25,081 questions
OAuth SSO with Azure AD
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 57.00000000000001%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
arik alon
0
Reputation points
We provide a multi tenant service. Each tenant is an account, and each account has multiple users.
We'd like to implement SSO with Azure, so, that based on Azure AD we can allow users to connect to accounts.
We want to base the solution on Azure AD groups.
So, for example:
Any user that has Azure group id "ABC123" can connect to "account A"
Any user that has Azure group id "XYZ123" can connect to "account B"
Will that be secure?
Can a malicious user, somehow inject to his Azure Groups a group id of a different account, and get access to that account this way?
Are Azure Group IDs unique across all azure tenants? Can a user set/modify a group id?
Microsoft Security Microsoft Entra Microsoft Entra ID
Microsoft Security Microsoft Graph
13,721 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 78%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Julian Sperling 451 Reputation points2024-02-25T13:59:48.44+00:00 So the quick answers first: Azure Group IDs are Globally Unique in theory and can not be set or modified in Entra ID (which used to be called Azure AD)- however they should most definetely not be used as a primary authentication Mechanism.
To fully answer what the best way would be I need some context around your wording - If you say "Tenant", do you mean an Entra ID Tenant or a Tenant within your solution?
Further, I would interpret "Account" to be equivalent to a "Customer" in your case, so pretty much the same Concept as a "Tenant" in Azure, is that correct?
You are also giving slightly conflicting information from what I can tell - If each Tenant is Associated with one account, why are we talking about groups connecting to specific Accounts? This would mean one Tenant can be associated with multiple accounts. Or Are Accounts equal to Users?
Sign in to comment
Sign in to answer