Hi @Sashin Sahasra · Thank you for reaching out.
When you create a multi-tenant application (e.g. App001) in tenant1 and users of tenant2 access that application, a service principal corresponding to App001 gets created in tenant2. Tenant2 can then issue a token whose audience is App001's App ID URI, and only App001 can consume the token.
In order to create resources (e.g. a Storage Account) in Azure, the audience must be https://management.core.windows.net/, which you cannot get in the context of the service principal created in tenant2 corresponding to App001.
Can they get access to the resources in my tenant?
No, the users will not be added to your tenant when they access the multi-tenant application. So you can't use RBAC to grant them access to the resources in the subscription linked to your tenant.
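The audience restriction described in the answer above, shown as an added example that is not part of the original answer: it decodes the claims of a token issued for App001 and applies the audience check a resource performs. The App ID URI, tenant ID, and token are constructed placeholders, and the signature is not verified here.

```python
import base64
import json

# Audience Azure Resource Manager expects, as quoted in the answer above.
ARM_AUDIENCE = "https://management.core.windows.net/"
# Constructed placeholder for App001's App ID URI (not a real value).
APP001_AUDIENCE = "api://app001-example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for offline inspection."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


def read_claims(token: str) -> dict:
    """Decode the payload segment. This does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def audience_matches(token: str, expected: str) -> bool:
    """Audience check a resource applies: 'aud' must name that resource."""
    aud = read_claims(token).get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return expected in audiences


# Constructed claims: a tenant2 user signed in to App001.
TENANT2_TOKEN = build_sample_token({
    "aud": APP001_AUDIENCE,
    "tid": "tenant2-id-placeholder",
    "sub": "user-in-tenant2",
})

if __name__ == "__main__":
    for name, aud in (("App001", APP001_AUDIENCE), ("Azure Resource Manager", ARM_AUDIENCE)):
        print(f"{name}: accepted={audience_matches(TENANT2_TOKEN, aud)}")
```

A real resource also validates the signature, issuer, and expiry before trusting any claim; this block isolates the `aud` comparison only.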