How to handle Group Membership in Multi Tenant App in Azure Active Directory

bmaso-dev 21 Reputation points

I'm currently working in the security features of a multi tenant app that will use Azure Active Directory for authentication
The app will be able to add users to companies by using any email address. A guest user will be created and an invitation sent.
If a second company tries to add an existing guest user, the AD guest user is reused

The purpose is to have multiple companies with multiple users, with each user having just one role membership for the specific company.
At the moment a company is a data element, not visible to Azure.

We were using AD Groups and the benefits of getting group membership information in the tokens
This work well for a single tenant approach, since this membership is like a "global" attribute, not a company attribute

Any ideas on how to implement this?

Our web API will be able to read tokens and possible infer the company-user relationship
The thing is how to be able to have many admin-user1 group membership each one corresponding to different companies by using AD Users and AD Groups

thanks a lot!

NOTE: by "multi tenant app "I am referring to an app that will internally handle multiple customers and multiple users for each customer
a customer may or may not be related to another azure tenant and can be any external email of any domain

Not Monitored
Not Monitored
Tag not monitored by Microsoft.
36,570 questions
{count} votes