B2B Multitenant Application Tenant onboarding, roles and permission, grouping same tenant users

Question

We are currently in the process of developing a multi-tenant, B2B SaaS solution using Azure AD B2C for authentication. Our choice to register our app in the B2C tenant was primarily to maintain separation between our home tenant and our consumers (customers). However, our challenge is to manage the authorization of our customer (end users), we intend to incorporate features like role mapping and dynamic groups, commonly found in Azure AD apps, which appear to be absent in Azure B2C.

 

Our application has a specific need for role-based access control, with defined roles such as 'superuser', 'user', and 'user.readonly'. Our tenant onboarding workflow is as follows: when a user signs up and signs in for the first time from the client frontend, we aim to programmatically assign the 'superuser' role to this user. The superuser should then be able to invite other users to their tenant and assign them either the 'user' or 'user.readonly' roles.

 

We understand that Azure AD B2C doesn't natively support roles and permissions the same way Azure AD does. We are aware that using custom attributes in Azure AD B2C could serve as a workaround for roles, and these roles can be included as claims in tokens. However, the challenge we face is figuring out how to programmatically assign these custom attributes 'roles' during the user sign-up and sign-in process.

 

Considering the advanced capabilities of Microsoft Entra with Azure Active Directory, we would greatly appreciate any guidance on an approach or design pattern that would allow us to effectively manage role assignment and role-based authorization in our Azure AD B2C application.

 

One alternative approach we are considering is using Azure AD B2C's Graph API and Python to create a custom attribute called 'roles', assigning values like 'superuser', 'user', and 'user.readonly' to it. However, our goal is to simplify this process.

 

We are looking forward to your guidance on this matter and thank you in advance for your assistance.

Answer 1

Hello Yogesh,

You're correct that Azure AD B2C does not have built-in support for roles and permissions like Azure AD. However, you can still achieve role-based access control in your Azure AD B2C application using custom attributes and custom policies. Here's an approach you can consider:

Define Custom Attributes: Create custom attributes in your Azure AD B2C user schema to represent roles, such as role or roles. These attributes will hold the role assignments for each user.

Use Custom Policies: Azure AD B2C provides custom policies that allow you to define custom authentication and authorization logic. You can use custom policies to extend the sign-up and sign-in process and programmatically assign roles to users.

Customize the Sign-Up and Sign-In Flow: Modify the custom policies to include custom orchestration steps for assigning roles during the sign-up and sign-in process. You can use a combination of user journey, claims transformation, and REST API calls within the custom policies.

Manage Roles Programmatically: To simplify the process of managing roles, you can leverage the Azure AD Graph API (Microsoft Graph API can also be used) to interact with your Azure AD B2C tenant programmatically. You can write custom code using a language like Python to create, update, and retrieve user roles using the custom attributes you defined earlier.

Here's a high-level overview of the steps involved in managing roles programmatically:

a. Create a Service Principal: Create a service principal in your Azure AD B2C tenant that has the necessary permissions to manage user roles.

b. Use Graph API: Use the Azure AD Graph API or Microsoft Graph API to make REST API calls to manage roles. For example, you can use the Graph API to create a user, update the custom attribute representing their role, or retrieve users with a specific role.

c. Integrate with your Application: Integrate your custom code with your application's logic to assign roles during the onboarding workflow or when inviting users. You can call your code within the custom policies or from your application backend.

Remember to secure the credentials used to access the Graph API and ensure proper authentication and authorization mechanisms are in place.

By combining custom attributes, custom policies, and programmatic role management using the Graph API, you can achieve role-based access control in your Azure AD B2C application.

Answer 2

Hi @Yogesh Jain

I read your problem description in detail. Yes, Azure AD B2C can create custom attributes to control user role-based access. But as far as I know, these custom role attributes will not be synchronized into the token, which means that you cannot judge whether the user has the role you have granted by parsing the token when logging in, but only by calling the graph API endpoint.

By the way, the access token for the graph API is a version 1.0 token, which does not allow custom claims to be populated in the token, even in an Azure AD tenant. Only access tokens for web APIs can populate custom claims.

Before that, make sure you have created the "roles" custom attribute in Azure AD B2C, then assign this attribute to the user via the graph API:

PATCH https://graph.microsoft.com/v1.0/users/{user id}
{
    "extension_{app_id}_roles": "superuser"
}

Filter users by custom attribute:

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.