My question is regarding a multi-tenant, Azure AD authenticated, microservice architecture in which I allow customers to consume via an API.
Let's say my architecture is made up of service A, service B and service C, each of which has an API for the microservice. Each API requires authentication, therefore there is an app registration for A, B and C. Each service has user roles, user and admin, for authorization within the APIs.
My questions are:
If a customer wants to consume the APIs, this would mean they need the enterprise app for each service in their tenant. This feels like we would be bloating their app registrations. Even if I wrote an API to wrap all the service APIs, the service APIs would still need a JWT and therefore would still need registering in the client tenant. How can I avoid so many registrations?
As each service API relies on user roles, admin and user, this would mean a client's sysadmin would have to go through each registration and apply users to the relevant roles, over and over again. This seems like a management nightmare for a client. Is there a way around this?
There are likely to be some endpoints in the services which are for internal use, not for clients. How do I restrict what scopes are made available to the client tenants to protect those endpoints?
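As an added illustration of the third point (this is example code, not from the original post or any Microsoft library), the check below decides per endpoint whether an already-validated Azure AD token may call it. It assumes the token's signature, issuer, expiry and audience were verified upstream by the API's JWT middleware, and relies on the standard Azure AD access-token claims `tid` (tenant), `scp` (delegated scopes, space separated) and `roles` (app roles); the tenant id, endpoint names, scope and role names are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholder: the tenant that hosts services A, B and C themselves.
HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"


@dataclass(frozen=True)
class EndpointPolicy:
    roles: frozenset                  # app roles ('roles' claim) allowed; any one suffices
    scopes: frozenset = frozenset()   # delegated scopes ('scp') that a user token must also carry
    internal: bool = False            # True: only app-only callers from the home tenant


# Constructed policy table; internal endpoints are never exposed to client tenants.
POLICIES = {
    "GET /orders": EndpointPolicy(roles=frozenset({"User", "Admin"}),
                                  scopes=frozenset({"Orders.Read"})),
    "DELETE /orders": EndpointPolicy(roles=frozenset({"Admin"}),
                                     scopes=frozenset({"Orders.Write"})),
    "POST /internal/reindex": EndpointPolicy(roles=frozenset({"Service.Internal"}),
                                             internal=True),
}


def authorize(claims: dict, endpoint: str) -> tuple:
    """Return (allowed, reason) for a validated token payload and an endpoint key."""
    policy = POLICIES.get(endpoint)
    if policy is None:
        return False, "no policy for endpoint (deny by default)"

    granted_roles = set(claims.get("roles", []))
    granted_scopes = set(claims.get("scp", "").split())
    delegated = bool(granted_scopes)   # app-only (client credential) tokens carry no 'scp'

    if policy.internal:
        # Internal endpoints: reject foreign tenants and any user-delegated token,
        # regardless of which scopes or roles the caller managed to obtain.
        if claims.get("tid") != HOME_TENANT_ID:
            return False, "internal endpoint: foreign tenant"
        if delegated:
            return False, "internal endpoint: delegated token not accepted"

    if not (granted_roles & policy.roles):
        return False, "missing app role"
    if delegated and policy.scopes and not (granted_scopes & policy.scopes):
        return False, "missing delegated scope"
    return True, "ok"
```

Because the table is the single place that names which roles and scopes each endpoint accepts, it also documents exactly what a client tenant must be granted and what it never needs.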