. They are purpose-built for customer-facing scenarios and do not support the standard multi-tenant consent flow that creates a service principal automatically. Applications that external users authenticate with must typically be registered directly within the External ID tenant itself, rather than relying on cross-tenant service principal provisioning.
- Register the application directly in the Entra External ID tenant. Switch your portal context to the External ID tenant by selecting it from the directory switcher in the top right of the Azure portal. Then go to Identity > Applications > App registrations > New registration and register the application there. This creates a native application object in the External ID tenant, which is the supported model for that tenant type.
- Use the same Application (client) ID if needed. If you need the same client ID across tenants for your architecture, note that each registration generates its own unique Application ID. For External ID scenarios, the recommended approach is to treat the External ID tenant registration as a separate application identity and configure your application code to use the correct client ID and authority URL for the External ID tenant:
https://login.microsoftonline.com/<your-external-tenant-id>/v2.0
or for External ID with custom domain:
https://<your-tenant>.ciamlogin.com/<your-tenant>.onmicrosoft.com/v2.0
- If you specifically need a service principal in a standard Entra ID tenant (not External ID) to appear, trigger admin consent. For standard multi-tenant scenarios where the guest tenant is a regular workforce Entra ID tenant, an admin of that tenant can pre-provision the service principal without waiting for user consent by navigating to:
https://login.microsoftonline.com/<target-tenant-id>/adminconsent?client_id=<your-app-client-id>
This creates the service principal in the target tenant immediately. You can then verify it appeared by going to Enterprise applications in that tenant and searching by your application's client ID.
- Verify the service principal via Microsoft Graph if needed. To confirm whether a service principal exists in a given tenant, you can query:
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '<your-app-client-id>'
Run this call authenticated against the target tenant. An empty result means no service principal has been provisioned there yet.
If this answer helps you, kindly accept the answer, which will help others who have similar questions.
Best Regards,
Jerald Felix.
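
An added example, not part of the answer above: a small Python helper that builds the admin consent URL and the Graph lookup quoted in the answer, then interprets the Graph response to tell "no service principal" apart from "service principal for an app registered in another tenant". The function names, tenant IDs, client ID and response body are constructed for illustration; appOwnerOrganizationId is the Graph servicePrincipal property holding the tenant where the application is registered.

```python
import json
import uuid
from urllib.parse import quote, urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"

# Constructed sample values (not real tenants or applications).
HOME_TENANT = "aaaaaaaa-0000-0000-0000-000000000001"
GUEST_TENANT = "bbbbbbbb-0000-0000-0000-000000000002"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
# Constructed response, shaped like a Graph servicePrincipals list result.
SAMPLE_PRESENT = json.dumps({"value": [{
    "appId": CLIENT_ID,
    "displayName": "Contoso Portal",
    "appOwnerOrganizationId": HOME_TENANT,
}]})


def _guid(value):
    """Return the canonical GUID form or raise ValueError, so stray quotes
    or query syntax never reach the URLs built below."""
    return str(uuid.UUID(value))


def admin_consent_url(target_tenant_id, client_id):
    """Admin consent endpoint from the answer (workforce tenants only)."""
    query = urlencode({"client_id": _guid(client_id)})
    return f"{LOGIN}/{_guid(target_tenant_id)}/adminconsent?{query}"


def sp_lookup_url(client_id):
    """Graph query from the answer, with the $filter value percent-encoded."""
    odata_filter = f"appId eq '{_guid(client_id)}'"
    return f"{GRAPH}/servicePrincipals?$filter={quote(odata_filter)}"


def classify(graph_body, queried_tenant_id):
    """Interpret the response body returned by the queried tenant."""
    items = json.loads(graph_body).get("value", [])
    if not items:
        return "absent"  # no service principal provisioned there yet
    owner = items[0].get("appOwnerOrganizationId")
    if owner and _guid(owner) == _guid(queried_tenant_id):
        return "local-registration"  # the app object lives in this tenant
    return "cross-tenant"  # local service principal, app registered elsewhere
```

The HTTP call itself is left out; send the URL from sp_lookup_url with a token issued for the target tenant and pass the response body to classify.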