2
votes

Let's say I set up and create a new Azure Account and Subscription. Azure automatically creates an Azure AD for me called "somedomain.onmicrosoft.com".

Later I deploy REST API and Angular SPA app to Azure. Since I'm using Azure AD for authentication and authorization on both of the applications I register them on my Azure AD, under the domain "somedomain.onmicrosoft.com".

Everything works fine, however after some time I realize that I want to allow access to my services/apps to other organizations. After doing some research I realize that what I want to achieve is multi-tenancy.

In order to register a new tenant I do the following:

  1. Go to Azure portal.
  2. On the left blade menu click on "Create a resource" and search for "Azure Active Directory".
  3. Create a new directory called "tenant-1.onmicrosoft.com".

Next, I update my registered apps (on "somedomain.onmicrosoft.com") according to this documentation - enabling multi-tenancy and the common endpoint.

After all of this, both users from AD "somedomain.onmicrosoft.com" and "tenant-1.onmicrosoft.com" should be able to authenticate and access my services.

Question

Is this the correct way of achieving and implementing multi-tenancy?

2
From Azure AD point of view, yes. – Gaurav Mantri

2 Answers

3
votes

You don't need to create a new Azure AD tenant (xyz.onmicrosoft.com). Just register the application in the existing tenant or mark the existing application as multi-tenant. Then, other existing AAD tenants will be able to sign up to use your app without doing further registrations. You will need to modify your app code to accept tokens from other tenants, e.g. enter link description here. This link points to a regular .NET web app, not an SPA. You will need to translate it to your SPA environment.
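As an added example (not code from the question or from either answer), here is the claim-level check a multi-tenant REST API behind the common endpoint has to add once a JWT library has verified the token signature against the tenant-independent signing keys. The point the answer alludes to with "accept tokens from other tenants" is that the common endpoint's metadata publishes a templated issuer (`https://login.microsoftonline.com/{tenantid}/v2.0`), so a plain issuer comparison fails and many apps simply disable issuer validation; the safer route is to rebuild the expected issuer from the token's own `tid` claim and then decide, per tenant, whether that tenant has been onboarded. The client ID, tenant IDs and sample claim sets below are constructed placeholders, and the function names are my own.

```python
"""Multi-tenant Azure AD claim checks (added example; placeholder values)."""
import re

# Constructed placeholder values: replace with your own app registration data.
APP_CLIENT_ID = "00000000-0000-0000-0000-000000000001"
ALLOWED_TENANTS = {
    "11111111-1111-1111-1111-111111111111",  # stands in for somedomain.onmicrosoft.com
    "22222222-2222-2222-2222-222222222222",  # stands in for tenant-1.onmicrosoft.com
}

# Issuer formats Azure AD uses for v2.0 and v1.0 tokens; the tenant id is
# substituted from the token's own "tid" claim, not taken from metadata.
V2_ISSUER = "https://login.microsoftonline.com/{tid}/v2.0"
V1_ISSUER = "https://sts.windows.net/{tid}/"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def validate_multitenant_claims(claims, client_id=APP_CLIENT_ID,
                                allowed_tenants=ALLOWED_TENANTS):
    """Return (accepted, reason) for an already signature-verified claim set.

    Assumes the caller has checked signature, expiry and nbf with a JWT
    library; this function only adds the checks that a multi-tenant
    registration makes necessary.
    """
    tid = claims.get("tid")
    if not isinstance(tid, str) or not GUID_RE.match(tid):
        return False, "missing or malformed tid"

    # Issuer must be the one for the tenant named in the token itself; this
    # catches tokens whose iss and tid disagree.
    iss = claims.get("iss")
    if iss not in {V2_ISSUER.format(tid=tid), V1_ISSUER.format(tid=tid)}:
        return False, "issuer does not match the token's tenant"

    # Audience: v2 tokens carry the client id, v1 tokens commonly carry the
    # App ID URI (assumed here to be api://<client id>).
    aud = claims.get("aud")
    audiences = {aud} if isinstance(aud, str) else set(aud or [])
    if not audiences & {client_id, f"api://{client_id}"}:
        return False, "token was not issued for this API"

    # A multi-tenant app can receive a valid token from any Azure AD tenant in
    # the world; authorization is the app's job, so gate on onboarded tenants.
    if tid not in allowed_tenants:
        return False, f"tenant {tid} has not been onboarded"

    return True, "ok"


# Constructed sample claim sets exercising the paths above.
SAMPLES = {
    "v2_known_tenant": {
        "iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
        "tid": "22222222-2222-2222-2222-222222222222",
        "aud": APP_CLIENT_ID,
    },
    "v1_known_tenant": {
        "iss": "https://sts.windows.net/11111111-1111-1111-1111-111111111111/",
        "tid": "11111111-1111-1111-1111-111111111111",
        "aud": f"api://{APP_CLIENT_ID}",
    },
    "issuer_tid_mismatch": {
        "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
        "tid": "22222222-2222-2222-2222-222222222222",
        "aud": APP_CLIENT_ID,
    },
    "unknown_tenant": {
        "iss": "https://login.microsoftonline.com/33333333-3333-3333-3333-333333333333/v2.0",
        "tid": "33333333-3333-3333-3333-333333333333",
        "aud": APP_CLIENT_ID,
    },
    "wrong_audience": {
        "iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
        "tid": "22222222-2222-2222-2222-222222222222",
        "aud": "00000000-0000-0000-0000-0000000000ff",
    },
}


def run_samples():
    """Evaluate every sample and return {name: (accepted, reason)}."""
    return {name: validate_multitenant_claims(c) for name, c in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print(f"{name:20s} {'ACCEPT' if ok else 'REJECT':6s} {reason}")
```

The onboarding set is the piece that most often goes missing: once the registration is multi-tenant, "any Azure AD user can authenticate" is the default, and whether that user's organization is actually allowed to use the service has to be enforced by the API.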

0
votes

I'm not sure of your high-level use case, but one thing to note about the AAD multi-tenant approach: you are assuming that the person signing in has an Azure AD tenant, for example through Office365.

If they don't have an Azure AD then they won't be able to sign in.

You 'could' create an AAD for each new tenant and create a user account in there. They would have the [email protected] address and could add their own domain later.

That way they can then take advantage of all the enterprise features of AzureAD. It might be a use case, but I think you would need an AAD per tenant and I'm not sure of the limits or if this is best practice.

You can also look at B2C if you want social logins or other OpenID Connect providers.