Not Monitored
Tag not monitored by Microsoft.
37,800 questions
How to handle Group Membership in Multi Tenant App in Azure Active Directory
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 93%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBD%3C/text%3E%3C/svg%3E)
bmaso-dev
26
Reputation points
I'm currently working in the security features of a multi tenant app that will use Azure Active Directory for authentication
The app will be able to add users to companies by using any email address. A guest user will be created and an invitation sent.
If a second company tries to add an existing guest user, the AD guest user is reused
The purpose is to have multiple companies with multiple users, with each user having just one role membership for the specific company.
At the moment a company is a data element, not visible to Azure.
We were using AD Groups and the benefits of getting group membership information in the tokens
This work well for a single tenant approach, since this membership is like a "global" attribute, not a company attribute
Any ideas on how to implement this?
Our web API will be able to read tokens and possible infer the company-user relationship
The thing is how to be able to have many admin-user1 group membership each one corresponding to different companies by using AD Users and AD Groups
thanks a lot!
NOTE: by "multi tenant app "I am referring to an app that will internally handle multiple customers and multiple users for each customer
a customer may or may not be related to another azure tenant and can be any external email of any domain
{count} votes
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,436 Reputation points2022-10-07T03:05:27.647+00:00 Hello @bmaso-dev and thanks for reaching out. Can you elaborate more/What do you mean with:
- each user having just one role membership for the specific company?
- have many admin-user1 group membership each one corresponding to different companies
-
bmaso-dev 26 Reputation points
2022-10-11T18:32:23.383+00:00 Hi alfredo!
It's #2 the one that matches.
As owner of the plattform I can create the Contoso company and Popsico company
Then the Contoso admin can add the user John as member of the Contoso Admins
but the Popsico admin can also add it as member of the Popsico TechniciansI wanted to get AD groups memberships in the token, but it seems that this is only useful for portal-wide memberships
since I won't be abre to get customer or tenant info in the token (application tenant) -
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,436 Reputation points
2022-10-25T16:36:24.01+00:00 Hello @bmaso-dev , my understanding is that you want to be able to host, ideally in just your tenant, users that can be members of more than one company and that you want such relationship issued as a claim in a token. Is that correct? Will a company have one or more groups?
Sign in to comment