How to allow multi-tenant Azure Function with EasyAuth for selected tenants only?

0
votes

Given a multi-tenant configured app (azure function) with EasyAuth enabled for Azure Active Directory only, how can I limit access to only selected tenants?

The consequence of using multi-tenant app with EasyAuth was removing the Issuer URL completely which means that everyone could access the app. I want to limit it to a few known tenants.

Can we somehow configure the Issuer URL to carry an array of tenant IDs?

1
azureazure-active-directoryazure-functions

1 Answers

1
votes

There isn't really a built-in way to do this as far as I know. Assuming that is the case, you'll want to implement it yourself in your application code. For example:

  • Store a list of selected tenants in your application (e.g. in a database)
  • For each request, look at the iss (issuer) claim and compare it against your list of selected tenants
  • If the iss claim doesn't match a selected tenant, redirect them to your custom registration page (or return 403 if you don't have one).