Hello friends and thank you for taking the time to read my question and for all potential answers.

I am building a customer application which allows several proprietors (business owners) to log in and manage their business. I don't want to focus on the details of the app as it is not relevant (I think) because this is more of a qualitative question.

I am using Azure AD (App Registrations) for both the Blazor WASM and API. I am comfortable creating and utilizing those. What I am trying to understand is how to not allow customers to see each other's data by using purely just Azure AD.

Example:

  • Customer User A from business X logs into the app. They are redirected to myapp.com/Business-X
  • The Roles I have right now in Azure AD are User.Read, User.ReadWrite and User.Admin
  • Customer User B from business Y logs into the app and is redirected to myapp.com/Business-Y

Nothing is preventing User A from changing their URL to myapp.com/Business-Y and having the same role in another business's app. I understand that I can change my roles in Azure AD to be User.Read.X, User.ReadWrite.X, User.Admin.X, User.Read.Y, User.ReadWrite.Y, User.Admin.Y etc., but imagine if I have hundreds of customers, let's say; that is unmanageable and my Blazor code will just be a mess.

Is there a better/smarter way to do this? For example, I can keep the current simplified roles and add users to a database where I map them to the business they have access to, but is that secure? I suspect using a database to store this does not sound right, because it feels like Azure AD can do this and I just don't know how.

Thank you again!

achilles
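The database mapping the question proposes is sound as long as the check is enforced in the API rather than in the Blazor client, because the browser URL is under the user's control. The following ASP.NET Core example is added here and is not code from the asker or the answerer: it keeps the tenant-wide app roles (User.Read, User.ReadWrite, User.Admin) for what a caller may do, and adds an authorization requirement that compares the caller's Azure AD object id (the `oid` claim in the validated token) against a membership table to decide which business they may act in. The `IBusinessMembershipStore` interface, the in-memory store with its constructed object ids, the `businessId` route parameter and the `CanReadBusiness` policy name are all assumptions; the token validation uses the Microsoft.Identity.Web package (`AddMicrosoftIdentityWebApi`, `GetObjectId()`).

```csharp
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

// Requirement: the business named in the route must be one the caller belongs to.
public sealed class BusinessMemberRequirement : IAuthorizationRequirement { }

// Hypothetical membership store (an assumption, not the asker's code): maps a user's
// Azure AD object id (the 'oid' claim) to the businesses that user may act in.
public interface IBusinessMembershipStore
{
    Task<bool> IsMemberAsync(string userObjectId, string businessId, CancellationToken ct);
}

// Constructed sample data standing in for the database table the question proposes.
public sealed class InMemoryMembershipStore : IBusinessMembershipStore
{
    private static readonly Dictionary<string, HashSet<string>> Members = new()
    {
        ["00000000-0000-0000-0000-00000000000a"] = new() { "Business-X" }, // User A
        ["00000000-0000-0000-0000-00000000000b"] = new() { "Business-Y" }, // User B
    };

    public Task<bool> IsMemberAsync(string userObjectId, string businessId, CancellationToken ct) =>
        Task.FromResult(Members.TryGetValue(userObjectId, out var set) && set.Contains(businessId));
}

public sealed class BusinessMemberHandler : AuthorizationHandler<BusinessMemberRequirement>
{
    private readonly IBusinessMembershipStore _store;
    public BusinessMemberHandler(IBusinessMembershipStore store) => _store = store;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, BusinessMemberRequirement requirement)
    {
        // With endpoint routing, the resource handed to the handler is the request's HttpContext.
        if (context.Resource is not HttpContext http) return;

        // GetObjectId() (Microsoft.Identity.Web) reads the 'oid' claim from the validated token;
        // it identifies the user regardless of which URL the browser asked for.
        var oid = context.User.GetObjectId();
        var businessId = http.GetRouteValue("businessId") as string;
        if (string.IsNullOrEmpty(oid) || string.IsNullOrEmpty(businessId)) return;

        // Fail closed: the requirement only succeeds when the store confirms membership.
        if (await _store.IsMemberAsync(oid, businessId, http.RequestAborted))
            context.Succeed(requirement);
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);

        // Validate bearer tokens issued by the Azure AD app registration configured in "AzureAd".
        builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

        builder.Services.AddAuthorization(options =>
        {
            // The simple tenant-wide app roles decide *what* a user may do ...
            options.AddPolicy("CanReadBusiness", policy => policy
                .RequireAuthenticatedUser()
                .RequireRole("User.Read", "User.ReadWrite", "User.Admin")
                // ... and the membership requirement decides *which* business they may do it in.
                .AddRequirements(new BusinessMemberRequirement()));
        });
        builder.Services.AddScoped<IAuthorizationHandler, BusinessMemberHandler>();
        builder.Services.AddSingleton<IBusinessMembershipStore, InMemoryMembershipStore>();

        var app = builder.Build();
        app.UseAuthentication();
        app.UseAuthorization();

        // A request for /api/businesses/Business-Y/summary by User A is rejected with 403 here,
        // in the API, no matter what the Blazor client shows or which URL the user typed.
        app.MapGet("/api/businesses/{businessId}/summary", (string businessId) =>
                Results.Ok(new { businessId }))
            .RequireAuthorization("CanReadBusiness");

        app.Run();
    }
}
```

The Blazor WASM client can still hide links to other businesses for usability, but that is cosmetic; the handler above is the only check that matters, and it should be applied to every endpoint whose route or body names a business (including writes, where the membership table would also carry the role that user holds in that business).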

1 Answer

Yes, you can surely restrict users' access to a particular application registered in Azure AD by ensuring these applications are also registered as 'Enterprise Applications' in Azure AD. Once these applications show up in 'Enterprise Applications' in Azure AD, you can configure them to require assignment for a particular set of users only, by ensuring that only the required users have access to that application. To enable user assignment and assign users for that application in Azure AD, you should have the 'Global Administrator, Application Administrator or Cloud Administrator' directory roles assigned to your ID.

Please find the snapshots below for more information in this regard:

(screenshot: Azure AD user assignment)

(screenshot: Azure AD user assignment - 1)

Also, once you have configured the above, you should ensure that you create a custom role at the directory level and assign it the required permissions, as this role would then be assigned to all the users, and these users can then individually be assigned to the required application, thus ensuring that only specific users are allowed to access the assigned app.

Please note that tenant-wide admin consent is granted to apps that require assignment. Kindly refer to the link below for more information:

https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users#update-the-app-to-require-user-assignment

Kartik Bhiwapurkar

  • Thank you for your answer! I was wondering how I can restrict access across customer data within the same app via Azure AD. I understand how it can work across different apps. Would it be the same way for that? – achilles Aug 24 '22 at 13:23
  • Yes, it can be the same way for an application hosted in App Service, wherein you will have to ensure that Identity authentication for that App Service is enabled and integrated with Azure AD, such that the application is registered in Azure AD and you can further manage it from there. – Kartik Bhiwapurkar Aug 24 '22 at 13:26