
Azure AD multitenant permissions

I have an Azure web app that's managing its users via Azure AD. I want the users to be able to register in my Azure AD directory to create an account (self-service), so I gave the app read-write access to the directory and set up a page using the Graph API to create the users.

Until here, everything is great. But the problem I have now is that I want to enable multi-tenancy, so users of external AD directories can log in to my app. This works, but I need to log in as an administrator for the account because it also asks for read-write access to their directory.

Is there a way to fix this? I only want read-write access to my directory to be able to create user accounts. I don't want to ask permission to touch their directory because, most probably, they wouldn't trust my app.

Thanks.

Carles Company asked May 28 '15 09:05



1 Answer

I found a quick and dirty solution: add another app to the Active Directory. This app should be single-tenant and have only permission to read and write the Active Directory. We can then use this app's credentials to access the Graph API and the other app's credentials to authenticate users.

I wait to see if someone has a better solution for this scenario...

Carles Company answered Sep 21 '22 05:09

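The two-app split from the answer, as an added example (not code from the original post): the multi-tenant app is only used for sign-in and is configured in the portal, while the single-tenant app below obtains an app-only token bound to the home tenant's token endpoint and uses it to create users through Graph. Tenant ID, client ID, secret and the `post` callable are assumptions; the HTTP call is injected so the example runs offline.

```python
"""Two-app split for a multi-tenant Azure AD web app (added example).

App A (multi-tenant) is used only to sign users in and requests no directory
write permission, so admins of external tenants are not asked to consent to it.
App B (single-tenant, registered in the home directory only) holds the app-only
Graph permission and is used server-side via client credentials.
All IDs and the secret below are constructed placeholders.
"""
import json
from typing import Callable, Dict, Tuple
from urllib.parse import urlencode

HOME_TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, str]:
    """Build the client-credentials request for the single-tenant Graph app.

    The request goes to the home tenant's own token endpoint, so the token it
    yields is scoped to the home directory and cannot touch a guest's tenant.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # keep server-side; never ship to the browser
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body


def new_user_payload(display_name: str, upn: str, initial_password: str) -> Dict:
    """Graph 'create user' body; the UPN domain must be one verified in the home tenant."""
    return {
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": upn.split("@")[0],
        "userPrincipalName": upn,
        "passwordProfile": {"forceChangePasswordNextSignIn": True, "password": initial_password},
    }


def create_user(post: Callable[[str, Dict, str], Tuple[int, str]], access_token: str, payload: Dict) -> Dict:
    """POST the user with the app-only token; `post(url, headers, body) -> (status, text)` is injected."""
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    status, text = post(GRAPH_USERS_URL, headers, json.dumps(payload))
    if status != 201:  # Graph answers 201 Created on success
        raise RuntimeError(f"Graph returned {status}: {text}")
    return json.loads(text)
```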