
We are using B2C for a number of apps. Each app is owned by a separate team, and currently each team has its own nonprod and prod B2C tenants.

The number of apps will definitely grow. We want to use fewer tenants going forward. To be precise, we want to use just 2 tenants for all apps: 1 nonprod and 1 prod. The major concern with this approach is that we currently give the developers app registrations for the client credentials grant with permissions such as User.ReadWrite.All and Directory.ReadWrite.All at the tenant level. So there is the possibility that the actions of a developer for one team/app will inadvertently affect users of another app. To this end, we are looking to create a wrapper User Management API around the Graph API, and also a front end to this new API. User Management admins will authenticate at the front end and use the custom API, which makes calls to the Graph API. The hope is that with this setup, only the custom API will use the client credentials grant with the Graph API permissions. The User Admins will authenticate to log in to the front end web app to use the custom API.

Questions

  1. Is this a correct approach to achieve our long-term goal of using far fewer tenants? What are the alternatives?
  2. Regarding the custom API/frontend setup: one way we are thinking of implementing it is to use a dedicated B2C tenant for the User Management admins. This tenant will contain one app registration for the custom API. Scopes will be exposed on this API. The custom API will use the client credentials grant to perform CRUD operations on the other B2C tenants. There will be a second app registration for the web app frontend, which will be assigned the permissions exposed on the custom API. Is this doable, and if not, what options are available?
  3. The second approach we are thinking about for the API/frontend setup is similar, but we want to make the frontend web app multi-tenant so that the user management admins don't have to have accounts in the tenant that houses the custom API and frontend, as they already have accounts in their respective B2C tenants. How can one achieve multi-tenant support in B2C, and will it work for this scenario?
Bandz

1 Answer

In an effort to segregate duties (devs not having access to prod), along with reproducing large amounts of B2C setup across multiple tenants (POC, NonProd, Prod), I have undertaken an automation effort to configure the day-to-day management of B2C tenants. I have a JSON file per environment (dev/test/uat/prod/dr) that feeds a PowerShell script to enforce the business rules for creating (100s of) apps within a tenant. Automation of the tenant requires you to create some admin apps/service accounts to manage via API, but it will further allow you to restrict the roles you give to the team (Global Reader vs admin roles). Unfortunately B2C does not support PIM for JIT/JEA.

Scripting includes:

  • Creating B2C UI app registrations (manifest control over reply URLs / public clients / downstream permissions)
  • Setting the manifest directly for properties that are not supported by PS commands
  • Creating B2C AAD app registrations (mostly for OAuth STS, app scopes/permissions)
  • Creating credentials (client id) for app registrations (cert/secret) and managing them via Key Vault (rotate and self-heal)
  • Admin permissions grant

Have also expanded B2C automation to IEF custom policy XML file deployment.

felickz
  • Thank you @felickz, but while helpful in its own right, this does not answer my questions around fewer tenants, the API/frontend setup with admin identities in the same tenant, or the API/frontend setup with multi-tenancy support. – Bandz Feb 16 '21 at 14:18
  • My answer was in response to your question 1 - what is your alternative. Don't spend time creating a UI/wrapper of the Graph API - just automate it ;) – felickz Feb 16 '21 at 18:59
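An added example, not felickz's script, of the pattern the answer describes: one JSON file per environment drives an idempotent PowerShell run that creates or updates B2C app registrations with the Microsoft Graph PowerShell SDK, pins the reply URLs to what the file says, and rotates each client secret into Key Vault so developers never hold the credential. The file names, vault name, app names and environment variables are hypothetical; an admin app with a certificate credential and an existing Az context (Connect-AzAccount) are assumed.

```powershell
#Requires -Modules Microsoft.Graph.Applications, Az.KeyVault
param(
    [string]$EnvFile   = '.\nonprod.json',   # hypothetical per-environment file
    [string]$VaultName = 'kv-b2c-nonprod'    # hypothetical Key Vault name
)

# Constructed sample of the JSON shape this script expects:
# {
#   "tenantId": "<b2c-tenant-guid>",
#   "apps": [
#     { "name": "team-a-web",
#       "redirectUris": ["https://team-a.example.com/signin"],
#       "secretDays": 90 }
#   ]
# }
$cfg = Get-Content -Raw -Path $EnvFile | ConvertFrom-Json

# Sign in as the automation app with a certificate; no developer credentials in the pipeline.
Connect-MgGraph -TenantId $cfg.tenantId -ClientId $env:B2C_AUTOMATION_APPID `
                -CertificateThumbprint $env:B2C_AUTOMATION_CERT_THUMBPRINT -NoWelcome

foreach ($app in $cfg.apps) {
    # Idempotent: look the registration up by display name and create it only if missing.
    $reg = Get-MgApplication -Filter "displayName eq '$($app.name)'" -All | Select-Object -First 1
    if (-not $reg) {
        # B2C registrations use the AzureADandPersonalMicrosoftAccount sign-in audience.
        $reg = New-MgApplication -DisplayName $app.name `
            -SignInAudience 'AzureADandPersonalMicrosoftAccount' `
            -Web @{ RedirectUris = $app.redirectUris }
        Write-Host "Created $($app.name) ($($reg.AppId))"
    } else {
        # Enforce the reply URLs from the file; anything hand-added in the portal is removed.
        Update-MgApplication -ApplicationId $reg.Id -Web @{ RedirectUris = $app.redirectUris }
    }

    # Rotate: issue a new client secret and keep it only in Key Vault, never in the JSON or logs.
    $cred = Add-MgApplicationPassword -ApplicationId $reg.Id -PasswordCredential @{
        DisplayName = "auto-$(Get-Date -Format yyyyMMdd)"
        EndDateTime = (Get-Date).AddDays($app.secretDays)
    }
    Set-AzKeyVaultSecret -VaultName $VaultName -Name "$($app.name)-client-secret" `
        -SecretValue (ConvertTo-SecureString $cred.SecretText -AsPlainText -Force) `
        -Expires $cred.EndDateTime | Out-Null
}
```

Old secrets are left in place here so running clients keep working until they pick up the new value; a follow-up run can call Remove-MgApplicationPassword on credentials past their end date.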