2
votes

We are building an enterprise product, and expect a lot of customers not to have an Active Directory of their own.

We plan to use AAD as our IAM provider.

We plan to create a master AAD for the product, and then invite the users of each customer (tenant) as external users to the master AAD, using their business email ID. Each set of users for a given customer will be added to an external group for manageability.

Would this be the right approach for supporting multi-tenanted IAM for a product hosted in Azure?


2 Answers

2
votes

It's a pretty hard question. AAD's multi-tenancy basically requires the org to have an AAD of its own in order to have proper separation, etc.

But in the case of an org not having an AAD, this is one option.

One crucial thing you must not forget with this path is to turn on the option in the AAD tenant to restrict guest user permissions. This makes it so that the invited users can't just go to portal.azure.com and get a full list of all users in the tenant. At least, this is usually a desired thing when multiple clients are in the same tenant.

Other options could be:

  1. Setting up an AAD tenant for each customer
    • Good separation for customers
    • There might be a limit on how many you can create
    • I'm not aware of an API you could use for this (but hey, Selenium works :D)
  2. Set up your own identity provider with e.g. IdentityServer
    • Maximum customizability
    • A lot of work for you to develop and maintain

Everything would of course be easier if they just had an AAD :)
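Whichever directory layout is chosen, the product itself still has to enforce the separation the answer talks about: with every customer's guests sitting in one master tenant, the only thing that distinguishes a Contoso user from a Fabrikam user at request time is the per-customer group from the question. The following is an added illustration (not code from the question or the answer) of an application-side check that maps a validated token's claims to exactly one customer and refuses anything ambiguous. It assumes the app's auth middleware has already validated the bearer token's signature, issuer, audience and expiry; the tenant ID, group object IDs and user IDs are constructed placeholders, not real directory objects.

```python
"""Application-side tenant isolation for the 'one master AAD, one guest group
per customer' design. Added example; assumes token signature/issuer/audience
checks happen before this code runs. All IDs below are constructed."""
from dataclasses import dataclass
from typing import Mapping

# Constructed: the master AAD tenant every customer's users are invited into.
MASTER_TENANT_ID = "11111111-1111-1111-1111-111111111111"

# Constructed: one AAD security group per customer, keyed by group object ID.
GROUP_TO_CUSTOMER = {
    "aaaaaaaa-0000-0000-0000-000000000001": "contoso",
    "aaaaaaaa-0000-0000-0000-000000000002": "fabrikam",
}


class IsolationError(Exception):
    """Raised when the caller cannot be mapped to exactly one customer."""


@dataclass(frozen=True)
class Caller:
    object_id: str
    customer: str


def resolve_caller(claims: Mapping[str, object]) -> Caller:
    """Map a validated token claim set to exactly one customer.

    Denies when:
      * the token was not issued by the master tenant ('tid' mismatch);
      * the groups list overflowed into the '_claim_names' overage marker, so
        the token carries no groups (membership must then be looked up in
        Graph, never guessed);
      * the caller belongs to zero or more than one customer group.
    """
    if claims.get("tid") != MASTER_TENANT_ID:
        raise IsolationError("token not issued by the master tenant")
    if "groups" not in claims:
        if "_claim_names" in claims:
            raise IsolationError("groups overage: resolve membership via Graph")
        raise IsolationError("no group membership in token")
    customers = {GROUP_TO_CUSTOMER[g] for g in claims["groups"] if g in GROUP_TO_CUSTOMER}
    if len(customers) != 1:
        raise IsolationError(f"caller maps to {len(customers)} customers, expected exactly 1")
    return Caller(object_id=str(claims["oid"]), customer=customers.pop())


def authorize(claims: Mapping[str, object], resource_customer: str) -> bool:
    """True only if the caller resolves to the customer that owns the resource."""
    try:
        caller = resolve_caller(claims)
    except IsolationError:
        return False
    return caller.customer == resource_customer


# Constructed sample claim sets, shaped like the relevant part of an AAD access token.
CLAIMS_CONTOSO = {"tid": MASTER_TENANT_ID, "oid": "u-0001",
                  "groups": ["aaaaaaaa-0000-0000-0000-000000000001"]}
CLAIMS_BOTH = {"tid": MASTER_TENANT_ID, "oid": "u-0002",
               "groups": list(GROUP_TO_CUSTOMER)}
CLAIMS_OVERAGE = {"tid": MASTER_TENANT_ID, "oid": "u-0003",
                  "_claim_names": {"groups": "src1"},
                  "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/..."}}}
CLAIMS_OTHER_TENANT = {"tid": "22222222-2222-2222-2222-222222222222", "oid": "u-0004",
                       "groups": ["aaaaaaaa-0000-0000-0000-000000000001"]}


if __name__ == "__main__":
    for name, claims in [("contoso", CLAIMS_CONTOSO), ("both", CLAIMS_BOTH),
                         ("overage", CLAIMS_OVERAGE), ("other tenant", CLAIMS_OTHER_TENANT)]:
        print(f"{name:>13}: contoso={authorize(claims, 'contoso')} fabrikam={authorize(claims, 'fabrikam')}")
```

The deliberate choice is to fail closed on every ambiguous case rather than pick the first matching group: a user who ends up in two customers' groups by an admin mistake, or whose token carries the groups overage marker instead of a list, is denied until the membership is cleaned up or fetched from Graph.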

1
votes

It would depend on some details of the approach you want to follow. If you are expecting them to use their business email, then you may consider Single Sign-On (many organizations expect not to need duplicate accounts, and you may want to delegate the hassle of resetting passwords to your customers).

Also, you need to determine what kind of isolation you need (do you want to have a single set of users, or a clear separation by tenant?) and the budget (AAD cost is measured on a per-user basis) you have for this. Azure AD B2C could also be an option, or, as @juunas mentioned, implementing your own solution with something like IdentityServer.