Best Practice to Protect Azure WebApp for Individual Users versus only Issuer on SaaS / Multi-Tenant Implementations

MMEGFL 1 Reputation point
2020-05-08T22:09:11.303+00:00

Hello,

Situation:

  • I have a Multi-Tenant Azure WebApp that is protected with [Authorize] and AAD.
  • I have a Multi-Tenant Azure WebApi that is access by the WebApp that also uses [Authorize] and AAD and User Claim Scope validations

Help Needed:

  • I am looking for the proper way to protect the WebApp, so that although it is Multi-Tenant that is can validate individual users ability to use the WebApp, versus merely doing IssuerValidation, which is the default way. Using this however merely ensures that I can check that a Tenant is ok to call the App, not that an individual in the Tenant can.

I would love any suggestions, guidance etc on how to implement this based on what is available in the StartUp.Auth.cs at run time. Maybe I need to track both Tenants (Guids/issuers) plus the individuals guid/id within their directory and store that in a DB/Azure Table/Something and then when they attempt to access, check?

I guess if that is the cause, how is the proper way to get that information at run-time both from a registration perspective (I guess have a sign up flow) and then in the Startup.Auth to get the current attempting to log in persons credentials?

Thank you!!!!!

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,914 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,120 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Ryan Hill 28,636 Reputation points Microsoft Employee
    2020-05-11T19:37:13.61+00:00

    Hi @MMEGFL ,

    I think what you are looking for is Azure B2C for customers that are outside of your AAD tenant. You can learn more about it on https://learn.microsoft.com/en-us/azure/active-directory-b2c/overview in addition to looking over concepts, samples, and tutorials. One sample app you may want to look at is https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi.

    Hope this helps. If not, please let me know.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.