
I've read how to set up my application to support multiple tenants, with each of them having their own Azure AD. But I would also like to support clients without Azure AD. I thought about using Azure AD B2B (inviting them to my Azure AD). But how do I then tell which tenant a user belongs to? The token will have my Azure AD as `iss`. Can I add custom fields to the token? Or maybe I should assign them to different groups based on tenant? What is the best way to do it?

Piotr Perak
  • What did you mean by `with one Azure AD?` – Md Farid Uddin Kiron Mar 01 '20 at 12:14
  • One Azure AD - invited users in my company's Azure AD. Normally users belong to their company's Azure AD and I would recognize tenant based on `iss` in token. But small companies don't have it and I still want to support them. – Piotr Perak Mar 01 '20 at 12:43
  • Yes, that makes sense. For your case, you could make a group with this kind of user and set a [group claim for the token](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims); the [token can also be configured](https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims) so that you provide optional claims for that kind of user. Though this is under preview, you could manage them as guest users. – Md Farid Uddin Kiron Mar 01 '20 at 13:22
  • I would in addition suggest that you make a separate AAD tenant for these users, and create users with userType Guest in there, unless there is a specific need to put them in your company's tenant. But be sure to make their user type Guest so they can't see user listings etc. – juunas Mar 01 '20 at 15:10
  • @juunas I tried this but when I create new Azure AD it asks for another subscription. Can I somehow connect it to my existing subscription? Have two Azure ADs with one subscription? – Piotr Perak Mar 01 '20 at 16:32
  • You don't need a subscription. You only need it if you want to deploy Azure services under that tenant, which isn't necessary in this case. – juunas Mar 01 '20 at 16:33
  • @juunas ok, I'll try again. Can I create as many of them as I like? But it looks to me like MS suggests inviting users to your AD. That's called Azure AD B2B? – Piotr Perak Mar 01 '20 at 17:54
  • I'm not sure how many you can create. MS suggests using B2B when you want to give users access to resources in your organisation :) In this case you're not technically giving them access to anything in your org. – juunas Mar 01 '20 at 18:41
  • I do. I give them access to my application, but only this. But what you suggest is less risky. – Piotr Perak Mar 01 '20 at 20:35
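The two populations discussed above (users signing in from their own Azure AD, and B2B guests invited into the application's home tenant) can be told apart from the claims of an already-validated token. The following is an added example, not code from the question or from Microsoft: it assumes the token's signature, audience and expiry have been checked elsewhere (e.g. by your JWT middleware), that `HOME_TENANT_ID` is the application's own tenant, and that `GROUP_TO_CUSTOMER` is an application-maintained mapping from group object ids to customer ids; all ids below are constructed sample values. Users from another Azure AD are identified by `tid` (cross-checked against `iss`), guests in the home tenant by the group claim.

```python
"""Resolve which customer a validated Azure AD access token belongs to.

Case 1: the user signed in from their own Azure AD. The issuer / `tid`
        is their tenant and identifies the customer directly.
Case 2: the user is a B2B guest in the application's home tenant. The
        issuer is the home tenant, so the customer is taken from the
        `groups` claim via an application-maintained mapping.
"""
import re
from typing import Mapping, Tuple

# Constructed sample values (assumptions for this example, not real ids).
HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"
GROUP_TO_CUSTOMER: Mapping[str, str] = {
    "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa": "acme",
    "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb": "globex",
}

# Azure AD issuer formats: v2.0 endpoint and v1.0 (sts.windows.net) endpoint.
_ISSUER_PATTERNS = (
    re.compile(r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0$"),
    re.compile(r"^https://sts\.windows\.net/([0-9a-f-]{36})/$"),
)


class TenantResolutionError(ValueError):
    """Raised when the token cannot be attributed to exactly one customer."""


def tenant_from_issuer(iss: str) -> str:
    """Extract the tenant id embedded in a known Azure AD issuer URL."""
    for pattern in _ISSUER_PATTERNS:
        match = pattern.match(iss)
        if match:
            return match.group(1)
    raise TenantResolutionError(f"unrecognised issuer: {iss!r}")


def resolve_customer(
    claims: Mapping[str, object],
    home_tenant_id: str = HOME_TENANT_ID,
    group_map: Mapping[str, str] = GROUP_TO_CUSTOMER,
) -> Tuple[str, str]:
    """Return ("external", tenant_id) or ("guest", customer_id).

    `claims` is the decoded payload of a token whose signature has
    already been verified; this function only interprets the claims.
    """
    issuer_tid = tenant_from_issuer(str(claims.get("iss", "")))
    tid = claims.get("tid")
    if tid != issuer_tid:
        # Defensive consistency check: both claims must name the same tenant.
        raise TenantResolutionError("tid claim does not match issuer tenant")

    if tid != home_tenant_id:
        # Case 1: the user came from their own Azure AD.
        return ("external", str(tid))

    # Case 2: a guest in the home tenant; attribute via the group claim.
    if "groups" not in claims:
        # Azure AD omits `groups` and emits an overage indicator when the
        # user is in more groups than fit in the token; the caller would
        # then have to fetch group membership from Microsoft Graph.
        if "groups" in (claims.get("_claim_names") or {}):
            raise TenantResolutionError("group overage: groups must be fetched from Graph")
        raise TenantResolutionError("guest token carries no groups claim")

    matched = {group_map[g] for g in claims["groups"] if g in group_map}
    if len(matched) != 1:
        # Zero matches means an unmapped guest; more than one means the
        # group assignment is ambiguous. Both are rejected rather than guessed.
        raise TenantResolutionError(f"expected exactly one customer group, got {sorted(matched)}")
    return ("guest", matched.pop())


if __name__ == "__main__":
    external = {
        "iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
        "tid": "22222222-2222-2222-2222-222222222222",
    }
    guest = {
        "iss": f"https://sts.windows.net/{HOME_TENANT_ID}/",
        "tid": HOME_TENANT_ID,
        "groups": ["aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"],
    }
    print(resolve_customer(external))
    print(resolve_customer(guest))
```

Keeping the group-to-customer mapping on the application side (rather than trusting an arbitrary custom claim) means a guest is only attributed to a customer when an administrator has placed them in that customer's group, and the overage and ambiguity branches fail closed instead of silently picking a tenant.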
