
I need to build a solution that utilizes Azure B2B Collaboration to on-board customers from different organizations to use my system.

Each customer may have hundreds or thousands of users, where some may have Azure AD and others don't.

The application will have a different user roles/groups structure that controls access to my APIs.

What is the best way to design this and can you provide references?

Option 1: Create a separate Azure AD for each customer

Each customer will have their own Azure AD and I can use Azure Groups to control access.

Option 2: Create a single Azure AD for all customers/users

All users for all customers will be added to a single Azure AD and for users segregation, each customer's users belong to a separate Azure Security Group.

  • In this scenario, I will probably need to maintain each customer's groups in a local database since they may have different groups.
  • Any concerns from having all customers' users in the same directory?

Option 3: ???


1 Answer


In my opinion a single tenant is better. Creating a tenant for each customer makes management much harder (login also becomes harder to implement). A limit on the number of Azure AD directories per subscription probably does not exist, since directories sit above subscriptions in the hierarchy. Yes, you can set up a group for each customer and keep the ID of the group in your database.

The users will be added as guests to your directory; make sure that the setting "Guest user permissions are limited" is enabled in the external collaboration settings. That will make it so that they cannot access the user or group list at all in your tenant.
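As an added example (not code from the question or the answer above), here is how an API in the single-tenant design can turn a validated access token into "which customer, which roles": the per-customer security group object IDs live in a local table, the `groups` claim is mapped against that table, and the request is refused on every ambiguity, including the groups-overage case where Azure AD omits `groups` entirely because the user is in too many groups. The tenant ID, audience, group IDs and user object IDs are constructed placeholders, and the code assumes the token's signature, expiry and issuer have already been checked by the web framework; it only interprets the claims.

```python
"""Added example: authorize API calls in a single Azure AD tenant where each
customer's B2B guests sit in a per-customer security group whose object ID is
stored in a local database. Assumes the JWT was already validated upstream
(signature, exp, iss); this code interprets the verified claims only.
All identifiers below are constructed placeholders."""
from dataclasses import dataclass

# Our own directory: the single tenant every customer is invited into (placeholder).
OUR_TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"
# Audience expected in 'aud' for this API (placeholder application ID URI).
API_AUDIENCE = "api://customer-portal"

# Stand-in for the local database table: group object ID -> (customer, role).
GROUP_DIRECTORY = {
    "11111111-1111-1111-1111-111111111111": ("contoso", "reader"),
    "22222222-2222-2222-2222-222222222222": ("contoso", "admin"),
    "33333333-3333-3333-3333-333333333333": ("fabrikam", "reader"),
}


class AuthorizationError(Exception):
    """Raised when a validated token still does not authorize the request."""


@dataclass(frozen=True)
class Principal:
    user_oid: str      # object ID of the (guest) user in our tenant
    customer: str      # customer the request is scoped to
    roles: frozenset   # roles granted within that customer


def resolve_principal(claims, group_directory=GROUP_DIRECTORY,
                      expected_tenant=OUR_TENANT_ID,
                      expected_audience=API_AUDIENCE,
                      requested_customer=None):
    """Map the token's group memberships onto one customer and a role set,
    failing closed on wrong tenant/audience, missing or overflowed groups,
    no matching group, or a user spanning several customers."""
    # B2B guests receive tokens issued by OUR tenant, so 'tid' must be ours;
    # a token from the guest's home tenant is not acceptable here.
    if claims.get("tid") != expected_tenant:
        raise AuthorizationError("token not issued by our tenant")
    if claims.get("aud") != expected_audience:
        raise AuthorizationError("token not issued for this API")
    if "oid" not in claims:
        raise AuthorizationError("missing object ID claim")

    groups = claims.get("groups")
    if groups is None:
        # When a user is in too many groups (about 200 for JWTs) Azure AD drops
        # 'groups' and emits an overage marker instead ('hasgroups', or
        # '_claim_names'/'_claim_sources'). The app would have to query
        # Microsoft Graph; here we refuse rather than treat the user as group-less.
        if claims.get("hasgroups") or "_claim_names" in claims:
            raise AuthorizationError("groups overage: resolve groups via Graph")
        raise AuthorizationError("no groups claim in token")

    memberships = {}
    for group_id in groups:
        entry = group_directory.get(group_id)
        if entry is None:
            continue  # groups we do not know grant nothing
        customer, role = entry
        memberships.setdefault(customer, set()).add(role)

    if not memberships:
        raise AuthorizationError("user is in no customer group")

    if requested_customer is None:
        if len(memberships) != 1:
            raise AuthorizationError("user spans several customers; specify one")
        customer = next(iter(memberships))
    elif requested_customer in memberships:
        customer = requested_customer
    else:
        raise AuthorizationError(f"no access to customer {requested_customer!r}")

    return Principal(claims["oid"], customer, frozenset(memberships[customer]))


def require_role(principal, role):
    """Gate an API operation on a role within the principal's customer."""
    if role not in principal.roles:
        raise AuthorizationError(f"role {role!r} required")
    return True


# Constructed sample: a Contoso guest who is in both Contoso groups plus one
# group the application does not know about.
SAMPLE_CLAIMS = {
    "tid": OUR_TENANT_ID,
    "aud": API_AUDIENCE,
    "oid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "groups": [
        "22222222-2222-2222-2222-222222222222",
        "11111111-1111-1111-1111-111111111111",
        "99999999-9999-9999-9999-999999999999",
    ],
}

if __name__ == "__main__":
    principal = resolve_principal(SAMPLE_CLAIMS)
    print(principal, require_role(principal, "admin"))
```

Two practical notes on this layout: the `groups` claim is not emitted unless you enable it in the app registration's token configuration, and choosing "Groups assigned to the application" there (with each customer group assigned to the app) keeps tokens small and makes the overage branch far less likely than emitting all of a guest's security groups.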