Best Practice to Protect Azure WebApp for Individual Users versus only Issuer on SaaS / Multi-Tenant Implementations

MMEGFL 1 Reputation point
2020-05-08T22:09:11.303+00:00

Hello,

Situation:

  • I have a Multi-Tenant Azure WebApp that is protected with [Authorize] and AAD.
  • I have a Multi-Tenant Azure WebApi that is accessed by the WebApp and that also uses [Authorize] and AAD and User Claim Scope validations

Help Needed:

  • I am looking for the proper way to protect the WebApp, so that although it is Multi-Tenant it can validate individual users' ability to use the WebApp, versus merely doing IssuerValidation, which is the default way. Using this, however, merely ensures that I can check that a Tenant is ok to call the App, not that an individual in the Tenant can.

I would love any suggestions, guidance etc. on how to implement this based on what is available in the StartUp.Auth.cs at run time. Maybe I need to track both Tenants (Guids/issuers) plus the individuals' guid/id within their directory and store that in a DB/Azure Table/Something and then, when they attempt to access, check?

I guess if that is the case, what is the proper way to get that information at run-time, both from a registration perspective (I guess have a sign-up flow) and then in the Startup.Auth to get the credentials of the person currently attempting to log in?

Thank you!!!!!
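The two-level check the question describes (issuer/tenant validation plus a per-user lookup against a registration store) can be wired into the OWIN OpenID Connect middleware that a Startup.Auth.cs normally configures. The following is an added example, not code from the question, the answer, or any Microsoft sample; it assumes Microsoft.Owin.Security.OpenIdConnect with Microsoft.IdentityModel.Tokens, a hypothetical `IUserRegistry` standing in for the DB/Azure Table the question mentions, and placeholder values for the client id, redirect URI, and tenant/user GUIDs.

```csharp
// Added example: multi-tenant OWIN OpenID Connect setup that validates the tenant (issuer)
// AND the individual user (tid + oid) against a registration store. Not from the page;
// IUserRegistry, the onboarded-tenant set and all GUIDs are constructed placeholders.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Hypothetical registry interface; a real one would query a DB/Azure Table.
public interface IUserRegistry
{
    bool IsOnboardedTenant(string tenantId);
    bool IsRegisteredUser(string tenantId, string objectId);
}

// Constructed in-memory registry so the example is self-contained.
public class InMemoryUserRegistry : IUserRegistry
{
    private readonly HashSet<string> _tenants = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    private readonly HashSet<string> _users = new HashSet<string>(StringComparer.OrdinalIgnoreCase);

    // Called from your sign-up flow once the tenant admin and the user have enrolled.
    public void OnboardTenant(string tenantId) => _tenants.Add(tenantId);
    public void RegisterUser(string tenantId, string objectId) => _users.Add(tenantId + "|" + objectId);

    public bool IsOnboardedTenant(string tenantId) => _tenants.Contains(tenantId);
    // oid is only unique within a tenant, so the pair (tid, oid) is the identity key.
    public bool IsRegisteredUser(string tenantId, string objectId) => _users.Contains(tenantId + "|" + objectId);
}

public partial class Startup
{
    // Long-form claim types the JWT handler maps "tid" and "oid" to; short names kept as fallback.
    private const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
    private const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private const string IssuerPrefix = "https://login.microsoftonline.com/";
    private const string IssuerSuffix = "/v2.0";

    private static readonly IUserRegistry Registry = BuildRegistry();

    private static IUserRegistry BuildRegistry()
    {
        var r = new InMemoryUserRegistry();
        r.OnboardTenant("11111111-1111-1111-1111-111111111111");                                   // placeholder tenant
        r.RegisterUser("11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"); // placeholder user
        return r;
    }

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<your-app-client-id>",                               // placeholder
            Authority = "https://login.microsoftonline.com/common/v2.0",     // multi-tenant endpoint
            RedirectUri = "https://localhost:44300/",                        // placeholder
            TokenValidationParameters = new TokenValidationParameters
            {
                // With /common the issuer differs per tenant, so supply our own validator
                // instead of a fixed ValidIssuer. Never set ValidateIssuer = false.
                ValidateIssuer = true,
                IssuerValidator = ValidateTenantIssuer,
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Runs after signature/issuer/audience checks passed: the user-level gate.
                SecurityTokenValidated = context =>
                {
                    if (!IsRegisteredUser(context.AuthenticationTicket.Identity))
                        throw new SecurityTokenValidationException("User is not registered for this application.");
                    return Task.FromResult(0);
                },
            },
        });
    }

    // Tenant-level check (what issuer validation alone gives you).
    public static string ValidateTenantIssuer(string issuer, SecurityToken token, TokenValidationParameters p)
    {
        string tenantId = ExtractTenantId(issuer);
        if (tenantId != null && Registry.IsOnboardedTenant(tenantId))
            return issuer;
        throw new SecurityTokenInvalidIssuerException("Issuer is not an onboarded tenant: " + issuer);
    }

    // Parses "https://login.microsoftonline.com/{tid}/v2.0"; returns null for anything else.
    public static string ExtractTenantId(string issuer)
    {
        if (issuer == null || !issuer.StartsWith(IssuerPrefix, StringComparison.OrdinalIgnoreCase)
            || !issuer.EndsWith(IssuerSuffix, StringComparison.OrdinalIgnoreCase))
            return null;
        string tid = issuer.Substring(IssuerPrefix.Length, issuer.Length - IssuerPrefix.Length - IssuerSuffix.Length);
        return Guid.TryParse(tid, out _) ? tid : null;
    }

    // User-level check: both tid and oid must match a registration record.
    public static bool IsRegisteredUser(ClaimsIdentity identity)
    {
        string tid = (identity.FindFirst(TenantIdClaim) ?? identity.FindFirst("tid"))?.Value;
        string oid = (identity.FindFirst(ObjectIdClaim) ?? identity.FindFirst("oid"))?.Value;
        return tid != null && oid != null && Registry.IsRegisteredUser(tid, oid);
    }
}
```

The sign-up flow would populate the registry (`OnboardTenant` after admin consent, `RegisterUser` once an individual enrols), and the `SecurityTokenValidated` hook then rejects anyone from a trusted tenant who has not enrolled. Keying on `tid` plus `oid` rather than on email or UPN matters because those display values can change or be reassigned, while the object id is stable for the life of the directory account.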

Azure App Service
Microsoft Entra ID

1 answer

  1. Ryan Hill 26,146 Reputation points Microsoft Employee
    2020-05-11T19:37:13.61+00:00

    Hi @MMEGFL,

    I think what you are looking for is Azure B2C for customers that are outside of your AAD tenant. You can learn more about it on https://learn.microsoft.com/en-us/azure/active-directory-b2c/overview in addition to looking over concepts, samples, and tutorials. One sample app you may want to look at is https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi.

    Hope this helps. If not, please let me know.
