I want to build a multi-tenant web application that calls a multi-tenant Web API using AAD.
I am following this sample but replacing the UWP app client with an ASP.NET Web Application.
It all works fine, but I am concerned that the validation of the issuer is done using a custom AuthorizationFilterAttribute based on values in a bespoke database.
Rather than using a separate database, is it possible to use an AAD implementation, one that uses the directory?
Seems like a possible security risk if somehow the database is compromised to include 'bad data'.
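For comparison, here is an added example (not code from the linked sample or the question's project) of an issuer check that does not let a database row alone decide which issuers are accepted: the issuer is first pinned to the AAD issuer template and to the token's own `tid` claim, and only then compared with an allow-list of onboarded tenant IDs. The v1 issuer format `https://sts.windows.net/{tid}/`, the `IssuerValidator` hook of Microsoft.IdentityModel.Tokens, and the `onboardedTenants` set are assumptions, not from the post.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using Microsoft.IdentityModel.Tokens;

// Added example: multi-tenant AAD issuer validation. Assumption (not from the
// original post): tokens use the v1 issuer template and the set of onboarded
// tenant IDs is loaded at startup (from the directory, a config file or a store).
public static class MultiTenantIssuerValidation
{
    private const string IssuerPrefix = "https://sts.windows.net/";

    // Returns the issuer if it is well formed, names the same tenant as the
    // token's 'tid' claim, and that tenant has onboarded; throws otherwise.
    public static string ValidateIssuer(string issuer, string tidClaim, ISet<Guid> onboardedTenants)
    {
        if (string.IsNullOrEmpty(issuer)
            || !issuer.StartsWith(IssuerPrefix, StringComparison.Ordinal)
            || !issuer.EndsWith("/", StringComparison.Ordinal))
            throw new SecurityTokenInvalidIssuerException("Issuer does not match the AAD issuer template.");

        string tenantPart = issuer.Substring(IssuerPrefix.Length).TrimEnd('/');
        if (!Guid.TryParseExact(tenantPart, "D", out Guid issuerTenant))
            throw new SecurityTokenInvalidIssuerException("Issuer tenant is not a GUID.");

        // The issuer must be the tenant the token itself says it came from, so a
        // corrupted allow-list can at worst admit a real tenant, never an arbitrary issuer.
        if (!Guid.TryParseExact(tidClaim, "D", out Guid tokenTenant) || tokenTenant != issuerTenant)
            throw new SecurityTokenInvalidIssuerException("Issuer tenant does not match the 'tid' claim.");

        // Only tenants that have consented to (onboarded) the application are accepted.
        if (!onboardedTenants.Contains(issuerTenant))
            throw new SecurityTokenInvalidIssuerException("Tenant has not onboarded.");

        return issuer;
    }

    // Wiring into the JWT bearer middleware: IssuerValidator receives the raw
    // issuer string and the already-parsed token.
    public static TokenValidationParameters Build(ISet<Guid> onboardedTenants) =>
        new TokenValidationParameters
        {
            ValidateIssuer = true,
            IssuerValidator = (issuer, token, parameters) =>
            {
                var jwt = (JwtSecurityToken)token;
                string tid = jwt.Claims.FirstOrDefault(c => c.Type == "tid")?.Value;
                return ValidateIssuer(issuer, tid, onboardedTenants);
            }
        };
}
```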