Managing Identity with Azure Entra for Multiple Clients

Deepak Arora 20 Reputation points
2025-04-29T08:08:53.3866667+00:00

How can Azure Entra be utilized to manage identity for a web application that is expecting to grow from approximately 200 clients? Each client can customize their login theme and will have multiple users.

Considering that Azure Entra ID has a limitation of 200 tenants and Azure Entra External ID supports up to 20 tenants per subscription, what would be the best solution to accommodate these requirements?


Accepted answer
    Sakshi Devkante 3,335 Reputation points Microsoft External Staff
    2025-04-29T17:08:31.83+00:00

    Hello Deepak Arora,

    While Azure Entra External ID (for customers) has some subscription-level tenant limits, the better long-term solution is to use a single Azure Entra External ID (B2C) tenant and implement per-client branding and segregation within that.

    Rather than creating a tenant per client (which hits the 200-tenant limit), leverage a single Azure Entra ID tenant and manage clients within that tenant using custom policies, branding, and group/user management.

    Azure Entra External ID (formerly Azure AD B2C) allows you to manage identities of external users (e.g., customers) within a single tenant, and it's designed for multi-organization support without requiring one tenant per customer.

    Azure Entra External ID supports customized user flows and custom policies (Identity Experience Framework), including:

    Custom UI per client: You can dynamically load branding (logos, colors) based on the domain or query string.

    Separate user journeys: Custom policies allow defining different flows per client (e.g., signup, login, MFA).

    Domain filtering: Based on email domain or another identifier, route users through the correct flow.

    You do not need to create one Entra tenant per client. Instead, simulate multi-tenancy by:

    - Storing client metadata in a database (branding settings, allowed domains, etc.).

    - Using pre-authentication logic (e.g., in the web app or via B2C prebuilt/custom policies) to select branding and flow.

    - Working with Azure AD B2C Custom Policies
    - Azure AD B2C custom policy overview
    - Considerations for using Azure Active Directory B2C in a multitenant architecture
    - Enable custom domains in Azure Active Directory B2C
    - how-to-custom-oidc-federation-customers

    Within a single B2C tenant, you can:

    - Tag users with custom attributes (e.g., clientId) to group them by organization.

    - Use Access Control in your app to enforce client boundaries (i.e., a user in Client A can't access Client B's data).

    Use Conditional Access, MFA, identity protection, and verified domains per client to enforce secure access as needed.

    If you feel this clarified your question, please remember to "Accept Answer", so that others in the community facing similar issues can easily find this post.

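One way to implement the pattern this answer describes (resolving the client from the login hostname, a query string or the email domain; loading branding and the B2C policy from metadata the app stores itself; and enforcing the client boundary in the app from a custom attribute on the user), as an added Python example that is not part of the original answer or of Microsoft's documentation. The client records, hostnames, policy names, the `extension_clientId` attribute name, and the tenant, app id and redirect URI values are all constructed assumptions; only the shape of the B2C authorize endpoint is the documented one.

```python
"""Single-tenant-per-app, many-clients pattern for Azure AD B2C / Entra External ID.

Added example: client metadata, hostnames, policy names and attribute names below are
constructed for illustration and are not real values.
"""
import secrets
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass(frozen=True)
class ClientConfig:
    """Per-client metadata the app keeps in its own database (constructed sample)."""
    client_id: str          # value stored in the user's custom attribute
    login_host: str         # custom login hostname for this client
    email_domains: tuple    # email domains that belong to this client
    policy: str             # B2C user flow / custom policy for this client's journey
    logo_url: str
    primary_color: str


# Constructed sample "client table"; a real app would load this from a database.
CLIENTS = {
    "contoso": ClientConfig("contoso", "login.contoso.example", ("contoso.example",),
                            "B2C_1A_signup_signin_mfa", "https://cdn.example/contoso.svg", "#0047AB"),
    "fabrikam": ClientConfig("fabrikam", "login.fabrikam.example", ("fabrikam.example", "fabrikam.co"),
                             "B2C_1A_signup_signin", "https://cdn.example/fabrikam.svg", "#D2691E"),
}
_BY_HOST = {c.login_host: c for c in CLIENTS.values()}
_BY_DOMAIN = {d: c for c in CLIENTS.values() for d in c.email_domains}


def resolve_client(host, query):
    """Pre-authentication step: pick the client from the request host first, then
    from a ?client= query parameter, then from the domain of an email the user typed.
    Returns None when nothing matches so the caller can show a neutral page instead
    of guessing a client (and its branding) for an unknown visitor."""
    if host in _BY_HOST:
        return _BY_HOST[host]
    cid = query.get("client")
    if cid in CLIENTS:
        return CLIENTS[cid]
    domain = query.get("email", "").rpartition("@")[2].lower()
    return _BY_DOMAIN.get(domain)


def branding_context(client):
    """Values the app injects into its login page template for this client."""
    return {"logo_url": client.logo_url, "primary_color": client.primary_color,
            "client_id": client.client_id}


def authorize_url(tenant, client, app_id, redirect_uri, state):
    """Build the B2C authorization request for the client's own policy.
    Endpoint shape ({tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize)
    is the documented B2C pattern; tenant, app_id and redirect_uri are placeholders."""
    params = {
        "client_id": app_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid offline_access",
        "state": state,                          # carry the resolved client through the round trip
        "nonce": secrets.token_urlsafe(16),      # bind the id_token to this request
    }
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{client.policy}/oauth2/v2.0/authorize?{urlencode(params)}")


def enforce_client_boundary(claims, expected_client_id, attr="extension_clientId"):
    """Authorization check run after the token signature/issuer/audience were validated:
    the custom attribute on the signed-in user must match the client whose data the
    request is for. B2C exposes custom attributes as extension_<name>; the exact
    name is an assumption here. A missing attribute is treated as a mismatch."""
    return claims.get(attr) == expected_client_id


if __name__ == "__main__":
    client = resolve_client("app.example", {"email": "ann@fabrikam.co"})
    print(branding_context(client))
    print(authorize_url("mytenant", client, "00000000-app-id", "https://app.example/cb", "fabrikam"))
    print(enforce_client_boundary({"extension_clientId": "fabrikam"}, "fabrikam"))
```

The boundary check belongs in the app for every data request, not only at login: B2C authenticates the user and returns the attribute, but nothing in the tenant stops a Contoso user from presenting a valid token to a Fabrikam resource unless the app compares the claim with the client it is serving.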