Best Practice to Protect Azure WebApp for Individual Users versus only Issuer on SaaS / Multi-Tenant Implementations

MMEGFL 1 Reputation point



  • I have a Multi-Tenant Azure WebApp that is protected with [Authorize] and AAD.
  • I have a Multi-Tenant Azure WebApi that is accessed by the WebApp that also uses [Authorize] and AAD and User Claim Scope validations

Help Needed:

  • I am looking for the proper way to protect the WebApp, so that although it is Multi-Tenant it can validate an individual user's ability to use the WebApp, versus merely doing IssuerValidation, which is the default way. Using this, however, merely ensures that I can check that a Tenant is ok to call the App, not that an individual in the Tenant can.

I would love any suggestions, guidance etc. on how to implement this based on what is available in the StartUp.Auth.cs at run time. Maybe I need to track both Tenants (Guids/issuers) plus the individual's guid/id within their directory and store that in a DB/Azure Table/Something and then when they attempt to access, check?

I guess if that is the case, what is the proper way to get that information at run-time, both from a registration perspective (I guess have a sign up flow) and then in the Startup.Auth to get the credentials of the person currently attempting to log in?

Thank you!!!!!

Azure Web Apps
A feature of Azure App Service used to create and deploy scalable, mission-critical web apps.
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
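
The approach the question proposes (an allow-list keyed on tenant ID plus the user's object ID, checked at sign-in), sketched as an added example that is not part of the original post or the answer. It assumes the OWIN OpenID Connect middleware (Katana 4.x) in Startup.Auth.cs with its default claim-type mapping; the `AllowedUsers` set, the client ID placeholder and the `/Home/AccessDenied` route are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens; // Katana 4.x; Katana 3.x uses System.IdentityModel.Tokens
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Claim types the middleware maps the token's "tid" and "oid" claims to by default.
    const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
    const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    // Hypothetical allow-list of "tenantId/objectId" pairs (constructed sample value).
    // A real app would query the DB or Azure Table populated by its sign-up flow.
    static readonly HashSet<string> AllowedUsers = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "00000000-0000-0000-0000-000000000001/00000000-0000-0000-0000-0000000000aa" };

    // Fail closed: a token missing either claim is rejected.
    static bool IsUserAllowed(string tenantId, string objectId) =>
        !string.IsNullOrEmpty(tenantId) && !string.IsNullOrEmpty(objectId)
        && AllowedUsers.Contains(tenantId + "/" + objectId);

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<your-client-id>", // placeholder
            Authority = "https://login.microsoftonline.com/common",
            // Issuer differs per tenant, so the tenant + user check runs in the notification below.
            TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = false },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = context =>
                {   // Signature, audience and lifetime have already been validated at this point.
                    var identity = context.AuthenticationTicket.Identity;
                    if (!IsUserAllowed(identity.FindFirst(TenantIdClaim)?.Value,
                                       identity.FindFirst(ObjectIdClaim)?.Value))
                        throw new SecurityTokenValidationException("User is not registered.");
                    return Task.FromResult(0);
                },
                AuthenticationFailed = context =>
                {   // No sign-in cookie is issued; send the user to a hypothetical denial page.
                    context.HandleResponse();
                    context.Response.Redirect("/Home/AccessDenied");
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

Keying on the immutable tenant ID and object ID rather than on a UPN or e-mail address keeps the check stable when a user is renamed.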

1 answer

  1. Ryan Hill 16,076 Reputation points Microsoft Employee

    Hi @MMEGFL ,

    I think what you are looking for is Azure B2C for customers that are outside of your AAD tenant. You can learn more about it on in addition to looking over concepts, samples, and tutorials. One sample app you may want to look at is

    Hope this helps. If not, please let me know.
