Azure multi tenant microservice architecture and many app registrations

Dan 0 Reputation points
2023-01-28T15:31:40.0166667+00:00

Let's say I have a multi-tenant microservice architecture fronted with an API gateway, which a client app calls to access the microservices behind it. Let's say it's grown to a complex system that has 50 microservices, all needing user identity/authentication. Therefore each microservice web API has a multi-tenant app registration assigned to it. As these are multi-tenant app registrations, these will become enterprise apps in the tenant's AAD; in this case there would be 50. This would clutter up their AAD, I feel; also would it give away some internal workings of our system. Is this the correct way and we should accept they will have 50 enterprise apps in their AAD, or am I missing a trick?


1 answer

  1. Bruce (SqlWork.com) 78,006 Reputation points Volunteer Moderator
    2023-01-30T17:15:27.0666667+00:00

    It would make more sense to have a proxy app that called all the other services. Then your tenants would only need to authorize this app for each of their users.

    The proxy app would authenticate to the other apps with its own device account, but would include the verified user token in the requests as a parameter or additional header.

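An added example, not part of the answer above or of any Microsoft sample: the check an internal microservice would run in the proxy pattern, accepting a forwarded user token only when the caller has first authenticated as the gateway. The `X-User-Token` header name, the app and tenant IDs, and the keys are constructed, and HS256 stands in for verifying the identity provider's asymmetric signature.

```python
import base64, hashlib, hmac, json, time

# Constructed values for illustration; none come from the thread.
GATEWAY_APP_ID = "gateway-app-id"      # the single registration tenants consent to
SERVICE_APP_ID = "orders-service-id"   # this internal microservice
ONBOARDED_TENANTS = {"tenant-a", "tenant-b"}
USER_KEY = b"constructed-user-token-key"      # stand-in for the IdP signing key
INTERNAL_KEY = b"constructed-internal-key"    # stand-in for the internal issuer key

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _mac(head, body, key):
    return _b64(hmac.new(key, head + b"." + body, hashlib.sha256).digest())

def sign(claims, key):
    """Build a compact HS256 token (helper for constructing sample input)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return b".".join([head, body, _mac(head, body, key)]).decode()

def verify(token, key, audience, now=None):
    """Return claims if algorithm, signature, audience and expiry all check out."""
    try:
        head, body, sig = token.encode().split(b".")
        header, claims = (json.loads(base64.urlsafe_b64decode(p + b"=" * (-len(p) % 4)))
                          for p in (head, body))
        alg, aud, exp = header.get("alg"), claims.get("aud"), float(claims.get("exp", 0))
    except (ValueError, AttributeError, TypeError):
        return None  # malformed token
    if alg != "HS256" or not hmac.compare_digest(sig, _mac(head, body, key)):
        return None
    if aud != audience or exp <= (now or time.time()):
        return None
    return claims

def authorize(headers):
    """Trust the forwarded user token only if the gateway itself authenticated."""
    scheme, _, bearer = headers.get("Authorization", "").partition(" ")
    caller = verify(bearer, INTERNAL_KEY, SERVICE_APP_ID) if scheme == "Bearer" else None
    if caller is None or caller.get("azp") != GATEWAY_APP_ID:
        return None  # forwarded header is ignored for any other caller
    # The user token was issued for the gateway, so its audience is the gateway app.
    user = verify(headers.get("X-User-Token", ""), USER_KEY, GATEWAY_APP_ID)
    if user is None or user.get("tid") not in ONBOARDED_TENANTS:
        return None
    return {"tenant": user["tid"], "user": user.get("oid")}
```

The tenant and user identity come only from the verified user token, never from the gateway's own credential, so a request that reaches the service without passing through the gateway cannot supply a user context.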
