How to use Azure AD in SaaS multi-tenant application

I have an issue how to use Azure AD in context of my SaaS application. I have a feeling that Azure AD multi-tenant is a different term than SaaS multi-tenant. If I'm wrong, then I hope somebody will show my misinterpretation.

What is SaaS multi-tenant (IMO): separation of data and users in one application. In my case it is an application which works for many small companies. Application stores data in one database and uses schema per company/tenant. Each company can have many users - usually 1 - 5 users. SaaS is an .NET Core, REST application.

As a client I have a desktop application. I could implement JWT handling, but good practices suggests to use existing solutions, like Azure AD. So, I googled about it, but for Azure AD multi-tenant I see Azure AD B2B, but after deep reading, I don't think that it is an option for me, because my clients (companies) usually will not have their own Azure AD.

My question is - how to use Azure AD? I have feeling that:

• I should have only one tenant/directory, which is my own.
• My SaaS should add users to directory.
• How to mark in my directory that few 1 - 5 users belongs to the same SaaS tenant?

Azure AD topic is new to me, I will appreciate hints and tips which will make me close to implement authentication environment in my application.

I think you're over complicating it.

If you wish to deploy the application once in your tenant, and but you can all control of who can access the app (including guest accounts) and manage all the permissions, then use Single-tenant application: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

If you wish to deploy an application once in your tenant, and have it appear in different tenants where each tenant admins are responsible to manager their own user access and permissions to the app, then use Multi-tenant application: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant

You'll find the process to register both apps is essentially the same, you just need to have few tweaks applied to allow multi-tenant apps to work correctly.

More reading about multi-tenant apps: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-and-multi-tenant-apps

Here's a sample app if you wanna play around: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-3-Multi-Tenant/README.md

The idea of multi/single tenant apps gets a little bit blurred when you invite guest accounts from other tenant to your tenant to access an app: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/what-is-b2b

Remember the best way to think of this is: who is going to maintain use access and their permissions? answering that will make it easy to determine which type of registration to have. Hope this help.