How to properly create a multi tenant application using Azure AD

Question

I've read across dozens of pages of documentation, reviewed a couple of demo apps but I'm still not able to fully get my head around how to create a B2B application using Azure AD.

This is my scenario:
I'm developing a B2B SaaS solution where the sole customer base is going to be other companies. There is no intention of providing the software to single customers, we only target businesses.
We investigated the market and came to the conclusion that we need to support two use cases:

1. The customer already has a fully configured AD, either on-premises or in the cloud.
2. The customer has no AD to bring with and user management, groups and permissions need to be managed by us.

Our goal is to use Azure AD as a PIM as much as possible. The big picture would be to

1. Handle tenant management in Azure (aside from licensing and stuff like that). Customers should be able to self-service with no support intervention needed from us.
2. Handle user management in Azure. We don't want to deal with all things related to user accounts. Users only belong to a single tenant, there will never be a user that is member of multiple tenants and there will be no user not belonging to a tenant.
3. Handle permissions in Azure. Our permission system is quite standard, there will be roles, groups and assignments between those.
4. Handle token creation, management, invalidation in Azure. MSAL is preferred.

Is this possible? What trade-offs need to be made here?

This is what I was able to find:

1. Tenant management seems to exist in Azure AD but from my understanding this does not translate to our scenario. Furthermore, there seems to be a limit of 20 tenants per Azure AD. I also was not able to find any information on self-servicing in that regard. I want to avoid putting potential customers through the hassle of creating an AD on their own.
2. User management is integrated completely and nothing major needs to be done in order to use it.
3. Apps can have roles that can be assigned to principals (our in our case only groups).
4. Token creation is supported completely by MSAL.

Microsoft advises to use a single AD to manage multiple tenants. This makes it difficult to distinguish users between tenants and I would rather have clear boundaries between my tenants in Azure, there should be no overlapping of groups or users. Best case would be to have a directory per tenant so nothing could clash. I was also looking into Azure B2C but it seems to me that this allows any organization to log into the application, no matter if they should have access or not. This would mean that we need another layer of validation that a signed in user really belongs to a valid tenant that has a license. This is counterintuitive.

I was not able to find such a scenario somewhere in the docs, at least not in that detail I would need to fully understand the flow.

Answer 1

Hi Christian,

There are some cross references and overlaps in your requirements and understanding of the solution, B2B is fully managed via the self service sign ins or invitation basis and I have not come acorss any limitations of 20 tenants in Azure AD.

I will suggest you to review the Multi-Tenant Solution and it will give you clear understanding and design of the multi-tenant applications for your requirements.

Some of the starting links that will help you out :

1. List item
2. List item
3. List item
4. List item
5. List item

Please let me know if this is helpful? And we can have further discussion on this solution for you.

Hope this helps.

==
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.