Custom Azure application single URL domain, multiple companies, each with its own users

Eric Lynch 21 Reputation points
2022-05-12T15:09:22.42+00:00

I am an experienced developer with a long history of using C# and .NET and some LDAP experience. I would like to create an SaaS application using Azure best practices.

However, I find myself struggling a bit with the best practices for authentication/authorization using Azure. I would appreciate any help/links that are specific to my application's needs. I've found lots of generalized links, but these cover the topic much too broadly.

My application will (at least to start) have a single domain (e.g. https://mydomain.com/) shared by multiple separate customers each with its own users. Consider the case of two companies (Company1 and Company2). Both Company1 and Company2 would have a different set of users. Each company should be able to manage its own users and their authorizations/permissions. Neither company should be able to see or manage the other company's users. Each user should be able to change their own password. Companies would (ideally) be differentiated by a portion of the overall URL (e.g. https://mydomain.com/Company1 vs https://mydomain.com/Company2).

If I understand correctly, the best practice is to use Azure AD as an identity provider. Assuming I choose this approach, I would appreciate any advice, direction, or links discussing a scenario similar to the one described above...the more specific (and jargon-free) the better. If it's simply not possible to support this scenario, using Azure AD, alternative suggestions are also welcome.

I am a quick study, and don't mind doing the work of reading and figuring it out for myself. I am simply hoping for a little help finding a good starting point. The topic is simply covered too broadly for me to easily find one. While I wouldn't mind eventually becoming an Azure AD expert, my current needs are much more targeted.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,472 questions
0 comments No comments
{count} votes

Accepted answer
  1. 2022-05-13T00:51:50.33+00:00

    Hi @Eric Lynch , this sounds like something tailored for Azure AD B2C. Each customer can have its own tenant which will get federated. This approach will provide complete company data isolation and simplify per customer customization.

    Initial steps:

    1. Create a new tenant in Azure Active Directory per customer
    2. Create an Azure Active Directory B2C tenant
    3. Create custom policies in Azure Active Directory B2C (Skip Add Facebook as an identity provider)
    4. Set up sign-in for each Azure Active Directory customer tenant. One ClaimsProviderSelection, ClaimExchange, ClaimProvider and OpenIdConnect Technical Profile must be added per customer tenant.
    5. Create an ASP.NET application that will leverage the previously created custom policy and signin users into your application. You can later customize it with domain hints, multiple custom policies and/or login pages and more.

    Also, take a look to Authorization in ASP.NET, specially roles, claims and policy-based.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.