Permissions for SAAS in Azure AD

Question

I am looking to develop a SAAS product where tenant from different organizations can log into my application and there are specific set of custom Permissions that I want to create for my application which will allow users to access different endpoints in my application.

Application is hosted in a inhouse server.

Can someone please help me to understand what would be my approach to do so?

I am doing App Registration in Azure AD. And in the redirect uri I am passing my application url. I am stuck after that.

Answer 1

I tried to reproduce the same in my environment and got the results like below:

To integrate the SaaS Application in Azure AD, Register an Application in Azure AD.

As you need tenant from different organizations log into the application, make sure to configure the Application as Multi-Tenant like below:

Based on your requirement you can select the API permission which you want the users to access like below:

For sample, I selected Microsoft Graph and added the required API permissions:

You can choose Delegated or Application API permissions based the Grant Flows.

For Client-Credentials, need to grant Application API permissions and for Authorization Code Flow need to grant Delegated API permissions.

For sample, I am using OAuth 2.0 authorization code flow to generate the token for authentication.

I generated Auth-Code using below authorize endpoint:

This will authorize the request and redirect it to the application.

I generated the token using below parameters:

Using the above generated Access token, you can call Microsoft Graph API.

If you want B2B collaboration, refer to the document provided by bahrep in the comments.

References:

Register a SaaS application - Azure Marketplace | Microsoft Learn

Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft Entra