Azure AD with different SaaS application

Alessandro Bacci 0 Reputation points
2023-01-25T13:44:41.9566667+00:00

Hello, I'm developing a SaaS application that will be customized for each client using different VMs (actually the frontend will remain the same, but the backend data will not) and I want to add authentication and authorization mechanisms with Azure AD.

At the moment I have only one client and I have created 2 applications in Azure AD: one that handles the SPA, and the other responsible for API authorization. Users added to these 2 applications are able to log in to the platform and see the correct data, that's fine.

In case of more VMs, and therefore more customers, how can I say that a certain group of users can only access their platform (i.e. VM)? Should I create other SPA applications in Azure AD to manage users?

Tags: Azure Virtual Machines, Microsoft Entra ID

1 answer

  1. Alfredo Revilla (Ex-MSFT) 26,756 Reputation points
    2023-01-27T15:54:21.6533333+00:00

    Hello, yes, in order to restrict access to Azure AD applications per customer/VM you will have to create a set of app registrations for each one and limit user access. In order to simplify management you may create an Azure AD Dynamic Group per customer/VM/app set and assign it to the application. E.g. you can create a group for customer #1 that dynamically builds its member list (using dynamic rules) from users that are external and whose email ends with @customer1.com.

    For external Azure AD users, you may create a multi-tenant app. No user should be allowed to log in to the home tenant (where the app registrations are created), but once they get onboarded in a customer tenant, it will be the customer who manages who has access to their application instance.

    Let us know if you need additional assistance. If the answer was helpful, please accept it so that others can find a solution.
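The per-customer setup described in the answer above (one app registration set per customer, a dynamic group of that customer's external users, the group assigned to the app), as an added example that is not part of the answer or the original thread. It uses the Microsoft Graph PowerShell SDK; the customer domain `customer1.com`, the group names and the SPA application (client) ID are assumed placeholders, and the account running it needs the scopes requested in `Connect-MgGraph`.

```powershell
# Added example, not code from the Q&A thread. Builds one customer's access boundary in
# Entra ID with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumed values: the customer name/domain, the group names and the SPA app (client) ID.

Connect-MgGraph -Scopes "Group.ReadWrite.All", "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

$customer = "customer1"                                   # assumed
$spaAppId = "00000000-0000-0000-0000-000000000000"        # assumed: client ID of this customer's SPA app registration

# 1. Dynamic security group: guest (external) users whose mail ends with @customer1.com.
#    Dynamic membership rules support -match with a regex, so the dot in the domain is
#    escaped and the pattern is anchored to the end of the address.
$rule  = '(user.userType -eq "Guest") and (user.mail -match "@customer1\.com$")'
$group = New-MgGroup -DisplayName "SaaS-$customer-users" `
    -MailEnabled:$false -MailNickname "saas-$customer-users" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") -MembershipRule $rule -MembershipRuleProcessingState "On"

# 2. The enterprise app (service principal) that represents this customer's SPA registration.
$sp = Get-MgServicePrincipal -Filter "appId eq '$spaAppId'"

# 3. Without "Assignment required", any user in the tenant can still sign in to the app
#    regardless of which groups are assigned; this flag is what makes the assignment a boundary.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 4. Assign the customer's group to the app. The all-zero role ID is the default access
#    role for apps that define no custom app roles.
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId "00000000-0000-0000-0000-000000000000"

# 5. Verify what is assigned to the app now (expect the new group).
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType
```

Two practical notes: dynamic group membership is evaluated asynchronously, so a newly invited guest may take some minutes to appear in the group and be able to sign in; and the same "assignment required" plus group assignment should be applied to the customer's API app registration as well, otherwise a token obtained through any other client in the tenant could still be presented to that API.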