I'm looking to develop an application using Azure Active Directory, primarily because of the built-in support for easy authentication in Web API and across various Azure tools.
My application will consist of a number of projects that each contain a number of sub-projects. With authentication covered, I'm trying to work out how I can handle authorization with Azure AD now. I envision that there would be different roles associated with each of the sub-projects (5-10), with people getting assigned to them on a per-sub-project basis.
Now, I know that AD supports roles and groups. Roles are sets of permissions and groups are sets of users. While I could create a group for each of the sub-projects, I expect that some of the roles could vary based on each of the larger projects, so I can't just check to see if a given user is assigned to X group and Y role. Not to mention, because a user could be assigned to more than one group and role, I don't see a way to specify that the role is applicable to just a single group (since the user may not be intended to have that role in all groups).
So, the only way I see right now to move forward would be to create new roles each time I create a new project and sub-project that are specific to each. However, as these projects and sub-projects are created and deleted over time, I expect we'll start hitting the upper caps of how many roles AD supports altogether (especially on a per-user basis).
In traditional Active Directory, I expect this would be handled via Organizational Units that could represent each of the projects and each of the sub-projects, each with assigned roles and groups. However, according to https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-create-ou there isn't support for Organizational Units in Azure AD, and they can't be assigned via the AD Graph API.
Using Azure AD, is there a better approach to take here apart from unique roles for each sub-project at this point?
Thanks!
Edit for more information:
Right now Azure AD supports groups and roles. Let's say I have two projects, A and B, and each of those has two inner sub-projects, A1 and A2, and B1 and B2. Additionally, I have a user that I want assigned to an Admin role on A1, a Power User role on B2, and no access to B2 or A1.
It seems that I could make a group for A1, A2, B1 and B2 and simply assign the user to group A1 and B2. On the backend, I can just specify that the user should be in those groups and deny access for anyone that's not.
Ok, so that handles group access, but then I want to assign the roles. I can grant them Admin and Power User, but then they'll have both of those roles on both of the groups they're in because I can't assign the roles in the context of a group.
The only other approach I can see is to create distinct roles for each of the groups, so now I have "Admin-A1", "Power User-A1", "Admin-A2", "Power User-A2", "Admin-B1", "Power User-B1", "Admin-B2", and "Power User-B2", but this is going to greatly inflate my object count over time (50 projects with 10 sub-projects apiece with 8 roles will start working up there, though 500k is quite the high threshold).
I foresee a maintainability problem with having so many roles. Since I can't correlate a role with a group and can only specify the display name and description for it (both would be useful for a project owner to see when assigning them), how might you suggest that I identify on the backend which roles are associated with which project (without having to keep my own list of guids to store the extra attributes)? Is there a way to submit custom attributes with the roles/groups?
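The per-sub-project role naming described in the question ("Admin-A1", "Power User-B2") only works if the backend enforces both halves of the check: group membership for the sub-project and a role whose suffix names that same sub-project. The following is an added example of that enforcement, not code from the question or from any Azure library. It assumes a decoded token whose `groups` and `roles` claims have already been signature-validated upstream; the `"<Role>-<SubProject>"` naming convention and the sub-project-to-group-id table are constructed for illustration, and the GUIDs are placeholders.

```python
"""Deny-by-default authorization over Azure AD group and app-role claims where
each app-role name carries a sub-project suffix ("Admin-A1").

Added example, not code from the question or from Azure AD. `groups` and `roles`
are the standard Azure AD token claim names; everything else below is assumed.
"""
from collections import defaultdict

# Constructed mapping from sub-project name to the Azure AD group object id that
# represents it (placeholder GUIDs, not real tenant values).
SUBPROJECT_GROUPS = {
    "A1": "00000000-0000-0000-0000-0000000000a1",
    "A2": "00000000-0000-0000-0000-0000000000a2",
    "B1": "00000000-0000-0000-0000-0000000000b1",
    "B2": "00000000-0000-0000-0000-0000000000b2",
}


def parse_scoped_roles(roles):
    """Split compound app-role names into {subproject: {role, ...}}.

    A name with no '-<subproject>' suffix, or with a suffix that is not a known
    sub-project, is ignored rather than treated as a tenant-wide role, so a stray
    or mistyped role assignment never widens access.
    """
    scoped = defaultdict(set)
    for name in roles:
        role, sep, subproject = name.rpartition("-")
        if sep and role and subproject in SUBPROJECT_GROUPS:
            scoped[subproject].add(role)
    return dict(scoped)


def roles_for(claims, subproject):
    """Return the roles the token holder has on `subproject` (empty set if none).

    Both conditions must hold: the user is a member of the sub-project's group,
    AND holds a role whose suffix names that same sub-project. A role such as
    "Admin-A2" held by someone outside group A2 grants nothing.
    """
    if subproject not in SUBPROJECT_GROUPS:
        return set()
    if SUBPROJECT_GROUPS[subproject] not in set(claims.get("groups", [])):
        return set()
    return parse_scoped_roles(claims.get("roles", [])).get(subproject, set())


def is_authorized(claims, subproject, required_role):
    """True only when `required_role` is among the holder's roles on `subproject`."""
    return required_role in roles_for(claims, subproject)


# Constructed decoded-token payload for the user in the question: member of the
# A1 and B2 groups, holding Admin-A1 and "Power User-B2". The bare "Admin" and
# the Admin-A2 role (no A2 group membership) are included to show they are inert.
SAMPLE_CLAIMS = {
    "groups": [SUBPROJECT_GROUPS["A1"], SUBPROJECT_GROUPS["B2"]],
    "roles": ["Admin-A1", "Power User-B2", "Admin", "Admin-A2"],
}

if __name__ == "__main__":
    checks = [("A1", "Admin"), ("B2", "Admin"), ("B2", "Power User"), ("A2", "Admin")]
    for sp, role in checks:
        print(f"{role} on {sp}: {is_authorized(SAMPLE_CLAIMS, sp, role)}")
```

Two caveats for anyone adopting this pattern. First, the `groups` claim is not always present: when a user belongs to more than the token's group limit, Azure AD emits a group-overage indicator instead and the backend must fetch membership from the Graph API, so treat a missing `groups` claim as "unknown" and fail closed, as the code above does. Second, keeping the sub-project-to-group table in your own configuration (rather than trying to attach custom attributes to the role) is what lets the backend answer "which roles belong to which project" without parsing display names.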